Spending on cybersecurityHow credible -- and serious -- is the cyber threat the U.S. faces?

Not every one is terribly worried about cyber threats to the United States. A new report by a Washington, D.C. think tank dismisses the idea that terrorist groups are currently launching cyber attacks and says that the recent attacks against U.S. and South Korean networks were not damaging enough to be considered serious incidents.The report, written by James Lewis of the Center for Strategic and International Studies, looks at cyberwar through the prism of the Korean attacks, which many commentators have speculated originated in North Korea. There has been little, though, in the way of proof offered for this assessment, and Lewis does not go down that road. Instead, he focuses on whether the attacks constituted an act of war and whether they could have been the work of a terrorist group.

Dennis Fisher writes in Threat Post that the answer is no on both counts.

“The July event was not a serious attack. It was more like a noisy demonstration. The attackers used basic technologies and did no real damage. To date, we have not seen a serious cyber attack. That is only because the political circumstances that would justify such attacks by other militaries have not yet occurred and because most non-state actors have not yet acquired the necessary capabilities. As an aside, this last point undermines the notion of cyber terrorism. The alternative to the conclusion that terrorist groups currently lack the capabilities to launch a cyber attack is that they have these capabilities but have chosen not to use them. This alternative is nonsensical,” Lewis writes.

This is not to say that terrorist groups will not one day be capable of launching such attacks. Just the opposite, in fact. There is no reason to believe that organized, well-financed terrorist groups won’t soon acquire the ability to launch sophisticated attacks, Lewis concludes.

“A very rough estimate would say that there is a lag of three and eight years between the capabilities developed by advanced intelligence agencies and the capabilities available for purchase or rental in the cybercrime black market. The evidence for this is partial and anecdotal, but the trend has been consistent for more [than] two decades. This suggests that in less than a decade, perhaps much less, a terrorist group could enter the cybercrime black market and acquire the capabilities needed for a serious cyber attack,” he writes.

“The implications for the United States are troubling. We have, at best, a few years to get our defenses in order, to build robustness and resiliency into networks and critical infrastructure, and to modernize our laws to allow for adequate security. Our current defenses are inadequate to repel the attacks of a sophisticated opponent.”

The report also discusses at length the limiting factors that currently are preventing foreign countries and organized criminal groups from attacking the United States. These deterrents, which include political constraints and the possibility of a physical retaliatory strike, have been of use so far, but may not continue to be for much longer. The difficulty of attributing an attack to any specific person or group makes these deterrents far less effective than they might otherwise be.

Moreover, the U.S. dependence on digital technology makes it somewhat more vulnerable to cyber attacks than other nations, Lewis writes. “In the Cold War, there was symmetry in vulnerabilities - each side had cities and populations that the other could hold hostage. That symmetry no longer exists. The United States is far more dependent on digital networks than its opponents and this asymmetric vulnerability means that the United States would come out worse in any cyber exchange,” Lewis writes.

-read more in James A. Lewis, “The ‘Korean’ Cyber Attacks and Their Implications for Cyber Conflict” (CSIS, October 2009)