Short of a cyber attack that exploits an unknown fundamental flaw in the technical protocols underlying the Internet or an exceptionally strong solar flare destroying vital communications equipment, no single cyber event has the capacity to become a full scale global shock, say two British academics in a paper published Jan. 14 by the Organization for Economic Cooperation and Development.

The paper, by Peter Sommer, a visiting professor at the London School of Economics, and Ian Brown, of Oxford University, is one of a series examining the potential for cataclysmic events with global reach commissioned by the Paris-based international organization of mostly high-income countries, including the United States.

A succession of multiple cyber attacks undertaken by perpetrators of great skill who do not care about the likelihood of the attacks spiraling beyond their control and the real possibility of inflicting self-damage could have a global impact, the authors say. But, cyber attacks tend to be localized and temporary.

The longer an attack persists, the greater the chances it will be detected, mitigated and the perpetrator identified. Large scale attacks also result in more data needed to diagnose and fix system vulnerabilities, report authors note.

For a distributed denial of service attack to last more than one to two days, attackers would have to launch a successive series of never used before DDoS attacks, each with its own botnet, they write.

For such attacks to amount to a cyber war, perpetrators would have to compromise a number of different systems, implying that the attackers have conducted enough research to know the services and functions each attacked system provides.

A pure cyber war, fought entirely with cyber weapons, is unlikely, report authors state--if for no other reason, because there is no strategic reason why aggressors would limit themselves to only one class of weaponry, they add. Future wars will involve a mixture of kinetic and cyber weapons, they say.

An international cyber warfare treaty is unlikely to succeed as a deterrent, they add, since given the nature of cyber weaponry, reliable inspection of signatory nations' arsenals would be almost impossible.

"A better deterrent to state-sponsored cyber attack is awareness that such attacks are often uncertain in their effects and eventual outcome; it is this uncertainty which has thus far limited the deployment of biological weapons in particular," the say.

Still, individual cyber events can generate great harm and a potential for a "perfect storm" exists when two such events occur simultaneously or when a cyber event takes place during some other sort of disaster, the authors say.

Report authors also criticize promiscuous use of the terms "attack" or "incident" in connection with cybersecurity issues. When a "cyber attack" includes anything from an easily identified phishing attempt to a multi-stranded stealth onslaught, the term "leads to grossly misleading conclusions."

For more:
- download the report, "Reducing Systematic Cybersecurity Risk" (.pdf)

Related Articles:
Commission report: American reliance on Chinese telecoms poses security concern 
Clarke: Regulation needed to defend critical infrastructure against threat of cyberwar 
Chinese attacks 'Byzantine Candor' penetrated federal agencies, says leaked cable 
DHS official: Variants of Stuxnet could attack industrial systems