Opinion: There is no Geneva Convention online
When it comes to cyber safety, the mantra should be "trust, but verify"
I am not a lawyer, but to my mind cyber crime is committed by individuals or groups, whereas cyber warfare is committed by governments. Does it matter? Not from a cyber defence point of view, but it does matter for the way the game is played and for the endgame.
Dealing with cyber crime within a legal and regulatory framework means there are six potential endgame scenarios, depending on whether it is the result of an internal or external attack. These are: discipline, resignation, dismissal, civil prosecution, criminal prosecution, or make it go away.
Although the last one may be viewed as morally wrong, it is often the easiest and cheapest from a company perspective. Whichever route is chosen, the rules are defined and the operating parameters are usually quite clear.
With cyber warfare, there are only two possible outcomes - victory or defeat - and the constraints are pretty much unlimited. There is no Geneva Convention to define what is or what is not allowed. So the concept of total cyber war is equivalent to blanket bombing. Hit everything and there is a good chance that you will take out something important. But we know that blanket bombing is only effective against civilian assets.
If the next wars are to be won by the side with the fastest computers, then perhaps the only way for the weaker side to survive will be by the use of intelligence coupled with disinformation. If we can predict where the attacks are likely to come from, then perhaps we can limit their capability by destroying their sites at source? The equivalent of a pre-emptive strike.
Any actions taken by a company based on advice from the CPNI (Centre for the Protection of National Infrastructure) are likely to be based on the commercial considerations of an individual company. Our electrical infrastructure is provided by several companies who are in competition with each other, so getting a consensus to help the nation as a whole is an interesting concept. Indeed, it could be held that the directors are acting illegally if they are doing things that are not of direct benefit to their shareholders. What is adequate for a charity may not be adequate for a bank or a nuclear power station.
Change is an ideal time to insert a devastating trojan in the guise of an authorised change. The majority of my clients have a huge vulnerability in their change management processes, which tend to be trust-based.
The audit motto is “trust, but verify”, which in reality means that we only trust after it can be proved that the trust is justified.
John Mitchell is managing director of LHS Control