When a big corporation suffers a major cyber-attack, we may assume the attacker is also big. Alarmingly, that's not necessarily true.
Questions over virus are vital to cybersecurity
There was no warning. On August 15, 30,000 or more computers in the offices of the Saudi Arabian Oil Co were suddenly wiped clean. The anonymous attacker left behind, as a calling card, the image of a burning US flag.
It could have been worse - oil-production systems were not affected - but it was bad enough, a warning that in the age of cyber-warfare, few computer systems are ever truly secure.
At Saudi Aramco, as the company is known, suspicion turned instantly to Iran; US officials hinted that they agreed. Leon Panetta, the US defence secretary, used the opportunity to warn that serious attacks on the software controlling power plants, corporate operations and government activities could amount to a "cyber Pearl Harbor".
But it turns out that the Saudi Aramco attack was not nearly as sophisticated as the Stuxnet family of programs that hit Iran's nuclear facilities in 2010. The vehicle for the recent attack, a virus called Shamoon, may even have been the work of a single individual. And a similar attack on office computers at the Qatari natural-gas company Rasgas, late in August, seems to have been a simple copy-cat, using a Shamoon variant.
This is bad news, not good. The idea that a solo hacker or two can do so much damage to big companies is almost as bad as the notion that states are launching cyber-offensives. It also raises the question: if one individual can wipe out tens of thousands of computers, then how much damage could a determined government do?
As with some other types of asymmetric warfare, cyber-attacks leave the victims doubly defenceless, unable to foresee attacks and clueless, after the fact, about the enemy's identity. In conventional or even nuclear warfare, counter-strike capability - the power to retaliate - is a potent deterrent, but it depends on knowing the identity of the foe and having the right weapons to strike back.
The best brains business can buy, to say nothing of well-funded government researchers in many countries, are hard at work on improving defences. The International Society for Automation, for example, has developed standards and protocols to secure production machinery, although Stuxnet has no doubt sent them back to the drawing board.
In this arms race, complex systems may always be vulnerable to malicious hacking, whether organised or by an individual.
We'll have to live with it and, learning from the Shamoon case, avoid jumping to conclusions. Threats fired off into the cybersphere will be best met by defences in the same.