The Cybermen may have nearly defeated Dr Who, but today’s good guys face an even more formidable foe in the shape of cyber criminals. Tim Gibson reports on a round table held to identify the civil service’s sonic screwdrivers.
Criminals have a tendency to lurk in the shadows, and the internet provides plenty of dim-lit hiding places. As the online world expands, offering ever-more services on a growing range of devices, there is no shortage of either virtual nooks and crannies, or juicy targets – with the result that cyber crime is a fast-growing threat to governments, businesses and individuals alike.
So how should the government safeguard its corner of cyberspace, particularly in an era of expansion in digital public services? That was the question under discussion at a recent CSW round table, sponsored by IT company Oracle, at which civil servants and others came together to explore ways of protecting the government’s systems and data.
Clear and present danger
Gordon Morrison, director of defence and security at technology industry association Intellect, didn’t mince his words in describing the nature of the threat from professional cyber criminals, opportunistic attackers and hostile nation states.
“There is a clear and present danger,” he opined, noting that 180,000 new pieces of malware are detected in the world’s IT systems each day. “A reality we all face, whether we’re an individual, a company, a government department or a state, is an ongoing threat to our intellectual property, the wellbeing of our information systems and the security of our organisations.”
Mark Allen, project manager on the digitalisation programme within the Department for Work and Pensions, pointed out how fast the threat is changing: “We all put things in place so we know if someone is trying to attack us,” he said. “But the cyber criminals are evolving at incredible rates, so how do you keep up with that, and how do you then know if someone has found a way of getting around [your systems]?” Many organisations, warned Oracle’s security specialist Peter Corpe, are quite oblivious to the vulnerabilities in their IT systems.
Simon Godfrey, chair of the Public Sector Board at Oracle, noted that there are also internal threats: the government’s data can be compromised by its own personnel, whether in the pursuit of fraud or due to innocent mistakes in the way information is managed.
The National Fraud Authority’s (NFA’s) chief executive, Stephen Harrison, was quick to identify a further risk for the government as services move to online channels. “Once you let your systems be accessed by everyone out there,” he noted, including “the general public, you can’t guarantee that those systems won’t be compromised in some way, and… there might be a knock-on effect on your own systems.”
The cyber threat to the government’s data is therefore threefold. First, there are external threats from criminals, hostile states and opportunists. Second, there is a risk of data being compromised by the government’s own personnel, whether intentionally or accidentally. Third, as citizens interact directly with the government online, there is a chance of security breaches as they, for example, allow others access to their passwords or use computers that host viruses.
Meeting the threat
Everyone agreed on a point expressed by Nigel Dexter, senior information rights manager in the Department for Education: “We tend to focus on technology” when talking about cyber crime, he said. “But the carbon life form is also a factor.”
Dexter meant, of course, that all the technology in the world won’t prevent a security breach unless the human user knows how to minimise the chances that an attack will succeed. This is a question of effective ‘data hygiene’ – not leaving passwords on display, for example – and good online practices, such as not following suspicious links when they come in via email.
Saima Williams, policy adviser at the Department for Communities and Local Government, said that it is essential to raise awareness of security issues among users of online services, whether they are government employees or citizens. If people know the extent of the risk, they will be motivated to adopt better habits when using their computers.
Intellect’s Gordon Morrison argued that as well as educating people about security risks, IT planners and managers must meet them half-way: there’s a need to avoid “technical jargon”, he said, as it “turns people off”. The simpler the language used to inform people about cyber security, the higher the chance of them following appropriate protocols and helping to minimise the risk of a data breach.
That said, there will always be some employees who deliberately set out to compromise their department’s data. To protect against such activities, Dele Airen, a VAT assurance officer at HMRC, spoke of the need to monitor staff. “In HMRC, there are ways of [tracking] who has accessed what [information],” she reported. “This provides a way of monitoring usage, and mitigating the risk.”
Chris Gavin, vice president of information security at Oracle, said that government departments should take this further by reducing the size of their “attack surface”. He added that access to data should be kept to a minimum within an organisation, to minimise the risk of it falling into the wrong hands: “If you have a department of 5,000 people, and you give them all access to your confidential information, you’ve immediately increased the chances that you’re going to be compromised.”
Prevention is one part of the equation, but it is naïve to assume it will always succeed. Indeed, the group agreed that government departments will inevitably have their systems breached at some point.
Mark Allen from the DWP noted that, when a breach happens, it’s important to act fast. This is something the government is getting better at, he reported. Given a quick reaction, many of the implications of a breach can be managed – though some reputational damage is inevitable once the news enters the public domain.
When it comes to spotting a breach, the NFA’s Stephen Harrison argued that cross-departmental cooperation can help. He pointed to the work of the Metropolitan Police Force’s Virtual Taskforce, which coordinates information on attacks between a range of stakeholders. “If there’s a quick way for a number of big interested parties to share information,” he remarked, “you can then start to make a conclusion about whether this is an isolated incident or a more sophisticated attack.”
Improving best practice
Harrison’s advocacy of a more joined-up approach to cyber crime prompted a wider discussion of what the government could do to improve its performance in this sphere. Brian Pritchard, a tax specialist in HMRC, and Kemi Aina, who works in special investigations for HMRC, reflected that much of the government’s ICT equipment is out of date. Nick Welsh, lead assurer in the Cabinet Office’s Government Digital Service, agreed, and reported that a number of government PCs run old versions of key software programs such as Microsoft Internet Explorer, making them more susceptible to cyber attack.
It’s not just the technology available to government departments that needs updating, argued Rob Evans, a project manager in the Department for Transport. He said the government’s vetting procedures, and the permissions granted to personnel to access sensitive data, are based on communications systems and a cold war mentality that is now outmoded.
These vetting procedures are now being reformed as the Cabinet Office leads an overhaul of the ‘protective marking’ system. But the government will also need to invest in new technical infrastructure, said Oracle’s solution sales director Jeff Penrose, so that it is better able to fend off the threat of cyber crime in the 21st century.
In order to drive such change, Nick Welsh said, security needs to be seen as an enabler of, rather than a blocker to, efficient public service delivery. The value of effective data security must be recognised and incorporated into business cases as IT projects are planned out: after all, any chinks in the armour of government’s IT are likely to prove much more costly than the premium paid for building better armour in the first place. The National Cyber Security Strategy puts the cost of IT security breaches at between £110,000 and £250,000 each for large businesses, and up to £30,000 for smaller ones. The private sector is well used to ascribing value to good data security, said Oracle’s Simon Godfrey and Peter Corpe, and it can help public bodies to follow suit.
Such investment needn’t take the form of technical upgrades, though these are clearly important. It can also involve initiatives such as education programmes to promote good data hygiene among employees and citizens, analysis of online behaviours to identify at-risk groups, and monitoring of government personnel to prevent them from using data to which they have privileged access in ways that may harm others.
The threats are many, and the targets for them to exploit are growing as government expands its online presence. But participants agreed that, with cultural changes, clear education programmes, proper checks and improved internal IT systems, many of the smaller problems can be swept away quickly and efficiently. Then concerted efforts by disparate departments and the private sector to join up and tackle the bigger problems together should shrink the number of hiding spaces where cyber criminals can lurk.