As dangers facing the UK develop, so must the means of preventing attack. Joshua Chambers looks at the threats to UK cyber security, and the methods being used to defend Britain’s public and private sectors.
It can’t be easy to astonish the head of MI5, but the scale of the threat posed by cyber crime does just that. As Jonathan Evans, MI5 director general, said in a speech this summer, “vulnerabilities in the internet are being exploited aggressively not just by criminals but also by states. And the extent of what is going on is astonishing – with industrial-scale processes involving many thousands of people lying behind both state-sponsored cyber espionage and organised cyber crime.”
Evans isn’t alone; his concerns are shared across Britain’s security professionals. Indeed, in the National Security Strategy, cyber security is ranked as a tier one priority alongside terrorist attacks, international military crises and natural disasters.
Yet while the issue is being raised by our intelligence agencies, it is not an issue for them to tackle alone; all senior civil servants must play their part. After all, as government starts to move services online, it offers up a huge target to hostile agents. “Putting more public services online increases the attack surface. When the big benefit services are online there will be billions of pounds going out down the wires,” explained James Quinault, director of the Office of Cyber Security and Information Assurance in the Cabinet Office’s National Security Secretariat, at a CSW round table earlier this year. But while the risk is increasing, defensive barricades mustn’t be unduly constrictive; after all, ordinary citizens will need to be able to access services quickly and efficiently.
In order to assess the challenges for departments, and the actions that civil servants should take to mitigate the risks, CSW has rounded up key opinions from experts across the public and private sectors.
The threats
There are three key threats to Britain’s cyber security. Firstly, the traditional threat of espionage from hostile nation states. Parliament’s Intelligence and Security Committee (ISC) said in its annual report that the majority of state-sponsored cyber attacks on the UK emanate from China and Russia, and that “such attacks are focused on espionage and the acquisition of information.”
Yet despite the seriousness and pervasiveness of the threat, it’s very difficult to prevent countries from engaging in it. Sir David Omand, former head of GCHQ, one of Britain’s three intelligence agencies, told Queen Mary University’s Mile End Group earlier this year that “espionage is ubiquitous” and that it’s very difficult to attribute cyber attacks. Therefore, cyber espionage will be a fact of life, and government, businesses and individuals are “all going to have to take responsibility for protecting that which is most valuable to us.”
The second key threat is from so-called ‘hacktivists’. These are disparate groups of computer hackers intent on causing damage to companies and governments. Their most common form of attack is a distributed denial of service attack (DDoS), which brings down a website through the sheer weight of requests placed on it by automated programmes. In the past year, there have been hacktivist attacks against GCHQ, the Home Office and the Ministry of Justice. Just this summer, the Olympics became a target (see box below).
At the CSW roundtable Quinault explained the motivation. “For the most part, it’s a sort of perverted glory of doing it – a modern sort of vandalism that is an annoyance rather than a serious threat to government business, but there is always the potential that something they do will cause collateral damage.” As important payment mechanisms such as universal credit move online, the risks will become greater as people’s livelihoods depend on the reliability of computer systems. Furthermore, where hacktivists are motivated not by money or by the desire to steal state secrets, they will target parts of a network on which organisations typically do not focus security resources, making the attacks difficult to combat.
The third threat is an old problem in a new form: cyber crime. As Evans noted, “One major London-listed company with which we worked estimates that it incurred revenue losses of some £800m as a result of hostile state cyber attacks – not just through intellectual property loss but also from commercial disadvantage in contractual negotiations.” Stealing intellectual property is big business for cyber criminals, and innovative products from British companies “underpin our future prosperity.” Indeed, the foreign secretary has estimated that the global impact of cyber crime exceeds $1tn, while the UK company Detica says that it costs the UK £27bn a year.
The plan
The government launched its Cyber Security Strategy last November, focusing on ensuring continued prosperity through online safety. “Our vision is for the UK in 2015 to derive huge economic and social value from a vibrant, resilient and secure cyberspace,” it says, setting out four key objectives to achieve by that year. First, the UK will be “one of the most secure places in the world to do business in cyberspace.” Second, the country will be more resilient against cyber attack. Third, the public will be safely able to interact online. Fourth, the UK will have the skills and capabilities to protect itself. The strategy also says that an update must be provided on progress made after one year, so government is preparing to publish a ministerial statement setting out how much has been done to achieve these objectives and ensure cyber security.
In fact, the UK is already relatively safe compared with other countries’ cyber spaces. A report by consulting firm Booz Allen Hamilton at the beginning of this year found that Britain, along with the United States, leads the G20 in its “ability to withstand cyber attacks and to deploy the digital infrastructure necessary for a productive and secure economy.”
Nonetheless, the challenges are many and manifest, meaning that businesses and civil servants must partner to tackle them. The Cyber Security Strategy set aside £650m for government to work in partnership with the private sector and other countries, building capability and raising awareness. This is a significant sum in a time of austerity, but as Vincent Blake, head of cyber security at Raytheon UK warned at Civil Service Live this summer, one company lost more than that in a single cyber attack. Indeed, the $1tn potential cost of cyber crime estimated by the foreign secretary “is greater than the entire revenue for every major cyber security company on the planet by a factor of ten,” he said.
Roughly half the scheme’s £650m is going directly to intelligence agencies, while the rest is going to the police, Ministry of Defence, Cabinet Office and to help businesses with communications and training initiatives. Training is particularly important, because the majority of cyber attacks are easy to prevent without involving Britain’s intelligence agencies. As the current director of GCHQ, Sir Iain Lobban, said in his first public speech earlier this year, 80 per cent of potential risks can be mitigated just by ensuring that employees both in the public and private sector download security updates to their office software and use secure passwords.
This frees up the intelligence agencies to work on the pernicious 20 per cent of problems that can’t easily be prevented. Lobban’s predecessor, Omand, said recently that 20 per cent of cyber attacks can only be stopped through “intelligence work, deep penetration, tracking suspected agents of the other side, and uncovering and disrupting their activities.” And doing this is troublesome, he added, because when attacks are on businesses, it’s difficult for intelligence agencies to get involved. In order for GCHQ, MI5 and MI6 to prevent vast losses by UK companies, British businesses will need to trust the intelligence agencies and share sensitive corporate information, he argues. To this end, GCHQ is running numerous summits with businesses to win their trust and persuade them of the importance of good cyber standards.
International efforts are also important: since the internet is in essence a series of interconnected access points, information cannot be secured without global collaboration. Last year, the foreign secretary held a conference in London with 60 nations to try to build common standards of acceptable online behaviour. This year, there will be a follow up event in Budapest.
Spies in the community: From left to right, MI6 chief Sir John Sawers, MI5 director general Jonathan Evans, GCHQ director Iain Lobban earlier this year
Top tips from GCHQ
1. As senior officials you set the security culture within your organisation. Visibly support and follow your departmental guidelines.
2. Don’t connect a personally owned device such as your mobile phone, or personal USB stick or a personal laptop to your departmental IT system.
3. If you use an official laptop, keep the password and/or token separate from the device.
4. Minimise the amount of information transferred to your laptop or removable media to that needed for the task in hand.
5. Only use officially provided IT to conduct business.
6. Only use officially provided removable media (like USB devices).
7. Where possible, use only your official IT system to access the Internet for official purposes.
8. Be wary of unsolicited emails, even if they look relevant to your business or interests.
Based on CESG’s information assurance advice
Departmental defences
Meanwhile, within government, departments are largely autonomous in managing their IT networks and cyber security, although CESG – the information assurance arm of GCHQ – sets centralised standards for civil servants (see top tips box above). It also defends the most sensitive information stored by government.
Judy Baker of Cyber Security Challenge UK said at Civil Service Live that while government has some centres of excellence – she cited GCHQ as an example – it also has “a huge range of problems and issues.” She called for a report ranking departments in order of capability so that the problems can be properly highlighted, and the stronger departments can assist the weaker ones.
Meanwhile, John Ellis of IT security company Symantec warned that “there is a mismatch” in cyber security capability. “At the high end there is capability, but the issue is that it does not cascade down fast enough or far enough, and the skill levels in the mid-tier to the lower tier – for example, system administrators … do not have the breadth in the security space.”
Training is a serious issue, because, as Raytheon’s Blake warned, training budgets can be among the first to be cut: “If you do have talent, you often cannot invest in that talent because the budget is not there.” CSW ran an online debate discussing cyber security over the summer, and access to digital training was cited as a problem by a number of respondents.
Another problem faced by government is talent retention. The ISC recently warned that GCHQ is “losing critical staff with high-end cyber technology skills” to the private sector – dubbing it a matter “of grave concern.” As Blake noted, “[in the private sector] we pay an awful lot more than government,” and so the public sector may train people, only to then lose them before recouping their investment.
Stopping the hacktivists: the Olympics experience
In the run-up to the Olympics, the Department for Culture, Media and Sport (DCMS) was concerned by two cyber threats – hacktivism and fraud – explains Oliver Hoare, the department’s head of Olympic information assurance and cyber security. Both were experienced during the Games, but DCMS managed to tackle the threats in partnership with the police, Cabinet Office, LOCOG and their private sector stakeholders.
The experience provides good lessons on how to mitigate the risks from hacktivist attacks. “Some websites were hit during the games and we managed to keep them going,” Hoare explains. In particular, there were a number of hackers trying to protest against the extradition of Julian Assange.
However, the websites were broadly well-protected and held up against the attacks, he adds. Hacktivists work by overwhelming websites with requests for information, so the private sector website providers, BT and ATOS, built in high levels of capacity and distributed traffic around the websites in different ways so that one part of the site didn’t become overwhelmed.
Meanwhile, the government also had to be wary of online fraud. Criminals set up websites that appeared official, encouraging people to submit their financial details and try to purchase tickets. DCMS ran publicity campaigns to ensure that people were aware of the official websites, and the police arrested over 90 people for cyber crimes.
First principles
Government must ensure that it thinks about cyber security as it formulates new systems and online approaches. However, the need for security can sometimes clash with another imperative: achieving value for money. Omand warned that “in preventing the potential for sabotage, my old colleagues in the Ministry of Defence have a conflict between the current fashion of buying things off the cheapest shelf rather than spending the money and getting computer code that is genuinely secure.”
He added that “many cyber attacks exploit software, and in future will exploit the embedded flaws in hardware that need not have been there, especially if the system has been botched together with blocks of pre-existing code written goodness knows when, and this is going to be true of all operators of critical national infrastructure.”
Cyber security also mustn’t be seen as the preserve of just one agency or organisation. The Office of Cyber Security was moved into the Cabinet Office to ensure greater coordination and oversight across all departments. However, when Cabinet Office minister Francis Maude appeared in front of the Commons’ Defence Committee earlier this year, the chair, James Arbuthnot, expressed concern that cyber security efforts didn’t seem as joined-up as they should be.
Certainly cyber security presents new challenges for Whitehall. But Omand also believes it presents an opportunity. “We really mustn’t be intimidated by fears of this future,” he said. “Much of cyber crime is really old crime committed through new means, such as fraud or forgery, and you can argue that these new crimes are easier in principle to commit. But once we get ourselves organised, they’re also going to be easier to detect in a hyper-connected world.”