What should we make of the threat of cyber terrorism? Should we prepare for a catastrophic meltdown of critical services along the lines of a James Bond film? Or are we overblowing the threat, just like the infamous Y2K bug? You have to look hard to find signs of impending doom – but the evidence is there if you examine the trends.
In 2007, for example, the Estonian government’s online services were hit by a Denial of Service attack (the kind designed to cripple a network for its users), prompting an expansion of NATO’s cyber capability. Since then we’ve seen large-scale thefts of payment card data and reports of intrusions into Western government systems, generally blamed on Chinese hackers. We had the Stuxnet computer worm attack on an Iranian nuclear enrichment laboratory in 2010, which showed that even the most protected environment can be penetrated by a determined adversary. More recently we’ve seen threats to Sony’s business interests, which paradoxically boosted their online sales.
None of this activity raises eyebrows or causes sleepless nights for the majority of citizens. Yet governments have elevated cyber security to the top of the security agenda. If the threat is so high, why are we not experiencing major catastrophes? We could assume it’s because our critical national infrastructure is well protected against intrusions. Or perhaps it’s because there is no one out there sufficiently capable and motivated to launch a damaging attack. But is this true?
At first sight it would seem reasonable to imagine that our critical infrastructure is secure. After all, it is run by reputable companies and overseen by responsible regulators. But today’s threats are sophisticated, defined by attackers who have the skills to research, find and exploit an unknown weakness in a system – or the money to buy one on the black market.
The most sophisticated attacks are termed “advanced persistent threats”. These attacks are designed to bypass the most commonly used security products, exploiting unpublished flaws in IT products and slipping past anti-virus scanners. Manipulating a user into downloading malicious code invokes a sophisticated framework of software modules, each designed to carry out a specific task, such as inspecting the software environment, installing back doors, searching for files, stealing credentials, transmitting stolen data, or taking over control of a target system.
Measured against this, our current cyber defences are arguably outdated and ineffective. And the situation is not improving. The reason for this is simple: security comes at a cost and takes time to establish. Unfortunately, it’s time we can’t spare.
The underlying problem is that the systems that deliver our critical national services were not designed to deflect attacks of the scale and sophistication of today’s cyber threats. It’s not surprising, as security solutions always lag behind identified problems. It can take months to develop a fix to a newly discovered flaw, and longer for companies to find and fund the resources to implement the fix.
Retrofitting security measures to old systems is far from easy. It’s often prohibitively expensive, and sometimes plain impossible to achieve. And changes are not helped by the industry’s tendency to outsource the management of outdated systems to low-cost service providers. Contracts with third parties can present a major complication and barrier to change.
It is only logical that businesses will prefer to make money, rather than spend it. As such, many businesses only spend on security when their arms are twisted by regulators.
But compliance is a poor motivator, encouraging a tick-box response rather than an effective strategy. Compliance can also discourage innovation by promoting well-established practices over novel solutions.
Dangerously, it also breeds a monoculture of identical security measures, which aids the attacker, who only has to test a new attack vector against a limited set of defensive technologies. It can take years for industries to discover a new form of attack. Security managers refer to the time taken to detect intrusions as the “dwell time”. Even top companies struggle to get this time down to under a month.
We must assume that there will always be more covert intrusions taking place in the UK than those we know about, and many of them will be targeted at our critical national infrastructure, especially the SCADA (supervisory control and data acquisition) systems that run the industrial plants that control our supply of oil, gas, electricity and water.
These systems have become progressively more extended and powerful. Unfortunately, they have not become more secure. Many are already open to attack, especially through exploits of “zero-day” (previously unknown and unpatched) vulnerabilities.
SCADA technology has been hacked over and over again since the day it was first introduced in the 1980s, generally without any major catastrophe or publicity. But the potential for damage remains, and it is the big plants that are generally the easiest to destroy because heavy machinery can generate big power surges.
Other essential services in the government, financial and retail sectors are similarly vulnerable to a sophisticated cyber terrorist attack.
This has been repeatedly demonstrated by the growing number of reported data breaches. If you can steal the data, you can also cripple the services.
The potential therefore exists for a massive, coordinated attack on critical national infrastructure.
This exposure will not go away, nor be adequately countered by business-as-usual security efforts. It will continue to grow with the increasing availability of knowledge and attack tools to would-be attackers.
What are some of the other challenges that we face in the battle against big cybercrime? Speed and agility are the keys to survival and success in a networked society, but you’ll see little reference to these in contemporary cyber security standards.
Similarly, there is a lack of emphasis on the new technical skills needed to defend complex, networked infrastructures. Executive boards need to become comfortable with the fact that it’s better to have a team of computer geeks defending business assets than an executive in a suit setting out a strategy.
The long term is even scarier, epitomised by the internet of things, a world in which sensors and devices can be accessed by citizens through the World Wide Web.
Just as we rushed to exploit the original internet with nothing more than obscurity for our security, so we are just as likely to embrace a world in which privacy, security and safety take a back seat to satisfy our thirst for consumerism, technology and convenience.
What’s missing is the big incident: the wake-up call that irrevocably alters our perception and demands an absolute response. Today it is fairly easy to envisage the toxic blend of capability and motivation in the form of jihadists and rogue states, and where that might lead us.
In the past, young hackers may have been driven into the arms of organised crime by hard-nosed law enforcement authorities. Instead we should seek them out, and persuade them to use their talents for the good of society, before their loyalties are hijacked by those who would do harm to others. Governments posture but do not possess the skills, resources or determination to fix the problem. They promote eye-catching initiatives such as competitions and war games, rather than attempt to dismantle the barriers to decisive security action.
Just as 9/11 transformed our counter terrorism effort, you can bet that a major cyber terrorist attack would change our complacency. The inescapable fact is that attacks, not common sense, are what drive forward innovation in the world of cyber security.
David Lacey is a cyber security consultant and writer for Computer Weekly