In January 2011 the World Economic Forum (WEF) at Davos identified cyber-security issues, ranging from the growing prevalence of cyber-theft to the little-understood possibility of all-out cyber-warfare, as one of the five most severe risks facing the world, alongside demographic challenges, resource security issues, retrenchment from globalisation and weapons of mass destruction. Experts consider that these risks may have severe, unexpected or underappreciated consequences. The US Government is rewriting its military manual to include cyber-attacks as acts of war.
In June 2011 Nintendo announced that, like its fellow online games company Sony, it had been the target of cyber-attacks as it prepared to launch an online gaming service. In the Sony case over 100 million individuals found their personal details, including credit card accounts, compromised. The cost to Sony was estimated at $171 million. The defence firm Lockheed Martin and the US public service broadcaster PBS have also been attacked. Hackers based in China have broken into Gmail accounts used by US public officials, and the British Chancellor of the Exchequer, George Osborne, told an international conference last year that British government computers are now on the receiving end of over 20,000 malicious email attacks every month. Cyber-attacks are estimated to cost the UK economy £27 billion a year. In addition there are other costs, such as damage to reputation. In 2010, 20% of UK businesses reported a cyber-security incident, but this rose to two thirds of those companies owning strategic infrastructure.
This is an issue that affects every one of us. Individuals and companies of all sizes, indeed everyone who accesses the internet, need a strategy to deal with this risk. So what is to be done? I was recently invited to participate in a seminar on the subject organised by PwC. The participants were Non-Executive Directors of a variety of organisations, and in discussion it was clear that most people and many organisations have focused too much on the rewards of online engagement: the use of the web to access information or entertainment and the exploding consumption of online media. In contrast there has been little focus on the threats posed. Further, too many organisations treat this as an IT issue to be managed by the IT department, when it needs to be treated as a matter of people, processes and technology together. One participant in the seminar is a Non-Executive Director of GCHQ. Much of what he said must remain confidential, but his Board is being encouraged to give speeches on the subject to raise awareness. In November 2011 the UK government published its Cyber Security Strategy[i]. Just as in the 19th century we had to secure the seas for our national safety and prosperity, and in the 20th century we had to secure the air, so in the 21st century we have to secure our position in cyber-space.
The cyber-world knows no boundaries, so global solutions are required, but today what solutions there are tend to be national. The risks escalate from financial crime, which is not only about hacking into bank accounts (for example, €40 million were stolen from carbon credits in 2011), through espionage and intellectual property theft and activism, to terrorism and warfare. Unlike traditional analogous attacks in each of these areas, a cyber-attack is hard to attribute and will usually be remote, and therefore can have a high-reward, low-risk ratio. To compound matters, much of it may just be casual vandalism by minors who may not fully appreciate the consequences of their actions. The risk is to individuals and small companies as well as large entities, for they could be the vehicle for the attack.
PwC has a team of experts who advise their clients on this issue. It is led by an individual who was himself a teenage hacker and knew all this stuff when he was 15. He now knows of 50,000 ways of attack, and he demonstrated some of these for us. One common example is denial of service, which can be triggered by flooding a computer system with demands, effectively like a plumbing overflow. Chains of attack can be bought cheaply on the web as a cloud-provided service. I was familiar with the concept of phishing, where the criminal seeks secure information by masquerading as a trusted site, a form of mass marketing where, if only a few are duped into providing such details, it will still be highly profitable. But this has evolved into “spear phishing”, which is more targeted, and even “whaling”, which goes after particular high-net-worth individuals.
Password cracking is now simple, as there are programs which can be downloaded that will crack most passwords. Any password under 14 characters is a waste of time. A safer password would be a long full phrase which can be recalled but would take ages to decode. It is easier to hack into a PC that is left on. Laptops have microphones, so the presence of laptops in confidential meetings is a source of risk. One defence is full disk encryption. Another option is to remove personal computers from employees and force them to use centralised systems that identify the users. But ultimately education of internet users remains a key strategy in combating cyber-crime.
Experts are rarely called in to attempt a full penetration attack, as that might create other risks, and so systems may not be fully tested. Typically the IT department wants a clean bill of health, and so deep attacks will not be conducted. Further, if security reports through the IT boss this may be a problem. I was reminded of the position of the Quality Assurance manager in a food firm, who has to have the power to close the factory if he suspects a product failure even though he reports to the head of manufacturing. The key question is not what we are doing to prevent an attack but what we are doing to respond.
A long-term friend of mine, Ian Ryder, is Deputy Chief Executive of the British Computer Society, the Chartered Institute of Information Technology. Ian tells me that the number one concern among its 70,000 members is cyber-security. But this is an issue for all of us, not just the IT professionals. It may require reorganising the way we do business. The cyber-attackers move fast, so the organisation needs to be able to respond quickly as well. A cyber-attack can gain entry via any node on an organisation’s network, and that may include third-party suppliers, customers or business partners. You cannot outsource risk. The IT department needs to be looking outside the four walls of the system it operates to see if the data at risk is already outside those walls. Data loss can be as serious as financial loss. And as more people start to run their lives on their mobile phones, these risks will only escalate. It is estimated that 115 million Europeans will be using mobile banking services by 2015. The cyber-thieves must be licking their lips.
As in all things, a balance must be maintained between the security of the assets and the data, the cost of that security and the usability of the system. But the risks are so great that organisations that do not consider how to guard against such threats, and prepare to deal with them if they happen, may not survive.