BRITAIN’s national security is in peril. According to a report released yesterday by the House of Commons Defence Select Committee, the threat to British IT systems from cyber attack is both rapidly evolving and increasingly significant. And it’s hard not to be convinced of the potential for disaster. In 2010, a highly-sophisticated computer worm known as Stuxnet disabled Iran’s nuclear facilities. More recently, the Flame virus destroyed government computers across the Middle East. And these were just the headline events.
Business is increasingly on the front line. Jonathan Evans, head of MI5, recently highlighted one anonymous British company that suffered a long-term revenue loss of £800m due to attacks from cyber criminals. Further afield, the Canadian telecommunications company Nortel was declared bankrupt after a series of cyber attacks. And Aramco, the world’s largest oil producer, suffered an attack in August 2012 that disrupted operations at oil refineries and left petrol stations in Saudi Arabia without fuel.
Part of the reason is that the lines between major corporations – especially in the financial sector – and nation states are blurring. Banking and insurance are part of a nation’s infrastructure, and are consequently the target for high publicity attacks (like recent denial-of-service attacks on a string of banks). More malicious attacks have also attempted to extract sensitive company data. As the disruption caused to Saudi state oil company Aramco demonstrates, any firm closely linked with a nation’s security, wealth and welfare is a highly attractive target for criminals seeking to do damage.
Of course, unpicking the psychology of a cyber criminal is a helpful way of understanding why some companies are especially vulnerable. Some criminals and “hactivists” wish to attract as much publicity as possible, while others wish to gain maximum impact without detection – through the covert theft of information or intellectual property to gain unfair advantage in a competitive market. Whatever the reason, the end result is likely to have a material impact on shareholder value.
But the real task is more complex than psychological analysis or strengthening defence. While firewalls, password protection, and anti-virus software are prerequisites, there’s always a way around them. A bespoke piece of malware can be bought online for a few thousand pounds. These viruses, created for a specific purpose and aimed often at a particular person or piece of information, can’t be easily predicted or prevented.
The critical point is that it isn’t possible to prevent all cyber criminals from getting into a network. The solution is to not just defend, but to focus on removing any danger that has already penetrated. And technology can only do so much. Cyber attacks are perceived by many as a problem for technology to solve, but they are as much a human instigated threat as terrorism or conventional war. Just as technology can’t predict whether a human enemy will attack an army’s left or right flank, traditional defences aren’t enough to face up to sophisticated online threats.
To use an analogy, we need to find a balance between controls – like locks and barbed wire – and the CCTV cameras and intelligence experts that can identify those that get through in time to prevent serious impact. Heightened awareness by employees across companies can also help lessen potential damage. Encouragingly, progress has been made in recent years. It’s heartening to see organisations in the City taking steps to combat the cyber threat, including an attack simulation exercise run by the FSA. But what’s needed now is increased monitoring of bespoke cyber attacks, and a move towards more efficient and speedy removal of threats.
But we should also remember why we have to deal with these risks. The cyber threat exists because of the extraordinary technological advances made over the last 50 years, which have brought about astonishing advances in social and economic prosperity. The current trend is rather like the spread of buccaneering after European exploration of the oceans. It’s simply a set of risks that need to be managed to exploit advances effectively.
The internet and mobile communications have given us social, economic and political benefits that far outweigh the cost of managing residual risks. Whatever the headlines, expect this balance to remain overwhelmingly positive.
Tom Burton is head of cyber security services at BAE Systems Detica.