CBR rounds up expert reactions to the MI5 director general’s warning on cybercrime threats to businesses and governments.
Jonathan Evans, the director general of the security service, said in a speech that the organisation is fighting an "astonishing" level of cyber-attacks against UK industry. He pointed out that one UK business has suffered £800m in losses from cyber attacks.
Evans’s warning comes in the wake of Italian, German and Dutch banks being targeted in a €60m cyber bank heist.
Evans warned that internet vulnerabilities are being exploited by criminals as well as states. He said it is likely that terrorists will use cyber vulnerabilities to attack infrastructure in the future.
CBR looks at expert reactions on the cybercrime warning from MI5.
David Harley, senior research fellow, ESET
MI5 is fairly typical of a security service in the Western World. It answers to the government, but doesn’t have the same view of the world (or of security) as the government. Make no mistake: the Security Services and the Centre for the Protection of National Infrastructure were aware of and working against a wide variety of attacks long before cyber-terrorism and cyber-warfare became hot political issues, and long before UNIRAS/NISCC/CPNI became so publicly aligned with those elements of the private sector that are intermeshed with the public sector elements of the Critical National Infrastructure (CNI).
Governments, on the other hand, are driven not only by the need to respond appropriately (whatever ‘appropriate’ means), but the need to reassure the electorate that they’re doing something, and most governments nowadays have acknowledged the need to maintain defences against cybercriminals and cyber-warriors of all flavours, as well as acknowledging more often that they are working proactively in cyber-espionage and cyber-sabotage, and all the other cyber-nuisances and cyber buzzwords. Also, there has been plenty of discussion about the precautions being taken to minimize the dangers posed by the Olympics.
Andy Kellett, security principal analyst, Ovum
Generally malicious attacks focus on three levels: Nation state sponsored attacks are seen as targeted, well-resourced, and well-organised. Traditional financially-motivated cybercriminals continue to silently hoover up sensitive business, customer, and account information in order to make a profit. The third element is significantly different. It involves groups who are motivated by the prospect of publicity and are now organised to the extent that hacktivism is known to have stolen more data in the last year than the traditional models. All add to increased attack volumes and all continue to be more pervasive in their approaches. The need to ensure that the Olympics are fully protected at all levels of security is paramount. It also raises the profile of all forms of malware attack and the need to make sure that the time focused on building security defences has been well spent.
Ross Brewer, managing director and vice president of international markets at LogRhythm
The threat of terrorism is shifting from physical acts of violence to a more subtle, silent war that is fought from behind a computer screen. Cyber warfare is no longer a product of a Minority Report-esque era – and it seems that MI5 is now placing the issue directly under the microscope. Considering the discovery of the Flame malware, Google’s warning to vulnerable users about state-sponsored attacks, and recent headlines around the ACAD/Medre.A virus, it is becoming clear that Governments and businesses must take urgent action to boost security and ensure that any vulnerabilities are addressed.
There are clear examples of how a cyber attack can lead to loss of information and financial repercussions for big businesses, but as this threat develops and becomes more sophisticated, the potential to compromise critical assets and cause real world damage grows exponentially. What’s more, as our world becomes progressively more connected – with the internet controlling most aspects of daily life from cars, to traffic systems to cash machines and other infrastructure – the problem becomes more complex, vulnerabilities increase and urgent steps must be taken to ensure that security procedures are aligned
William Beer, Director at PwC information and cyber security practices
Businesses should be operating under the presumption that an attack is likely and be ready to respond. By building resilience into their incident response and crisis management capabilities, businesses can make themselves much better prepared in the event of an attack and minimise the potential fallout.
Cyber security is not only a technical issue, but a core business imperative. Faced with attackers who move quickly and unpredictably, organisations also need to be able to act and respond quickly and flexibly. Being prepared for a cyber attack is not just about having a good IT policy but good governance across the business. When attacked, businesses need to be able to rely on well thought through plans and respond assertively.
Frank Coggrave, general manager for Guidance Software
In the old days companies could hide in the herd with other companies and hope that the sick or weak (in security terms) would be picked off. Now the attackers are getting wiser and richer by focusing on the fatter, healthier companies. The herd doesn’t work anymore, so you’re on your own and have to make sure your security and processes work perfectly – not just better than the worst.
Paul Davis, director of Europe at FireEye
Recent news surrounding state-sponsored malware attacks serves to reinforce the notion that we have entered a new era of cyber threats. As evidenced by Jonathan Evans’ latest speech and breaking news of financial losses at banks across Europe, cyber espionage is more prevalent than people realise – and it is time that governments and businesses take note. In most cases, the victim organisations perform damage control before the breach becomes public. That said, as attacks become more advanced and complex, it is very likely this type of activity will become more visible to the public – particularly as cybercriminals begin to target critical infrastructure and other systems that could have a greater impact on human lives. More worryingly, as these attacks become more high-profile, others could potentially learn from these techniques, making future attempts even more difficult to defend against.
Cyber attacks have become a new form of ‘cold conflict’, where nation states are able to affect each other through indirect means. This evolved threat landscape now means that any organisation, government or nation must urgently up the ante on pre-emptive security before it is too late. Over-reliance on traditional signature-based perimeter defences and heuristics means that too many are still lulled into a false sense of security – while woefully exposed to zero day, unknown attacks. Instead, more must be done to ensure continuous monitoring of all network activity so that attacks can be thwarted at an early enough stage to prevent any widespread damage.
Ash Patel, country manager for UK & Ireland, Stonesoft
I am glad to see the government has finally stood up and announced the real concerns around cyber-attacks. It is unfortunate that they have taken so long to speak up, however, I imagine it was more of a case of ensuring they had all the correct information before making any announcements. Given the complexity and rate at which cyber-attacks are growing, I’m grateful that there is at least one organisation that is making an effort to safeguard us, and all our personal and sensitive data, along with our Critical National Infrastructure.
Dr. Kevin Curran, senior member of the IEEE and reader in Computer Science at the University of Ulster
The prevalence of cyber espionage is starting to suddenly become visible. Indeed, 2012 may become the year of cyber espionage. To date, we could only speculate but recent US admissions to involvement in previous malware bring it to the fore. Now companies know that it is not a matter of if but when rogue nations come looking for their data or to wreak havoc in their systems. It is incredibly difficult to estimate which countries are heavily conducting research into cyber war as it is not as simple as perhaps counting the size of their armies or weaponry.
Cyber espionage by governments is using increasingly clever methods and tools to attack systems and governments. Issues of national and worldwide safety are at risk here. The reason this risk exists is that the Internet offers little or no regulation, potentially huge audiences, anonymity of communication and a fast flow of information
Adam Kujawa, Malware Intelligence Analyst at Malwarebytes and former government security contractor
Cyber weapons have been in use for war-fighting for quite a while. I am sure there is a countless number of hidden highly-specialist malware currently either stealing information or sitting hidden deep in crucial government systems ready to deploy their particular payload. Cyber-attacks of this type are deeply advanced, and whilst resolute technological defenses can be erected, these responses are often reactive to a new exploit or flaw which has been discovered.
Social media is also increasingly a bane for government security, because it allows foreign governments to gather information about all public facing assets which might be involved in particular projects, targeting individuals who have access to internal networks. This is not hard using Facebook, LinkedIn and Twitter. This information can then be used to target that particular individual in a number of ways, all ultimately intending to use social engineering to sneak information stealing software into a secure area. Once in, malware can stay hidden for days, weeks, months or even years, stealing information and obfuscating itself, feeding back a detailed information picture to the controller.