UK government champions cyber security
Cyber attacks are front of mind for the UK government and local companies, following comments from business secretary Vince Cable earlier this week. But concerns linger after the latest Waking Shark exercise.
Addressing members of the Cabinet Office, Department of Business, the Bank of England, OFCOM and National security and intelligence divisions at a briefing in London on Wednesday, Cable stressed that the country's banking, energy and mobility networks are increasingly under threat from cyber attacks.
“Cyber attacks are a serious and growing threat to British businesses, but it is particularly important that those industries providing essential services such as power, telecommunications and banking are adequately protected to avoid disruption to our everyday lives,” said Cable at the time, before urging partnerships between the government, regulators and industry.
“Today's event marks the next step in highlighting the important role of the regulators in overseeing the adoption of robust cyber security measures by the companies that supply these crucial services.”
This follows on from GCHQ introducing the ‘ten steps to cyber security’ and the Cyber streetwise initiative, as well as the Cyber Security Information Sharing Partnership (CSISP), which was formed in March of last year. Earlier this month, the Research Institute into Trustworthy Industrial Control Systems (RITICS), based at Imperial College in London, was also established to look at threats facing critical systems.
However, the government's work will not be easy, judging both by recent attacks against RBS/NatWest and critical infrastructure and by the latest Waking Shark 'war' game carried out by banks back in November.
The Bank of England this week reported on the Waking Shark II exercise, in which hackers test bank defences. 220 people attended from banks and regulators but concerns were raised by the BoE shortly afterwards.
It concluded that the banks didn't collaborate with each other (it has suggested that the British Bankers Association co-ordinate bank communication in future) or call the police when breached, and that they expressed confusion over regulatory reporting to the Financial Services Authority (FSA). One participant, who wished to remain anonymous, told SCMagazineUK.com that banks were reluctant to be the first to admit that their bank had been hacked.
As a result, information security market watchers believe that Cable's comments should be a stepping stone for future action.
“UK Financial Institutions have real active infection inside their networks now,” said Adrian Culley, technical consultant of Damballa and formerly of Scotland Yard's Computer Crime Unit.
“Caphaw is an example of one such very prevalent advanced attack, there are many others. Despite Waking Shark II there appears to be a disconnect between Mr Cable's very timely warning, and banks actually holding accessible, actionable intelligence.
“How are they planning to ever respond decisively without such intelligence? These bodies are part of UK Critical National Infrastructure, and both active attacks, and the threat of attack, are real. Banks need this information to detect active infections and prevent them becoming breaches. It is clear many of them do not have this.”
He added: "It is somewhat alarming that, 24 years after the UK's introduction of the Computer Misuse Act 1990, incidentally the first such piece of legislation in the world, industry professionals are unaware what does or does not constitute a criminal offence. It is equally a missed opportunity that the Waking Shark II exercise included no Law Enforcement input."
Others added that Cable's speech, meanwhile, represented a “tipping” point for cyber security and showed that critical infrastructure is a new avenue for attack, especially as more of these connect to the Internet.
“The results of the Waking Shark II exercise, coupled with Vince Cable's speech, make it clear that we have reached a tipping point in cyber security,” ViaSat UK CEO Chris McIntosh told SCMagazineUK.com.
“While previously relatively safe from cyber attacks, the modernisation of the country's essential infrastructure networks means they are now closely connected to the internet and so more vulnerable than ever. While at one level any threat could involve targeting individual sections of the networking, denying certain services at specific areas, at the extreme level attacks could potentially overload systems or override safety mechanisms, causing catastrophic damage to the surrounding area and the infrastructure as a whole.
“Cyber attacks have developed to such a sophisticated level that they should now be viewed on a par with a physical attack on infrastructure,” he added. “In future organisations such as banks, gas distribution, rail signalling and mobile companies will need to ensure their networks are secure from attack at each individual point in order to meet these challenges; and decide whether increased connectivity for ease of access and communication is worth the risk to the wider network.”
Such are the concerns around cyber security that there's even the suggestion that the Waking Shark experiment should expand into other lines of business.
“It's now time exercises such as Waking-Shark are expanded beyond the financial sector and are replicated across all industries and critical infrastructure,” Mark James, technical director for ESET UK, told SCMagazineUK.com.
“As threats constantly evolve, what's most important is to continually assess where their strengths and failures lie during unanticipated attacks, how effective their contingency plans are, the resilience of communication channels and adherence to protocol.”