Ahead of last month's Neustar International DDoS Awareness Day, SC Media UK spoke with event panellist, Robert Hannigan CMG. Hannigan is a senior British civil servant who previously served as the director of the signals intelligence and cryptography agency the Government Communications Headquarters (GCHQ) from 2014 until he resigned earlier this year.
SC: You previously called for greater government and industry cooperation in tackling cyber-attacks – how can the public sector tap private sector innovation given that the private sector developments are profit oriented and the public sector is notoriously short of cash?
RH: “At the moment the government is putting quite a lot of money into cyber, but the driver for all of this is in the pockets of the private sector. The problem is affecting the private sector, the solutions are in the private sector, and the investment money is in the private sector. The days of looking to the government to fund this are over.
“What the government can do is bring people together. It can do some really useful things such as those we've now started with the National Cyber Security Centre (NCSC), with active cyber-defence. That's really about getting the infrastructure of the internet better and stopping some of the things that just don't need to happen from happening, being trialled within government [such as DMARC]. There's no reason why that shouldn't be rolled out nationally as it is working in government. So it's about industry doing that with government; it won't be about government doing it to the country.
“On the cyber industry, government can do things to encourage innovation and to encourage start-ups and get the pipeline better, but ultimately it is the market that will drive this and it is driving it.”
SC: You were instrumental in the creation of the NCSC – and it has been welcomed as a public facing organisation for business to work with. One year on, is it achieving what you envisaged, both in how it liaises with GCHQ and with business to protect industry? What more should it now do?
RH: “I think it is. It's not so much liaising with GCHQ, it's a part of GCHQ. A big debate within government was about the need to put all this operational cyber-security in one place – should it be a free-standing agency, and what kind of relationship it should have with GCHQ? And the decision really was made on a number of bases – the skills which are hard to come by, and the relationships were already there with CESG as it was then, so why not just put the whole thing under GCHQ, as an operational arm of GCHQ? I think that was the right decision. It was a bold experiment and it seems to me to be working.
“The big challenge, I guess, is, is it growing fast enough? We set it up because we could see this gradual rise of cyber-incidents and it's risen even faster than we expected if you look at the results of the first year. So, the big challenge is to grow fast enough, to get the skills in, to get the industry skills in [which they are doing]. The innovation around active cyber-defence is probably the biggest long-term thing – DMARC and all the rest – it's the biggest game changer long term.
“That was a big change with the NCSC. We'd spent years feeling that the model for government was just to advise people, consulting. Whereas with the NCSC we would try and do this [active defence] on a national scale – as you would in any other area of safety. Too much responsibility for cyber-security was being left to the individual – and I think it still is. In 10 or 20 years' time we'll look back and think how ridiculous to expect individuals to do all the right things all the time, implementing all these security and safety measures. You wouldn't do that in any other area of life. You wouldn't do that with fire safety or aircraft safety, which would be regulated or insurance-driven.
“Because the internet is still relatively young, we're still finding our way on this. But government and big industry has to do more of this and take the strain off.”
SC: Was there any concern that setting up the NCSC could make it appear that GCHQ was the Premier League, with the NCSC as a lower division?
RH: “I don't think so. [Some] people in the NCSC are absolutely Premier League and there's no one better in the country, possibly in the world. It wasn't outsourced – we took a large chunk of GCHQ and called it the NCSC, so the people with the highest skills are there. So I don't worry about that at all. Cyber is attracting increasingly good people.”
SC: Talking about the people and the critical cyber skills gap, you are reported to have put a “focus on technology and skills” at GCHQ and called for less reliance on the “well-meaning generalist in boards”, but you initially came from a Classics background, so is it more about the MBAs learning tech, or the technology specialists learning the language of the boardroom?
RH: “It's a bit of both actually. One thing I did at GCHQ was to bring far more deep technologists into the leadership of the organisation. In that sense, to make it more like a tech company and less like a civil service organisation.
“You need both. Clearly you don't want only technologists and engineers, but equally you do need people who understand the questions to ask. Every other organisation or company that's going digital is facing this issue. There is a skills gap and you can plug it in one of many different ways. Part of it is bringing technologists up pretty quickly into leadership positions. That means taking some risks and doing some non-traditional things.”
SC: Talking specifically about DDoS Awareness Day and the issues to be discussed, a report from the Institute of Critical Infrastructure Technology says, “The Mirai malware offers malicious cyber-actors an asymmetric quantum leap in capability; not because of sophistication or any innovative DDoS code, rather it offers a powerful development platform that can be optimised and customised according to the desired outcome of a layered attack by an unsophisticated adversary.” Is it not inevitable that DDoS attack volumes will continue to increase – and what can we do about it?
RH: “That is a big trend of the last ten years, and particularly the last five years, with a lot of commodity hacking going on. You don't need to be particularly good at this – you can buy in a service, you can buy in sophisticated tools, and that has massively expanded the possibilities for people who want to do damaging things, with DDoS the most obvious example.
“There are a lot of sophisticated tools out there, some of them stolen from [state actors] and the criminals will get better at using them for crime, so it is going to get worse for a while.
“What can be done about it? Some [solutions] are around the infrastructure of the internet, including security in hardware and software, and governments will have to implement some basic security standards for devices that are going to be connected. Probably more important, they need to reduce the cost. The companies and networks to which they are being connected will have to adhere to these standards and ensure that applies to devices connected to their networks. So I think there will be a market- and government-driven regulatory approach.
“[The market is] also looking at what they can do to protect themselves and there are some good technical solutions out there.
“A real worry is that DDoS is increasingly used as a smokescreen for other activities. It's an old technique, it's quite crude, people are used to it, so there is a danger of it being used as a cover in a hybrid attack where you disable and distract an organisation with DDoS, and then you do something much more intrusive and dangerous. We've seen some of that and it's a trend to watch.”
SC: As well as volume, there's the size of attacks. Higher bandwidth speeds will escalate DDoS attacks; we saw a 600Gbit/sec attack on journalist Brian Krebs, and perhaps even a couple of 1000Gbit/sec ones. How can we (businesses) dilute such attacks?
RH: “I guess the issue is, how do you scale up your defences? You can't buy infinite amounts of sinkhole capacity. You need more sophisticated approaches. There are quite a few companies out there like Neustar, dealing with DDoS attacks, with a range of technical solutions, which we'll be discussing at the Awareness Day.”
SC: Will you also discuss defending against threats from state actors such as Russia, China and North Korea and if so, what's the likely advice? And is there a difference in how we defend against state actors?
RH: “With some important exceptions, even the most sophisticated state actors – and North Korea is not the most sophisticated but it's beginning to get there; Russia is sophisticated – tend to launch their attacks through the same delivery mechanisms, so there are some common things that need to be done to protect against those. They usually gain entry through social engineering or human weakness or failure to patch – all the usual things – whether crime or state, those vectors of attack tend to be the same. At the most sophisticated end – Petya/NotPetya was a nice example – it's pretty difficult, unless you have some state protection – and for the top five to ten percent of state attacks experienced by nation states in the West, it's unreasonable to expect an individual or even a company to be able to defend against those most sophisticated attacks.
“The trend that worries me is that overlap between criminals and the state, and states are using criminal groups as a sophisticated way of outsourcing. There's the full spectrum. Some of it is just classic corruption, you've got law enforcement taking a cut of what criminals do, right through to the worst end where you've got nation states tasking criminal groups to do stuff for them.
“In Russia it's the full spectrum, and in some cases it does include criminals tasked by government agencies, working in the same room, and it's hard to see what is government and what is crime. Through to a commercial model of classic corruption. It gives them a huge resource of skills and tools that might not have been brought into the state, though Russia has plenty of state skills.
“North Korea is an ideal model because you can't do much against North Korea: it's not networked, not fully connected to the internet [for the average person within the country] like most countries. So you can use that great tool of cyber-crime out there beyond your borders at no risk, recently attacking bitcoin exchanges too, so I think money is going to be a big driver for them. Not just the SWIFT attack and Bangladesh Bank, it's a whole slew of banks – from Vietnam right through to Poland.”
SC: Attribution is particularly important now that the US has approved the idea of hacking back.
RH: “Attribution is difficult, but it depends what you mean by attribution. Sometimes it's about deploying the proof that you've got.
[Addition 6 Nov, subsequent correspondence: “I actually think the UK Govt is less willing to attribute than US, Germany etc. They don't officially say WannaCry was North Korea, for example. Having said that, I see Ben Wallace did this on Today, so maybe the policy is changing!”]
“Regarding private sector hacking back, I am not convinced that allowing people other than the state to hack back is a very good idea. It can just raise the chaos level. There may be a case for the state to hit back sometimes. It's very often the case that retaliation is not necessarily going to be cyber, just because it's a cyber-attack. The response may not be cyber, and North Korea is a good example of that. The options of hitting back in cyber are pretty limited, and the Sony Pictures attack saw sanctions, so it won't always be that, just because there's been a cyber-attack, you have to hit back. You probably don't want to play by the same rules as those countries.
“If the Russians turn off domestic power in Ukraine, you don't want to hit back by turning off domestic power in Russia. The West plays by different rules.
“There are options for using cyber-offensive techniques to go after crime groups that are beyond the reach of law enforcement. And there have been some experiments with that. That may mean cutting them off from the proceeds of crime or destroying their infrastructure.
“Maybe in the future there will be more of that. But we don't want it to be a ‘Wild West’ free-for-all.
“Discussion at DDoS Awareness Day will include looking at state attacks during the year – WannaCry, Petya/NotPetya – and the fact that a lot of companies were caught unaware because they thought they weren't targets. Most of the problems were what you might call collateral damage, which is a new phenomenon. So in the case of WannaCry, I don't think anyone thinks North Korea set out to have a go at the NHS; it was just a ransomware attack that got out of control. But they don't really care that there is accidental, or collateral, damage. The same with Petya/NotPetya – it was particularly aimed at Ukraine. The fact that it disabled large parts of European manufacturing, Reckitt Benckiser etc, in quite a serious way almost certainly wasn't their intention, and it doesn't look like they wanted any money out.
“[Future concerns will be similar to being collateral damage in ransomware.] The same is true of DDoS – some of it will be targeted and some will be accidental collateral. State crime will be a big issue for the future. [We will look at] key steps that businesses need to take to protect from DDoS. DDoS as a cover for other stuff. It's good to have a DDoS day.”
SC: With ISIL having lost most of its physical territory, can we expect to see them increasingly online, maybe wanting to use the worm from WannaCry to create the kind of collateral damage we saw, but deliberately and untargeted, to create chaos?
RH: “That's right, but I think we are a few years away from that at the moment. Just because the most [technically] sophisticated ISIL people are not yet at a level to do this. They aspire to do chaotic and damaging attacks online. They have done defacement and DDoS attacks, but I don't think they are anywhere near having the capability to match their intent. That will happen over time – there's no question that in five to ten years terrorists will get into this commodity hacking area and realise that they can do a lot of damage. They're still fixated on physical damage and physical attacks. Some aspire to do these kinds of attacks but they haven't got the capability yet, but that will come. As with North Korea, they don't care about collateral damage and welcome it really. I don't think they're there yet.”
Neustar's International DDoS Awareness Day included discussion on data from its newly published Global DDoS Attacks & Cyber Security Insights Report.
Speakers at the event also included:
· Rodney Joffe, Senior Vice President and Fellow, Neustar
· Robert Hannigan, former Director of GCHQ, and currently Chairman of the European Advisory Board of BlueteamGlobal.
· David Young, Senior Manager IT Security, Bank of England
· Ron Feler, former Deputy Commander of Israel's Unit 8200, and currently Head of Threat Intelligence and Operations, Israel, for BlueteamGlobal
· Chris Matthews, Head of Operations, Global Development Group at Experian Data Quality UK
· Barrett Lyon, Head of Research and Development, Neustar
· James Willett, Vice President of Security Product Management, Neustar
· Joe Loveless, Director of Product Marketing for DDoS, Neustar
· Chris Roosenraad, Director of Product Management for DNS, Neustar