With so much of the national infrastructure, from utilities to the internet itself, a potential target of attack, the Government is forging partnerships with the private sector to help protect the services we all rely on. But, in the wake of Edward Snowden, defence is no longer just a question of what can be done, but also of what is acceptable. Asavin Wattanajantra reports.
Recently, a report was released by KPMG accusing FTSE 350 companies of failing to keep their networks safe. It suggested that the safety of Britain's economy and national security could be under threat due to flaws in web security.
According to GCHQ, there are around 70 sophisticated cyber operations directed against British governmental and industry networks every month. There is a strong chance these are state-sponsored (it is impossible to be certain), but the potential consequences of the activity are now so severe that cyber security has become a boardroom discussion, both in the UK and abroad.
“The reality of protecting our infrastructure is that these systems and services are relied upon by every member of society on a minute-by-minute basis. Life without power, water and other necessities of life would be a very dark and miserable place,” says Ross Parsell, director of cyber security at Thales UK. “All these systems and services rely on control systems and information, with a large number of these being prone to vulnerabilities that could be exploited by hackers.”
Jarno Limnell, director of cyber security at Stonesoft, believes the chief targets for cyber attacks are shifting away from the military to financial markets and critical infrastructure systems, often operated privately.
“The interplay and need for governments to work with private sector organisations to mitigate these threats is obvious,” explains Limnell. “National structures in the form of security (national, economic and environmental) and activity (commerce, energy supply and transport) are starting to inherently depend on the internet, which is operated in the hands of private enterprises.”
In the UK, the Government is working with private defence and telecom companies to tackle cyber threats. Many experts believe that the expertise and market insight of enterprises, combined with governmental resources and responsibility to protect citizens, means this area has the potential to become a booming sector.
Phil Lieberman, CEO and founder of Lieberman Software, says the public and private collaboration on the protection of critical national infrastructure is a commendable development. “It is a genuine example of the Government taking proactive action to help its citizens and private organisations protect themselves via the shared information provided by both government and private enterprise,” he explains. “The reality of the situation is that everyone participating in these arrangements understands what is at stake and takes the laws surrounding security and privacy very seriously.”
The challenge, according to Dwayne Melancon, chief technology officer at security software firm Tripwire, is to know when a government is overstepping the bounds of what a reasonable person would consider appropriate, and whether the public disclosure of these methods would render them useless.
“One would think that the incident with Edward Snowden would increase people's awareness and willingness to get involved in better understanding some of these issues, but it's quite likely that few people will really change their behaviour based on this,” he says. “These days, it seems people are more willing to change the colour of their icons on Twitter than they are to actually become incensed enough to try to change the practices and policies they disagree with.”
Regarding the US's Prism programme, initial reports suggested the National Security Agency (NSA) was collecting information through software installed on company computers, but this was denied. It was then reported that locked mailboxes were created – networks from where the agency could collect requested files that had been copied over. This was also denied. However, it was confirmed that Microsoft and Google, among others, complied with legal requests from US intelligence services, allowing information to be collected while circumventing encryption.
Security experts generally agree that companies should comply with the law, despite any moral objections they might have if requested by their government to hand over data.
“Tech firms should operate within the laws of the countries in which they operate,” says security consultant Brian Honan. “However, they also have a responsibility to ensure the security and privacy of the data entrusted to them by their customers, be they foreign or domestic.
“While everyone wants to ensure governments can detect and prevent those with criminal or terrorist motivations, tech companies need to recognise they have a moral and ethical obligation to protect their customers, while at the same time complying with the law.”
Alongside all this there exists another issue: if governments can get access to sensitive information, then surely criminals can too. Information security consultant Nik Barron says that while the intercept technology used for schemes such as Prism is apparently lawful, any direct links into companies to collect intelligence need to be exceptionally well protected to prevent abuse. However, he adds: “In general terms, the sort of technology used by NSA/GCHQ is not applicable to the average or even well-funded crook. You can pretty much guarantee that if you are forced to put a government backdoor into your product, someone else is going to find and exploit it, but so far no evidence has been presented to show that the NSA has made anyone backdoor their products.”
There is always a risk, though, that sophisticated technology created by governments to do harm to their enemies could fall into the hands of criminals, Honan says. “Stuxnet is a classic example, developed by one nation state to damage Iran's nuclear programme,” he explains. “However, copies of Stuxnet leaked out onto the internet and infected innocent victims. The components and code of Stuxnet have now been analysed and are available online for anyone to download and use.”
The apparent extent of surveillance exposed by the Snowden affair has led some to draw parallels with the Cold War, when espionage between the West and the East was rampant. For his part, Limnell believes most nation states are continually preparing for cyber war, suspicious of each other's intentions and testing opposing capabilities.
With tension and mud-slinging between countries such as Russia, China and the US, the evidence is that cyber espionage, cyber attacks and hacker recruitment are now a recognised part of strategic influence and combat. Limnell explains: “State actors are openly showing their ‘weapons’ and can do whatever they please with little fear of open retaliation because there are no accepted rules or limitations.
“Due to the potential for anonymity and diversion inherent in networked structures and the ability to disguise the origin of digital espionage and surveillance, all states will have to assume their ‘enemies’ know more than they do about their systems and weaponry.”
According to the Verizon Data Breach Investigations Report, state-sponsored attacks motivated by espionage represented a significant proportion of data breaches last year, second only to financially motivated crime. The attacks were highly sophisticated, using stolen credentials and network backdoors to gain access to intellectual property.
The report found that 96 per cent of all espionage cases investigated were linked to China, with the attacks targeted primarily at the manufacturing, professional services and transportation industries of the affected countries.
“While this may indicate that, as many already fear, China is the most active source of national and industrial espionage in the world today, it could simply mean that other threat groups perform their activities with greater stealth and subterfuge,” says Ernie Hayden, managing principal for energy security at Verizon.
Striking a balance
So what's next? There's a need for research in the cyber security domain, with important questions that need to be answered. For instance, how can we effectively protect against threats, without interfering with people's privacy and lives? Also, how can we share the success of protecting one infrastructure with another organisation, without knowledge getting into the wrong hands?
“I think we'll see more debates, and Snowden claims to have more information that will be released in the future,” says Melancon. “Now, I think we just need to wait and see what else comes out and whether the reaction amounts to anything more than saber rattling. After all, governments take a lot of liberties in the name of national security. The tone and tenor of both conversation and the actions taken need to change dramatically for us to move away from our current posture. I don't know that we will.”
There are some signs that things may be changing, he says. For example, in the US, Oregon senator Ron Wyden has introduced new legislation to increase the transparency around surveillance, and is pushing for requirements that citizens ‘opt in’ much more deliberately before their information could be shared.
“At the pace of government, it could take a while for a lot of these kinds of changes to be implemented – but we may yet see some changes that favour the average citizen's privacy,” Melancon says.