Following the recent Government security review, which acknowledged cyber security to be among the top four threats to the UK, Damian Saunders, director of the data centre and cloud group at Citrix, looks at the implications and genuine threat of 'cyber terrorism' faced by the UK.
This month the Government announced that cyber terrorists are one of the most serious threats to UK security, second only to physical terror attacks, and it is taking the risk incredibly seriously with an additional £500 million ear-marked for increased cyber security.
This was announced as part of the strategic defence review (SDR), which noted that the West's long-standing technological advantages over the rest of the world are likely to disappear in the coming years, adding that 'further game-changing technologies, such as artificial intelligence... will become mainstream in the next 20 years'. Cyber attacks on the 2012 Olympics have been identified as a significant threat after Beijing suffered 12 million attacks a day during the 2008 games.
Nonetheless, compared with the physical threat of a terror attack on our transport network or office buildings, the threat of cyber terrorism can seem obscure. Business and individuals are being urged to ensure they are protected, but are unsure on why or how to take action. Hackers simply do not seem as scary, or as serious, as the risks of bombs or violence.
There are three main areas where cyber terrorism needs to be prevented from the Government's perspective: attacks on the military, the economy and on our personal freedom.
Preventing military threats
The 2008 conflict in Georgia showed how a modern pre-emptive strike is more likely to be digital than physical; an online assault aimed at the web-facing assets of key government and commercial entities.
These assaults are aimed at disabling key political and economic infrastructure, to prevent society functioning in a normal way and to hamper a government from communicating with its nation or the outside world.
Consequently, the Government is investing in a ‘cyber wall' as part of its overall defence infrastructure now that both industrial and military systems will become targets in times of both peace and war.
Protecting personal freedom
An equally significant threat is that of an attack on our personal freedom. Traditionally terrorists have used bombing and kidnapping to strike fear into a nation by making people scared to behave as they normally do, for fear of attack. Today the internet has become one of our last realms of true personal freedom, where we are free to create an identity, arrange our social lives, plan our finances and speak our minds without fear of suppression.
In recent years we have witnessed the arrival of industrialised cyber crime, where attacks on our online lifestyles have shifted from individual ‘hackers' determined to extract your identity or credit card details, to the type of automated, global attack that can only be orchestrated with organisation and funding.
This forces us to change our behaviour and forces the information or service provider to invest in expensive, resilient infrastructure. The impact can be seen in Wikipedia's campaign for donations and the online press having to charge for access to their news service.
Defending the economy
The recent Stuxnet worm was the first example of what some experts are calling ‘cyber weaponry'. It was specifically designed to destabilise Iranian nuclear plants, as 60 per cent of all infections were found in Iran's industrial-scale control systems.
Historically, companies defend themselves by deploying a firewall and an anti-virus system. Even though these protections are still vital, they are no longer sufficient to guarantee preservation of ‘critical' assets from new malware attacks, not least because anti-virus protection is only effective against known viruses. If Stuxnet can target a specific system in Iran, it is feasible that any network or operation could be identified and targeted, including commercial sites, such as banks, shops and manufacturing plants.
This means that security must now extend from the network perimeter into data centre connectivity, identity management and methods that control the physical location of data (e.g. mobile assets).
Organisations now face the dilemma of enforcing the right security policy whilst not limiting the nascent potential of the mobile internet or cloud computing, which offer better productivity and improved economics for IT.
Prevention is better than cure
The Government is right to give cyber terrorism a high level of attention, but with the right approach to online identity management and data centre security, national security, personal freedom and commercial enterprise need not become casualties.
They have stated their aim to ensure the nation's critical assets are secure. Likewise, as individuals we need to ensure our personal information is shared only with trusted sources that demonstrate the right credentials (site encryption, PCI DSS compliance). As businesses we need to embrace new technology such as cloud computing, but ensure that security and control are not compromised.