The UK has done a good job over the years in the fight against cyber-crime even as there remains more to do, said the former director of MI5 in a speech today.
Lord Jonathan Evans was speaking to an audience of information assurance and cyber-security professionals at EuroCACS 2015 in Copenhagen today. His 33-year career as an intelligence officer spanned the end of the Cold War and the beginning of the cyber-age. In 2007, he warned business leaders that the Chinese were engaged in cyber-espionage.
After retiring as director of MI5 in 2013, Lord Evans became a director of HSBC where he takes a special interest in cyber-security.
He told the audience that in the cyber-age, it was still necessary to secure the bank against armed attack. “As a bank director I'm aware that there are still physical bank robberies, but that's a really stupid way to get money out of a bank and the main daily threat we find is the cyber-threat,” he said.
Meanwhile, espionage has followed suit and moved online because it's cheaper, less risky and the amount of information that can be lifted is significantly greater.
While he is careful not to discount the threat of cyber-terrorism, he noted that for all the planning and worrying about it, “cyber-terrorism is a dog that hasn't barked yet”.
In an exclusive interview with SCMagazineUK.com prior to delivering his speech, Lord Evans said that the government has rightly recognised cyber-attacks as one of the greatest security threats facing the country today, on a par with terrorism. “The reason for that is that it is very widespread,” he said. “It's not a narrow and specific thing – it's a whole series of threats.”
On the whole, he thinks that commercial organisations and government are rising to the challenge, and he does not share the concerns expressed by the director of GCHQ about the state of the cyber-security industry.
GCHQ director Robert Hannigan said in a speech yesterday to the IA15 conference in London that standards in cyber-security are not high enough and that the global market for security is not developing as it needs to. “Demand is patchy and it is not yet generating supply. That much is clear,” he said.
Lord Evans said he isn't as worried as Hannigan about this issue. “I think that there is a push on the insurance side but I think that what's on Robert's mind is that it's patchy,” he said. “If you look at some of the regulated industries – the banking industry for example and finance industry in general – the regulators are taking an interest in this, so we have CBEST testing taking place under the auspices of the Bank of England and the PRA [Prudential Regulation Authority], so there is regulatory pressure there.”
He said it's likely that there will be a shift in the extent to which companies are held to account for security flaws in their software. “There are different views as to whether there should be higher levels of liability or whether we are better off not doing that,” he said. “The issues are complex because if you go for very high levels of liability then that incentivises companies not to be open about problems they've had. If you require people who produce software to be liable for any weaknesses in the coding you give them an incentive to get it better but on the other hand you may deter creative innovation and development.”
He believes there will be a shift, albeit small. “My own instinct is slightly more liability might be the direction we end up going,” he told SC.
However, when it comes to internet-connected machines such as cars and planes and critical national infrastructure such as power plants the issue of liability will be more critical, he said. “The internet of things does pose different sorts of risks because we are not talking just about information in its normal sense but much wider potential impacts.”
National infrastructure such as power plants was not designed with security in mind, so a great deal of work has been required to retrofit it. “If you started now, I think you'd find quite a bit more security would be built in,” he said.
Meanwhile, the motor industry discovered to its chagrin just how vulnerable its vehicles could be when two security researchers hacked a Jeep, taking control of the brakes, indicators and, when reversing, even the steering.
“I would be extraordinarily surprised if that wasn't the case with other motor manufacturers. I know a number of manufacturers are investing heavily in cyber-protections because they recognise that there are vulnerabilities,” he said. “They haven't made a big thing about it because you don't want to talk about it because it makes the vulnerability more likely to be exploited and also because it might not be very good for the share price.”
But he also said the industry has a problem with transparency. “Not all companies in the motor industry are forward-leaning when it comes to transparency, given recent experience with what Volkswagen were up to. I'm not saying there are equivalent things in cyber but I'm certain there is a big issue in the automotive industry which they are investing in at the moment and they are going to need to do more on.”
Meanwhile, as a member of the House of Lords, Lord Evans will be taking a particular interest in the Investigatory Powers Bill. It is currently in draft form which means that it is being examined by the Lords and the Commons in a joint committee which will send recommendations for changes to the government.
There is pressure on the government to get a bill through Parliament before the current powers expire at the end of 2016.
He said the government has listened to the concerns of the public regarding the security of encrypted messages. However, he said that the government would always seek to have access at some level to encrypted messages because of its obligation to protect citizens against serious crime and terrorism.
“So there are overlapping and competing demands here, and in my view the current proposals are a pretty good attempt to meet the main requirements of accountability and oversight to make sure that this is being done lawfully and proportionately,” he said.
He said that ideally crypto would only be applied to messages at the service provider level, meaning that intelligence agencies could, with authorisation, ask companies to supply customers' messages.
“The fact is that the models for communications are multiple and complex and what the legislation tries to do is enable and authorise dialogue and discussion between the government on the one hand and the companies on the other without mandating a particular answer to the problem.
“It's a recognition that it's not a problem that you can write a neat, black letter clause on in a bill and answer all the difficulties. This is to some extent seeking the legal authority for the government to engage with all sorts of providers in different jurisdictions to find where it can the appropriate balance.”