It is a matter of “when, not if” a major cyber-attack on the UK will happen, says Ciaran Martin, head of the NCSC. This statement raises the prospect of huge disruptions to the British government and critical infrastructure. According to Martin, Britain has been lucky to avoid a Category 1 attack in the last 15 months, i.e. one that would cripple infrastructure such as energy supplies and the financial sector.
An attack on the UK at the C1 level is expected in the next two years, and Martin said: “We will be fortunate to come to the end of the decade without having a category one attack.” Martin adds that total protection for the country is impossible and “some attacks will get through.”
The most serious cyber-attack to hit the UK so far has been the WannaCry cyber-attack that happened in May 2017; despite the damage done by the attack, WannaCry was classed as C2 not C1 because there was no risk to life.
Martin said one of 2017's biggest lessons was to fear attacks that were reckless as much as attacks that were controlled. WannaCry, which was blamed on North Korea, was an example of an attack in which the perpetrator lost control, according to Martin.
Ilia Kolochenko, CEO of web security company High-Tech Bridge, has commented: “Virtually any country in the world faces similar challenges today. Paradoxically, the more developed a country is, the more risks it has, because critical national infrastructure, hospitals, military objects and the integrity of the financial system become manageable from the Internet.
“Nonetheless, such a large-scale operation against a country will require a lot of resources - mostly qualified hackers. And it will be very difficult, or even impossible, to keep the information about the impending attack secret. Potential villains are perfectly aware of it, and will have to be certain in their success and further impunity to start the attack.
“Last, but not least, nobody in a sound mind will attempt to cause a nuclear incident, because it can trigger an uncontrollable series of consequences and cause the death of humanity. To summarise, we definitely need to prepare for cyber-war and a surge in nation-backed cyber-crime, but the chances of a global apocalypse are relatively low.”
Javvad Malik, security advocate at AlienVault, adds: “While it's definitely likely that hostile agents would seek to launch an attack on national infrastructure, it's worth bearing in mind that due to the ever-increasing connected nature of critical national infrastructure, incidents of similar impact can occur through negligence or error. An incorrect patch, poorly designed security controls, lack of assurance, lack of monitoring or environmental awareness are all factors that could contribute to a similar scenario. Just like how we saw in Hawaii, where a poorly designed interface led to a false missile alert being sent out that caused mass panic.”
Steve Malone, director of security product management at Mimecast, commented: “Despite the educational efforts of security companies and government so far, it's clear that organisations need more support and training fast. WannaCry was a wake-up but we're still not seeing these new threats taken seriously enough. The damage potential of a category one (C1) attack demonstrates how vital it is to get this right.
“There is a prime opportunity for critical national infrastructure organisations to lead the way forward with the forthcoming NIS Directive in 2018. This EU-wide legislation needs to be harnessed quickly to foster a new culture of security for citizens.
“The defence of democracy requires ongoing scrutiny. We should be concerned that many of the UK political parties appear to be trusting their email security to Microsoft Office 365, essentially a homogeneous security environment. Security best practice on-premises dictated multiple layers of protection, and this remains when moving email to cloud.
“Only by working together in homes, schools, businesses and the wider community can we begin to build cyber resilience into the fabric of society and the services upon which we rely.”
Kevin Bocek, Chief Cyber-Security Strategist at Venafi, commented: “Martin is absolutely right – it's only a matter of time until the UK suffers a crippling attack. Adversaries have already tried to manipulate elections and target critical infrastructure in Europe and the US. Escalation of hostilities – whether criminal or by nations – is one of the most basic rules of human history. Much of the reason the UK is so vulnerable is that many organisations – both in the public and private sectors – are simply bad at doing the basics right. With security teams being pulled from pillar to post by constant attacks, they don't have the time to take care of a number of key precautions. It's precisely these oversights which can let attackers in!
“For example the defences most organisations have in place are useless against a whole new set of attacks involving machines and their use of encryption. Last year around 40% of attacks came through encrypted traffic, a figure that would be unthinkable if organisations had a proper grip of what machines encrypting communications should be trusted or not.
“It's these failures to sort out cyber-security basics which make Martin's prediction of a C1 level attack within the next 2 years all the more likely to come true. What's more, given that many of these issues can be automated, fixing the problem doesn't even involve taking analysts away from tackling live threats. Martin's warning should be a reminder for all organisations, particularly those responsible for our critical infrastructure, to get a handle on these processes immediately – otherwise they are simply laying out the red carpet for those who want to do us harm.”