Protection for Hire: The Cyber Security Industry and You (Part Two)
Amid the big money, broad ideas, and competing platforms, there is as much as, if not more of, an emphasis on the fundamentals. Colonel (Ret) John Doody is a strategic cyber security advisor, former GCHQ man, and now director of consultancy firm Interlocutor Services Ltd, a company that specialises in information assurance. Having the longest spanning vantage point of the cyber timeline amongst the specialists we spoke to, he was best placed to put the domain in its proper context.
"Cyber security is the latest name for something we’ve been doing for quite some time, and that’s information assurance (IA). IA is 80% of ‘cyber’ and that’s defensive aspects. Then there are offensive aspects of cyber, which you can put down to penetration testing, IT health checks, monitoring networks, et cetera. And that’s responding, really, to the new threat. Terrorists. Money laundering. Criminality. Intellectual property theft. It’s a very complex environment."
Doody was quick to point out that the cyber threat has of course had a UK government response in the establishment of the Cabinet Office’s new cyber unit, which reports directly to Francis Maude, David Cameron’s appointed Cyber Minister.
The Minister for Cyber Security, Francis Maude [image: appg-aids.org.uk]
The office has been charged with developing a national cyber security programme, but its eagerly anticipated plan of action due in mid-September has been delayed for at least a month, owing to the need for last minute discussion and rewrites. Still, Doody believes that the eventual arrival of this paper will only cover part of the problem.
"The people that are vulnerable in the cyberspace are government, defence, industry, and the citizen. The first three can be covered by national policy, but the citizen cannot be governed by anything, and that’s the weak link."
"You as a citizen are – I hope – doing everything online; your banking, you road fund license, your medical needs, VAT returns, corporate tax returns. Anything you want you can do online, through the government portal. That has to be secure. If the citizen is irresponsible in the way they manage their little network or computer, there is a danger of a transition of threats to a government system. We hope that doesn’t happen."
Defence IQ picks up on the fact that in last year’s Strategic Defence and Security Review, the UK government allocated £650 million to take the cyber strategy and initiative forward. This is pocket change when compared with the United States’ allocation of $30 billion for cyber this year, and for the next five years to come. Are we just spitting into the wind?
"I don’t think so. We’re slightly more cautious and careful in the UK in the way we approach the security issues. We take a carefully considered view based on gathered information."
"For example, what have cyber attacks cost the UK? It was credited as £27 billion. I think that’s the tip of the iceberg. It’s a ‘best guesstimate’. I would put it twice, possibly three times as much as that, but you can’t quantify it."
"Beyond that, it’s the confidence that other nations have in the UK as a safe place to do business in. That’s the wealth creation aspect."
It comes as no surprise that Doody agrees with the other leading players in the industry that the biggest threat we face is not the disruption of military networks, but the theft of intellectual property, which in turn can change the balance of armies.
"It’s a very valuable asset. How do you think the Chinese launched a stealth bomber earlier this year? You read every day of networks being attacked. It’s a regular thing in the papers. So that is the reality of life today. People want to steal information for their well being, for financial gain, and you could liken it to a step towards true cyber warfare."
Tom Burton from BAE also recognised the rapidly evolving nature of the threat, but felt that the public’s awareness of the issues were also evolving alongside it, with thanks in large part to the intense media interest in what it sees as a mysterious weapon pointing at our front door.
"I think it’s fair to say that things have moved on an awful lot since Estonia suffered its major DDoS attack over ten years ago. But actually the movement in the frequency of attack, or perhaps more importantly in the recognition that this is a clear and present threat, means that perception has increased significantly over the last six to nine months.
"You can see that in the stories that hit the news. RSA – a top information security firm being hit by a very advanced, sophisticated, targeted attack. The fallout of that is other firms have potentially been exploited as a result. Also the ones that have hit the news around Sony’s Playstation Network.
Burton is adamant that the profile given to these attacks in the news, though some will scoff at as sensationalist, has actually raised the issue much higher on corporate board agendas. In the past few years, many more companies than ever have been vocal about taking the situation far more seriously, and seem to recognise that it is a direct threat to their commercial competitiveness, which could therefore be a direct threat to their position in the market as a whole.
"There’s still further progress that needs to be made. So while the recognition is there, the challenge is being able to build it into their enterprise level risk management processes, so that it’s treated like all of the other significant commercial risks that they have to deal with on a quarter-by-quarter or month-by-month basis.
"It’s still quite an ethereal, intangible thing. It is very different from physical security, in which you can recognise where you need to put guards on gates to make sure the wrong people don’t get through, where you would use wire on fences and CCTV. Cyberspace is harder to visualise. But it needs to be thought of not as a new domain, but simply as another route by which bad people can do bad things to companies. Instead of walking through the front door to steal secrets, James Bond style, it’s achieving the same effect in cyberspace, giving them the advantage of being more covert, and being at arms length. Yet it is still essentially the same threat by another means."
A threat to the cyberspace is not, of course, just a threat to military and government, it is a threat to nation states, particularly in developing states where economies are underpinned by intellectual property. Fortunately, given that the UK government is vocal about its vital part to play in both developing and protecting our nation on these grounds, the commercial sector in other parts of the world has since latched on, and is now too awakening to the idea that they are side-by-side with governments in the efforts to strengthen the gates.
Burton offers an analogy: "The government is responsible for putting police on our streets, there to prevent crime – but everyone recognises, particularly industry, that police alone don’t solve the problem. Industry has to put their own defences around their perimeters. The same applies to cyberspace. My hope is that industry can understand what steps they can take to play their part in that battle."
Patching Old Wine Skins
Despite it being something we all often do – or should – whenever we start up our personal computers, the idea of periodically updating our systems to prevent security holes from being exploited is our only way of dealing with a desperate situation. We are, in essence, in the middle of an ocean on a perpetually leaking boat, and if we spend too long a time between looking for those leaks… well… no more boat.
So in the defence industry, where boats are multi-billion pound naval carriers and missile defence systems, can we simply carry on patching the leaks in the same vein? Unsurprisingly, none of the specialists we spoke to thought so.
"You can’t retrofit security, says Chris Smith from Green Hills. "Security has to be in the system at the point of design. That’s why there are still problems in so many of the desktop operating systems out there today. What happens is that someone discovers a vulnerability and the company plugs it with an update. The next day, someone discovers another. It’s just the way it’s architected.
"The other aspect of this is that when you look at corporate networks, they’re often flat structures, maybe with some segregation, but not like military systems already ought to be. Nowadays, so many companies are hacked for their intellectual property or whatever the bad guys can get off their systems and it gets taken away and ransomed, and everything else. The reality is that it actually doesn’t cost much to buy a vulnerability on the black market and cause huge damage."
Doody provides further support to the argument. "When you build a network, you build security in on day one; you don’t add it on downstream. You make security be a business enabler. Your people are aware of the threats. Your systems manager should patch regularly, virus checkers, security checkers, do penetration testing frequently. That is what I call ‘good husbandry’.
"In the more sensitive networks, there’s a much harder response which I’m not at liberty to talk about, but generally the measured response, good governance, good policy, and professionalism of the people managing and implementing these networks is absolutely essential to make the nation safe.
"I think as mature nations, we assess the threat and take a measured response. It’s not going to cost billions of pounds to protect our networks from any perceived threat – DDoS, hacking, ID theft, et cetera. The measured response starts from those few basic things."
The Big Question
In this era of the cyber threat, the defence industry at least shares a mutual understanding: that while there is an opportunity for business, there is also a fundamental need for it – a need that all commercial sectors must now prioritise.
Within this labyrinth of new policy, legislation, business, and danger, can we at least crystallize the pressing concerns into one immediate question?
"I’ve been slightly outspoken about this over the last six months," says Ed Wolton from Thales UK, almost anxious about his admission, "but as an industry – a defence industry or high-technology industry, or whatever we call ourselves – we are not good at understanding risk.
"We’ve looked to the financial services for lessons on risk, but in the last three years of the banking crisis and much else besides, it demonstrates to me and many others that even the banking sector doesn’t fully appreciate the meaning of the word risk. 80% of cyber security is good information assurance. A lot of information assurance is about managing information risk. I don’t describe myself as an absolute hard-and-fast expert in this area – I’ve been doing it for fourteen years – but we the industry don’t fully appreciate risk. And if we don’t, our customers don’t. We are not good enough at articulating this.
"So I think there’s more work to be done from an academic standpoint, and from a practical and pragmatic standpoint. The question I would ask the industry is what do we need to do to mature our own thinking in order to be ready for what’s just over the horizon?"
Burton’s emphasis, however, was less on risk, and more on responsibility. "The short question," he says, "would be, in this emerging world of cyber, what part do you feel industry must play?"
"The context around that question, in particular from a military context, is what part can industry play – with our unique expertise – to help and defend military operations, defend the nation states within which they exist, and deliver a secure and successful democracy as a result?
Clearly living by his own ethos of a measured response, Doody ponders the same question for several moments.
"It’s a dynamic environment with new challenges every day…the questions I always ask are: have you got the right controls in place? Are people aware of the threat? Are they aware they must use strong passwords? That they mustn’t mix classified and unclassified information on the network? If your portable device is stolen, is it still protected?
"We’re good as professionals at looking after government, defence and industry – we’ve been doing it for a long time. The people I worry about are civilians. How are they made aware of the risks?
"Why can’t we have a marketing campaign for computer vulnerability awareness? I’ve been citing the seatbelt programme: ‘clunk, click, every trip’. The power of that national advert has stood its test of time; people automatically belt up. We need a marketing campaign that does the same for IT security. A big national awareness campaign, starting in the schools and presented in a non-frightening way, something routine."
It’s a sound idea. So sound that one does already exist, and has done since 2005, in the form of ‘Get Safe Online’. Backed by governmental departments and sponsored by various organisations, it promotes practical advise to the average user about basic protection techniques. Yet, with millions of pounds behind it, its overall impact and visibility-for-value is in debate. Several other practitioners in the field we spoke to had not heard of it.
Can We Win?
There is no doubt that the industry responsible for the provision of cyber solutions is under great pressure to stay on top of what will continue to be an elusive danger. For obvious reasons, many specialists have expressed cynicism in this ongoing pursuit, but in recent months, there is a sense amongst both commercial operators and military officers that the tide may be changing.
"I think it’s early days," Burton confesses, "and all of us, to a certain extent, are finding our way in working out what the possibilities may be, what operating models may be in place. I think it’s premature to say either enough is being done or not enough is being done. But I also think it’s important that collectively we have these conversations to discuss what is best for UK PLC, what is best for the nation, and what is best for the armed forces."
"It’s not going to happen overnight," stresses Doody, "and the cyber security strategy is a part of that. Some years ago, the government launched the UK Strategy for Information Assurance. That laid down some very strong principles for what people should do when managing their networks. But at the end of the day, security is not the privilege of one, it’s the necessity for everybody."