One thing that RSA week always brings is dozens of new surveys and research reports. I looked at three for Infosecurity Magazine on Friday:
- 2013 Security Report (Check Point)
- Targeted attacks and how to defend against them (Trend Micro/Quocirca)
- Managing information security: Public sector survey report (Clearswift/SPS)
They are all looking at different issues, but there is a common finding in all of them – a disconnect between recognising a threat and taking the right or adequate action to mitigate that threat. More specifically, they all say that the public sector is the worst offender.
From Check Point we learn that government is the leading offender in the use of high-risk applications (remote admin, file storage and sharing, P2P file sharing, and anonymizers). In particular, government is more likely than any other sector to suffer an incident that could lead to data loss at least once every week; and government is the leading offender in sending credit card information to external resources.
From Clearswift we learn that “Despite 93% of [UK public sector] organisations sharing sensitive information with external partners, 30% don’t view information security as a high priority when selecting a partner.”
Trend Micro, commenting on its own report, says, “Public sector respondents were guilty of a worrying level of complacency, with over a third claiming targeted attacks are not a concern, despite 74 per cent of such organisations having been a victim of these attacks in the past.”
Put quite simply, government cannot and must not be trusted with our personal information. In the UK, this is the government that plans to build a national DNA database within the NHS; and that wishes to be able to intercept our private communications at will. For the sake of our security, it must be stopped.
“Britain is target of up to 1,000 cyber attacks every hour” says the headline in a Telegraph article today. It comes from William Hague, UK Foreign Secretary, in his latest interview with the media.
What neither Hague nor the Telegraph does is explain where this figure comes from, nor what type of attack is meant. Last month we were told that the White House had been breached by Chinese attackers who gained access to US nuclear secrets. The reality was a single, unsuccessful phishing attack that got past the primary defences. You have to wonder whether similar disinformation is at work here.
If we’re talking about ‘all’ attacks, then I would suspect this is an unrealistically conservative figure: 1,000 attacks per second (scam, spam, skiddie probes, phishing et al) would be more realistic for the whole of the UK. But limiting the figure to just 1,000 makes the reader assume this means 1,000 serious, APT-style attacks against the critical infrastructure alone. The problem is that no details are given, leaving the reader to assume the worst.
This lack of detail pervades the entire article/interview.
“Hackers and foreign spies are bombarding government departments and businesses around the clock in what has become one of the ‘greatest challenges’ of modern times.
As well as targeting state or trade secrets, the cyber criminals and anarchists also try to disrupt infrastructure and communications and even satellite systems.”
(Telegraph: Britain is target of up to 1,000 cyber attacks every hour)
Anarchists threaten the internet? Really? Typical fear-mongering, reminiscent of the Russian hacker who attacked a US water utility (not), or the attack on Brazilian power supplies that turned out to be soot on the insulators.
This speech is just another fear-mongering attempt by the government to ease the passage of the Communications Bill, and is typical of the sort of government warnings, on both sides of the Atlantic, that always precede new legislation.
That’s not to say the internet is safe. It isn’t. There are problems, lots of problems and serious problems. We think we’re secure when we’re not. But that’s not the underlying message from Hague and GCHQ. The underlying message here is that terrorists (and anarchists!) are attacking the UK, and the only solution is to pass more laws giving government more powers and us less liberty. The security industry joins in with this conspiracy by leaping on every word the government utters – even though they said it first – and claiming government endorsement of the need for business to buy their products. Government wants our liberty and the security industry wants our money.
But it’s the final two paragraphs of this article that should worry us most.
“The Intelligence and Security Committee, appointed by the Prime Minister, believes Britain should declare cyber war on states and criminals who target the country by using aggressive retaliatory strikes to destroy their own operations.
Security and intelligence agencies should be willing to engage in covert cyber attacks on enemy states using programs such as the Stuxnet virus that targeted Iran’s nuclear ambitions, the committee members say.”
The worrying thing is not the sentiment – we’ve already been doing that for years. The worrying thing is that government is now openly advocating what it is already doing secretly. The implication is that if things are that bad, we’re effectively at war. War invariably involves martial law. Martial law of the internet is what the government is after. If we think we are at war, attacking and being attacked, we are more likely to accept the draconian laws that the government wants to enact – for our own safety.
We are being manipulated into accepting the loss of liberty. It is disgraceful that a newspaper like the Telegraph should support this manipulation.
Confidential and for internal eyes only
This basic demand template is suitable for all demands for all personnel in all branches.
Please note that only the subjects change.
- budget is interchangeable with law, personal information, surveillance etc.
- spam is interchangeable with any occurrence whatsoever
- China is interchangeable with greatest perceived threat du jour
- Congressman Rogers should be replaced by your own name
- ‘no match for’ should be replaced by an expansion of 3
Empirical evidence suggests a 99% success rate based on this template, but expect a three-month turnaround. Once complete, change the names and start again with the next requirement.