By Suzannah Brecknell

06 Dec 2010

As the National Security Strategy recognised, cyber attacks represent a real danger to the UK. Suzannah Brecknell learns that civil servants should respond with security-conscious policy work and old-fashioned diligence.


In July, a security firm based in Belarus identified a computer worm – a type of malware that copies itself from machine to machine without human intervention – designed to seek out and reprogram the industrial control systems that drive motors in industrial plants. It had infected tens of thousands of computers across the world, with a particular concentration of infections in Iran.

“In effect, it speeds up or slows down electric motors randomly”, says Tony Dyhouse, cybersecurity director of the Digital Systems Knowledge Transfer Network – a national initiative supported by government, industry and academia to share expertise and promote a digitally-enabled Britain. In the event, although the ‘Stuxnet’ worm had infected computers involved in Iran’s nuclear development programme, it caused a delay rather than any more serious damage – but the potential was there. “There is a good chance that if that attack had been launched, it would have been extremely difficult to work out what on earth was going on,” says Dyhouse. “It would have been subtle, but totally ruinous.”

Stuxnet’s software is so complex that, most analysts agree, it must have been developed by a state-funded team. But cyber attacks – identified as a ‘tier one’ danger to the UK in this autumn’s National Security Strategy – can include a wide range of threats, from state-sponsored spying and organised cybercrime right down to opportunistic spam.

Last month Dr Steve Marsh, deputy director of the Cabinet Office’s Office for Cyber Security and Information Assurance (OCSIA), told the Commons science and technology select committee that, from a government point of view, “The main concerns that we have currently are around cybercrime and cyber espionage, the economic espionage aspects.” There is a risk of “large impact/low likelihood” attacks such as Stuxnet-style worms, he said, and government should address that risk, but “we need to keep them in proportion”.

Impacts and funding

Over 20,000 malicious emails are sent to government networks each month – 1,000 of which are deliberately targeting them – the director of signals intelligence agency GCHQ, Iain Lobban, told the International Institute for Strategic Studies in October. In a rare public appearance, Lobban highlighted the importance of cybersecurity – AKA information assurance – and spoke not just of the risk to critical infrastructure but also of a “disturbing” rise in e-crime which puts individuals, companies and government at risk of financial and reputational loss.

Cybersecurity is not just a defence issue, said Lobban; it “goes to the heart of our economic wellbeing and national interest”. And it isn’t just about creating a secure environment for the UK’s digital economy and internet entrepreneurs: 95 per cent of high street transactions now take place on credit and debit cards which rely on a functioning communications infrastructure. The problem has also increased rapidly in recent years: the Strategic Defence and Security Review (SDSR) reported that 51 per cent of all malicious software threats ever identified were found in 2009.

The SDSR allocated £650m to a “transformative national cybersecurity programme to close the gap between the requirements of a modern digital economy and the rapidly growing risks associated with cyberspace”. This is a big boost for information assurance: Marsh reckons that the public sector currently spends about £600m a year on cybersecurity.

Yet this is small beer compared to the cost of cyber attacks – cybercrime alone is estimated to cost the UK £10bn a year, according to a report by consultancy PwC published in April. The real figure is likely to be much higher; much of the crime that takes place through cyber channels is reported as standard theft, for example. So what can managers across departments and professions do to aid the war against cyber enemies of all sizes?

The human factor

The first answer is surprisingly – perhaps disappointingly – old-fashioned: follow procedures and good security practice at all times. Technology can do much to protect networks, but attackers are increasingly adept at exploiting ‘social vulnerabilities’. Stuxnet spread through USB memory sticks, which is how it could reach plant networks that are not connected to the internet – somewhere along the line, someone on the inside had to be forced, persuaded or tricked into plugging an infected stick into a computer.

“Our professional rule of thumb,” Lobban told the IISS, “is that good information assurance (IA) practice will solve 80 per cent of government’s cybersecurity vulnerabilities. By this we mean observing basic network security disciplines, like keeping ‘patches’ up to date. That, combined with the necessary attention to personnel security and the ‘insider’ threat, will offer substantial protection for each individual network.”

Information protection and assurance in the civil service has been the focus of many recent reports, recommendations and reforms, thanks to a series of high-profile data losses at HMRC and the Ministry of Defence. These data losses were a “warning shot that the assumed culture of security in the civil service had gone,” according to Neil Fisher, vice president of global services at IT service provider Unisys. “The culture they had of [hitting] performance targets at all costs pushed security out of the window.”

Five reports into data security and assurance have been carried out since the MoD and HMRC losses – including one by cabinet secretary Gus O’Donnell, published in 2008, which introduced mandatory minimum security measures across government when handling personal data; mandatory annual training of civil servants dealing with personal data; standardisation of data security roles within departments; and a right for the Information Commissioner to perform spot checks.

Richard Thomas was information commissioner at the time of the HMRC loss, and now works as global strategy adviser to American consultancy the Centre for Information Policy Leadership. Information security across central government has improved since those days, he says, though it would be a “brave person who said everything was completely perfect”.

Indeed, he says, “no part of a system which is processing significant volumes of personal data can afford to be complacent”. Senior leaders need to be sure that their information assurance policies are up to date and fit for purpose, he adds, and that there is a good awareness of these policies at all levels and in all departments.

By December last year, Marsh told the select committee, over 450,000 public servants had received specific training on data security. There are now more than 9,000 information asset-owners across the public sector and more than 150 senior information risk owners (SIROs), so awareness across government should be increasing. Despite this, Unisys’s Fisher still believes the civil service needs “information and awareness in buckets”. He reports that a Cabinet Office-sponsored MSc in Cyber Security developed at Cranfield University has had no takers – an indication, he says, that cybersecurity expertise is not seen as a priority by other departments.

Indeed, data security might even be slipping out of the spotlight. In the November issue of IT security journal SC Magazine, Peter Fischer, from security software provider Check Point, said departmental SIROs are increasingly willing to take risks, as this generation of SIROs has not “lived through – or has forgotten – the problems of 2007”. “More and more often, you will hear questions such as ‘Do we have to use CLAS consultants [approved by government’s information assurance advisory body CESG], or can we do it ourselves?’ ‘Do we have to use CESG assurance schemes, or other schemes that are cheaper?’”, he said.

Digital by default

But cyberspace isn’t all about risk. An increasingly digitised world presents opportunities, too; opportunities which the government itself is keen to exploit by putting more public services online. The Cabinet Office is now pushing for this to happen at a faster pace, as part of the coalition’s wider plan for wholesale reform of public services (see news section).

Speaking at Civil Service World’s More for Less conference last week, the head of the National Fraud Authority, Bernard Herdan, said a time of rapid change in public services brings an increased risk of fraud – both with services that are not properly planned, and through an increasing ‘insider threat’ from disaffected staff across government and businesses.

In an ideal world, says Dyhouse, security should be considered from the outset when designing new policies or services: “You can make a solution and at the last minute bolt on security; but it’s very expensive, and it’s not as efficient because security becomes one of these nuisance things that we all try and avoid and get round because it stops us doing our daily jobs.”

Lobban agrees: “Those setting policies for public services, and those designing their delivery, need to be conscious of – and well advised about – the wider cyber security aspects that might subvert their aims”, he said, calling for a deeper dialogue between government and the “partners who deliver the systems and services that need securing”. To this, Thomas adds the point that there needs to be an understanding of information security across all teams within a department, so that those who understand the value of data (in delivery or policy teams, for example) have clear communications with those in ICT who understand how to protect it, and those in commercial teams who can ensure this protection is written into contracts.

Secure solutions can be more expensive, however, meaning that “security perishes with cost-cutting measures,” says Dyhouse. If a service is being outsourced to save money, the temptation will be to opt for the cheapest service and skimp on security; likewise for new service development, particularly given Cabinet Office minister Francis Maude’s assertion that the shift to online services should involve looking for “cheap and cheerful” ways of doing things.

Secure by default

This focus on securing government data and systems will need to be coupled with a drive to make the public more aware of, and compliant with, security needs. In his speech to the IISS, Lobban warned that “Criminal exploitation of those transactions need not be at the government end. A government network can be as well-protected in IA terms as you like, but the stolen legitimate credentials of a citizen would still present a security problem.” Similarly, any computer can become the vehicle for transmitting malicious software if it is not properly protected.

The public may have expectations for the way in which government protects their data, but we are not yet, as a society, cyber security conscious by default. A recent survey by Unisys found that UK consumers have an inconsistent attitude to digital security – protecting our information on social media sites, for example, but not adopting or updating passwords for our mobile devices or choosing ‘hard to guess’ passwords.

The challenge of incentivising and encouraging people to behave more securely is addressed in the field of security economics – a research area raised by Professor Ross Anderson at the recent select committee. “Many things that go wrong fail because people have the wrong incentives – and this is particularly a problem on the internet, where things scale globally and you have classic collective action issues,” he said, adding that the government is not yet engaging with this discipline. “I don’t recall any UK government people coming along to relevant workshops, ever. In the USA, on the other hand, security economics has become one of the three top priority research areas in information security. They are spending something of the order of $50m on it this year.”

Dr Marsh later accepted that this is an area where the government needs to do more, and said the OCSIA will support this and raise awareness of the discipline: “We absolutely need to bring in this broader scientific base, not just the technical response around the machines or networks themselves,” he said.

Cyber warfare is already a reality. “I can vouch for that from the displays in our own operations centre [which show], minute-by-minute, cyber attempts to penetrate systems around the world,” said Lobban at the IISS. “Cyberspace is contested every day, every hour, every minute, every second.”

As in old-fashioned wars, technology alone will not be the answer to winning battles. Victory will require a consistent effort to follow good security processes – a discipline in which the civil service has strong foundations – and a concerted focus on building security into all services. The risk is that this focus could be lost at a time of cost pressure and rapid change; and the task facing OCSIA and other cross-government organisations is to ensure that cybersecurity isn’t seen as an exotic-sounding, far-off threat involving power plants in Iran, but part of business as usual for the whole public sector and the people it serves.

Cybersecurity: who's who and what do they do?

The tentacles of cybersecurity reach across several organisations in government. The minister responsible, Dame Pauline Neville-Jones, is a Home Office minister, and this department also hosts the business-focused Centre for the Protection of National Infrastructure (CPNI). But many departments and agencies have a finger in this growing pie.

At signals intelligence agency GCHQ, the Communications-Electronics Security Group (CESG) provides advice for other departments on technical aspects of cyber security. GCHQ also hosts the multi-agency Cyber Security Operations Centre (CSOC), established last year to monitor the internet for threats to UK infrastructure. Although based within GCHQ, CSOC is under the control of the Cabinet Office – itself home to another multi-agency team, the Office for Cyber Security and Information Assurance (OCSIA). Created last year as part of the previous government’s National Cyber Security Strategy, this team – according to its deputy director Dr Steve Marsh – provides “strategic leadership, being a focus for cyber security across government as a whole” and ensures that the work of CESG, CPNI and others is “part of a coherent whole”.

This autumn, the Strategic Defence and Security Review announced the creation of a National Cyber Security Programme with £650m funding, which will be overseen by the OCSIA. The programme includes investment in both infrastructure and research in this area, and also creates a new organisation – the UK Defence Cyber Operations Centre – to build capacity and skills in cyber-warfare across the military.

Another newly-announced unit is the Department for Business, Innovation and Skills’ Cyber Infrastructure Team – still in the process of being created – which will support work to “address shortcomings in the critical cyber infrastructure upon which the UK as a whole depends, both to tackle immediate weaknesses in security and to ensure that we maintain access to a trusted industrial base”.

Two new cyber strategies are expected – one on cyber crime, to be developed by the Home Office in “late autumn”, according to the SDSR; and one on cyber security, to be published by the Cabinet Office next spring.

Cybersecurity: who am I?

A key challenge for civil servants to address as they develop new services will be how to properly identify individuals to ensure the right person is receiving the services or accessing the data available online.

Neil Fisher, of IT services company Unisys, says the coalition’s decision to scrap the National Identity Card and National Identity Register without an alternative plan to support proper authentication has done an “enormous disservice” to the UK and its economy.

There is work ongoing to create some form of national authentication scheme, he says, but any solution may struggle to gain political support, and this lack of a straightforward way to verify identity online will be “the biggest failure we’re going to suffer from over the next ten years – you will not have assured service delivery digitally online direct to me, because I can’t authenticate myself in a way which is 100 per cent assured. Username and password doesn’t cut it, unfortunately”.

Tony Osborne, head of public sector at security firm Symantec, agrees that identity will be more and more important as we move towards ‘cloud’-based systems in which we access programs and information hosted online rather than on our own machines. He points to the work of the Jericho Forum – a group of industry and academics – addressing this issue. Solutions are being developed to ensure we can identify ourselves in the cyber world; the challenge may be to build enough political and public support to implement these solutions in a way that makes for straightforward yet secure access to online public services.
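As an added illustration of Fisher’s point that “username and password doesn’t cut it”, the Python below (example code written for this page, not from Unisys, Symantec or the Jericho Forum) shows the difference in a runnable form: a static credential captured once by an attacker can be replayed indefinitely, whereas a time-based one-time code (TOTP, RFC 6238, one widely deployed second factor; the article itself names no particular scheme) expires after its 30-second step and is refused on replay even inside that step. The account, password, shared secret and timestamps are constructed for the demonstration.

```python
"""Replay of a static password versus a time-based second factor (TOTP, RFC 6238).
Added example; names, password, secret and timestamps are constructed, not real."""
import base64
import hashlib
import hmac
import os
import struct

TIME_STEP = 30   # TOTP interval in seconds
OTP_DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) over a 64-bit big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = TIME_STEP) -> str:
    """Time-based OTP (RFC 6238): HOTP with the counter = Unix time // step."""
    return hotp(secret, now // step)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    """Constructed account record: salted password hash plus TOTP secret."""
    def __init__(self, password: str, otp_secret: bytes):
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(password, self.salt)
        self.otp_secret = otp_secret
        self.last_otp_counter = -1   # highest time-step already used, to block reuse


def check_password(acct: Account, password: str) -> bool:
    return hmac.compare_digest(acct.pw_hash, hash_password(password, acct.salt))


def login_password_only(acct: Account, password: str) -> bool:
    """Username/password only: anything captured once works forever."""
    return check_password(acct, password)


def login_with_totp(acct: Account, password: str, code: str, now: int, drift: int = 1) -> bool:
    """Password plus TOTP. Tolerates +/- `drift` steps of clock skew, but a
    time-step is accepted at most once, so a captured code cannot be replayed
    even while it is still inside its 30-second validity window."""
    if not check_password(acct, password):
        return False
    counter = now // TIME_STEP
    for c in range(counter - drift, counter + drift + 1):
        if c > acct.last_otp_counter and hmac.compare_digest(hotp(acct.otp_secret, c), code):
            acct.last_otp_counter = c
            return True
    return False


def replay_demo() -> dict:
    """An attacker captures one complete login at t0 and replays it later."""
    secret = base64.b32decode("JBSWY3DPEHPK3PXP")          # constructed demo secret
    password = "correct horse battery staple"             # constructed demo password
    acct = Account(password, secret)
    t0 = 1_291_636_800                                     # 6 Dec 2010 12:00:00 UTC (arbitrary)
    captured_code = totp(secret, t0)                       # what the attacker saw on the wire
    return {
        "legitimate_login": login_with_totp(acct, password, captured_code, t0),
        "replay_password_only": login_password_only(acct, password),
        "replay_same_window": login_with_totp(acct, password, captured_code, t0 + 5),
        "replay_two_minutes_later": login_with_totp(acct, password, captured_code, t0 + 120),
        "fresh_code_later": login_with_totp(acct, password, totp(secret, t0 + 60), t0 + 60),
    }


if __name__ == "__main__":
    for outcome, accepted in replay_demo().items():
        print(f"{outcome:28s} {'accepted' if accepted else 'rejected'}")
```

The password-only path accepts the replay; the TOTP path rejects it both inside and after the code’s window, while a genuinely fresh code from the real user is still accepted. The `hotp` and `totp` functions reproduce the RFC 4226 and RFC 6238 reference vectors, so they can be checked against any standard authenticator app.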
