Defence IQ's Blog

We are the IQ of global defence.

Tag Archives: Cyber Security

Information Security Threats – Round Up From The 5th Hemispheric Security and Intelligence Forum

By Alex Stephenson, Defence IQ’s man in Brazil

What breaks a company is lack of money, not lack of management or leadership. The same applies to criminal gangs. Imprisoning individuals is almost completely ineffective compared to denying a criminal organisation the proceeds of their activity. Concerning narcotics, one method is to interdict air, sea and land cargoes of substances – an alternative is to prevent the flow of the financial incentive in the other direction. No one sells a product if they cannot receive payment. A complete approach to narcotics includes both these elements.

But, there is a crime more profitable than narcotics. The sale of unknown vulnerabilities in computer software to criminal organisations who can exploit these weaknesses either to cause damage or steal intellectual property. So significant is this threat that it was contextualised as the threat of the modern era, paralleled by the nuclear threat of the cold war. A cyber threat to remain potent needs to remain unknown and then deliver chaos. An explicit parallel to the Hiroshima bomb; a capability unknown until it was deployed was drawn.

Linking both cyber security threats and counter narcotic threats I understood there to be three key takeaways:

  • These are evolving risks, much like a game of chess they require continual attention, calculation and execution.
  • Simplistically there are two approaches that can be used in tandem; tackling the problem and tackling the incentive – money makes the world go round
  • Finally, the importance of sharing information, helping partners and collaborating.

This last point is perhaps the most important. Too often perhaps there is a concern about sharing information about a problem. Perhaps this is because there is a national sensitivity around admitting there is a problem. However, if it is happening on your patch it is probably happening on your neighbour’s and by working together the intelligence picture becomes more complete and hopefully solutions begin to appear.

It is a great privilege for me to be able to attend this conference by kind invitation of USSOUTHCOM and the Brazilian Ministry of Defence. Later during this weeklong conference I will be delivering two presentations, one to the Caribbean Regional Intelligence Conference and one to the Central American Regional Intelligence Conference. The subject of this presentation will be the Caribbean Basin Coastal Surveillance and Maritime Security Summit 2013.

Advertisements

Rumoured Chinese computer espionage to be analysed by defence leaders

At a US hearing last month, two Chinese telecoms firms formally denied allegations that their products are being built for purposes of espionage.

Shenzhen-based Huawei and ZTE stated before the committee that the ‘backdoors’ believed to be built into some of the technology are merely ‘software bugs’ and that neither company is controlled by the Chinese government.

Lt Col (Rtd) William Hagestad, former US Marine and author of ‘21st Century Chinese Cyber Warfare’, has spent several years flagging this type of vulnerability to the digital security world, but many had previously not considered the idea to be a genuine threat.

Asked in an interview with Defence IQ about the recent developments that are finally bringing the issue to the attention of the wider public, Hagestad replied: ‘I wish I had been wrong.’

Explaining that the possibility of major telecommunications manufacturers violating their respective hardware for espionage purposes has always existed, Hagestad points to evidence to suggest that this is not a case of mistaken identity.

‘When you look at the recent DEFCON 20 presentation that describes in great detail some of the Huawei routers and some of the compromises that have led to buffer overflow, you can see that it is not a software bug,’ he said.

‘These are actual, no kidding, compromises to the hardware and software of the telecommunications manufacturers. Now whether they are overt, covert or unknown is irrelevant – the fact that they exist… is a concern not only commercially but also to the national security of the countries that are using them.’

Hagestad was speaking ahead of his involvement in the annual Cyber Defence & Network Security (CDANS) conference, set to take place in London from January 24–27, which bring together the world’s defence chiefs and heads of CERT, systems security, military IT, counterterrorism, and cybercrime professionals. Last year’s BBC-covered event hosted over 150 attendees and over 25 speakers from 24 nations.

This year, much of the focus will rest on dealing with the ongoing threat to critical national infrastructure and cloud computing, but there will also be inevitable discussion on the potential of the use of cyber weapons and foreign state responses to the evolving cyber domain.

Asked whether these allegations are likely to change how the technology industry manufactures its products, or if we are in fact too late to counter the threat, Hagestad is philosophical.

‘I would hope that we’re never too late,’ he said.

‘And I’m not one to say that we should ban every Chinese product. That doesn’t do international trade, cooperation, and geopolitical agendas any good – that’s actually counterproductive.’

You can listen to the full interview here.

Do you have an opinion on this topic? Can East and West ever see eye-to-eye in the digital realm? Email haveyoursay@defenceiq.com with comments, views and questions, or simply post your comments below.

More information on attending the event can be found on the Cyber Defence & Network Security website here.

Public confidence in national cyber defence strategies is lacking

Defence IQ’s Summer Cyber Defence Report has confirmed that 65% of respondents to our survey on national cyber defence strategies have no confidence in their government’s strategy to stop cyber weapons and protect public services.

The report, published last week, asked the question of global cyber defence strategies and asked respondents if their own national cyber strategies were made clear and were performing as expected. Over 60% of respondents for the report were directly responsive for cyber security solutions or decision makers and which a large proportion of respondents claiming that they were ‘unconfident’ with national strategies in cyber defence, this brought up the debate in whether countries should be doing more to protect their infrastructure.

But there has been some improvement in this arena, according to Defence IQ’s report. Over 47%of respondents claim that there has been some improvement in securing networks over the past two years, showing that strategies are heading in the right direction but not necessarily at the speed those in the industry has envisaged. However, slightly more worryingly, 9% claimed that their governments had made no significant improvement over the past two years, potentially leaving themselves open to an attack.

The findings of the report are to be used as a point of reference during discussion sessions at the Cyber Defence Forum, which will focus specifically on the challenges, operations and solutionsfacing armed forces and governments as they formulate national strategies to keep their defensive and offensive cyber capabilitiescurrent and in-line with the international community.

You can read the report in full here.

We’re keen to hear your thoughts – do you agree or disagree with the findings in this report? Would you like to write a follow-up in response? Email comments or article submissions to: haveyoursay@defenceiq.com

Can cyber security investment get the UK out of recession?

By Calum Jeffray

During an industry conference last month, Neira Jones, Head of Payment Security at Barclaycard, posed the question, “Can cyber security contribute to getting the UK out of this recession?”

It’s an interesting questions posed by Jones, who backed up with statement by explaining that If we didn’t spend the amount that we currently do on recovering losses as a result of data breaches and other cyber crime, the saving would be so huge our economy would no longer be in recession.

Although there may be a good number who dispute Jones’s logic, it begs the question – is it possible to accurately measure the cost that the UK is paying as a result of hacking, data theft, corporate espionage, and other offences that come under the umbrella of ‘cyber crime’?

The problem, of course, depends on which set of statistics are to be believed the most.

In February 2011 Detica, a division of BAE Systems, made the headlines when it claimed that cyber crime cost the UK economy a remarkable £27 billion every year. It estimated the cost of IP theft at just over £9 billion and espionage at over £7 billion a year. Having been commissioned by the UK Cabinet Office, the report has since benefited from the “according to government statistics” tagline and is widely quoted in the media.

Fast forward to today, and things don’t seem to have improved much. As Jones stated during her presentation, “It is no a longer a question of if you are hacked, but when”. The first six months of 2012 have seen 35% more data breaches than in the same period in 2011. There has also been a 10% rise in identity theft since 2010.

However, The conclusion of ‘Measuring the cost of cybercrime’, this time commissioned by the UK MoD and produced by an international panel of computer scientists, is that the cost of protecting ourselves against cybercrime can far exceed the cost of the threat itself. It argues society should spend less on anti-virus software and more on policing the internet and tracking down the “small number of gangs” that it claims are often behind the majority of cyber crimes.

Lead author Ross Anderson, Professor of Security Engineering at the University of Cambridge’s Computer Laboratory explains:

“Some police forces believe the problem is too large to tackle. In fact, a small number of gangs lie behind many incidents and locking them up would be far more effective than telling the public to fit an anti-phishing toolbar or purchase antivirus software. Cybercrooks impose disproportionate costs on society and we have to become more efficient at fighting cybercrime.”

The report finds that each year the UK spends $1 billion on efforts to protect against or clean up after a threat, including $170 million on anti-virus. By contrast, just $15 million is spent on law enforcement.

So, going solely by this report which suggests that relatively small number of perpetrators are indeed responsible for the majority of cyber attacks, then investing in further policing would be a cost-effective solution to reducing all these costs – even if it doesn’t get the whole of the UK economy out of recession.

Cyber Defence ForumFind out more information on Cyber Defence at Defence IQ’s Cyber Defence Forum in October

2012 cyber predictions: Part 1

Cyber crime: “It’s about the suffix crime, not the prefix cyber”

“We’re seeing 66,000 pieces of malware a day according to FireEye data; last year it was 20,000 a day and two years ago it was only 5,000 a day,” said Robert Lentz, President of Cyber Security Strategies and former CISO for the U.S. DoD at the Cyber Defence and Network Security conference in London.

The issue of cyber crime, cyber terrorism, and, dare I say it, cyber war, is becoming increasingly prevalent today and it shows no signs of slowing down anytime soon. Listening to Lentz it’s easy to see why. Indeed, Maajid Nawaz, Chairman of the Quilliam Foundation, said it’s only “going to get worse.”

“The defining change of our generation”

Cyber security has become, in many respects, just a buzzword. However, the threats hiding behind it are very real, and not least when a digital threat is turned into a physical attack.

“I’m not being melodramatic … but the reality is cyber threats will lead to lead to physical attacks,” said Lentz.

There are countless scenarios in which this could emerge. Hacking into a hospital’s network and altering a patient’s medical records would be considered an assassination. Hacking into a nation’s nuclear weapons system and fiddling with the delicate balance of its reactors could be considered an act of cyber war….ah, wait a minute….oh yes, Stuxnet.

Cyber war itself is an issue of particular contention. What is it? How do you define it? Does it even exist as a tangible entity or is it just a term dreamed up in an attempt to describe an ethereal concept?

Dick Crowell of the U.S. Navy War College has a thoughtful response to this. “I don’t believe there will ever be a thing which we can call a ‘Cyber War’ … but I think cyber warfare tactics will be employed in all future conflicts.” That is an important distinction because it suggests that in the future a conflict will not be defined by a single strategy; the onset of the threat from cyberspace is shifting the battlespace to a point where the lines between peace and war become blurred.

The trouble is with the term itself: ‘War’ has become convoluted over the past half century, it is used more as an evocative term than a descriptive one. Technically the US has not been at ‘War’ since 1945, it has instead been involved in supposed peacekeeping missions and counter-insurgency operations.

Shaw explained that: “The word war has lost all its meaning; it’s now only relevant in political theory, not as an operational term.”

Cyber hygiene: Managing the threat

“The growth of the internet is the defining change of this generation,” said Mark Field MP, a member of the Intelligence and Security Committee. Learning how to manage and mitigate the threats it poses will need to be the next.

“The reality is we can’t keep the bad guys out of our networks,” said Lentz. This means we need to improve our resiliency; we need to figure out how to ensure networks remain online and operational even during a cyber attack, Lentz explained.

For Lentz, the most effective response to this is to employ offensive cyber tactics. He called for key government and industry actors to conduct more drills, exercises and live operations as a way of preventing the advanced persistent threat.

For the military at least, the perception of ‘cyberspace’ has to change for this to become a reality. “We need to think about cyberspace as an operational domain, just like the land, sea and air domains,” said Lieutenant General Rhett Hernandez, Commander at U.S. Army’s Cyber Command.

Here, Lentz and Hernandez agree that changes must be implemented at the ground level. “We need to focus on the training dimension,” said Lentz. Hernandez shares this sentiment: “We need to think differently about recruiting and training.”

Staying safe online

Moving this argument forward, Major General Shaw, Commander at the MoD’s UK Cyber Policy and Plans Team, stated that “education offers the only response to preventing attacks.”

But that leads to an important question: Whose responsibility is it?

Should the government be the ones to educate the public about ‘staying safe online’ and legislate to protect against cyber criminals? More specifically is it a military or government services concern? Should industry be more accountable? Or is it up to the individual and the individual alone?

There’s no simple answer, but there’s little doubt government should be taking a more proactive approach. Whitehall has produced a Staying Safe Online campaign, but Shaw postulates that only about 1% of the UK population has actually set eyes on it (let alone heard of it) because it was not a promoted campaign. The THINK! Seatbelt campaign worked in 1973 because the government put its weight behind it, it was well promoted and reached the targeted demographic. At the moment the government is doing little more than going through the motions regarding cyber security – the ‘Great Get Along’ as Lentz calls it.

For now though, little is likely to change. We will likely only see a step-change in the government’s attitude towards cyber security after it’s too late, similar to how the War on Terror was born out of the 9/11 attacks.

“Cyber physical threats are on the horizon and that will be the ‘tipping point’ when the government really becomes involved,” said Lentz.

Shaw concluded that it will take a “whole society approach” to manage the advanced persistent threat in the future.

Private and Public sector must work closely together to combat Cyber Warfare Threat

Information sharing, education and cyber training are essential for mitigating the threat of cyber security for public sector, military and private sector bodies.

Information leaks, identity theft, malware and intellectual property theft are major cyber security threats facing private and public sector organisations alike. In an exclusive interview with Defence IQ Niels Groeneveld, head of Operation Aurora, the Cyberconflict Research Group for online cyber research and Robert Nowill, the Director of Cyber at BT, have strongly argued for the importance of the public and private sector to work together to combat the rapidly evolving threat of cyber warfare.

Both Robert Nowill and Niels Groenveld contend that more can be done across Europe to ensure a better working relationship between public and private sector bodies. Nowill contends that the preparation for organisations to deal with the cyber security threat varies across European countries and suggests that it is important for there to be a uniform, international response cyber threats across public-private sector lines.

However, even when there has been co-operation between public and private sector bodies, efforts have often been clouded by a reluctance to share sensitive information. This is now changing, according to Nowill, who states that there is a greater recognition amongst public and private sector bodies that organisations cannot form “an effective cyber security strategy without an increased degree of sharing some of the more sensitive areas.”

While there might be an array of advanced technical solutions to cyber security threats, Groenvield states that the weakest link in network security is often comes down to a lack of education and human error. If an end-user can be tricked into performing an unsafe action, he or she can compromise a network’s safety.

Robert Nowill concurs, stating that what fundamentally matters for organisations of all sizes and at an individual level, is cyber security education. Computer-based training, “cyber alarm” exercises and an ability to efficiently and appropriately react to a cyber security threat, can all help to mitigate cyber risks.

The cyber warfare threat will be discussed at Cyber Warfare Online, Defence IQ’s inaugural virtual summit that will bring together members of the US Cyber Command, USMC and NATO to facilitate information sharing across nations. For more information about the event, which will be taking place from June 13th – July 8th, please visit https://www.cyberwarfareonline.com/.

Rapidly Evolving Cyber Warfare Threats to be discussed at Defence IQ?s Cyber Warfare Online

As cyber warfare threats continue to evolve at a rapid rate, senior representatives from the US Cyber Command, NATO and EU will discuss cyber warfare strategies, tactics and practices at Defence IQ’s Cyber Warfare Online Event.

In an interview with Defence IQ at Cyber Warfare Europe 2011, Lieutenant Colonel William Hagestead, USMC, contends that cyber vector threats will ‘change so rapidly that we won’t even know they’re there.’

From STUXNET to Wikileaks, recent attacks on critical infrastructure and information security lapses, have thrown cyber warfare into mainstream headlines and made military bodies such as the US Army and US Marine Corps, which are traditionally focussed on kinetic warfare, move onto the cyber security domain.

In order to address the strategic and tactical challenges faced by cyber professionals within military bodies, cyber security companies and intelligence agencies, Defence IQ will be holding Cyber Warfare Online 2011.

The virtual summit, which includes a keynote speech from Brigadier General John Davis, the Director of Current Operations for US Cyber Command, will keep cyber professionals up-to-date with the latest developments in battle management, command and control and defensive counter-cyber strategies.

It will also be a prime opportunity for cyber warfare and cyber security experts to see how military bodies are developing their exploit and attack capabilities in conjunction with government and intelligence agencies. Given the transmogrifying nature of cyber warfare threats, forums such as Cyber Warfare Online play a pivotal role in developing and understanding effective cyber warfare and security strategies.

In spite of the fast-evolving nature of cyber warfare threats, Lieutenant Colonel Hagestead, who will be speaking at the event, suggests that cyber warfare incidents can be far from typical and that while ‘there may be cyber battles but there will not be full scale cyber warfare’.

He also notes that the curious character of cyber threats is that they are more likely to be internal, not external.  ‘If one looks at the recent case with the wikileaks example…it’s purported that the majority of the data was leaked from an internal source. That goes to show that the majority major threats are going to be internal, not external.’

To listen to the full interview with Lieutenant Colonel William Hagestad II,  Force Movement Control, US Marine Corps on ‘Transmogrification’: US Marine Corps Cyber Officer Stares Down a Rapidly Changing Threat’ visit http://www.defenceiq.com. For more information about Cyber Warfare Online or to get involved, please visit www.cyberwarfareonline.com.

US and UK Formalise the Cyber Terror Risk to National Security

It’s official – national security strategies in the US and the UK have formally acknowledge the role of cyber security in the national security hierarchy. Dr Dan Kuehl is director of the Information Strategies Concentration Program at the National Defense University in Washington, DC. He specialises in information operations and warfare as well as military doctrine for IO. In this interview, he explores the Stuxnet threat and how this impacts the west’s ‘cyber dependency’ predicament. Dr Kuehl chaired this year’s Cyber Warfare event in London.

Watch the full video here: http://ping.fm/itXf6

Admiral Lord West: Rules of Engagement and Infrastructure Vulnerabilities in Cyber Warfare

Defence IQ caught up with Admiral Lord West for an exclusive interview on Cyber Warfare. Here are some snippets from the interview

1. The Considerations of Cyber Warfare

This includes the ethical element of interacting with citizens across counties as well as the question as should young individuals with the skills be given the authority to act upon Cyber threats. Watch the full interview: http://www.defenceiq.com/video.cfm?id…

2. What should the british government reaction to Cyber law and legality be?

To date the British Government have not re-acted violently. Watch more: http://www.defenceiq.com/video.cfm?id=924

3. The Terrorist threats associated with Cyber Security

Terrorists use it for radicalisation. Using it to attack critical infrastructure…..Watch more: http://www.defenceiq.com/video.cfm?id=924

4. How do we define Parody between attack and response?

These are not straightened out and they need to be. Watch more: http://www.defenceiq.com/video.cfm?id=938

6. Estimation of Cost: Are Hackers Costing the UK Billions?

The cost of resolving hackers can reach the billions. The only way to ensure 100% protection online is to not be connected…
Watch more: http://www.defenceiq.com/video.cfm?id

7. Where does the budget for Cyber Security from?

[Youtube=http://www.youtube.com/watch?v=QNlyaClELYI]

Admiral Lord West points out the government does not have budget for this so the funding needs to some from elsewhere. Watch more: http://www.defenceiq.com/video.cfm?id=940

8. Would Admiral Lord West take up a position within the Coalition Government asked him to do so?

As a state servant from his history in the Navy Lord West would assist. Watch more: http://www.defenceiq.com/video.cfm?id=942  …

9. Do you think the UK will go down the Cyber Command route?

Admiral Lord West discusses how the MoD could address this taking into account ethics, legalities and linking to Cyber Warfare. A form of structure is key.
Watch more: http://www.defenceiq.com/video.cfm?id=941  …

%d bloggers like this: