There’s no doubt that “Cyber Pearl Harbour” is a great headline, evoking memories of the devastating surprise attack by Japanese fighters on a US military base that forced the States into World War 2.
Information security commentators and politicians alike have really gone to town on it over the years, most recently former US Defence Secretary Leon Panetta, who last October claimed his country’s energy infrastructure was at risk. However, the reality is that there are several reasons why a similarly sudden attack in cyber space successfully knocking out large chunks of the UK’s critical infrastructure simply won’t happen.
Firstly the types of countries that would have the cyber fire power to launch such an attack - e.g. China and Russia - lack the geopolitical motivation for doing so. Firms which run critical infrastructure in financial services, energy and other industries are more at risk from sophisticated and highly targeted IP-stealing malware attacks, and breaches of customer data from attacks launched by hacktivists or financially motivated criminal gangs.
Secondly and perhaps most encouragingly the government has finally grasped the importance of cyber security and has outlined several steps in its February strategy document which will make us more resilient to a possible attack.
Over half of the £650 million allocated to the National Cyber Security Programme is going to the Security and Intelligence Services in order to “increase our ability to detect and defend against cyber attacks”. A new National Cyber Crime Unit will be formed within the National Crime Agency this year to look at “ways of preventing cyber crime to protect UK citizens, commerce and our national infrastructure”, while a new CISP (Cyber-security Information Sharing Partnership) will be opened up to CNI firms this year.
While the UK has had a Centre for the Protection of National Infrastructure (CPNI) since 2007, it’s good to see that as part of this new strategy, its remit will be extended to include all organisations which “may have a role in protecting the UK’s critical systems and intellectual property”. In addition to these welcome steps from the government, I’m confident that industry is ahead of Westminster in many areas, especially information sharing between professionals in the cyber security space.
That’s not to say, of course, that UK organisations can sit back and relax. While nation states may not have the motivation - at the moment - to launch a “cyber Pearl Harbour”, a terrorist organisation or at a push even a well-resourced financially motivated cyber gang could. Among the most at risk organisations are those which run SCADA and other industrial control systems.
These internet-connected systems have historically not been given the same level of protection as their office-based counterparts, but since the advent of Stuxnet in 2010 are increasingly on the radar of cyber attackers and security-by-obscurity is no longer an option.
New honeypot-based research from Trend Micro last month showed that such systems are subject to attack within hours of appearing online.
With this in mind, security professionals in relevant CNI industries of course need to follow tried and tested best practice - implementing a multi-tiered strategy to improve security, using a combination of people, process and tools. Regular pen testing is also a key requirement to ensure systems are as safe as they possibly can be from attack. But, to use the Pearl Harbour metaphor again, security teams also need an early-warning system - radar and scout planes of the digital age which can detect attack patterns in the cloud and feed back vital info to HQ.
These cloud-based threat protection systems, designed to make sense of all the noise out there in the wild and spot attacks before they hit the network, are readily available in the market so there’s no excuse to labour on with antiquated defences.
There also needs to be a will on the part of security chiefs to better understand how attacks are packaged these days. Targeted and designed to fly under the radar of conventional systems, such threats require IT teams to be more intelligent in how they use security information management (SIM)-related data. In a whole page of logs it could be one line which reveals an unnoticed attack and insurgent malware sitting undetected on a system.
There’s certainly nothing wrong with being prepared and reminding folk once in a while that the threat from cyber space is real and persistent. But there’s sometimes a danger in trying to compare the cyber world to the physical that we mis-focus slightly on exactly where the major threats are likely to come from. As an industry, perhaps once in a while it would be better to lay off the hyperbole.