UK business facing major cyber espionage attacks

The computer systems of utility companies and large financial firms are continually being probed by thieves wanting to steal information or find weaknesses, a UK security expert has warned.

Industrial espionage probes are being waged on companies that provide Britain's national infrastructure and on similar organisations across Europe, delegates at RSA Europe 2008 heard.

Mark Oram, head of information security knowledge department at the government-backed Centre for the Protection of National Infrastructure (CPNI), said the instances of political, economic and technical spying were more common than cyber-terrorism attacks.

"We see frequent attacks on organisations for the purpose of intellectual property theft that we would not obviously classify as an attack on infrastructure," he said.

"The use of cyber techniques is relatively easy, cheap and low risk in terms of being caught," he said, adding that most of the time the culprit is known, but proving their guilt is difficult.

CPNI works to protect key government and private organisations in the UK and encourages a coordinated approach to protecting IT infrastructure from attack.

The organisation prefers not to rely on regulation to persuade firms to reduce vulnerability, but Oram said regulators do "play a role" in protecting the IT assets of utilities and financial firms.

"The government's role is encouraging, but we don't want to be doing anything that industry can't do for itself," said Oram.

"We urge firms to adopt a common approach to security, to be impact driven, look at assets that support essential needs for citizens and prioritise according to criticality. Firms should focus on the vulnerability, whether it be IT security, insider threat or physical security, and be threat informed," said Oram.

Michael Carlin, of the Directorate General for Justice at the European Commission, said the 2007 Estonian cyber-attack was a "turning point in Europe and made it clear we need to do more to prevent massive cyber-attacks."

Carlin said the European Network and Information Security Agency (ENISA) is unveiling a blueprint document for how European countries can strengthen national communications networks. The ENISA report recommends fast reaction on reported incidents, collaboration between public and private stakeholders and development of a national strategy for information sharing and responsibilities for different parts of the network.

But Carlin added harmonisation between member states is "far away still".

Ira Winkler, president of the Internet Security Advisory Group and security guru, said allowing the industry to regulate itself in the US has "proved to be a massive failure".

Replying to a question about the Department of Homeland Security, Winkler said the department relies on voluntary cooperation from every company that controls critical infrastructure. But without regulation, "there is no benefit for most private firms to create policies that lead to process changes, expenses when there is no justifiable reason aside from it being the right thing to do and in the national interest."

Winkler also urged caution in the roll-out of any mandatory measures. "Most security policies implemented after 11 September were justified but completely useless policies, like taking tweezers away from people boarding planes. These are grossly ineffective regulations," he said. "Security regulations should be more specific. For example with vendor patches, you could regulate that they will be deployed in so many days after release, depending on the severity of the bug."