A Home Guard inspired Dad’s Army of computer security experts will be set up to protect Britain’s businesses and help the armed forces at times of national emergency, it has emerged today.[From ‘Dad’s Army’ of cyber security experts to be formed to tackle growing threat of website hackers in Britain | Mail Online]
This does, at least, open up the possibility of some continued employment for me as I fight to stave off the cat food years in amongst the embers of post-employment Europe. But hold on. Just how bad is the cybersecurity situation? We are all used to reading statistics about the size of the problem (I seem to recall that Detica estimated it to be £27 billion in the UK) but let’s go and find out what the top people think about it. I imagine the head of the US National Security Agency would know.
Gen. Keith Alexander is the director of the National Security Agency and oversees U.S. Cyber Comman… he cited statistics from, among other sources, Symantec Corp. and McAfee Inc., which both sell software to protect computers from hackers. Crediting Symantec, he said the theft of intellectual property costs American companies $250 billion a year. He also mentioned a McAfee estimate that the global cost of cybercrime is $1 trillion.[From Does Cybercrime Really Cost $1 Trillion? | Threat Level | Wired.com]
Wow. A trillion. What kind of crimes are racking up these numbers? Tidal waves of cybercriminals looting bank vaults? Could be. But it would take teams of cybercriminals working round the clock on their trivial $45m ATM raids to get anywhere near this figure. Redirecting flows of cash from their rightful owners to Mafia oligarchs safe behind their computer screens? That would be hard to distinguish from regular investment banking. On the whole, it turns out that putting a number on cybercrime seems to involve a bit of interpretation. To see what I mean, consider the example of a cybercrime that I heard discussed at a forum on the issue recently.
Bloomberg reveals that the hackers spent one month “pilfering sensitive files” about Coca-Cola’s attempt to acquire China Huiyuan Juice Group for $2.4 billion. If successful, the transaction would have been the largest foreign takeover of a Chinese company ever. The breach started with malware-infected e-mails to Coca-Cola’s senior executives which, when opened, enabled the hackers to infiltrate the network and steal proprietary information. Once revealed, the Huiyuan deal collapsed three days later.[From Coke Cyber-Attack Raises Corporate Disclosure Issues]
That sounds terrible. A successful cyber-attack on a multinational and a billion dollar deal collapses. I thought this might make a useful case study in a workshop with a client, so I decided to investigate a little further. And I found that the “cyber-attack” was not as clear-cut as it seemed.
But some investors were relieved that the offer didn’t go through. Coke had said the acquisition would dilute earnings by three cents to four cents a share for the first full year after completion of the deal.[From Beijing Thwarts Coke’s Takeover Bid – WSJ.com]
There may have been no cyberattack at all! It may have been the company’s own shareholders working through incumbent management. Now, I am not for one moment saying that there are no real cyberattacks. Clearly there are, and some of them are considerably more serious than a few percent difference in a share price.
The Moscow-based firm said it found Gauss had infected personal computers in Lebanon, Israel and the Palestinian Territories. It declined to speculate on who was behind the virus but said it was related to Stuxnet and two other cyber espionage tools, Flame and Duqu… According to Kaspersky Lab, Gauss can steal Internet browser passwords and other data, send information about system configurations, steal credentials for accessing banking systems in the Middle East, and hijack login information for social networking sites, email and instant messaging accounts.[From Virus found in Mideast can spy on finance transactions | Reuters]
Cyberattacks are real. Cyberwarfare is real. Yes, companies should be designing and implementing more robust infrastructure and using sensible risk analysis methodologies to determine levels of exposure and appropriate countermeasures (as you would expect me to say, since this is precisely what Consult Hyperion does for payment organisations and others). But we have to be a little cautious in responding to the trillion dollar cybercrime wave, even if it actually does exist. We don’t want to fall into knee-jerk responses that might end up making the problem worse.
A number of countries, including Russia and China, have put forward proposals to regulate aspects of the Internet like “crime” and “security” that are currently unregulated at the global level due to lack of international consensus over what those terms actually mean or over how to balance enforcement with the protection of citizens’ rights.[From The United Nations and the Internet: It’s Complicated – By Rebecca MacKinnon | Foreign Policy]
All of which suggests to me that the problem might require something more infrastructural than a bunch of old duffers like me fiddling about with laptops in the snug. We need business to work with government to do something about it, and I think that a high-level commitment to a sensible identity infrastructure might be a place to start. The longer we persist in messing around with passwords and similar pseudo-security, the more the mysterious foreign viruses will attack. One of this year’s Economist “top ten” global trends for business leaders to factor into their strategies is cybersecurity.
Cyberspace is the new frontline for security. Knowledge and information is a source of competitive advantage for organizations, nations and individuals. But it’s a growing challenge to retain control as mobility and the democratization of everything (commerce, politics and societies) increases – along with cybercrime and cyber war. Look for a rising tide of litigation, policies and regulation. Digital freedom or a “big brother” society?[From Global trends for 2013: A top ten for business leaders | The Economist]
I don’t think it’s an entirely accurate dichotomy, but you can see the idea they are getting at. On the one hand there are people who think that people should be able to communicate freely over the open public internet, and on the other hand there are those who want to control, spy on and censor inter-personal communications: the Icelandic government, Sony UK, Hillary Clinton and me, for example (although I want to do it in a better way). Time for some better informed public discussion, I think, and a rational debate about what to do about cybersecurity.
These are personal opinions and should not be misunderstood as representing the opinions of Consult Hyperion or any of its clients or suppliers.
I’ll share your concerns (and probably raise you several more) over the ‘cyber reserve’ if it does indeed turn out to be “a bunch of old duffers…fiddling about with laptops in the snug”. But I’m optimistic that it might be more like the Specialist Group Royal Signals, a unit staffed entirely by reservists which has been running since 1999 and parts of which do network defence for the Army. The people they get in are all information assurance/network defence specialists, who are unlikely to want to leave high-flying and well-paid jobs in industry to join the Army full-time. Getting that expertise into the military makes a lot of sense, and if this policy turns out to be a genuine and thought-through attempt to apply the same principles more widely across the CNI, then it’ll surely be a very shrewd and useful move indeed. Fingers crossed…
Nice piece, Dave. Best wishes.