Is the UK prepared for Cyber Warfare?
	
  
	
	   © 2000, Parliamentary Information Technology Committee
	
  
  
  
  
	The discussion was led by:
	 Bill Robins, Business Development Director, Alenia Marconi Systems
	 DK Matai, Managing Director, mi2g software
	 Simon Davies, Privacy International
  
   
  
	
	   
	
  
  Bill Robins says we still have time to mobilise against a massive cyber-attack
  In Information Warfare, the deal is not the technology but the management: 
	the way you manage your way through the attacks. If you get excited about 
	this in a nerd-like way, you have probably lost the plot. Information Warfare 
	is important; much too important to be left to the military. 
  Modern war
  From the point of view of the military, the definition of Information Warfare 
	is to make the best use of information for your own purposes, while denying 
	that to the opposition. The opposition is, of course, nowadays very dispersed.
	In a place like Kosovo, it may be separate bunches of people who do not do 
	each other any good. It all becomes very complex, and one tends to get a very 
	mixed degree of trust between various parties.
   This is rather like the business environment. Information Warfare has become 
	so important because, whereas five years ago, IT was little more than a filing-cabinet, 
	now it is the fuel of a nation's GDP. The trend is coherence, the integration 
	of information from all sources, and this means connectivity to the home.
  Asymmetric warfare
  And the more integrated we are, the more vulnerable we become. This can be 
	used in two ways. The first is for a rich nation to use the technology to 
	thwart a much larger nation. The second is the way the infrastructure of a 
	country can be exploited by a much smaller power. The USA's Department of 
	Defence calls this asymmetric warfare.
   On 16 March 99, the Financial Times reported that China was building an 
	offensive IW capability targeted on the USA. Last November, the Computer Bulletin 
	reported that there were 250,000 attacks on American Department of Defence 
	installations in 1995. The writer, Brian Gladman, concludes that there are 
	no defences that are both complete and affordable. We are balancing degrees 
	of risk. I see no immediate danger of an electronic Pearl Harbor or a melt-down 
	of the UK's information infrastructure.
  Things are getting worse
  We have, I believe, a window of opportunity to get this nation prepared for 
	a serious attack before it happens, before sophisticated individuals join 
	forces with powerful institutions with a political motive to do something 
	really harmful.
  I believe that the situation is getting worse for a number of reasons:
   o In the 1980s an intruder had to have considerable technical knowledge.
   o Systems were rarely connected. 
  
Now people describe the details of viruses on the Net. Trapdoors and backdoors 
	are published, with pull-down menus. A lot more people can do a lot of harm. 
	A lot of them do get caught, but it is happening now in a much more sustained 
	way.
  The danger of outsourcing
  The other point is outsourcing. It is popular and could become more so. The 
	danger is not outsourcing itself, but sub-outsourcing of parts of the system. 
	We find that we have lost sight of people who manage key parts of our systems. 
	The third point is: how do you know when you are under attack? 
  In 1994, the Department of Defence IS Agency in Arlington Virginia launched 
	some 12,000 attacks on DoD installations. More than 98 per cent, I am told, 
	were successful. Of those, 90 per cent were not detected, and the organisations 
	concerned had to be shown that they had been successfully attacked. Intruder 
	protection systems are now much better than they were, but this does still 
	give concern.
  The international dimension
  Then there is the international dimension. Any clever hacker makes sure that 
	he builds an international pathway through some nations that do not have the 
	same attitude to hackers as we might. This makes life difficult for the security 
	people.
  A collection of insecure parts
  My final point is directed to the software industry. The drive to functionality 
	has driven systems from tightly drawn protected systems into rich but vulnerable 
	systems. You have seen criticisms in the press of vulnerable widely-used operating 
	and application systems. This will continue. We, as an industry, have got 
	to get our act together. Otherwise, tomorrow's integrated system will be a 
	heterogeneous collection of insecure parts.
  Threat and response
  Turning to the national information infrastructure, the risk overall is a 
	function of threat and response. The first part is security: will the data 
	be protected from being read? Then comes integrity: will the systems let us 
	down? Will they be available when we need them? Then there is authentication: 
	can I be sure of the identity of who has told me something over the Net? Lastly 
	"non-repudiation". If I have done a deal over the Net, can I be sure that 
	it will be fulfilled? 
   The sixth rule of System Security is the "insider threat". Our worst danger 
	is ourselves and our own people. To handle all these threats, I recommend 
	the BS 7799 standard, which has been adopted by the Dutch and the Australians 
	as their standard too. There is a vast amount of USA experience on the subject, 
	and the "US National Plan for Information Systems Protection", published in 
	January on the White House website, is an impressive document.
  A single responsible body
  The departments of Government, which are combating these threats, must accept
	there must be a single responsible body. On 20 December last year, a National 
	Infrastructure Co-ordination cell was set up, to run the UNIRAS, the Unified 
	Incident and Reporting System, which is the central body, which takes reports 
	of intrusions, collates them and creates central policies to improve things 
	in the future.
  
	
	  DK Matai lists some of the major attacks over the last few years
	
	
  
  
	
  
  In 1999, the value of the Internet economy was already $300 billion, larger 
	than either the energy or telecom sectors. This year it should, at $500 billion,
	have overtaken the automotive sector which took 75 years to get to its present 
	value.
  Defining eRisk
  We define eRisk as "problems that occur in business or government from system 
	overload or electronic attack from viruses or hackers". Those at risk are 
	business and financial companies, utilities and national security agencies.
   There are four broad types of electronic attack: denial of service, piracy, 
	surrogacy and hazards. 
   o By denial of service, I mean making a computer system or website 
	unable to service its customers. 
   o Piracy is to do with intellectual capital stored behind that website 
	or server, being stolen by foreign governments or malevolent characters around 
	the world. 
   o Surrogacy is pretending to be a well-established brand name, to 
	make purchases over the Internet.
   o Hazards take place when a hacker or terrorist gets hold of details 
	of personnel working in sensitive parts of the world for the purpose of blackmail, 
	by threatening to publish the address of such persons on the Internet.
  Taking counter-measures
  To counter these attacks an e-business must consider four elements of e-risk 
	before going online. The first is legal: in many countries there is little 
	legal framework for financial institutions or other e-traders to work under. 
	Nor is the consumer protected, when buying something outside his country's 
	jurisdiction. We are still in an embryonic phase.
   There are human resource problems. When we see attacks on finance institutions, 
	where we have clients, we find that the in-house staff have been suborned. 
	There is collusion between outsiders and insiders. There has to be legislation 
	to halt this kind of activity.
   Finally, there is the question of insurance. Lloyd's of London is leading
	the world in electronic risks insurance. More needs to be done to create legislation 
	to stop firms going online without appropriate insurance. At the moment, there 
	is no government consideration about the needs for insurance.
  Who are the hackers?
   There are about 10,000 serious hackers in the world today. They are able 
	to camouflage their trails, move money from one bank to another. About 60-70 
	per cent are disgruntled employees. Others do it for financial gain. Some 
	do it for the challenge and as an intellectual game. In the last 12 months, 
	there have appeared some with political motivation. In a survey of 2,700 security 
	professionals, the number of attacks made by hackers and terrorists was estimated 
	to have risen from 14 per cent in 1998 to 49 per cent. 
   Attacks by foreign governments have also risen sharply, largely because 
	of the Kosovo war. NATO and DoD systems were attacked, and some DoD systems 
	were disabled for over 36 hours. After the bombing of the Chinese Embassy, 
	over 140 American companies were attacked and their websites defaced with 
	anti-American graffiti. The White House site itself was defaced by Hong Kong 
	activists.
   We also have to fear those who go into the websites of stockbrokers and 
	change the prices in a very subtle way. In 1999, the "Hackers Unite" group 
	accessed Microsoft Hotmail, using only nine lines of HTML code, bypassed security, 
	and gained access to all the e-mail accounts. They hacked into information 
	posted on the Web and caused the Market Cap to fall $15.3 billion.
   In 1999, an American student "MagicFX", aged 22, hacked into eBay, the Electronic 
	Auction site, valued on 8th March at $21.3 Billion. He took "root access" 
	to the computers, which allowed him to change the prices, place false statements 
	and images on the site, divert traffic to other sites and crash the whole 
	eBay network. As a result, 60 per cent of its share price was wiped out in 
	12 weeks.
   In November 1999, the Halifax suspended its Internet share-dealing service 
	after customers were able to access other people's accounts, because of faulty 
	system design.
  President Clinton acts
  So, the dangers in Internet trading are very real. So much so that in January 
	1999, President Clinton allocated $1.46 billion to improve US Government computer 
	security against cyber-terrorism. He increased this money by $600 million 
	and in January 2000 asked for $2 billion more expenditure to form an Institute 
	to tighten eSecurity, and to provide scholarships in computer security.
  
	
	  Simon Davies blames the American Government for privacy and encryption policies 
	
	
  My task is to appear as a privacy advocate, a term of abuse in the commercial 
	world. However the individual and the business both want to keep their information 
	secure. Our intention at the moment is to persuade the US Government to create 
	a privacy law. Once the USA takes the lead, the whole security culture will 
	change.
  Wanted: a good encryption law
  For the past five years, we and other cyber-rights and liberty organisations 
	have tried to persuade the UK Parliament to adopt responsible encryption law. 
	At the 'Scrambling for Safety' conferences from 1997 onwards, we were at loggerheads 
	with the DTI, with Downing Street, with the Home Office, GCHQ. If we have 
	a threat now, it is because the US Government has been responsible for destabilising 
	the development of secure encryption and a wholesome security culture. The 
	UK Government has followed suit.
  There is no risk-analysis
  I was brought out last month to Washington DC by the Rand Corporation to 
	advise the Army on whether it should establish new identification systems 
	and access control systems for computers and battle environments. At a meeting 
	with most of the Government agencies I asked whether anyone could provide 
	me with a threat analysis as a basis for the discussion. No one had an answer, 
	and it turned out that all the tens of million dollars asked for was at the 
	request of a West Virginian Senator, as an employment generator in his State. 
	We asked for the definition of unauthorised attacks behind these figures of 
	250,000 attacks, and got no answer.
   Corporates know what it means to secure their systems, but I believe that 
	at the national infrastructure level, the problem is obscured by rhetoric, 
	a luridly painted bucket into which we throw everything. It is like national 
	security. There seems to be no interest in public debate. I think we need 
	that. Perhaps we should revisit the idea of what we mean by a national encryption 
	policy. Encryption is the future battleground of privacy and of security. 
	If we don't get it right in the next year, we will be in trouble, because 
	UK Government legislation is actively discouraging trust. 
  The RIP Bill does not help
  When I look at the RIP Bill, I see that the police can demand your key. If 
	you cannot provide your key, you can be imprisoned for up to two years. If 
	you tell your lawyer or anyone else, you can be imprisoned for up to five 
	years. It is an extraordinary breach of what we have gone through to develop 
	trust in information systems. And I would urge PITCOM members to see if there 
	is any way to reverse this trend.
  
	
	  Comments and questions
	
	
  
	
  
  John McWilliam MP, Chairman PITCOM: You make out that
	the NSA and GCHQ do not trust anyone. Surely they only act when there is suspicion 
	of criminal or terrorist intent? 
  Simon Davies: They are playing two hands in the card
	game. It is generally accepted that the NSA, and presumably GCHQ as well, 
	have been intercepting commercial communications. It is not just about crime: 
	it is about economic intelligence gathering. Congress will be debating this 
	in March. 
  Margaret Ross, BCS Southampton: Is it time to look
	again at the Computer Misuse Act and the Data Protection Act? 
  Bill Robins: Older legislation should be looked at
	to counter these new threats. A general point I would like to make is that 
	the longest encryption key is useless if it comes in a faulty envelope. An 
	integrated security system will deter the casual hackers who give most of 
	the trouble at the moment. 
  DK Matai: Twenty-five per cent of the attacks come
	from Eastern Europe, and it is therefore important to internationalise the 
	Computer Misuse Act. 
  Adrian Norman, Consultant: It is time to collaborate,
	not just to get one's own system right. Otherwise, we will be like a safe 
	driver on a road on which most others cannot drive, or drive according to 
	different rules.
  DK Matai: The financial community seems reluctant to
	co-operate with each other in the City of London on these matters, let alone 
	between two countries. The community is not yet mature enough to produce standards. 
  
  Bill Robins: Indeed, if I am travelling in France and
	buy a German product from an American store on the Net, where does the responsibility 
	lie if the transaction goes wrong? 
  Simon Moores, Chairman Research group, mi2g: Should
	we not go for a national government network, or at least a back-up system, 
	using different security protocols? 
  Simon Davies: You have to look at the failure of the
	NHSNet, to see what happened to this grand vision of a health infrastructure.
	I wouldn't trust the Government with such a system.
  Simon Coombs, ex-treasurer of PITCOM: How many hackers get caught?
  DK Matai: Some years ago, a Russian hacked into the
	CitiBank in America, and was caught. Ninety per cent of attacks are not reported 
	by financial institutions for fear of adverse publicity. 
  Bill Robins: One wonders whether mandatory reporting
	of attacks is a good idea. I suspect it may give more trouble than it is worth. 
	However, a central record of those who have suffered such attacks would be 
	a good thing. We do need a National Security Cell, covering the utilities 
	as well as government. At the moment, discussion on a National Security Infrastructure 
	flops about a bit. 
  David Firnberg: Who is going to kick the backside of
	the ostrich? I ask this because there seems to be a lot of ostriches here 
	today, with their heads in the sand. Who is going to be the prime mover to 
	solve these problems: the NCC, EURIM, or the Government?
  DK Matai: The Government and other governments around
	the world.
  Bill Robins: The Cabinet Office has been leading policy
	in this area and the Home Office will become the managing Department. What 
	is now needed is close co-operation between Government and Industry. This 
	is still not happening as much as it should. There will be new skills arising 
	in the security area: computer crime investigation for example. There must 
	be better supervision by IS managers. Those are the people who we will have 
	to rely on.
   Good personnel management is essential. There must also be increased awareness 
	of information warfare in related professions: the legal profession and others. 
	This could all be part of Alex Allan's e-commerce initiative. Without security, 
	e-commerce is not going to get off the ground. Nobody is going to trust it.