Cyber security – former Defence Secretary criticises companies ‘in denial’ of cyber threats
The former Defence Secretary Dr Liam Fox has spoken about his concerns about the varied (at best) understanding of the potential cyber threats currently being faced by organisations and also about the lack of urgency in dealing with them.
In his speech at the Royal United Services Institute, which he called “War of the Invisible Enemy”, he said:
“As we have become more dependent on technology to lubricate the wheels of our everyday activities, so we have become more vulnerable to either the failures of the technologies themselves or our ability to access them. We are being drawn inexorably into the era of the ‘War of the Invisible Enemy’…
Technology gives advantages but also potential weaknesses… The Chinese, in particular, are spearheading a new approach to security, which is not to match our military capabilities like-for-like but to deny us access to our own defence capacity.
It is against this background that we need to consider the whole range of cyber vulnerabilities. Although we talk about cybercrime, cyber espionage, and cyber warfare as being separate entities they are in fact part of a continuum… we cannot draw clear distinctions between different types of cyber threats.”
Cyber crime – the three elements which make it attractive to criminals
Dr Liam Fox explained that there are three elements of cyber crime which make it so attractive to criminals:
- Low risk with potentially high returns
- Largely has the advantage of anonymity
- Often goes unreported
“Contrary to the image so often portrayed in our newspapers and broadcast media, cyber criminals are not typically the sad geeky teenagers trying to impress others with their ability to hack into big organisations but veritable armies of terrorists, agents of hostile states or drug cartels. They use fraud and extortion to fund their activities and do so on a truly industrial scale.”
In his speech, Dr Liam Fox spoke about recent high-profile attacks, including those on the United States Army, TripAdvisor and JP Morgan. The JP Morgan breach went undetected for two months, giving the cyber criminals the opportunity to compromise 76 million personal accounts and 7 million business accounts.
Cyber espionage – the main aim is to gain information
The main aim of cyber espionage, Dr Fox said, was not to make a monetary gain but to gain information, often in the form of industry ‘know how’ or IP. Potential opportunities for this to occur were:
- during the process of acquisitions and mergers, when potential partners have access to each other's systems and could potentially introduce spyware;
- by lower-paid staff, such as cleaners, accepting financial inducements to access systems out of normal office hours and introduce malware onto computers which were left on;
- by employees accessing social media through work computers, mobiles and tablets, opening up a gateway for competitors to huge amounts of information about valuable contacts etc.
Cyber warfare – preventing access to systems and capabilities
Finally, Dr Liam Fox highlighted that cyber warfare differed from traditional warfare: it was no longer about matching capabilities, but rather about denying the other party access to their own systems and capabilities. Developed countries with a huge reliance on advanced technologies, such as financial systems, telecommunications, healthcare and even critical infrastructure, were particularly at risk.
Dr Liam Fox – steps to mitigate the cyber risks
Dr Liam Fox said:
“…particular attention needs to be given to staff. 80% of malicious attacks on companies come from inside their own organisation. In any organisation that is serious about cyber security, all staff need to be screened…
Just as important is the education of staff in relation to the portals that they handle on a daily basis – mobile phones, tablets and computers. They need to understand that this is company property and that to leave it exposed and vulnerable either by intent or carelessness is a serious, possibly sackable offence…
Another area which needs to be considered is the security of business and supply chains. Those involved in cybercrime or espionage, in particular, will be looking to find the weakest link as a way into a wider system, and minimum standards of cyber security need to be applied not just at the highest level in any business chain but throughout.”…
“There are two other areas for change that I would propose. The first is legislative and the second is organisational.
… I believe the government needs to change the law to make it illegal to be hacked without informing shareholders and other stakeholders.
The second change I believe we need is in relation to those who do business with government. As I have already pointed out, it is much easier to penetrate a small company in a supply chain than a major organisation such as the Ministry of Defence. That is why I believe the government should insist, legally, that any organisation that does business with government should have a minimum defined level of cyber security or they will be excluded from government contracts.”
Read the full speech at “War of the Invisible Enemy”.
A fascinating (and some would say long overdue) call to action over cyber security from the former Defence Secretary. Interestingly, the MOD now requires the Government-backed Cyber Essentials certificate as a minimum baseline security standard for its supply chain.