One cloudy morning in November, executives from major UK banks gathered together to play a war game. The top secret exercise, called Waking Shark II, was a test of the UK banks’ strength to resist a prolonged cyber-attack.
This exercise isn’t unique, because the UK is at war. This time there will be no fighting in the trenches, gunpowder or bloodshed. The battlefield is online, and the struggle is over information.
According to Alastair Paterson, CEO of Digital Shadows, major cyber-attacks on the UK companies that hold our personal data are happening right now.
There are so many kinds of cyber-attacks out there that companies should learn to expect everything. “There is some very sophisticated malware that is able to sit in the browser that you use when you are transacting with a bank and it can make it seem like you have just sent £20 to your mother, when in fact you have sent £20,000 to a cyber-criminal,” he said.
The Cabinet Office estimates that cyber-crime costs the UK around £27bn every year. The biggest target has been the banking sector.
Paterson said: “Some of the banks haven’t been the most popular for the last few years, so there are people with a political point to make, who target the banks for that reason alone. You have obviously got to look at organised criminals, because it’s a lot easier to steal a million pounds from a cyber-attack than a bank robbery.”
It’s not just money that the hackers are after – our data is now the most valuable currency in the world. As people open their online horizons by increasing connectivity through new gadgets and uploading personal data to the cloud, confidential information has never been more vulnerable to attack.
The Digital Shadows CEO said that the world is changing quickly: “In the old world, companies kept all of their data in the centre of their network and they built big walls around the edge, with firewalls and anti-virus and web content gateways and other boundary controls.
“Suddenly you have social media, you have cloud services (like Dropbox and others), and everyone has mobile devices and tablets. All of these forces mean that there is a lot more data outside the boundary that there ever was before. It is a completely different landscape, the boundaries are dissolving. Suddenly, these large institutions have to worry about what’s going on outside as much as they do about what is going on at the edge of their network,” he said.
Chema Alonso, IT expert and white-hat hacker, said that cyber-attacks will get worse: “The number of attacks against organizations and governments has increased over the last few years. They have become more complex and elaborate, surpassing anything we have seen even in science fiction movies.
“Technology and the internet have now become an important part of our lives: every company is connected, but there are also connected cities that coordinate all their services through the internet. The logical channel for any attacker is to use the internet. I don’t doubt that this kind of attack will increase,” he said.
According to information from The Financial Times, the National Crime Agency has thwarted two large attacks against UK interests in recent months, involving over £250m of potential damage to businesses, government officials said. Around 2,200 NCA officers have now been trained as “digital investigators”, specialising in dealing with online crime.
Alonso said: “Pandora’s box opened years ago. Since the Stuxnet attack on Iranian nuclear power plants, countries have witnessed the potential to use the internet as a weapon, and the need to form cyber armies to protect IT systems throughout the country. I think that every country is, in some way, part of a hidden war which is still in its early stages, with controlled operations. Intelligence in armies is now dedicated almost exclusively to the internet, as we saw through Edward Snowden’s leaked documents.”
Although countries are taking a more militant approach to cyber-crime, not many governments are willing to admit that they are arming themselves for a charge. Phillip Hammond, Secretary of Defence in the UK, was lambasted earlier this year when he talked about developing a new offence strategy to lead the attack on cyber-crime, potentially developing a full spectrum military cyber capability, including a strike capability. Although some other countries are thought to have measures in place to attack systems that they consider a threat, this was the first time that an official openly shared that information.
Two years ago, the government launched an £860 million National Cyber Security Strategy (NCSS) to fight online crime, and have this month come up with their first official report.
A Cabinet Office spokesperson said that the government can’t solve the cyber crisis alone, and are hinging their approach on building partnerships between the government, law enforcement agencies and the private sector.
He said: “The private sector is the largest economic victim of crime and economic espionage perpetrated through cyberspace, and much of the infrastructure we need to protect in the UK is owned and operated by the private sector.”
The imperiled private sector is torn between innovation and security, posing an important problem for cyber security companies. Paterson said: “The security industry seems to lag behind by a few years and typically we see that anything that benefits the business trumps safety concerns because revenue and competitive advantage are so important.
“We think absolutely, companies should be adopting all of the latest technology, like social and mobile and cloud, precisely because it gives them that leg up and that competitive advantage. The downside is the security aspect, so they have to take a responsible attitude to it. While embracing the latest technology, we want to double the security efforts to try and protect them.”
If UK companies and organizations want to continue to invest in new technology, it is crucial that they resolve this security threat. It’s clear that the risk to our information is real and that it’s more likely for people, rather than companies, to become casualties of cyber war. The fight to own and use our information is ongoing: for better or worse, it looks like the war against cyber-attacks has just begun.
Creative Commons image Ivan David Gomez Arce