WAR OF THE INVISIBLE ENEMY”
SPEECH BY THE RT HON DR LIAM FOX MP
ROYAL UNITED SERVICES INSTITUTE (RUSI)
MONDAY 11th JANUARY 2016 13:00hrs
WATCH: Dr Fox’s Cyber Security Speech at RUSI
Check against delivery…
We live in new world. A world of interdependence where risk in one part of the globe quickly spreads to the rest. Contagion – whether economic – such as the 2008 banking crisis, natural – such as SARS or terrorist – such as 911, will ricochet around the globe. As I wrote in my book, Rising Tides, if Francis Fukiyama had called his book “The end of geography” rather than “the end of history” he would have been closer to the mark.
Nowhere has the rate of change been greater than in the world of communications technology. President Bill Clinton put it concisely when he said, ‘When I took office, only high-energy physicists had ever heard of what is called the World Wide Web . . . Now even my cat [Socks] has its own page.’
It is astonishing to think that in the middle of 1993 there was a total of 130 websites. By the end of 2014 this had risen to well above 950 million. To put things in context, at the end of 1995, during President Clinton’s first term, around 16 million people (0.5 per cent of the world’s population) were using the Internet. By the end of 2012 this figure had ballooned to 2.75 billion people, around 39 per cent of the world’s population.
Today I want to talk about some of the new threats that we face as a result of these changes and some of the new ways of thinking that we need to incorporate as a result. Of course, in the wider context, we need to consider not only what is now conventionally seen as cyberspace but also the information elements involved in hybrid warfare. However, time only allows me to deal with the former today.
I recently spoke at a gathering of Swiss bankers in Lugano where I was surprised both by the variation in understanding of the potential cyber threats they were facing and the apparent lack of urgency about dealing with them.
As I pointed out, the first thing we have to learn about this new world is that we cannot disaggregate risk in the way that we might have been able to do in the past. Our dependence on new communications technology and the vulnerability that it brings with it has added a new risk to the mix.
As we have become more dependent on technology to lubricate the wheels of our everyday activities, so we have become more vulnerable to either the failures of the technologies themselves or our ability to access them. We are being drawn inexorably into the era of the ‘War of the Invisible Enemy’.
This is not the Cold War where individual spies smuggled small pieces of information to their Soviet handlers in London clubs or Viennese cafes. Nowadays we can have the vast theft of electronic material by traitors like Snowden who massively compromised his country’s national security – and ours- and quickly jumped on a plane to Hong Kong and Moscow.
Technology gives advantages but also potential weaknesses. When the Chinese shot down one of their own satellites in space it was not to show themselves that they were capable of doing so, but to show the rest of us. The naval fleets of the West may be advanced and powerful but not if they don’t know where they are. The Chinese, in particular, are spearheading a new approach to security, which is not to match our military capabilities like-for-like but to deny us access to our own defence capacity.
It is against this background that we need to consider the whole range of cyber vulnerabilities. Although we talk about cybercrime, cyber espionage, and cyber warfare as being separate entities they are in fact part of a continuum. Just as we cannot disaggregate some of the risks I mentioned earlier, so we cannot draw clear distinctions between different types of cyber threats.
It is an old adage that crime doesn’t pay but we all know that some crimes pay better than others. Cybercrime has at least three elements which make it more attractive: it is generally low risk and high return, it largely has the advantage of anonymity and it is often goes unreported. While estimates of the cost of cybercrime vary, it is thought that the annual global bill runs somewhere between hundreds of billions and trillions of dollars.
Contrary to the image so often portrayed in our newspapers and broadcast media, cyber criminals are not typically the sad geeky teenagers trying to impress others with their ability to hack into big organisations but veritable armies of terrorists, agents of hostile states or drug cartels. They use fraud and extortion to fund their activities and do so on a truly industrial scale.
The first lesson that I want to leave with you today is that those who leave themselves vulnerable to these activities make themselves part of a national security threat, usually as a result of lack of diligence or a lack of understanding.
We have heard a great deal in recent times about the concept of a denial of service attack, where information overload results in the inability of a company or organisation to continue with normal function and service its customers. Yet, what is less well known is that these denial of service attacks are very often a smokescreen used by cyber criminals to perform a secondary crime.
For example, the confusion caused by the attack may be used as an opportunity to implant malware into the system which can subsequently be used to extort ransom by threatening to cripple the system itself. Nokia were recently a victim of such an attack when blackmailers successfully persuaded the company to part with a suitcase containing millions of dollars in exchange for a crucial piece of smart phone software.
When the victims do not accede to the criminals’ requests they may find that their systems data is wiped, their files are encrypted to the point of becoming useless or the information in their customer base will be used and misused, often in subsequent financial crime.
Attacks may come from outside or inside any organisation. Those who have been subjected to high-profile attacks in recent times range from United States Army to TripAdviser.
In 2014 the banking giant JP Morgan had cyber criminals sitting on their servers for over two months before being detected – around 76 million personal accounts were compromised along with 7 million business accounts.
I have already mentioned the case of Edward Snowden who compromised the national security of his country and its allies acting from within the US security architecture.
But cybercrime can be profitable in some unexpected areas. Healthcare is a case in point where attention to patient care often leaves information security as a secondary issue. In the US in particular, healthcare mergers have often left multiple IT networks running in a single hospital.
Although there have been no reported hacks at the NHS, it is currently facing more than £1.3m of fines for compromised data. Last year in the US the health records of over a hundred million people were hacked, a hundred times more than in any previous year. It is thought that many of the attacks originated in China where the Chinese government is keen to find out how medical insurance databases are set up so that they can construct similar systems of their own.
There is of course the possibility of such data being collected for intelligence and espionage purposes and US authorities are increasingly concerned about what may be a potential threat to national security.
So how much are your healthcare records worth on the market? It is sobering to note that credit card data can be purchased on the dark web for as little as a dollar while a set of medical records can sell for as much as $2000 on the black market.
Probably the greatest difference between cybercrime and cyber espionage is that, in the latter, the aim is not to make monetary gain through a ransom but to gain information. Often this will involve a strategy of remaining undetected in order to gain proprietary knowledge, understanding of the business strategy or details of IP development.
This can be done in a number of ways and generally exploits gaps in security where business is being done “in the way it has always been done”. A very good example of this is during the process of mergers and acquisitions where potential partners have unparalleled access to staff and communications and are able to exploit this to their own benefit.
The ability during this period to insert spyware which can potentially stay undetected for a long period of time is a major weakness in the cyber security of many companies and, given that such spyware can be purchased for as little as $250 from the dark web, provides an enormous temptation to the unscrupulous.
Another major weakness is the failure of companies to properly security clear the most junior staff, especially those such as cleaners.
Not only are these likely to be the lowest paid employees, and therefore more susceptible to modest financial inducements from outside sources, but they will often have access to premises that are otherwise empty. A few minutes, while they clean an office or a room, can be enough time to insert a USB into a computer port and infect the system with malware, especially where employees add to the risk by leaving computers on while they simply switch off their monitors.
How many of us can honestly put up our hands and say that we have never been guilty of this particular piece of negligence?
A more traditional, “James Bond style”, of cyber espionage is the classic honey trap. Despite what the general public is likely to believe secrets are much more likely to be betrayed over cocktail parties than in the bedroom. Those eager to impress another can all too easily spill out information over a drink - or four!
There are, however, more subtle ways to achieve the same effect. When someone asks to use your mobile phone to make a quick call because they have left theirs at home think twice. Likewise, when someone offers you the use of their laptop or tablet to access your email account, or asks for your password, it may be the key to opening up vast amounts of data that you would not want them to have.
Even more likely than these two methods of cyber espionage is the voluntary exposure induced by employees when they access social media through their work computers, mobiles or tablets. This can provide a gateway to a huge array of information of networks and contacts that can prove invaluable to competitors or saboteurs.
Activities such as these will not be confined to those who operate in the same business base but in the case of China, for example, represents hacking on an industrial scale in attempts to gain access to market information that might prove valuable at a national level. Neither is it only small companies that are likely to be targeted.
A hack known as “Titan Rain”, believed to have been the work of Chinese groups started in 2003-4 as an attempt at corporate espionage, lifting sensitive information from the computer networks of major US Defence contractors, including those at Lockheed Martin, Sandia National Laboratories, Redstone Arsenal, and NASA.
The attack then spread in 2005-6 to involve the networks of both the US Department of Defence, and our own MOD. The MOD have always declined to say whether their systems were compromised, but it is believed that the same attack managed to shut down the House of Commons computer system for almost a day in 2006.
Although the MOD admitted that the hacks originated in China, they declined to link them directly to the Chinese government or the People’s Liberation Army.
This is an example of how the line is blurred between corporate and state cyber-espionage.
Two other recent attacks are worthy of note for different reasons.
During March and April 2014, the US Office of Personnel Management was subject to one of the largest personal data breaches in history.
For over a month, an as-yet unknown group of hackers syphoned off the personal data of over 21 million US Civil Service employees, including names, addresses and social security numbers; more than enough to clone their identities. The most arresting aspect of this breach however was the theft of 5.6 million sets of fingerprints from the department.
For the first time, cybercrime had been used to steal not only a person’s legal and financial identity, but part of their physical identity as well.
The one that most people will be aware of, however, because it relates to the media and celebrities is the November 2014 hack of Sony pictures entertainment. There is nothing to stimulate media attention like stories about the media! Sony Pictures were hacked in the run up of their release of The Interview, a film about two American reporters traveling to North Korea to assassinate Kim Jung Un.
A group calling itself the ‘Guardians of Peace’ appropriated the private information of employees and their families, internal company emails, and footage from unreleased films. Unsurprisingly, the finger pointed clearly at North Korea.
Let me turn to the third element – cyber terrorism and warfare. Traditional warfare is costly in both human and financial terms, so there is a constant incentive to find alternative ways of achieving the same end. The high altitude spy planes of the Cold War have given way to the unmanned aerial vehicles (UAVs) or drones that have themselves evolved from purely information gathering to having attack capability. In recent years they have been used extensively in Iraq and in the mountains of Pakistan and of Afghanistan.
The first point to make about cyber warfare is that it is not always about matching capability. The Chinese in particular, do not invest vast sums trying to recreate America’s conventional capability (although their defence budget has risen massively in the last five years), but in developing systems that will deny America and its allies access to their own systems and capabilities. It is worth pointing out that the US defence budget is still the size of the next eleven combined!
The whole concept of cyber warfare is based upon the ability to bring developed rivals, who are hugely dependent on advanced technologies, to their knees by denying them IT capability. This may happen across the financial system, across telecommunications or even in healthcare. Perhaps most worryingly, is the effort being put into disruption of critical national infrastructure such as power generation and transmission. It is known that terror groups in countries such as Pakistan, Iran, Syria and Kenya have in recent times been recruiting IT experts in this area with the specific aim of developing such a capability.
Terror groups have been increasingly involved in projects to make drones ineffective or, worse, to turn them around and send them back to return fire on their senders, the so-called “return to sender” concept.
In Syria, a group known as Project viridian have been able to take out the Syrian stock exchange with huge knock-on financial impacts.
In Iran, a group known as Parastoo has not only been recruiting IT experts with knowledge of financial markets and electricity transmission but has already been linked to an attack on an electric substation in California on April 16, 2013. It would be extremely naive to believe that we can expect anything other than more of the same!
So, what can be done about this seemingly vast array of problems? There is understandably a great deal of commercial activity linked to dealing with yesterday’s threats and it is no more than common sense to install anti-viral software in our computers - but we would be wise not to put too much faith in this as a means of protecting us from future threats.
As I have already mentioned, particular attention needs to be given to staff. 80% of malicious attacks on companies come from inside their own organisation. In any organisation that is serious about cyber security, all staff need to be screened from the more senior executives right down to the janitors and cleaners. The more senior the staff, and the greater their access to sensitive information, the deeper the screening needs to be including physical as well as digital checks.
Just as important is the education of staff in relation to the portals that they handle a daily basis – mobile phones, tablets and computers. They need to understand that this is company property and that to leave it exposed and vulnerable either by intent or carelessness is a serious, possibly sackable offence. In particular, they must understand that social media can act as a Trojan horse, allowing threats from the outside to easily gain access to complex data about their organisation with potentially devastating consequences.
Another area which needs to be considered is the security of business and supply chains. Those involved in cybercrime or espionage, particular, will be looking to find the weakest link as a way into a wider system and minimum standards of cyber security need to be applied not just at the highest level in any business chain but throughout.
Some companies have developed ethical hacking services, such as KCS in the UK. These can enable companies to test the cyber security in real-time and to determine weaknesses that they may not have previously perceived.
They have developed a programme known as Glasswall, which is able to track the movements of documents within an organisation, detailing from the outset who had access to such documents and what they did with them.
In a recent test of their Sentinel program, they found that a desktop had been disconnected from the server for just a few minutes and a removable drive had been inserted. As a result, they were able to identify that 2000 files had been copied by an employee who had already resigned and was intent on taking up a post with a rival company, taking information with him.
All this has huge implications at the national security level. One of the major challenges we have is the need to persuade both the public and the military that we need to spend more on the invisible technology that will protect us from some of the threats I have described.
In a finite budget environment, this may mean that we will have to disinvest in some of the things that we can see, our traditional military capabilities, so that we can invest in things that we cannot see, ie cyber capabilities. The alternative, and most rational course, is an increase in overall security spending although this is a hard sell in democratic countries which have become addicted to welfare provision and take security for granted.
We also need to develop proper cyber doctrine in the way that we did in the emergence of the nuclear era. We need to determine how we would respond to potential existential threats and how we will use asymmetry to both deter and, if necessary, deal with cyber aggression.
There are two other areas for change that I would propose. The first is legislative and the second is organisational.
I believe that the law needs to change in two major ways. As I mentioned earlier, denial of cyber intrusion is too often the response of companies worried about their reputation. This encourages entirely the wrong culture. If the fund holding my pension is being hacked and my money lost, I want to know about it. That is why I believe the government needs to change the law to make it illegal to be hacked without informing shareholders and other stakeholders.
The second change I believe we need is in relation to those who do business with government. As I have already pointed out, it is much easier to penetrate a small company in a supply chain than a major organisation such as the Ministry of Defence. That is why I believe the government should insist, legally, that any organisation that does business with government should have a minimum defined level of cyber security or they will be excluded from government contracts.
The final change refers to the structure of government itself. I believe that the current structure of Whitehall and the way that our cyber security is arranged is outdated, too complex and is an inefficient way of using taxpayers money. I would like to see all government cyber activity, including both its offensive and defensive capabilities, concentrated in one place and answerable to a single ministerial portfolio. We cannot afford either the luxury or risk of unnecessary duplication and diversion of resources, not to mention the misplacement of the vital, but finite, individuals with the necessary skills to carry out these tasks.
The task of responsible politicians is to ask today the questions that the public would ask the day after a major security breach. They may not make the front pages when we ask them. Our challenge is surely to make sure that they never do.