TheNewTopical.com - current events, politics, culture, ethics, economics discussion forum  

  #1 (permalink)  
Old 14-10-10, 11:45 AM
Zichao's Avatar
Moderator
 

Join Date: Jun 2009
Posts: 9,037
Strategic defence review to prioritise cyber security

Quote:
A major increase in resources devoted to combating the threat posed by internet attacks will feature in next week's strategic defence and security review, the government's cyber tsar signalled today.

Neil Thompson, director of the Office for Cyber Security, spoke of a "step change" in the government's approach to the threat. Cyber attacks were "cheap, quick, and deniable", he said.

Thompson was addressing a Royal United Services Institute conference on the future of the "critical national infrastructure" – utilities such as gas, water and the National Grid – a day after Iain Lobban, director of GCHQ, the government's eavesdropping and encoding centre, warned of a "real and credible" threat of cyber attack on Britain's infrastructure.

In an unprecedented public speech published today, Lobban said: "Just because I, as a national security official, am giving a speech about cyber, I don't want you to take away the impression that it is solely a national security or defence issue. It goes to the heart of our economic well-being and national interest."

He said there had already been "significant disruption" to government computers by internet worms – both those that had been deliberately targeted and others picked up accidentally. "Cyberspace lowers the bar for entry to the espionage game, both for states and for criminal actors," he told the International Institute for Strategic Studies (IISS).

Nigel Inkster, a former senior British intelligence officer and now IISS director, said the problem with cyber attacks was the "complete absence of strategic notice". When they happen "you don't know who's doing it", he said. He added: "And what constitutes an act of aggression?" General Sir David Richards, the new chief of the defence staff, warned in discussions on the strategic and defence review of the danger of "proxy attacks" through cyberspace.

Government officials first told the Guardian three years ago that Chinese hackers, believed to be from the People's Liberation Army, had attacked the computer networks of the Foreign Office, and other Whitehall departments.

Though Britain's armed forces, security, and intelligence agencies are expected to get more resources to combat cyber warfare, officials today emphasised the need for co-operation with the private sector, including internet service providers.

Thompson today stressed the importance of international co-operation. Anders Rasmussen, Nato secretary general, warned earlier this month that the alliance's systems were being attacked "a hundred times a day" by hackers. He added: "Cyberattacks can take down a country's air traffic control system, shut down the banks, paralyse government services and cripple an economy ... they can reach a level that threatens the fundamental security interests of the allies."

Nato spokesman James Appathurai told the Guardian today: "There is a clear general consensus that the Alliance needs to upgrade its cyber defence role and capabilities, for obvious reasons. I think that that will be clearly set out in the Strategic Concept."

A big question is whether under the alliance's New Strategic Concept, a cyber attack will be covered by Article 8 of the Nato treaty which states that an attack on one member would be considered an attack on all.
Strategic defence review to prioritise cyber security | Politics | The Guardian

I hope that "defense" is a euphemism for "offense" here, otherwise it's a big waste of money.

All the tech in the world won't prevent, say, a concerted Chinese DoS attack. Equally, you can have a Deep Thought sitting in the MoD, and if some bumbling member of staff uses a USB key left lying around by a Russian intern or opens a dodgy e-mail you're still going to get infected. Even if you send them to every best practice course going, the evidence shows that they're still going to be careless.

And then you've got the universal problem of defense purchasing: if you don't get attacked it's because your kit's so good and you should buy more, if you do get attacked it's because you haven't got enough kit and you should buy more.
__________________
Standard disclaimer: the disgusting statements contained in this post are the views of the poster, and unless specified do not represent the views of the moderators or the site's owners.
  #2 (permalink)  
Old 14-10-10, 11:47 AM
Zichao's Avatar
Moderator
 

Join Date: Jun 2009
Posts: 9,037

Not incidentally:

Quote:
There have been a lot of scare stories in the media about electrical power grids in recent times, suggesting that it would be a simple matter to bring down a national transmission system by way of a minor cyber attack or physical sabotage - thereby bringing that nation's infrastructure to a grinding halt.

There's just one problem with that idea: it's "a bunch of hooey," according to power-engineering boffin Seth Blumsack.

Blumsack and his colleagues were moved to look into the matter of deliberate power-grid crashing after recent papers and studies in hefty journals - including some briefed to US politicians - painted a grim picture earlier this year. The perception was that making a targeted strike on a relatively minor electrical installation such as a neighbourhood substation (by bomb, arson or electronic/network sabotage) could easily bring down the whole grid to which it was attached.

According to Blumsack and his fellow 'leccy boffins Eduardo Cotilla-Sanchez and Ed Hines, the alarmist analyses are based on a particular type of mathematical modelling of power grids - so-called "topological" models.

"Some modellers have gotten so fascinated with these abstract networks that they've ignored the physics of how things actually work," Hines says.

"This can lead you grossly astray."

Blumsack, Hines and Cotilla-Sanchez decided to contrast the performance of a topological model with one based on actual physics - specifically on Ohm's and Kirchhoff's Laws governing the flow of electricity in the real world. They tried out both kinds of model on an accurate representation of the North American Eastern Interconnect, the largest and one of the most trouble-prone portions of the US grid, using real-world data from a test case generated in 2005.

The three engineers say that the physics-driven model was much closer to reality, and that this verifies what physics models show. The results showed that in fact it is major grid components through which a lot of power flows - big generating stations and massive transformers - which are the main points of vulnerability, not the minor installations scattered across the country.

It isn't so much that a minor event on a minor line or installation can't crash the network: such things do happen. But in general there have to be huge numbers of such minor events before one of them happens to hit the miracle weak point and bring everything down. It would be an impossible task for terrorists or other malefactors to know in advance just where and when a minor pinprick could cause massive effects.

"Our system is quite robust to small things failing," says Hines.

Hitting a bigger installation or link, which would generally be better secured and more resilient, would be much more likely to work. Even then a well-resourced terror or sabotage unit with the ability to knock out bigger grid components would struggle to take down the whole thing as it is still very difficult to know exactly where and when to strike.

"It takes an incredible amount of information," says Hines, "to really figure out how to make the grid fail."

Hines and his colleagues' paper, Do topological models provide good information about electricity infrastructure vulnerability?, is published here by the journal Chaos. ®
Power grid scare stories a 'bunch of hooey' • The Register
  #3 (permalink)  
Old 14-10-10, 11:58 AM
Gilles de Rais's Avatar
Moderator
 

Join Date: Jun 2009
Posts: 7,639

Wait a sec. They have to model these things? They don't... like, KNOW?

I mean, if a switch is on or off, you ought to be able to tell the consequences, no? In any case, yes, I'd imagine that redundancies and general sturdiness mean small things can go wrong without the system imploding. If it was so, it'd have already occurred.

Besides which, one day in the dark isn't the end of the world. Happens often enough due to natural catastrophe. Not fun but rarely deadly.

I am more concerned about things like air or ground traffic control and especially automated factory stuff... I am thinking of someone reproducing deliberately whatever went wrong in Hungary with that red mud stuff...
__________________
Unless otherwise specified, I am posting as a regular poster. When I will act as a mod, I'll make sure you're in no doubt.
  #4 (permalink)  
Old 15-10-10, 12:27 PM
Zichao's Avatar
Moderator
 

Join Date: Jun 2009
Posts: 9,037

Security firms shrug shoulders over GCHQ cyberattack warning • The Register

Quote:
Security firms reckon GCHQ's well-publicised warnings about the threat from cyber attacks earlier this week are timed to coincide with the run-up to the UK government's comprehensive spending review announcement.

We spoke to several security consultants who believe the threat warnings were aimed at making sure GCHQ's line of funding remains assured. If this was the case, it seems the approach has already been successful.

Iain Lobban, head of the GCHQ, warned that the UK government is targeted with over 1,000 cyber attacks a month.

Sean Sullivan, security advisor for F-Secure, commented: "Iain Lobban’s comments seem strategically timed to protect GCHQ’s funding ahead of the Comprehensive Spending Review announcement on 20 October."

"One could even argue they are over-hyped because the sort of attacks or worms he refers to are very common and have been for some time. They are experienced by all sorts of different organisations failing to implement best security practices - not just Government agencies," Sullivan added.

F-Secure reckon the number of targeted email attacks has risen across all sectors of the UK economy. "The US's cyber command also recently spoke of worms 'targeting' them but, once again, most of these worms target everybody," Sullivan added.

As we reported on Thursday, the government is expected to earmark more than a billion pounds to finance an effort to bolster Britain's cyber security over the next three years, including plans to develop "active defence" capabilities that will surely tap the expertise of GCHQ.

Rik Ferguson, a security consultant at Trend Micro, argued it was important to ignore the "white noise" generated by the random scanning activity of worms such as Conficker in favour of concentrating on targeted attacks. "You need to make a judgement and cut through the stuff that looks like an attack to focus on the stuff that actually is an attack," he explained.

GCHQ's Lobban argued that co-operation between government agencies and the private sector is needed to combat complex and targeted threats, a point welcomed by security firm M86 Security.

Back in July, M86 Security identified a targeted attack aimed at an as yet unnamed UK high street bank and involving the Zeus crimeware toolkit. Since then more than 30 suspects - alleged money mules and organisers of the fraud - have been arrested in the UK, US and the Ukraine. ®
  #5 (permalink)  
Old 15-10-10, 12:36 PM
Gilles de Rais's Avatar
Moderator
 

Join Date: Jun 2009
Posts: 7,639

I think it might be worth the while of the commission in charge of civil/public procurement to go through some of these "expert" claims.

If they can be shown to be exaggerations made more or less deliberately or that the expert should have known them to be exaggerated by virtue of his expertise (i.e. cannot credibly claim ignorance), bringing charges (say, of High Treason - just to make it worth our while but also because it can be substantiated; after all, goading the state into wasting money can be construed as a threat to national security) against said misleading governmental or quasi-governmental experts and lobbyists would clean up behaviours.

But I am pretty sure no politician would ever dare be so "common sense"...
All times are GMT +1.