Darwinian Defence – Adapting to meet the Threat of Cyber Attack

As media headlines of successful cyber attacks continue to gather pace, Finmeccanica UK’s Vice President, Strategic Marketing, Sir Brian Burridge, examines the nature of the cyber threat, the implications of a successful national attack, and the need for UK PLC to evolve the way it prepares for the cyber security challenge.

On Thursday 21 March 2003, the Joint Forces Head Quarters in Qatar were reviewing intelligence on an earlier bombing raid of the Iraq Dora Farms complex.

The situation room had just been informed that neither Saddam nor his sons had been present when it was announced that the main command and control system server had inexplicably gone down. A few minutes later, the news was compounded by the fact that the main server at the logistics headquarters had also gone down.

At that moment, thoughts turned to the possibility of a co-ordinated Computer Network Attack! Had the Joint Forces been totally complacent in underestimating the Iraqis? Knowing they would lose the force-on-force battle, had they been concentrating on the manoeuvrist approach and attacked the Joint Forces’ Achilles heel?

Fortunately it wasn’t a cyber-attack. The main server at PJHQ, Northwood, had received a new software upgrade overnight and was now incompatible with the deployed infrastructure; the change was quickly reversed and all was well within the hour.

But just imagine how that felt. Just imagine the sinking feeling you get in the pit of your stomach because your world has completely unravelled and the risk of losing all has gone sky high!

The account perfectly illustrates our total reliance on information and Information Technology. It raises the question of whether, in an inter-connected global society, any section of society could cope with a successful cyber attack.

This article considers four aspects of today’s cyber battle-space: the ease of weapon delivery; the extent of the target array; what a bad day in cyberspace might look like, and the response of the eco-system.

Ease of Delivery

Information Technology is now all-pervasive within our society, and our reliance on it is total. From the most prosaic aspect of shopping to choosing and connecting to an electricity supply, everything is now so reliant on IT and the internet, in one form or another, that anything that presents a genuine risk to this situation must be taken absolutely seriously.

In the updated National Security Strategy (published in October 2010), cyber security was identified as a Tier 1 security threat, alongside the threats posed by terrorist activity, natural disaster and international military crisis.

There is a growing number of examples that illustrate the extent of our vulnerability, how easy it is to damage or disrupt the internet-dependent world, and at what cost to the nation.

Symantec reports that in the UK in 2010, they recorded over 286 million malicious attacks, and among these was an increase in web-based attacks of 93%. The OCSIA reports a cost to UK business in excess of £20 billion. Other reports put this figure as high as £27 billion.

Also in 2010, reports came out that nuclear refineries in Iran had been affected by malware called STUXNET.

The finger of blame was pointed at Israeli and US intelligence agencies; be that as it may, the scary part of the story was that the payload for the attack was delivered by the Internet and then most likely loaded onto the control system by someone with a memory stick or CD ROM. The malware had at least four previously unknown attacks embedded within it and was designed to run on the real-time control software for the refinery. As attacks go, it seemed to be successful. Estimates are that it set back the Iranian refinery process by six months.

Recently, toolkits have been released on the Internet, which help craft attacks against a whole range of electronic control boards that control real-time IT systems.

With the knowledge required to attack these types of systems now publicly available, any company that deals with manufacturing, processing, refining, energy and transport should now be concerned. It no longer takes a state-sponsored intelligence agency to attack you.

Attacks of this nature can now come from bored teenagers, hackers looking for kudos, competitors, terrorists or disgruntled employees.

It was recently reported that thousands of furious computer game fans were caught up in an online battle between Sony and ‘hacktivists’ who had previously attacked Amazon and Mastercard's websites.

Anonymous – the secret ‘hacktivist’ group – claimed that Sony unfairly launched legal action against two hackers who were attempting to crack the electronic protection on Sony's PS3 games console. They pledged to hit back, and are believed to have caused Sony's online gaming network, PSN, to collapse, with more than 100 million customers’ personal details – such as dates of birth, addresses, e-mail addresses and credit card information – being stolen.

All these examples illustrate the seriousness of the growing cyber threat; and these are only some of the examples that made it into the public domain. We can only guess as to those that have gone unreported or even more worryingly, those that have gone unnoticed!

The extent of the target array?

The most feared attacks are those targeted at specific organisations, originating from state-sponsored organisations or, increasingly, from serious organised criminal groups. However, even though not every organisation in the UK will be targeted by these sources, is there any organisation that can say no-one else will want to attack them? And for those that are attacked, collateral damage is just as much of a problem as in any other, more traditional, form of warfare.

Estimates put the cost of recovery from a single serious cyber attack for a large organisation at more than £1 million, and this takes no account of the cost of damaged reputation or loss of customers and future business. Sony’s share price fell by 4% when it first admitted loss of customer details, and fixing the systems affected by the attack has cost an estimated £100 million.

Any organisation that has valuable Intellectual Property, undertakes any form of manufacture, relies on up-to-the-minute information, or carries out financial transactions over the internet (not just online banking) is at serious risk.

It is hard to think of a business which is not at risk, and as a further reminder, a recent RUSI paper drew attention to public confidence being damaged if a GP’s patient records or a law firm’s e-mail accounts are compromised.

There is no government ‘front-line of defence’ that companies can hide behind. Everyone who uses IT and the internet is in the front-line. This threat is real and the risk is persistent.

We can therefore confidently predict that if there was a nation who wanted to attack the UK, it is no longer necessary to do so using conventional means, and I would include terrorism here. A co-ordinated cyber attack would form a key part of their armoury. The UK is well-protected in a military sense and the perception of the robustness of our defence and counter-terrorism posture acts as a strong deterrent. But could the UK be crippled by an effective and well-orchestrated cyber-attack aimed at our Critical National Infrastructure and underlying economy?

A bad day in cyberspace

Picture a scenario where country X is hostile towards the UK to the point whereby they want to attack and cause as much damage as possible. Suppose that country X has been generating the potential to launch an attack for the last three years. In that time, they’ve supplied computers and electronic components to the UK, all with logic-bombs or command and control Malware embedded within them. (Many PCs and laptops used in almost all government departments today come from a single nation supplier!)

In those three years, country X has amassed hundreds, maybe thousands of Zombies – PCs within the UK that are connected to the Internet and have command and control Malware on-board that means that they will do collectively what a single attacker wants them to do.

Now suppose that country X decides to launch their attack. It merely takes an agent of country X, sitting in an anonymous apartment block in the UK with a laptop, to type a few commands.

Power supplies shut down across the country and the national grid can’t account for the anomalous behaviour. Electronic payment systems fail and debit and credit cards no longer work. Those people with cash can’t buy anything because the shops can’t process payments using their EPOS terminals. Mobile phones stop working because the masts that transmit signals require power, and the power has been interrupted. Water supplies suddenly stop because the systems are reporting contamination, so they all go to an emergency stop. Trains stop running because of signal failures, the underground in London comes to a standstill, and the barriers stop functioning, leaving thousands of people trapped.

Financial systems all over the country fail, money can’t be moved, the FTSE is reporting dramatic losses in share values; partly because of Malware and partly because confidence suddenly vanishes. Billions of pounds of stock value are vanishing. Sterling starts to plummet and the value of our currency falls to half of its current value within a few hours.

That’s what a bad day in cyber space looks like – but it feels much worse!

In the space of a few minutes, our comfortable society could be brought down – by one person – using one laptop.

We are developing ways to combat this threat, but one thing that can’t be done is to turn back the clock to a point where we were not so reliant upon IT.

The response of the Eco-system – Darwinian Defence

At Finmeccanica Cyber Solutions, we speak about Darwinian Defence against cyber attack, by which we principally mean an ability to adapt to our environment and adapt quickly.

First and foremost, for a Darwinian Defence to be successful, it is necessary that all UK organisations and indeed all individuals take this threat seriously.

Darwinian Defence is about market forces and survival of the fittest. It is driven by suppliers of defensive services, making them available to consumers, organisations, companies and agencies. As the private sector evolves capabilities that provide levels of protection against this threat, different methods for mitigation will emerge and private sector companies providing defence will seek to win new business.

Winning the business, however, requires genuine capability to mitigate the real threats, and different techniques will evolve. Successful companies will be those that demonstrate the characteristics best-suited for the environment. Competition will drive up the quality of the capabilities that are being offered until only a handful of providers remain. Successful companies won’t just be those that come up with the biggest firewall or Intrusion Detection System, but those that continuously adapt new features and characteristics at the same pace as attacks are being developed.

The key point is that symbiotic relationships are required between organisations that provide security services and those that need them. The organisations that provide the security services must be agile, specialist and able to adapt to the changing threat.

The Ecosystem will fight back

So why is Darwinian Defence an applicable framework for considering real problems that are faced by all companies?

Take, for example, two companies – let’s say competitors – with a comparable footprint and similar set of business risks. Both companies are active and involved in M&A discussions on a regular basis. Both have been floated, but one company has undertaken due care relating to IT security and invested wisely. The other has not!

Cyber attacks occur daily, whether they are noticed or not, and one company finds its customers’ details on the internet; it has M&A details publicised, it has company-sensitive e-mails spread all over the public domain, and in no time confidence in this company is destroyed. The value of a company has a lot to do with confidence – the confidence of its customers, employees, shareholders and suppliers, and that which is best adapted will survive.

What is more, following Information Security advice and investing in capability to gain Information Assurance need not be expensive.

Director GCHQ, Iain Lobban, states that 80% of cyber attacks can be defeated by use of conventional security components and improving IS processes. The toughest 20% may require investment in the capabilities of a Security Operations Centre (such as ARCHANGEL™ by Finmeccanica Cyber Solutions) which instruments the entire IT estate and detects attacks by monitoring patterns and behaviours as information flows around the network and through its boundaries.

Conclusion

This is the information age and the cyber battle is just beginning. Even as we publish this article, more attacks on organisations such as Lockheed Martin and Fox are being reported. “It’s only the beginning, unfortunately, of the shape of things to come”, Sony Chairman, Howard Stringer, recently said. “It’s not a brave new world, it’s a bad new world.”

As in real war and in nature itself, only the fittest will survive, and the fittest is that organisation or company that adapts to the environment. Those companies will have sought professional Information Security advice and invested in professional capability. Cyber Defence against a cyber attack, just as in real warfare, is no place for an amateur.


Finmeccanica Cyber Solutions

VEGA is a key member of Finmeccanica Cyber Solutions, which represents the best in cyber security and information assurance capability. For over 20 years, the combined capability of the Finmeccanica operating companies has helped ensure the highest levels of cyber security and information assurance for those responsible for national resilience, counter terrorism and military interoperability. Our extensive and demonstrable track record, combined with a proven commitment to invest in innovation, rightly positions Finmeccanica as the UK's leading cyber security partner.