Responding to the global cyber security threat
According to the House of Lords EU Home Affairs sub-committee
report entitled ‘Protecting
Europe against large-scale cyber attacks’, published in March
2010, the UK is “reasonably well placed to cope with acute
disruption to the internet” resulting from a large-scale cyber
attack, or natural or man-made disasters. However, the report
highlighted the cyber space vulnerabilities of other EU Member
States and the wider international community. In this article, Vega
considers what measures might be taken as a result to ensure a
successful, joined-up approach to global cyber security.
Cyber attacks are now generally accepted as a
major threat to a country's way of life. The disruption experienced
by Estonia in 2007 was a very public example of just how a targeted
attack can bring a country’s critical national infrastructure to a
standstill.
The House of Lords EU Home Affairs report on
the threats posed by cyber attacks, which was published in March
2010, looked to understand the UK's ability to respond to such an
emergency scenario, particularly if the UK’s telecommunications
networks were to be compromised.
In the report, the UK’s reliance on the
internet – more specifically, Voice over Internet Protocol (VOIP) –
is identified as critical. Although internet resilience was rightly
acknowledged in the report as a relatively low risk in comparison
to many of our fellow EU member states, more can always be done in
terms of preparedness and protection.
With internet accessibility currently in the
hands of private companies, there is a case for recognising the ISP
industry as an essential component of the
UK’s Critical National Infrastructure (CNI) in the same way as
oil and gas supplies. With 22 million Britons using internet
banking, the problems of an internet failure within the UK, remote
as they may be, would be serious.
As such, every eventuality should be
considered, along with the steps that may be needed to address it.
One example that merits further
consideration is the use of VOIP technology. Every internationally
manufactured handset (with components likely to be manufactured in
parts of the world synonymous with cyber attacks), combined with
the actions of each individual user who may be unaware of their
potential vulnerability, may well introduce unforeseen risks to
information security.
Vega has previously
highlighted the potential cyber threat to the UK’s CNI, where
information systems have been developed in organisational silos,
each delivering individual services to the community and each being
separated by politics, policy and organisation. These issues become
increasingly complex when considering our role within the EU and
the global economy.
As highlighted by the House of Lords report,
the UK should expect a potential cyber threat from all its
interactions, including those with other EU member states. Just as
within the UK Government where central
departments are potentially at risk through their interactions with
non-HMG bodies which do not have to conform to a mandatory
information security policy, so our preparedness to
protect the UK CNI must reflect the global considerations of cyber
attacks. These, just as with the threats represented by asymmetric
terrorist cells, are not governed by borders. The UK’s connections to
EU member states could therefore prove to be the biggest chink
in the proverbial armour.
The House of Lords report takes the view that
the UK is well prepared to resist cyber attacks. Vega believes that
as a leader within the EU, the UK should take a lead in bringing
together a European adaptation of a security standard similar to
that governed by the UK Government’s Technical Authority for
Information Assurance (CESG). This could provide up-to-date
standards, policy and guidance on Information
Assurance, Security and Resilience to the public and other
critical sectors. To ensure compliance, where standards are not
met, a specific member state could be denied access to certain
capability enablers.
The constantly evolving nature of information
technology will mean that protection against cyber attacks will
continue to have an ever-expanding role in national and
international security. Great strides have been made to address
these challenges by the UK and its internationally recognised
supply chains including companies such as VEGA. However, a single
unrecognised back door or the faintest crack of light is all that
is needed for a highly intelligent enemy to cause a potential
crisis that could take weeks to recover from. The EU and all its
member states therefore need to remain ever-vigilant and continue
to share best practice and support.
Vega characterises the UK’s position to resist
attacks and disaster in general, as “brittle”, like toughened
glass. It has high initial resistance but ultimately has a tendency
towards shattering failure rather than graceful degradation. The UK’s
internet usage has so far been resistant to attack mostly because
of its diversity of supply and routing. However, with increased
dependency on the ‘net for essential services, one serious problem
would have devastating effects.
One only has to consider the limitations of
the mobile phone network in London during the 7/7 terrorist
attacks, or to have seen the dislocation caused to hundreds of
thousands of people across the world in April 2010 due to the
effect of a volcano on the air transport industry, to understand
the dangers of being complacent about technology in modern life and
its susceptibility to terrorism or “Acts of God”.
Vega therefore supports the view that the
security and resilience of all parts of the UK’s CNI be
continuously enhanced to defend against failures and cyber attacks.
This goal should be included in every organisation’s long term
objectives.
Vega welcomes the review exercise that the EU
Commissioner will be carrying out towards the end of 2010. This is
intended to evaluate actions that have taken place, and identify
and propose further measures that will help strengthen the
infrastructure.
Such initiatives will be supported by VEGA,
which is a significant company in the UK’s Information Assurance landscape.
Our expertise is valued in helping clients
manage their information security and related
risks by understanding their vulnerabilities and applying
mitigating measures.
Furthermore, VEGA’s expertise can be engaged
to identify threats and develop appropriate plans for a quick and
relatively painless recovery.
Vega has a three-point agenda to help its
clients with resisting cyber attacks:
- Assurance – knowing you’ve got it right – Enabling an organisation
to navigate the correct course through the Information Assurance
landscape; providing confidence that they are operating securely
and conform to recognised UK and International Standards.
- Build it securely – Supplying information systems which are built
to the highest security standards; ensuring the integrity of an
organisation’s assets.
- Keep on going – Providing a guide through the steps that will
ensure that business can withstand attacks and carry on even when
the worst does happen and physical assets are destroyed.