Frank Smith delves into the high-tech world of Internet security, considering the present and future dangers that cyber-criminals pose to our global society, and steps that can be taken to counter them.
The Ukraine war has given the impression that the greatest threat of international geo-political conflict still resides in the territorial encroachment of one power upon another.
In reality nothing could be further from the truth and the next major conflict is likely to be fought without force of conventional arms but through high-tech cyberspace, disrupting and disabling the beating computer hearts of modern societies. And more specifically, the financial and commercial power of the West.
The United States has now become so concerned that its allies must be alerted to the scale of the problem and the immediacy of the threat that it has despatched Admiral Michael Rogers, commander of US Cyber Command, director of the National Security Agency and the Central Security Service, to brief the City of London under the auspices of the Royal United Services Institute.
‘Geopolitics is now a game best played with financial and commercial weapons,’ said Professor Sir David Omand, visiting professor at the Department of War Studies, King’s College, London who hosted the 30-year navy veteran at the London Stock Exchange. The professor, who was for ten years director of GCHQ, the heart of Britain’s intelligence operation, warned businesses that the most pressing issue facing commercial enterprises in sharpening their cyber capabilities was to understand that it was no longer solely an issue for the IT department but something that must be tackled at the board room level. And preferably with the company treasurer in charge because he, best of all, would understand the potential damage to the firm’s financial standing while at the same time being able to approve the necessary expenditure.
The professor paid tribute to US-UK cyber co-operation, saying it was a remarkable asset for the country which was essential to its future security and prosperity because ‘we have sold our souls to the Internet.
‘The great American blues man Robert Johnson at midnight at a crossroads sold his soul to the devil in order to play the blues like no-one else had played them before.
‘One day, of course, the devil comes calling and on the Internet we sold our soul. We took advantage of the speed, the connectivity, the reduction in costs and overheads and all the rest of it and plunged into a system of systems that was never designed to be secure.
‘The devil is now calling in the shape of bad guys of various shapes and sizes. Our economic future is wholly dependent on having a safe, open secure Internet for business.’
It had taken only a few years for the Internet to become irretrievably enmeshed in the financial life of nations as well as being at the heart of the control of great national assets essential to life, such as power and water.
‘As a network of networks the Internet is already capable of storing almost unimaginable volumes of data including data that can be identified with us as individuals and that can be used for good and for ill.
‘So all advanced economies now have multiple dependencies’, with the integrity of markets and big data resting on the control systems, and that dependency has increased as global reliance on the Internet increases.
‘It’s an obvious point to make but it is important to recognise that the communications of the bad guys and the good guys are all mixed up: everyone is using the same mobile devices, everyone is using the packet switch networks of the Internet and the same Internet protocols. The shift in the availability of personal information and the potential to remotely access infrastructure and control systems and the ability to use the Internet to affect market sentiment are all new sources of vulnerability for society and the nature of the mobile devices they all carry and use on the wireless networks offer additional ways for networks to be penetrated.’
In the United States 43 per cent of companies experienced some kind of cyber breach last year, and in the UK PricewaterhouseCoopers reported that 81 per cent of large corporations and 60 per cent of small businesses had some kind of breach. The average breach cost $20 million in larger businesses and less, at $12-13 million, in the technical and communications industries.
In the US eBay, American Express, JPMorgan Chase and Home Depot have all experienced attacks, while in the giant Target attack the retailer was forced to admit that it had lost 70 million people’s personal details in addition to the 40 million credit card details that were stolen.
The attacks in Britain have been of a less costly nature but one in ten smaller enterprises which suffered attacks had to change the nature of their businesses. And while just over half of British businesses have insurance to cover themselves against such an eventuality, that figure falls to 35 per cent for smaller organisations.
‘The financial sector finds itself in the front line,’ said Sir David. ‘Don’t be surprised to see a major cyber theft campaign against the global banking industry. The group that gained access to one bank network then used malware to manipulate the ATMs into dispensing cash without a legitimate withdrawal and transferring the cash into a network of accounts controlled by the attackers. That campaign targeted banks in more than 30 countries in the US, Germany, Canada and Ukraine. It was believed to be based in the Russian Federation and has probably been involved in attacks against American retailers.’
A typical attack of that nature takes from two to four months to prepare and involves taking low-grade video footage of customers, looking at work flows, coding and processes.
‘This was not a cheap and cheerful “throw a brick through the window and grab what you can”. This was a very sophisticated attack and they made a lot of activity logging fake transactions to hide their withdrawals.’
The infamous American bank robber Willie Sutton observed that he targeted banks ‘because that’s where the money is’, but today’s cyber-criminals know that that’s not the only place they can find a rich seam of wealth as stockbrokers, money managers and their well-heeled clients join their list of potential targets. ‘Expect criminals to be much more selective about who they target,’ said Sir David, ‘using Facebook pages to identify potential victims.’
But cyber vandals were ‘a different kettle of fish. They set out to embarrass or humiliate the most visible parts of market capitalism. It’s much safer than trying to smash up the City wearing a Guy Fawkes mask.’
Much of this is down to defending websites that people had been too lazy to protect properly. Some of it is denial of service attacks to keep clients out and point them to alternative services on the web. The tools for this are readily available on the markets of the so-called Dark Net.
But a more direct threat to capitalism comes from cyber rogue traders and further attempts to spook the market can be expected.
The classic example was the hacked Twitter feed that reported explosions at the White House, with the US president injured. ‘That’s not a new thought, that you might short the market in anticipation of rumours that you are about to spread, but the internet makes it extremely easy to do.
‘The Dow Jones lost 140 points in six minutes and the S and P 500 lost market capitalisation of $136.5 billion before the rumour was exposed, while traders had plunged into ten-year Treasury Bonds in self-defence.
‘Who claimed responsibility? The Syrian Electronic Army. Why? Because they support President Assad and they thought US policy was getting too aggressive towards Assad.
‘State attackers are going to try and get access to economically sensitive information.’
Another area of which ordinary employees need to become more aware is the use of so-called ‘spear-phishing’ attacks, in which emails with attachments are sent to key employees. The emails appear to be entirely innocent communications from family members, arousing no suspicion, or to come from a perfectly legitimate subcontractor, and are used to gain access to a computer system to corrupt it or inject malware.
Governments are increasingly aware that they need to be able to show aggressive intent if they are to deter the more prolific cyber attack nations, Russia and China.
The most graphic example of cyber-aggression was the US-Israeli attack on the Iranian nuclear programme, which many felt at the time was the equivalent of a declaration of war. It involved the deployment of the Stuxnet malware.
The attack was successful on a number of levels: not only did it cause the physical destruction of the all-important centrifuges creating the necessary nuclear fuel for Iran’s nuclear programme by making them run at the wrong speed and so self-destruct, but it was also able to disable monitoring systems which would have indicated to Iranian scientists that something was wrong, and it was able to cover its tracks.
But the attacks don’t have to be as sophisticated as that to be devastating for the target while being relatively easy for the aggressor to carry out. This can be achieved by merely flooding target computers with requests for massive amounts of data, as happened in Estonia in 2007 when a ‘distributed denial of service’ attack ensured that all the country’s main computers stopped working and banking and other commercial operations came to a halt.
Seven years later, ‘Dragonfly’ targeted dozens of computers in key Western industries, mainly energy and pharmaceuticals. It used rogue websites and bogus emails to feed malware into computers that could then be used for sabotage and spying in an attack that is believed to have originated in Russia.
But perhaps the most striking raid was against the US Office of Personnel Management, which stores the details of millions of US government employees. By a process of elimination, through identifying personnel not listed, it would have been possible for the attacker, believed to be China, to identify those staff working abroad who were operating undercover.
No wonder that the British government is planning to boost funding for cyber warfare to ten times its current spend, or an annual budget of £400 million, amounting to about £2 billion over the next five years. There are expected to be some 300 new cyber warfare specialists recruited who will be looking to develop malware to take on the new threat.