A security expert tells Channel 4 News cyber-attacks are hard to quantify and the Iran Stuxnet was a wake-up call, as the National Security Strategy names cyber-warfare a major UK security threat.
The strategy is being announced by David Cameron in a written statement to MPs. It has been drawn up by the Prime Minister’s new National Security Council as part of an assessment of the UK’s defence needs, ordered in May.
The strategy sets the scene for tomorrow’s Strategic Defence and Security Review (SDSR), which will outline how Britain’s Armed Forces will be shaped for the future and explain what equipment and manpower will be sacrificed to achieve the agreed 7 per cent to 8 per cent defence cuts agreed with the Chancellor George Osborne.
Leaked draft
A leaked draft of the national security document suggests that military conflict with another state will come only fourth in a list of potential threats to the UK. Ahead of that come international terrorism, cyber attacks and natural disasters.
Last week GCHQ’s Iain Lobban warned of the very real danger of cyber terrorism which could target Britain’s critical computer infrastructure.
'Until a cyber attack happens it's difficult to quantify'
Cyber terrorism is as big as international terrorism, writes Dave Clemente an international security expert from Chatham House, but in a slightly more insidious way. It's not a bomb going off in the street or tube, it's much more behind the scenes. You don't know who's attacking you and both the public and private sectors are losing intellectual property. So it's not human lives but something more fundamental to the economy. Until a cyber attack actually happens it's difficult to quantify the threat, but it's encouraging to see the government taking it seriously before something dramatic does happen.
Clear acts of cyber terrorism are fairly rare, from terrorist movements or groups, but cyber attacks on the whole are increasing. There is quite a lot of variety in these attacks. Cyber attacks can be as simple as a malicious software downloaded from an email, but they can also include denial of service attacks, whereby a server or website is overloaded with traffic until it crashes. Another area is espionage or theft of intellectual property.
We do appear to be working our way up degrees of severity. The Iran Stuxnet cyber attack has been much talked about in the media. It was hyped quite a bit. This worm in Iran targeted very specific areas and was directed at one or two nuclear facilities. It shows us the reality is getting close to the hype. It is particularly concerning governments and companies because the systems used are very common. Oil and gas refineries, power plants, even traffic control systems can all be targeted. So each command and control system is unique, but what concerns governments is the Iran worm and sabotage. It shows that it can happen. The UK may or may not be a target, but the government is now realising it needs to at least account for the threat in risk strategies.
At a personal level cyber attacks can often clear up contact lists, identity theft used, people's bank accounts can be emptied. At a societal level there is sensitive high value information to be had from the public and private sector. The problem is there is no way to identify the attacker, so you can't fight back against them. This is why it's better to go on offence rather than defence to prevent it from happening.
Who are the cyber attackers?
Primarily the attackers will be from organised crime, teams of sophisticated hackers, there's also strong suspicions of threats coming from other states. From our research there appears to be less of a threat from al-Qaeda.
The states that have sophisticated cyber capabilities include the US, China, Russia, Israel, France and Germany. It's not clear what level of capability these states have, but they are thought to be more advanced than other states.
The first priority should be the enhancement of cyber security tools, operating centres and the expansion of technical capabilities. In essence the hard physical bits.
The government needs to invest in human capital to keep the UK safe and competitive in an increasingly globalised and interconnected future. The government has to compete against the private sector to get these people. There aren't many highly skilled cyber security experts out there. These are your cyber security geeks, the people employed by GCHQ or the Office of Cyber Security. They will be at the sharp end of things. The government can improve public education so individuals, companies are more aware of the threats and a final area of spending could be on enhancing partnerships with the private sector and friendly countries too to link up knowledge and capabilities.
Cyber-spending
He claimed some 20,000 malicious emails on Government networks are caught every month, and that significant disruption has been caused to official systems by electronic “worms”.
He said cyberspace has “lowered the bar for entry to the espionage game for states and criminals”.
It has been mooted that the SDSR tomorrow may include a £500m boost for cyber-warfare.
Today’s document is expected to focus on terrorism and will underpin moves towards mobile military units, intelligence-gathering and special forces. This would signal a move away from tank brigades and jet fighters which dominated defence strategy during the Cold War.
Chief Executive of information assurance company NCC Group plc, Rob Cotton told Channel 4 News the government needs to “actively invest” in cyber security and work with the world’s best cyber security experts to limit the danger of Britain being attacked.
He said: “Over the last few years we have not only seen increased frequency of cyber crime incidents, but the methods employed are becoming increasingly sophisticated. With UK infrastructure and defence now operating with mission critical software in order to function, not only is the UK more susceptible to attacks but the implications of a serious breach could be catastrophic.
“It is therefore no surprise that the National Security Council’s report highlights cyber crime as one of the most serious threats to national security. We have been saying for a number of years that the battle against cyber crime is a never ending arms race, with hackers becoming increasingly sophisticated in their methods and more radical in their targets.
“This is a promising step, but the UK is still losing the battle for security at present and we will only fall further behind unless the government makes a large investment in safeguarding our national information infrastructure.
“No one doubts that the Strategic Defence and Security Review and the Comprehensive Spending Review are vital for the long term welfare of the UK – and that security will likely be protected in upcoming spending cuts – but rather than manage cyber crime and the threat to national security as some sort of overspent legacy, it needs to be actively invested in.
“Should the government choose to boost cyber crime protection through a reported £500m additional investment, it must work with security experts from across the country and if necessary the world, to produce a watertight, considered strategy to battle international cyber crime. While much of this protection can be achieved by patching simple vulnerabilities in existing networks, other threats will require specialist defence strategies and responsive action.”
Manpower cuts
The SDSR is expected to include manpower cuts in all three services, the closure of RAF bases and the withdrawal of Army tanks and RAF jets.
A personal intervention by Mr Cameron spared the MoD the 10 per cent to 20 per cent cuts demanded by the Treasury, and a £5 billion project to build two new aircraft carriers for the Royal Navy will go ahead.