Writing in the Times newspaper, the head of the UK's surveillance and listening station said that sensitive data on government computers had been targeted, along with defense, technology and engineering firms' designs.
"I can attest to attempts to steal British ideas and designs – in the IT, technology, defence, engineering and energy sectors, as well as other industries – to gain commercial advantage or to profit from secret knowledge of contractual arrangements", he said, adding this type of intellectual property theft doesn't just cost the companies concerned. “It represents an attack on the UK's continued economic well-being.”
"We are also aware of similar techniques being employed to try to acquire sensitive information from British government computer systems, including one significant (but unsuccessful) attempt on the Foreign Office and other government departments this summer", he explained, noting that criminals are using cyberspace to extort money and steal identities, as well as exploit the vulnerable.
“Increasingly sophisticated techniques target individuals. We are witnessing the development of a global criminal market place – a parallel black economy where cyber dollars are traded in exchange for UK citizens' credit card details. Tackling cyber crime matters and it is a very real threat to our prosperity”, he said.
Lobban's article in yesterday's Times comes as a key cybersecurity conference opened this morning in London, with a number of high-ranking delegates such as Jimmy Wales, the co-founder of Wikipedia, and Hillary Clinton, the US secretary of state.
Reaction to the Times feature has been mixed, with Paul Davis, FireEye's director, saying Lobban's comments come as no real surprise, but he asserts it is vital that we see the government taking decisive action to protect the UK's critical infrastructure, particularly with the Olympics being held in London next year.
“One of the key points that came out of the GCHQ disclosure is something which we have been seeing across all sectors – government, defense industrial base, financial etc – the increase in targeted email attacks”, he said, adding that spear phishing, the Achilles heel of many existing security products, is causing an increasing amount of concern.
“Once they know who to target it’s relatively simple to spoof an email, add a sprinkling of social engineering and bang they're in. Once that channel is established with an external source, that compromise could have serious implications”, he explained.
Over at AEP Networks, Mark Darvill, the firm's CTO, said that many countries are engaged in an ‘arms race’ similar to that which we saw during the Cold War.
“All major states have cyberwarfare programs in place, (whether acknowledged or not) and are developing increasingly sophisticated techniques for both defensive and offensive purposes. The difference with the Cold War is that states are actually attacking each other on a regular basis”, he said.
“Many of these attacks are more like ‘reconnaissance’ missions in traditional warfare – they are designed to identify weak spots in an enemy’s national critical infrastructure and test their defenses to plan for future attacks. This is why it is essential that both UK government bodies and major private sector firms demonstrate robustness in terms of cyber defense to thwart these attacks at the first opportunity, since once inside the network they become more difficult to defend against”, he added.
Rob Cotton, CEO of the NCC Group, meanwhile, found Lobban's comments encouraging, and noted that the IT security industry has known for a long time that a lot of malicious cyberactivity is directed at governments and public sector organizations, and that the scale of it can be significant.
“It’s the increased level of transparency in terms of the attacks they’re subject to that’s encouraging. The public and private sector are interlinked – a politically motivated cyber attack on the UK could easily mean an assault on critical national infrastructure or commercial industries. People won’t appreciate the seriousness of the threat until organizations are required to disclose security breaches and data losses”, he said.
“It’s time for decisive action from the government, and a solid investment in the cybersecurity of private sector organizations. The UK needs disclosure legislation, not guidelines, to ensure that customers and shareholders are protected. If personal data or intellectual property is compromised then transparency with stakeholders is paramount, so that appropriate steps can be taken and share prices reflect reality”, he explained.
“This is an arms race we can’t afford to lose.”