UK government officials accused of being confused over security

Both government officials gave talks at the National Security Conference 2012 held in London on Tuesday. Clarke stressed both the cybersecurity threat posed by the London Olympics and the sheer effort that has gone into all forms of security. He seemed to be supporting last week’s lecture by the head of MI5, who warned of the scale of the security threat faced by the UK.

Paul Davis, director of Europe at FireEye, later agreed with Clarke. “Recent events,” he said, “certainly reinforce the widespread notion that we have entered an era of cyber warfare. In the same breath, numerous warnings of the potentially severe national security risk posed by computer-based attacks enforce the fact that this is a very real issue – one that must be urgently acknowledged by organizations worldwide.” He added, “This is a hugely critical time for the country, as we prepare to have the world’s eyes watching over us during the Olympic Games.”

But at the same conference, James Quinault from the Cabinet Office later commented, “But it remains true that 80 per cent of attacks we're seeing in the UK could be defeated by basic cyber hygiene using the techniques and software that are already available.” It is this statement that has been seized upon as being incompatible with the stance taken by the security and counter terrorism services.

“Yesterday’s two statements... are contradictory to say the least,” claims Ross Brewer, managing director and vice president at LogRhythm. “On the one hand we are being informed – not only by the Cabinet, but also by MI5 – that the current UK cyber threat is at an ‘astonishing’ and ‘industrial’ scale, whereas the subsequent statement assures us that basic techniques and technologies are more than enough to keep us safe.” This only highlights, he believes, the sense of confusion and apparent disorganization stemming from the rapid, unpredictable evolution of today’s threat. “To be frank,” he adds, “this is simply unacceptable at such a critical time for the UK, and London in particular.”

Brewer believes that Quinault is wrong. “By suggesting that the majority of attacks can be defeated simply by changing passwords or being careful about what information is shared online points to a severe lack of understanding of how the current security landscape is manifesting.”

Nevertheless, security in cyberspace is now so complex and varied that all parties could be correct. Statistics often quoted from Microsoft have shown that 99% of all attacks can be stopped by having up-to-date and fully patched software. In this sense, Quinault’s 80% is really a bit on the conservative side. But that still leaves the 1% of 0-day, nation-state, advanced and persistent threats such as Flame and Stuxnet that can only be prevented by serious security defenses. Here Brewer is correct. “The fact is,” he says, “today’s cybercriminals are as intelligent as they are determined. With such a heavy reliance on IT, ever tightening data laws and an abundance of highly valuable Intellectual Property and confidential data online – the repercussions of a cyber attack cannot and must not be underestimated.”
