The Intelligence and Security Committee's 2013 Annual Report

“The threat the UK is facing from cyber attacks is disturbing in its scale and complexity. The theft of intellectual property, personal details and classified information causes significant harm, both financial and non-financial. It is incumbent on everyone – individuals, companies and the Government – to take responsibility for their own cyber security. We support the Government’s efforts to raise awareness and, more importantly, our nation’s defences.” This is one of the primary conclusions and recommendations in the latest annual report of the Intelligence and Security Committee (ISC) chaired by Sir Malcolm Rifkind.

The report strikes an unusual balance. While governments, including the UK's, have been stressing the need to share information between the public and private sectors, this report points out that the government's primary concern is terrorism – both physical and cyber – and that business must take responsibility for itself.

It's a reality accepted by Jeremiah Grossman, CTO of WhiteHat Security. "What individuals and business must understand is that, while governments are able to reasonably protect a country's physical borders, it has little capability to defend their populace from incoming cyber-attack whether domestic or foreign in origin – they are on their own," he warns.

Two other aspects stand out in the report. The first is that cyber terrorism and cyberwar are more of a potential than a reality. For example, the threat from Al Qaeda is a physical threat – there is a perceived danger that groups fighting in Iran could train jihadists who might then return to the UK. In cyber terms, however, "there does not, as yet, appear to be a credible threat in cyberspace from terrorist groups such as Al-Qaeda." Nevertheless, it adds, "terrorist groups may well pose a greater threat in cyberspace in future."

One approach to the UK's cyber defense is 'upstream disruption'; that is, cyber offense. "This has driven closer working with SIS and GCHQ, who are able to collect intelligence and pursue disruptions overseas in support of these investigations," notes the report. But it also bemoans a lack of international support. "All three Agencies have noted that their work to disrupt plots is affected by a lack of identifiable partners, concerns over other governments’ approaches to human rights or legal obligations, and/or those governments’ low political will to tackle terrorist groups." The committee is a strong supporter of the development of UK offensive cyber capabilities.

The second standout from the report is that all organizations, whether public or private, suffer from a soft underbelly: the information supply chain. "Government departments are also targeted via attacks on industry suppliers which may hold government information on their own systems. We have been told that cyber espionage '[has] resulted in MOD data being stolen...'"

William Hague, the UK foreign secretary, warned the committee about 'the increased targeting of professional services firms (e.g. lawyers and accountants) as opposed to other, more obvious, targets who may have stronger defences.' "[These] are a route into a defence company, a high tech manufacturer, whoever it may be, who may have good defences themselves, but of course a lot of their data is sitting with their lawyers or their accountants and if they are soft targets, well, then it becomes quite easy to get that data a different way."
