Scientific advice and evidence in emergencies

Memorandum submitted by Symantec (SAGE 40)

Today the very foundations of our modern society and economic stability are increasingly being built on electronic communication infrastructures that span national, European and international borders, and on the data that is shared, processed and stored within these networks. Safeguarding these electronic networks and systems from possible cyber attack or disruption has therefore become a component of countries' emergency preparedness and critical national infrastructure protection. In light of the increasingly complex and evolving online threat environment and the possible impact of cyber related attacks, Symantec welcomes the Committee's inclusion of cyber attack as one of the potential case studies in this inquiry.

The following submission aims to provide input to the questions raised in relation to a potential cyber related emergency in the UK, given the current online threat environment. It should however be noted that the following input is not based on, or related to, any specific cyber security incident in the UK.

· What are the potential hazards and risks and how were they identified? How prepared is/was the Government for the emergency?

For the last seven years Symantec has produced its Internet Security Threat Report, which provides an overview and analysis of worldwide Internet threat activity and a review of known vulnerabilities and trends in activities such as phishing, denial of service attacks, botnets and spam. According to the latest report, in 2009 alone Symantec created over 2.8 million new malicious code signatures, which represents 51% of all malicious code signatures ever created by Symantec [1]. Not only is the sheer number of new malicious codes, and therefore new cyber threats, increasingly worrying, but what is also key is how these malicious codes are being used by attackers to support multistage and increasingly sophisticated and targeted attacks on systems and networks. For example, the recent Stuxnet incident is a threat designed specifically to gain access to and reprogram industrial control systems.

The Stuxnet incident provides a real life case study of how such an organised and structured cyber attack on critical infrastructure systems can succeed and how such attacks could be used in the future. While details of the attack are still unfolding, with further analysis currently taking place, it is estimated that at least four zero-day vulnerability exploits were involved in the incident, which allowed attackers to steal confidential Supervisory Control and Data Acquisition (SCADA) design, usage and control documents for industrial systems such as those used by the energy sector. This is the first time that so many zero-day vulnerabilities have been exploited in one attack, and it indicates that the people needed to develop and execute such an attack were not amateurs. It is understood that once the attackers gained entry into the targeted systems a rootkit was used to hide their presence while they targeted software within the systems used to control industrial assets and processes. It is also believed that stolen digital certificates were used in the attack to mask their trail through the compromised systems. The use of zero-day vulnerabilities, a rootkit, stolen digital certificates and in-depth knowledge of SCADA software are all high-quality attack assets, and they point to a group of possibly up to ten people involved in developing this specific, targeted and technically sophisticated cyber attack.

In the past this type of cyber attack focusing on critical national infrastructures was seen by many as a theoretical possibility; however, it is fair to say that most would have dismissed such an attack as simply a movie-plot scenario. Symantec believes the Stuxnet attack is clear evidence that such attacks are real and a possible threat, and are no longer just a theory but a reality that countries need to prepare for. According to a recent survey by Symantec, 53% of all firms surveyed suspected or were pretty sure that they had experienced an attack on their systems waged with a specific goal in mind [2]. The Stuxnet incident has shown that such targeted, organised threats do exist, where external actors, motivated possibly by organised crime, terrorism or even hostile nations, attempt to gain control of industrial processes and then place that control in the wrong hands.

Overall, cyber attacks are becoming increasingly complex, sophisticated and organised. No longer are online attackers motivated by notoriety but by economic gain, with access to systems for information being a key target: information that can then be sold as a commodity on the underground economy and possibly used in further attacks, such as social engineering or more targeted attacks on institutions. In fact, in a number of cases there have been reports of attacks aimed not at causing disruption but at collecting intelligence and stealing confidential information.

While the Committee's focus on the UK's preparedness for a potential cyber related incident is understood, from the perspective of the computer security industry, and on the basis of experience to date, it is suggested that the Internet itself has been resilient to possible large scale cyber attacks. The Internet is simply a series of interconnected computer networks, systems and essentially large servers based all around the world. As with any electronic or computerised system, these computers are reliant on electrical power to function. Therefore it may be possible that a natural disaster, or perhaps an offline traditional emergency such as the other case studies being considered by the Committee, that impacts or disrupts power within a country or region could potentially affect the ability of Internet users to gain access to online networks or systems. Physically, therefore, the Internet is susceptible to regional interruption, such as when cables are broken. Such outages have occurred when an undersea cable providing network connectivity to the Middle East was damaged.

Clearly, though, the risks and threats to the security, integrity and resilience of the Internet have increased over recent years. This, together with the shift towards greater interoperability between Internet based networks and systems, means that a targeted cyber attack has the potential to have a cascading effect and impact on other connected systems. It is therefore vital that adequate levels of protection are in place that can identify risks quickly and effectively, particularly given the significant increase in criminal use of the Internet for purposes such as identity theft and extortion.

In response to the question of how prepared the Government is for a potential cyber related emergency, it is important to recognise that ensuring the ongoing resilience and stability of the Internet is a responsibility that is shared by all those using the Internet. While the Government has a role to play in considering and addressing preparedness for cyber related issues, it should be noted that cyber security issues cannot be solved by ISPs, software manufacturers, law enforcement, government or even individuals alone. The nature of the Internet and IT technology is such that no single person can be held accountable, and we all share a collective responsibility to protect ourselves and our customers, whether they be businesses, users or citizens.

Overall, Symantec believes that a modern approach to cyber security must be balanced between protection against and preparedness to address possible incidents. Symantec therefore welcomed the creation of the Office of Cyber Security and the Cyber Security Operations Centre. The role of these bodies in providing coordination across government of activities in this area and operational response to cyber incidents is seen as key for ensuring efforts across government to recognise, identify and therefore address cyber related issues. In addition, the willingness of the Office of Cyber Security to engage and work with industry is also welcomed, given the shared responsibility to prepare for and address cyber incidents as and when they occur. In addition to the Office of Cyber Security, it is recognised that the UK has a number of different bodies that are active in addressing cyber security related issues at many different levels, ranging from e-crime to critical national infrastructure protection, which, as explained above, can be interconnected given the multi-layered cyber security risks and attacks being perpetrated. These bodies include CPNI and the UK e-Crime Police Unit, which also play an important role in addressing cyber security issues in the UK.

· How does the Government use scientific advice and evidence to identify, prepare for and react to an emergency?

From the perspective of the computer security industry, Symantec is supportive of government efforts to gather advice and information as needed and remains committed to assisting in this work as and where appropriate and within the boundaries of the law.

Given the complex cyber ecosystem of the Internet, it is suggested that the threat information, technical intelligence and cyber security related expertise and advice that may be needed in a cyber related incident will reside across a number of different sources both inside and outside of government. For example, it is estimated that 90% of critical national infrastructures, which are increasingly reliant on interconnected networks and systems and therefore a possible target for cyber attacks, are privately owned and managed. As a result, public and private sector co-operation and collaboration is seen as a key factor in assisting not only the government but also industry to identify, assess and evaluate the level of seriousness of a cyber related incident and to better prepare for and react to it. Symantec believes that information sharing is a fundamental component of a modern cyber security strategy and that the development of trusted information sharing networks and systems is a key element in the development of successful public and private cooperation.

· What are the obstacles to obtaining reliable, timely scientific advice and evidence to inform policy decisions in emergencies? Has the Government sufficient powers and resources to overcome the obstacles?

It is suggested that a main obstacle to obtaining timely information in a cyber related incident is the online threat environment itself, as it continues to evolve at an ever increasing pace, with risks and attacks emerging, mutating or evolving into new variants and therefore new attacks. It is suggested that cyber attacks are unlike the other case studies being considered by the Committee, as the online threat environment is constantly shifting and changing. As a result, in order to respond to this changing threat landscape, having the most up to date information, threat intelligence and situational awareness is vital to making decisions in a timely manner and deploying effective countermeasures as and where necessary.

Symantec believes early warning capabilities and real time online threat intelligence are vital components of a cyber security response strategy. Having the right information at the right time can provide an effective means to guarantee a timely response to an attack on critical information and/or communication systems. Having real-time information collection, correlation, analysis and response capability can provide organisations with the ability to identify and recognise key threats or emergencies and to have the timely information needed to assess priorities and address cyber incidents quickly and effectively. Collecting and analysing threat intelligence is, however, a complex process that requires significant engineering skills, specific technical infrastructures to be in place and, in some cases, human intelligence skills.

Having the right information at the right time is clearly important in preparing for and reacting to an emergency situation. However, in a situation where online networks and the information that flows through such systems are attacked or compromised, it is also suggested that the ability to gain access to critical information assets is important to an organisation's ability to respond to and recover from an attack. Organisations are increasingly being targeted by online threats focused on gaining access to their data. Information is seen as a valuable commodity for cyber criminals that can be sold on the underground economy or used to develop more targeted, sophisticated attacks. In addition, attacks are also being seen where the aim is simply to disrupt or even suppress the availability of information, or of the networks and systems upon which information is transmitted, for example in the case of distributed denial of service attacks. As a result, the ability of organisations to recover from a cyber incident can rely not only on the ability to identify and stop an attack, but also on the ability to gain access to the key information assets needed to restore the availability of affected online systems. With the increasing take up of data virtualisation and cloud computing, the way in which organisations manage and store information is changing. However, in the event of a cyber incident, the ability to gain secure access to the data needed to restore online services will be vital to the ability of organisations to recover quickly and effectively. Therefore it is considered important that organisations, in both the public and private sector, have in place the ability to gain access to key information assets securely, using technological tools such as encryption and authentication as well as appropriate policies and procedures, to enable the restoration of data and therefore of the online systems and networks impacted.

· How effective is the strategic coordination between Government departments, public bodies, private bodies, sources of scientific advice and the research base in preparing for and reacting to emergencies?

As outlined above, the resilience, stability and security of the Internet is a joint responsibility that must be shared by all those using the Internet. Therefore coordination and cooperation between the public and private sector on cyber related issues is seen as an important component of a cyber security strategy, not only in the UK but globally. It is suggested that coordination between the public and private sector on cyber related issues occurs at many different levels and areas of the UK Internet community, depending on the sector involved and the specific type or level of seriousness of the threat or risk.

It is suggested that an example of effective strategic coordination and cooperation between governments and industry, not only in the UK but globally, is the role of Computer Emergency Response Teams. CERTs provide a national focal point for information and guidance, and provide warnings, reports and alerts on cyber incidents. The CERT model brings together government, industry and academic partners, and is flexible enough to enable countries to develop multiple CERTs, or different types of CERTs, depending on their particular requirements and needs and on the type of risk or threat activity that may need to be covered. Symantec supports the CERT model for coordination and cooperation and sees it as an appropriate means of sharing information and encouraging a collaborative approach to addressing cyber related issues, both within countries between the key partners involved in cyber incidents and between countries internationally.

· How important is international coordination and how could it be strengthened?

As recognised by the Committee's question, addressing the cyber security challenges we face requires international coordination. Internet security is a global problem that requires a global approach, given that threats and attacks can travel around the world simply at the click of a button. The move away from closed, nationally protected computer networks to a more borderless, open, accessible, Internet based, networked environment means there is a greater dependency and reliance on Internet based systems and networks internationally. This shift means there is a need to recognise that cyber related risks and attacks could now impact and affect more than just one nation, and could have a regional or international impact. Therefore there is an increasing need to highlight and consider the role of international co-operation and collaboration in identifying and addressing cyber risks and threats.

The UK's involvement in European and international forums where cyber security issues are discussed, such as ENISA, the UN Internet Governance Forum, the ITU and the OECD, as well as the UK's participation in cyber security related exercises such as Cyber Storm, are welcomed and supported by Symantec and should continue going forward to ensure the UK can continue to play a leading role in international efforts as they may evolve.

Looking ahead, and given the increased interdependency of countries' networks and systems, it is suggested that information sharing has a key role to play in effective cooperation and coordination against cyber related threats. A common and shared understanding of the threat landscape is necessary not only to enable greater identification and recognition of possible threats and risks but also to ensure that efforts to address possible risks or specific incidents are effectively deployed as and where appropriate. The recent European Commission Communication proposes the creation of a European Information Sharing and Alert System (EISAS) for sharing information and providing alerts. It is important, however, that the development of any common European, or even international, system recognises and takes into account the activities already underway as well as the tools and solutions developed and implemented by industry. Given the experience of industry in this area, it is important that ways are found to involve those in industry with the technical capabilities, skills and expertise in the development of any coordinated European or international approach.

To assist in the development of information sharing initiatives, and as a way to ensure greater effectiveness in information sharing between European and international partners, Symantec believes consideration should also be given to the development of a common language, or terminology, for security incidents, response and escalation that could be used across the UK, Europe and beyond. The ability of stakeholders to speak the same technical language in the event of a cyber attack could help promote greater cooperation and cohesiveness in responses to incidents, not only across Europe but perhaps internationally.

However, when considering how to encourage or strengthen international co-operation and collaboration between countries, it is also important to consider not only the action needed before an incident may occur but also the cooperation and collaboration that may be needed during and after a cyber incident. The events in Estonia and Georgia are real life examples of how sophisticated and targeted large scale cyber attacks can be. These incidents also raised questions over the extent to which relevant parts of EU Member States' national administrations possess the technologies and e-skills needed to address cyber attacks if they occur, or to address issues related to the protection of the Internet. It is therefore suggested that one way to strengthen or enhance international cooperation may be to develop initiatives that enable the sharing of technical expertise and guidance on how to address cyber security related incidents. The establishment of the NATO Cooperative Cyber Defence Centre of Excellence in Tallinn, Estonia, which is supported by Symantec, is an example of a project that has been developed to foster greater understanding and sharing of expertise on how to react to and address cyber related incidents.

However, while cooperation at a European or international level is important, this should not be a substitute for countries taking a national approach that is appropriate to their level of maturity, identified risk and therefore specific requirements. The publication of the UK's cyber security strategy was welcomed by Symantec as an important move forward in helping to co-ordinate, and maximise, efforts already well underway across government that seek to address cyber security related issues. Also supported was the importance placed throughout the strategy on the need to ensure international engagement, and the importance of the UK contributing to international discussions on how to address the current and future online threat environment, not only in the UK but on the global stage.

Symantec

October 2010

About Symantec


Symantec is a world leader in providing solutions to help individuals and enterprises assure the security, availability, and integrity of their information. Headquartered in California, Symantec has operations in more than 40 countries. Further information can be found at www.symantec.com.


[1] Symantec Internet Security Threat Report, April 2010. http://www.symantec.com/business/theme.jsp?themeid=threatreport&inid=us_ghp_banner1_istr

[2] Symantec 2010 Critical Infrastructure Protection Study – Global results, October 2010. http://www.symantec.com/about/news/resources/press_kits/detail.jsp?pkid=CIP_survey&om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin_2010Oct_worldwide_vision_cip