Defence Committee
Written evidence from Russ Bubley

“Cyber” is already a broad term, and is subject to further creep.

(Almost?) No system is secure.

Solutions must not significantly degrade the user experience.

Unanticipated change will continue.

1 The term “Cyber” itself is unclear to most, and seems to be used by the media to refer to anything remotely connected to technology. With the increasing convergence of internet and voice communications (VoIP), as well as delivery of entertainment over the internet (eg BBC iPlayer, YouTube, etc.), “Cyber” could soon include most of our communications and media. Cyber-security has a similarly elastic definition.

2 This subject is often discussed only in terms of technical jargon. Very few of the issues are actually that complicated; the technical details can distract rather than illuminate.

3 Cyber-security issues tend to fall into several broad categories, in terms of impact:

Information leakage.

Misuse of computing resources.

Disruption to use of resources by intended users.

5 Cyber-security issues can be brought about by a variety of methods, but it is helpful not to confuse the impact of a security breach with the methods used to conduct it.

Information Leakage

6 Casual leakage. With the growth of social media people unwittingly give away more information than they intend to. By studying all of the information made available by an incautious or apathetic user, a detailed profile of a person could be built up: what family they have, what they like to do in their spare time, how frequently (and where) they holiday, their politics, plus details of their ongoing relationships in both a private and professional context. Anecdotally, this sort of information has formed the backdrop to social engineering attempts at blackmail (“Your daughter was injured on a bus to Veracruz…”) as well as giving potential kidnappers plenty of data both to select targets and ask for ransom from.

7 Accidental leakage. We read time and again of data compromises caused by people moving data off a secure system onto an insecure one: laptops that get stolen, unencrypted memory sticks and CDs that wind up lost, e-mails sent to personal e-mail addresses.

8 Geolocation—where you are. Again, mainly from social media, but also from apps on mobile phones that encourage it, people disclose—both wittingly and unwittingly—where they are. There are many reasons why this could matter depending on the individual: personal privacy and implications for physical security, but locations also allow inferences to be drawn about the individual’s work.

9 Theft of data—quite a broad area, and would include for example, the goals of espionage, identity theft, blackmail, and as we have seen recently, to sell newspapers.

Misuse of Computing Resources

10 “Botnets”—Taking over large numbers of computers (typically home computers), so that they can be used to further a secondary goal. Examples of these goals are:

Sending spam.

Conducting a DDOS attack (see below, paragraph 14).

Using computational power to solve a complex problem, eg breaking encryption.

11 Website defacement—This is where a hacker changes a website to show different information. While historically this has often been done purely for fun by hackers, more recently it has been a goal of “hacktivists”, who have replaced the usual content of websites with political or religious messages. A more insidious version of defacement is to spread propaganda, where defacements may not be obvious without close reading of the text on a website.

12 Unauthorised use—depending on its capabilities, almost any system could be misused to achieve an end. For example, databases could be manipulated to commit a fraud.

13 Secondary risks from impact on other technology systems, eg bringing down a telecoms network, or a utility company’s control systems. Stuxnet is probably the interesting case study here, where it is claimed that the Stuxnet worm succeeded in infecting control computers in an Iranian nuclear enrichment plant, resulting in several months of delay to their programme.

Disruption of use of Resources by Intended Users

14 DDOS—Distributed Denial of Service. This complicated-sounding term simply means co-ordinating lots of computers to make requests, typically of a website, to the extent that the infrastructure can no longer cope and the website is effectively “down” to normal users. This has been a favoured tactic of activists, and has been likened to a modern-day form of political protest. The coordination of computers can be achieved either via a Botnet, or simply by organising enough people to do it manually by either conventional or modern means. In a pre-Internet era (and still possible today), this has parallels with a letter-writing campaign, which can flood a post room to the extent that genuine post is lost, or an orchestrated telephone campaign, which can easily flood a switchboard. During the Kosovo conflict, pro-Serbian hackers instituted a DDOS attack on NATO’s servers. More recently, numerous sites in Georgia were overcome by DDOS attack before and during the time that Russia was physically attacking.
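As an added illustration, not part of the original submission: the difference between one noisy source and a genuinely distributed flood is visible in ordinary web-server logs. The script below parses constructed log lines in the common Apache format (the addresses, timestamps and thresholds are hypothetical) and reports two things separately: individual sources that exceed a per-source rate, and one-second windows whose aggregate volume is too high regardless of source. It shows why blocking noisy addresses alone does not catch a DDOS, where each participating machine may look like a normal user.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common Log Format: client - - [timestamp] "request" status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def build_sample_log():
    """Constructed sample traffic (not real data): a little legitimate browsing,
    one single-source flood, then a distributed flood with a modest per-host rate."""
    def line(ip, second, path="/"):
        return f'{ip} - - [10/Feb/2012:10:00:{second:02d} +0000] "GET {path} HTTP/1.1" 200 5120'

    lines = []
    # five legitimate clients, two requests each, spread over six seconds
    legit = ["203.0.113.5", "203.0.113.6", "203.0.113.7", "203.0.113.8", "203.0.113.9"]
    for i, ip in enumerate(legit):
        lines += [line(ip, i, "/"), line(ip, i + 1, "/news")]
    # single-source flood: 40 requests from one host within one second
    lines += [line("198.51.100.9", 10) for _ in range(40)]
    # distributed flood: 60 hosts, only 3 requests each, all in the same second
    for n in range(1, 61):
        lines += [line(f"192.0.2.{n}", 20) for _ in range(3)]
    return lines


def parse(line):
    """Return (ip, datetime) for a well-formed log line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group(1), datetime.strptime(m.group(2), TS_FMT)


def detect(lines, per_ip_limit=20, total_limit=100, window_seconds=1):
    """Bucket requests into fixed windows and report separately:
    - noisy_ips: sources exceeding per_ip_limit requests in any window
    - flood_windows: windows whose aggregate volume exceeds total_limit,
      which is the only signal a distributed flood leaves when each
      participant stays under the per-source limit.
    Thresholds are hypothetical and would be tuned per site."""
    per_window = defaultdict(Counter)  # window index -> Counter(ip -> requests)
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the whole scan
        ip, dt = parsed
        per_window[int(dt.timestamp()) // window_seconds][ip] += 1

    noisy_ips = set()
    flood_windows = []
    for window in sorted(per_window):
        counts = per_window[window]
        noisy_ips.update(ip for ip, n in counts.items() if n > per_ip_limit)
        total = sum(counts.values())
        if total > total_limit:
            flood_windows.append({
                "window_start_epoch": window * window_seconds,
                "total": total,
                "sources": len(counts),
                "max_per_source": max(counts.values()),
            })
    return {"noisy_ips": noisy_ips, "flood_windows": flood_windows}


if __name__ == "__main__":
    report = detect(build_sample_log())
    print("noisy sources:", sorted(report["noisy_ips"]))
    for fw in report["flood_windows"]:
        print("flood window:", fw)
```

On the constructed sample the per-source rule catches only the single flooding host; the 180-request window produced by 60 hosts at three requests each is invisible to it, and is caught only by the aggregate check. That is the practical meaning of the word “distributed”: the mitigation has to look at total demand on the infrastructure, not just at individual clients.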

15 Various other exploits have been used to shut down part or all of a set of computer systems, or to mislead users into receiving incorrect responses to their queries.

Methods

16 Compromising passwords. There are many ways of doing this, but some typical ones are:

Social engineering—getting people to tell you passwords voluntarily, typically by lying to them. “Hi, I’m calling from your bank. Before I go into details, I need to ask you some security questions.”

Phishing—tricking people into entering their real passwords into a fake system. People are often led to the fake system by an e-mail purporting to be from a trusted organisation. “We have noticed some unusual activity on your account. Please log in here to verify your recent transactions.”

Brute force—trying passwords repeatedly, with the help of dictionaries of common passwords, until you find one that works.

Keyloggers—devices either physically attached to a computer, or software installed on your computer without your knowledge. These keep track of every key you press.

Systems are generally better protected when they are critical, or when their compromise would be expensive (eg banks requiring some sort of key-fob token, some providers of expensive data requiring fingerprint scanners, etc.).
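The brute-force method above comes in two forms, and the defences differ. Where an attacker has obtained a copy of stored password hashes, guessing is done offline at whatever speed the hardware allows; where the attacker must go through the live login page, the service can count failures and lock the account. The following added example (not from the submission) models both against a constructed dictionary of common passwords; the account names, passwords, lockout threshold and iteration count are hypothetical.

```python
import hashlib
import hmac
import os

# Constructed dictionary of common passwords (not from the original submission).
DICTIONARY = ["123456", "password", "letmein", "qwerty", "Summer2012", "correcthorse"]


def sha256_hex(password: str) -> str:
    """A fast, unsalted hash: the kind of storage that makes offline guessing cheap."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack_offline(leaked_hash: str, dictionary=DICTIONARY):
    """Offline dictionary attack against a leaked hash.
    Nothing limits the rate: every guess costs one hash computation.
    Returns (password or None, guesses tried)."""
    for tried, guess in enumerate(dictionary, 1):
        if hmac.compare_digest(sha256_hex(guess), leaked_hash):
            return guess, tried
    return None, len(dictionary)


class LoginService:
    """Toy online login endpoint storing a salted, iterated hash.
    lockout_after=None models a service with no throttling at all."""

    def __init__(self, username, password, lockout_after=None, iterations=100_000):
        self.username = username
        self.lockout_after = lockout_after  # hypothetical policy value
        self.failures = 0
        self.iterations = iterations
        self.salt = os.urandom(16)
        self.stored = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, iterations)

    def login(self, username: str, password: str) -> bool:
        if username != self.username:
            return False
        if self.lockout_after is not None and self.failures >= self.lockout_after:
            # Locked: even the correct password is refused until the lock is reset.
            # This is also why an attacker can lock out a legitimate user on purpose.
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, self.iterations)
        if hmac.compare_digest(candidate, self.stored):
            self.failures = 0
            return True
        self.failures += 1
        return False


def crack_online(service: LoginService, username: str, dictionary=DICTIONARY):
    """Online dictionary attack: each guess is a real login attempt.
    Returns (password or None, attempts made)."""
    for tried, guess in enumerate(dictionary, 1):
        if service.login(username, guess):
            return guess, tried
    return None, len(dictionary)


if __name__ == "__main__":
    print("offline:", crack_offline(sha256_hex("letmein")))
    print("online, no lockout:", crack_online(LoginService("alice", "Summer2012"), "alice"))
    locked = LoginService("alice", "Summer2012", lockout_after=3)
    print("online, lockout after 3:", crack_online(locked, "alice"))
    print("owner can still log in:", locked.login("alice", "Summer2012"))
```

Three points follow from running it. A leaked fast hash falls to a dictionary in as many steps as the password’s position in the list, so the quality of the storage (salted, deliberately slow hashing) matters as much as the password. Against a live service with no lockout the same dictionary works, only slower. With a lockout the attack fails, but the legitimate owner is refused too: the throttle that stops guessing is itself a small denial of service, which is the kind of usability cost that drives the workarounds described in paragraph 28.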

17 Hacking—probably the best-known of the cyber-security issues, and so the one on which I will comment least. A hacker will attempt to compromise a system, typically taking advantage of some sort of bug that enables the security to be bypassed. Probably the most important thing to understand is that no connected system should be considered secure against this sort of attack from a determined and well-resourced attacker. There is a continual arms race to improve security and to defeat it. This is not helped by the fact that systems are rarely constant, with both software and hardware being retired regularly, and each change bringing with it the potential for a new set of security problems.

18 Man-in-the-middle attacks—this is where an attacker stands in the middle of the flow of data, observing, and potentially changing data as it goes past. There are numerous well-documented cases of this form of attack, including ones where it is claimed they were carried out by state-sponsored actors.
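To make the man-in-the-middle concrete, here is an added example that is not part of the submission. It models a relay the attacker controls between a sender and a receiver: on an unprotected channel the relay can read the message and silently rewrite it; if sender and receiver share a key and attach a message authentication code (HMAC, a standard technique not mentioned in the original text), the rewrite is detected, although the relay can still read everything. The message contents and the shared key are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed scenario: a payment instruction crosses a relay the attacker controls.
DEMO_KEY = b"shared-secret-for-demonstration-only"  # hypothetical pre-shared key


def attacker_relay(frame: bytes) -> bytes:
    """The man in the middle. It sees the whole frame in clear (observation)
    and rewrites the payee on its way through (modification)."""
    return frame.replace(b"payee=bob", b"payee=mallory")


def deliver_plain(message: bytes) -> bytes:
    """Unprotected channel: the receiver simply trusts whatever arrives."""
    return attacker_relay(message)


def seal(message: bytes, key: bytes) -> bytes:
    """Append an HMAC-SHA256 tag. The tag depends on the key, which the relay lacks."""
    tag = hmac.new(key, message, hashlib.sha256).hexdigest().encode()
    return message + b"|" + tag


def open_sealed(frame: bytes, key: bytes):
    """Verify the tag; return the message if intact, None if it was altered."""
    message, sep, tag = frame.rpartition(b"|")
    if not sep:
        return None  # no tag at all: treat as tampered
    expected = hmac.new(key, message, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        return None
    return message


def deliver_authenticated(message: bytes, key: bytes):
    """Protected channel: the same relay sits in the path, but the receiver checks the tag."""
    return open_sealed(attacker_relay(seal(message, key)), key)


if __name__ == "__main__":
    instruction = b"from=alice;payee=bob;amount=500"
    print("plain channel delivers:", deliver_plain(instruction))
    print("authenticated channel delivers:", deliver_authenticated(instruction, DEMO_KEY))
```

The tag protects integrity only: the relay still reads the instruction, so an attacker interested purely in observing (the espionage case) is not hindered by it, and confidentiality needs encryption on top. In practice both are obtained from a properly configured TLS connection; the example separates the two so that the difference between “observing” and “changing” in the paragraph above is visible.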

19 There are many more esoteric methods. Some of these are well documented, but it would be prudent to assume that there are other methods not generally known.

Miscellaneous Issues

20 Cloud computing—data and computer processing, for individuals and organisations alike, is moving from home computers to “the cloud”, where it is outside of your physical control. This trend is fuelled by the explosion of devices and the desire to share data between them for convenience, and by reasons of economy: it is much cheaper to rent computers at a dedicated data-centre than to run them yourself. As cloud computing is typically accessed over the public internet, it is exposed to most types of cyber-attack. As a proof-of-concept, rented cloud computing capacity has also been used to break cryptography.

21 BYOD—Bring Your Own Device. As people get more attached to their personal devices (smartphones, tablets, etc.), with their familiarity, ease-of-use, and integration into people’s lives, people are opting to use them for their work. Recognizing this trend, IT managers are allowing (or being forced to allow) these devices to access what would previously have been a more secure network.

22 Impact of research—a breakthrough could be made that makes defeating most of our current-day encryption possible. This could happen through better algorithms for factoring large numbers into their prime factors (the hard problem on which much of today’s secure communication relies), or through developing scalable quantum computers, for example.

23 Lack of experience/interest from today’s youth. Our computers are so sophisticated today, that users are not forced to interact with them in the same way as they were a generation ago. Put another way, IT and programming are no longer even closely related. Many claim that this will lead to a dearth of programming talent amongst the younger generation, leading, in the long term, to economic and security problems.

24 It is now possible to buy, for a few hundred pounds or less, personal reconnaissance drones—basically model aircraft with a camera attached. Some of these can be controlled in real-time from a smartphone. They have hit the media in several circumstances, at least one of them positive. See, for example, http://tinyurl.com/drone-image, where a member of the public in the US used one of these to expose alleged environmental abuses at a factory.

25 Cyber-security problems usually arise because of people’s behaviour, not because of technological wizardry. Education in cyber-security (not just “how”, but also “why”), and good management of people, is important. If management structures value business effectiveness over security, and security is perceived as cumbersome or burdensome, it will be skipped or diluted.

26 Smartphones and tablets may become more of a cyber-security issue than computers. People rarely worry about security on their smartphones, beyond the physical security. Yet they contain vast amounts of highly personal data, and if compromised could be used for bugging, tracking, and many other nefarious purposes.

27 Anecdotally, travellers’ smartphones, tablets and laptops have been confiscated or searched when in foreign countries. Depending on circumstances this could compromise the travellers in any number of ways.

Observations

28 Psychology and security. Most people don’t care about security: they just want things that work. If things become too hard to use because of over-onerous security, people will go elsewhere or work around the security. Force users to change passwords too often, or to make them too complicated, and they will write them down. Ban them from using a website on a work computer, and they will turn to their smartphone or find a way around the technological ban. Education enables people to strike a balance between security and convenience.

29 Commercial reality and security. For many businesses, security probably should take second place to reliability. If your website, or worse, your payment processing service is not working, you will lose customers. If you accidentally leak details of your customers to hackers, it may have a very limited impact on your bottom line. Provided you have “the little padlock-thingy”, people will assume that security is good enough.

30 Despite the varied problems that breaches in cyber-security could cause for an individual institution, the cost and effort in fixing them has to be compared not only to the potential costs of leaving them, but also to the cost of and cures for “business as usual” operational issues: a faulty computer in the server room may cause just as many problems as a hacker.

31 Censorship and intervention. The suggestion during last year’s riots that social media be “turned off”, because it was letting people communicate freely, brought forth comparisons with both the Arab Spring and censorship in more repressive regimes.

Relevance for National Security

32 Institutions will typically evaluate the potential impact of cyber-security issues as they affect that institution in isolation; they will not generally consider the impact of a systemic failure, or the simultaneous failure of multiple institutions. A parallel could be drawn with the financial crisis.

33 Hostile actors, whether state-sponsored or otherwise, have tried, and will continue to try, to exploit flaws in Britain’s cyber-security for their own ends. Espionage, and particularly industrial espionage, is reported to be on the increase. This should be expected, as cyber approaches to industrial espionage are much simpler, cheaper and safer than traditional methods.

34 Expertise in cyber-attacks, once built up, can be redirected at different targets swiftly. If you have the know-how to compromise a technology company today, you may choose to switch to a newspaper, a bank, or a government department tomorrow.

35 Against this backdrop, it seems fair to ask what the House of Commons Defence Committee might do to help government in tackling these problems.

20 February 2012

Prepared 8th January 2013