Cyber Security and The Sick Man
We appear to have entered yet another cold war, an era when nation is fighting nation through a proxy of clandestine hacking groups, bodies that we imagine to be groups of pallid teenagers, cold pizza to hand, cola on tap, huddled round glowing screens in dimly lit rooms.
We do not visualise rooms of professional, well trained men and women with post-graduate qualifications, in well connected offices, paid salaries, the same normal stresses and complaints about work life balance as the rest of us.
This article could easily be about the challenges of hardening networks, about the endless cycle of discovering potential issues, whether zero-day exploits or sloppy patching, but there are thousands of people more qualified than myself to write about such things. What I would like to consider are the implications of the nature and behaviours of the actors behind cyber warfare and what this means for how we respond.
We can classify the actors into three broad groupings, each of which will carry a different fingerprint as it operates:-
- Nation States - marked by significant funding and resourcing, typically a defensive focus, target acquisition and a recognition that as a state actor, an identified, targeted attack on a 3rd party's infrastructure could be determined an act of war.
- State Sponsored Groups - marked by opaque funding, limited visibility of lines of control and an ability to translate target identification into target exploitation and a discriminate focus on offense.
- Independent Actors - ranging from current and former employees to unaffiliated, intellectually driven and criminally driven individuals.
The importance of who we are dealing with cannot be overstated, because war, like life itself, is subject to a legal framework. Governments are increasingly becoming aware of the implications of cyber security failure and across the UK’s 13 national infrastructure sectors: Chemicals, Civil Nuclear, Communications, Defence, Emergency Services, Energy, Finance, Food, Government, Health, Space, Transport and Water, reviews have been taken and appropriately classified.
Where it is believed that ‘Those critical elements of national infrastructure (facilities, systems, sites, property, information, people, networks and processes), the loss or compromise of which would result in major detrimental impact on the availability, delivery or integrity of essential services, leading to severe economic or social consequences or to loss of life.’, the state has stepped in, providing a buffer of sorts against the hacker through nothing more than the line of a pen.
It is a curious world where we can consider that a Critical National Infrastructure ('CNI') classification will influence behaviour, but the reality is that if ever we are to go to actual war over a virtual attack, these semantics are important. A direct, attributable cyber attack by one state against those assets a state has declared itself as trying to protect will increasingly be akin to a binary boundary, one which cannot be closed, which must be open, but which must be constantly monitored. CNI classification pushes the aggressor to move to more arm’s length, deniable operations, because an infringement has been very publicly determined to carry so much more consequence.
This leads us to a very interesting conundrum with regards to the role of the state versus the private sector in the obligation, funding and capability of each party to protect its assets.
High profile cyber attacks on businesses are rare, often falling into crude DDoS attacks, machine encryption or phishing scams, both of which are increasingly facilitated by the rise of crypto-currencies, but the day when we see the global lockdown of a major business (in a similar way to the recent ‘power surge’ which allegedly caused British Airways’ recent problems) can only be a matter of time.
When this does happen, who will be watching, who will be responding, who will be helping us get back on track?
In countries where the state remains pervasive, where political oligarchs stand over arm’s length entities, any attack on a private business becomes an implicit attack on the state itself. That is not the case here in Western Europe and that is something that will shape the face of our war.
Imagine a world where a small, regional train company has its services disrupted, in a relatively minor manner - perhaps the communication notice boards are knocked offline, perhaps their website and timetabling fails. You might be grumpy, you might be late home, but nobody dies, there is no loss.
Imagine a world where an over the air update to vehicle engine management systems triggers an emissions fault light to start appearing – erratically - on all the buses produced by a well known British manufacturer, taking them out of service. You’re frustrated – the trains have been delayed, you’re now really late getting home, but you’re oblivious to what has happened.
What has happened is that your local MP is getting complaints about the quality of the train service – something she can’t actually control. She raises a question in the house, but is told that there isn’t a national problem and with nothing solved, another tiny slice is taken out of her electoral majority.
What has happened is that a group of engineers have explained to their Board that they can’t find an issue in the 3 million lines of code in their engine management system – much of it is an outsourced black box after all. The Board talk about what they know, about new engine options and watch with despair while their share price falls and that new foreign entrant wins the latest contract. Frustrating, but then everybody knows their woes.
These businesses will be generally staffed by competent, professional people, but they are not generally equipped to deal with the kind of asymmetric capability which they are going to be increasingly faced with in the Cyber security arena.
Maybe a way forward is to increase the role of the state, to create a monolithic security service to protect us all, but that – for me at least – is something that is the antithesis of what I would hope for, because in an attempt to cover all bases, we risk eroding so many of the freedoms that mark out the innovation that has been the engine of our growth.
What I do think needs to be done however, is to increase the engagement between state and private sector, with the state acting as the purveyor of bad news, the early warning indicator that something is potentially amiss, but most of all the state needs to recognise that general business will not invest in cyber security in any way that they should, because of both cost and capability.
The next few years will prove critical. Government must invest, must work with selected trusted partners to build capability and protection across the country, because in a world of real cyber warfare, we are not facing a bullet, but a slow poison, insidious and damaging, but one where we can, if we wish, insist that we are still healthy, while our faculties fail around us. If we are sensible, we will invest now, though it will be a brave politician to step forward and rally the cause in an age of austerity.
*** This is a personal opinion piece only. ***