'Outdated cyber defences could be turned against us'
22 November 2011
Ahead of the launch of the government's cyber security strategy, former security minister Baroness Pauline Neville-Jones has argued that unlike traditional military defences, outdated cyber defences could actively aid the people they are trying to keep out.
Cyber security and defence are complex and growing areas, taking up more and more time in the minds of the military and wider public sector alike. Who the main actors are, what their targets and weapons of choice are, and what can be done to protect against cyber threats are questions without a single, convenient answer. Government, then, in coming up with its updated Cyber Security Strategy, must be prepared to develop a full understanding of the risks cyber-attacks present as well as a flexible way of dealing with a growing number of attacks against its own systems, and those of industry and private individuals.
At the Royal United Services Institute's cyber conference, former security minister Baroness Pauline Neville-Jones said that the country was very much at the beginning of its development in terms of being cyber secure.
"These are the foothills of a long journey where the world which we're inhabiting is changing extremely rapidly around us," she said, "and one of the features of the landscape is both its volatility and the rapidity of change, which makes it hard to handle."
Only "top-rate performance" will do in aiming for cyber security, said Neville-Jones, with mediocrity leaving systems open to all the risks associated with being out-of-date. Even slipping slightly behind the times in one area of cyber defence - not patching a critical security flaw in time, for example - would mean hackers may be able to turn those defences against their owners.
"Whereas it's not optimal to have a second rate gun in service, which will reduce capability, you wouldn't normally find yourself in a situation where that gun by its inferiority posed an active threat to you," she said. "That's perfectly possible, however, in cyber.
"An inadequately secure system which has been penetrated has not only had its integrity destroyed but it may be actively aiding the enemy. And another unusual feature of cyber, one we must take account of, is that you may be unaware it's happening."
The breach of RSA's SecurID tags in March this year was agreed by many at the conference to be a 'game changer' for cyber security. The attack eventually led to around 40 million of the ubiquitous tags being replaced, but the damage had already been done and was said to have led to further attacks on systems that used SecurID, including an attempted breach of Lockheed Martin's computer systems in May.
"We are dealing in cyber with a revolutionary technology which overcomes the constraints of time and distance and which is quite clearly the base of globalisation," said Neville-Jones. "It flattens hierarchies and it transfers power in hierarchical societies from ruler to ruled; and it enables economies to leapfrog stages of development and each other in the world of competition for wealth creation.
"In this high stakes world, middling performance will not do. You cannot be half-secure."
Strategy
The UK faces an "avalanche" of attacks on a daily basis, designed to steal intellectual property and assets from business, files from government servers and personal data from individuals. In that respect it makes sense for the shoring up of cyber defences to be a partnership between government and the private sector.
"The private sector runs the infrastructure in this country, by and large, it is the possessor of the intellectual property which we're trying to safeguard, which is the seed corn of our wealth," said Baroness Neville-Jones. "So it's much more intelligent for government in that situation to reach out for co-design than it is to try to impose rules."
The co-design should be built in to the government's forthcoming cyber security strategy, she said. "National security is clearly more than just the sum of policy in the FCO and the MoD. Cyber security requires a whole society response. I think it's fair to say that we haven't yet got far down this road – although government is aware of what is at stake and what needs to be done; and you can hear the gears grinding a bit.
"Too many people and organisations still regard responsibility for security generally - and for cyber security in particular - as somebody else's bag; and probably the government's. I don't think that's an attitude that can continue. Altering attitudes to the importance of security and personal responsibility for it and in it is one of the tasks that lies ahead of us."
The government's strategy must aim to make the key cyber players able to "repel and block" cyber attacks through built-in resilience, as opposed to just being able to mitigate their after effects, said Baroness Neville-Jones.
"That is a different order of ambition and is much harder to achieve," she said. "We do have to get serious about high levels of resilience in key parts of the system which I don't think we're doing at the moment. We are still at the stage now of quickly scrambling, nimbly, actually to deal with an emerging problem. We need to get to the stage where we have deterrence built in. That's a long way to go, and we haven't got there yet. We need, therefore, resilience embedded in systems - not just bolted on - and formidable enough to deter attack. That should be the long-term goal of what is described in the National Security Strategy (NSS) as a transformative policy.
"Whether the existing tranche of money [the £650m set out in the NSS] will get us all the way, I don't know. If you asked me to guess, probably not."
More investment and partnership must be joined by greater leadership on the government's part, said Baroness Neville-Jones. The need to secure classified and defence information on government systems is perhaps the most obvious aspect of government's cyber responsibility, and Whitehall should lead from the front in the bid to build defences.
"Government systems have to be models of resilience and security," she said. "You can't preach and then fail to act yourself. And it's obviously crucial in the area of defence. Government systems do have to incorporate defence intelligence and general government classified information."
The strategy must also look further into the future, beyond even its own lifespan, in tackling the UK's "very serious" cyber skills gap.
"We do not have and we are not training enough people who actually have the necessary skills," said Neville-Jones, adding that students are not taught that 'cyber' represents a viable career path.
"If you ask a sixth former about a career in cyber they've never heard of it. It needs to be changed because it needs to be embedded in the mindset of the country."