Is UK doing enough to protect itself from cyber attack?

 

Is the UK any safer from cyber attack today than it was in 2010? Watch Mark Urban's full Newsnight report

In 2010 the British government designated the protection of computer networks as one of the country's most important national security priorities. In its Strategic Defence and Security Review (SDSR) it pledged, "the National Cyber Security Programme will be supported by £650m of new investment over the next four years".

What exactly has this investment bought, three years on?

Speaking on and off the record to insiders - from the government, intelligence agencies and security industry - it is apparent that the achievements in defending the UK from this threat have disappointed many.

Much of the available funding may actually have been directed at improving the UK's ability to target other countries' computer secrets.

A woman uses one of a line of cash dispensers in central London Critical national infrastructure could be affected if computer networks are not properly defended

Some point out that even if everything had gone to plan, an investment averaging £162.5m per year over four years could only have a limited effect on such a huge problem.

Security experts estimate that there are about 50 million cyber attacks a year in the UK, a number which they say is growing rapidly all of the time, and they put the damage to the UK economy at up to £27bn last year.

Yet, even according to government plans, less than half the total money committed has so far been spent.

There are suggestions that early strategising consumed many precious months and that the Cabinet Office, which is supposed to be giving overall direction to the project, has not yet allocated much of the money to specific projects.

"Some people have… said we're saving money for a rainy day," Mark Phillips, who helped draught the government's strategy, and is now at the Royal United Service Institute (RUSI) think tank, says. "To which my response is that we already have a rainy day, we have a high threat already with cyber."

Francis Maude, the minister responsible for cyber security, disputed this interpretation in a statement to BBC Newsnight, saying:

Some of the things that have resulted from the government's investment

A computer keyboard and a padlock
  • The Serious Organised Crime Agency (SOCA) took down 36 website domains that sold credit card data
  • 15,000 fraud websites were suspended
  • GCHQ announced a scheme to help companies deal with cyber attacks and give guidance on response to a compromise
  • Eight universities have been awarded Academic Centre for Excellence in Cyber Security and Research status for conducting world class research in cyber security
  • The Cyber Security Information Sharing Partnership (CISP) is to be launched

"Far from abdicating our responsibility on funding, to date we have spent over one third in the first two years of the programme. We are on target and in line with our public spending forecasts. The rapidly changing nature of cyber threats to the UK demonstrates the need for a flexible cyber security response so we reassess our spending priorities on a regular basis as was always the case. This is a prudent, sensible, smart approach as we move forward into the final two years of the programme."

Even if the full £650m is spent, as those close to the policy insist it will be, it is apparent that this will be done over five years rather than the originally promised four.

The other striking thing about the capability that has been taking shape is its offensive character; official figures show that 59% of the planned spend is meant to go to the intelligence agencies.

"We can achieve a tremendous amount these days through remote exploitation rather than face to face meetings with agents," says an MI6 officer referring to attacks on computer networks.

"GCHQ's offensive capability gives the UK an edge," a former senior officer at the eavesdropping centre in Cheltenham told me, adding, "a large proportion of that money has [therefore] gone into those capabilities".

John Bassett, now at RUSI and formerly GCHQ's Senior UK Liaison Officer in Washington, adds that much of the new government funding has gone on, "existing programmes... designed to get a really strong grip on global situational awareness".

Is this just a polite way of referring to stealing others' secrets?

Mr Bassett suggests that understanding the threat to UK computer security requires the exploration of adversary capabilities.

This argument, that the UK's defence requires the penetration of other countries' computer networks makes it hard to define whether most of the British cyber-security spend is actually going on offensive work - hacking for want of a better term - or whether that activity only accounts for some of it.

Mark Phillips, Chief of Staff to Security Minister 2010 Mark Phillips says an offensive programme was 'one of the two unstated objectives' of the UK plan

However, everybody one speaks to within the circle of secrecy assumes that this type of activity has consumed a significant proportion, measurable in the tens of millions, of the UK's total spending on cyber elements.

That emphasis on offensive work is remarkable given that the SDSR and the government cyber security strategy published in 2011 explained the rationale for the new spending almost entirely in terms of protecting the UK economy and government from attack.

Indeed, at an SDSR press briefing in 2010 a senior government official who I asked whether the UK even had an offensive cyber programme declined to confirm that it did, although another official subsequently contacted me to say that there was such an effort.

Mark Phillips, who was present at many of the meetings that formulated both policies, told us that the offensive programme was "one of the two unstated objectives" of the cyber security plan. The other, he implied, was providing support to allies, which in an intelligence context is usually taken as a reference to the US.

The UK Ministry of Defence (MoD) meanwhile has taken 14% of the new money for cyber security, spreading it more or less evenly between offensive and defensive roles, insiders suggest.

It has launched Project Watchtower - a series of programmes designed to crated a super secure cyber architecture for the MoD -in an attempt to secure the military's computer networks from sophisticated attacks, with experts suggesting some good progress has been made.

Start Quote

Nightmare scenarios such as hijackers taking control of an aircraft via its computerised systems, or shutting down a national power system or a country's entire internet, appear feasible... To what extent such risks are exaggerated by security firms touting for business is open to argument”

End Quote

On the offensive side, the MoD has established its Joint Cyber Unit, based at Cheltenham. The impetus for the creation of this outfit, several dozen strong, came from Nato's bombing campaign in Libya, says one Whitehall player.

Ministers asked why the MoD did not have the capability to switch off the Libyan air defence system from afar by means of cyber attack.

One MoD insider argues that the UK is some way from being able to take action of this kind, or match the unleashing of the Stuxnet virus on Iran's uranium enrichment plant, widely believed to have been carried out by the US, although they have not officially admitted it, but that the hold-up is on the policy and legal front rather than the issue of technical ability.

There has been a lively discussion among Whitehall law officers about whether the use of such a cyber attack would constitute an act of war or could under certain circumstances, for example switching off power to a hospital, be construed as a war crime.

Increasingly it is in this area, the development of cyber weapons or disruptive malware, rather than in the long established game of stealing secrets - state or commercial - that attention is focussing in the security community.

In 2011-12, for example, the US Department of Homeland Security tracked 23 cyber attacks on companies related to the national gas pipeline system. They assessed that the targeted information would have allowed an intruder to blow up hundreds of compressor stations, blacking out the US energy grid, "at the click of a mouse". Oil installations in Iran and Saudi Arabia have also had their control equipment hit by malware.

Mr Maude stressed to us that the UK's programme is "not just about securing government systems, though it helps do that too, but underpins all our objectives in tackling cyber crime, protecting our critical national infrastructure and making the UK one of the safest places in the world to do business in cyberspace." He noted that the Economist Intelligence Unit has put Britain top among the G20 countries for creating a secure environment for networks.

Rashmi Knowles is Chief Security Architect at RSA RSA's Rashmi Knowles says a lot more has to be done to raise awareness about cyber security

Notwithstanding this accolade, there is widespread concern about the vulnerability of the UK's national infrastructure to attacks of this kind.

"I don't think anyone is any more secure than they were," said Rashmi Knowles, Chief Security Architect at RSA, a leading cyber security firm, when I asked her whether Britain's infrastructure is any better protected than when the government launched its initiative in 2010.

In part this stems from constant evolution of the threat, with hackers far more dynamic, constantly evolving new techniques, than the government bureaucracies that try to stop them. As for the work that has been done to thwart them, some sectors, such as banking, have a far greater interest in investing in secure networks than the likes of public utilities.

Nightmare scenarios such as hijackers taking control of an aircraft via its computerised systems, or shutting down a national power system or a country's entire internet, appear feasible in the light of the US gas pipeline case. To what extent such risks are exaggerated by security firms touting for business is open to argument.

What almost all parties in the cyber security sector agree is that awareness of the risks is growing. For the government experts trying to devise a response, the risk is that their solutions may be judged inadequate to the scale of that challenge.

 
Mark Urban Article written by Mark Urban Mark Urban Diplomatic and defence editor, BBC Newsnight

Islamic State: Unlikely alliances forming in fight against threat

Unlikely alliances are forming in the battle against Islamic State, Newsnight's Mark Urban reports, but are they for the long term?

Read full article

More on This Story

The BBC is not responsible for the content of external Internet sites

Comments

This entry is now closed for comments

Jump to comments pagination
 
  • rate this
    +3

    Comment number 57.

    I have worked in IT since the early 90s, spent many years hacking just for the challenge of it, it is even easier nowdays as every company seems to want their staff to login from home or people to buy from their websites.
    The easiest way to get a password, look up the CEO, phone the office get the PA's name then look her up on facebook, you will get the password most times from her DOB or her pet!

  • rate this
    -1

    Comment number 56.

    . . . you cannot win a war by only defending. It is necessary to go on the offensive to defeat the agents who initiate these attacks. Its all very well having your home computer with an uptodate AV in place, but it would be much more effective to unload a cyber bomb on the originator of the attack in the first place

  • rate this
    0

    Comment number 55.

    #52 I'm inclined to agree. £27bn would be 3 months govt borrowing or 2 and a bit Olympics, renewal of Trident etc. Its a HELL of a large amount. However £27 million is only 40p per Brit. Not much at all. I suspect the real figure is somewhere in the middle but that no-one could ever accurately measure it as its based on so many unknowns.

  • rate this
    0

    Comment number 54.

    You could spend money on loads of good stuff, only to find out that by the time its rolled out it's obsolete
    -------

    This isn't about hardware, it's about software and programming skills and staying up with the front runners

    Britains Government will embrace it's ancient strategy

    "Keep Calm and Muddle Along"

    Then pray for a Mitchell or a Whittle or a Turing when the situation becomes critical

  • rate this
    +2

    Comment number 53.

    It appears that you are under cyber attack from a foreign dictatorial regime, McAfee has quarantined 328,000 items but cannot safely remove them until you renew your subscription...

  • rate this
    +1

    Comment number 52.

    sorry, but the figure of losses £27 billion, no categorically do not believe this. A gross exaggeration I would think by oh a thousand fold, "7 million may be.. Billion never. Or prove it.

    Everything these days has to be exaggerated, from crime figures to welfare costs... whatever you point of view there is an exaggerated figure for. The ministry of overstatement and job justification..

  • rate this
    0

    Comment number 51.

    #47
    Actually it's totally different.

    Spine could have worked there was a simple measureable goal, it was just a giant cock-up!

    This is a much more nebulous area. You could spend money on loads good stuff, only to find out that by the time its rolled out it's obsolete, Or it looks worse as attacks have shot up! Or you could be taken for a ride and be shown "proof" it's working when its not!

  • rate this
    +2

    Comment number 50.

    This whole story reminds me a lot of the £20bn+ that was wasted on the failed NHS spine nationwide computer system
    -----

    Computers are beyond the mental ability of most government guys... and every home has one

    Look at that electronic bomb sniffer scam

    http://www.bbc.co.uk/news/uk-22266051

    Police said the devices, modelled on a novelty golf ball finder, are still in use at some checkpoints.

  • rate this
    +2

    Comment number 49.

    I am sure they call it a cyber defense shield, but in reality it's just more snooping on us, only cyber snooping.

  • rate this
    +6

    Comment number 48.

    #36 On the contrary. It will take a Cray supercomputer a year to crack a 1930's Enigma message. We did it in hours at Bletchley by exploiting human failings. One idiot Luftwaffe radio operator in Brest always coded his call sign & ended with "Heil Hitler" (coded) so we knew the start & end of each of his messages. This let us work out that days settings and read all the messages sent that day

  • rate this
    +4

    Comment number 47.

    This whole story reminds me a lot of the £20bn+ that was wasted on the failed NHS spine nationwide computer system.

    and then I am not quite sure which computer networks they are "protecting"? I have a feeling a lot of it probably got spent on general public surveillance!

  • rate this
    +4

    Comment number 46.

    @44 LandOfTheMushroomPeople

    The Gary Mackinnon case was a PR disaster...
    One guy with a home PC drilled right through their so called "security" & instead of giving him a medal they hounded him for 10 yrs
    *
    Spot on! The Americans like to demonise him as a terrorist hacker, but he didn't need any elite skills

    http://www.computerweekly.com/feature/Average-hacker-skills-shut-down-US-defence-systems

  • rate this
    +5

    Comment number 45.

    £167.5m / year buys:

    The very best (government preferred) management consultants money can buy (because soon our ministers will be looking for civvy jobs after the next election) in total,

    45 full time consultants, 2 accountants, 3 partners, 1 senior partner, 3 lawyers, a bunch of OGC auditors and the rent on a very expensive office with expenses for bar bills, hotels, transport and meals.

  • rate this
    +1

    Comment number 44.

    The Gary Mackinnon case was a PR disaster

    Now the entire hacker community has gone underground, for good

    One guy with a home PC drilled right through their so called "security" and instead of giving him a medal they hounded him for 10 years

    Governments are so stupid they haven't a hope
    Loads of resources and violence are at their disposal

    But there's a critical shortage of braincells

  • rate this
    0

    Comment number 43.

    42. F Leonhardt
    ---
    I suppose outrage at my point of view would depend largely on whether you regard yourself as 'state-owned' or not. "If your bank account is plundered" - I'm pretty sure that's already well protected (guaranteed, outlawed) by other means. But yes if Bank A is leaving my money on the window sill it should be up to me to move to Bank B, not to the state to fix Bank A's windows.

  • rate this
    +1

    Comment number 42.

    @Sean - are you saying that government money should only be spent on protecting state-owned assets? Does this apply to spend on army and police? Corporates can probably protect themselves better than the government could anyway, but private users are sitting ducks. If your bank account is plundered, you'd want the (cyber)police to protect it. They'll spend unwisely on out-sourcing, of course.

  • rate this
    -1

    Comment number 41.

    Although the level of the computer interface used varies, the majority of hacking involves exploiting the stupidity of others.

    Often all it takes is the ability to guess naive passwords or tricking people into installing malign code.

    Perhaps the money would be better spent raising public awareness of the dangers from poor online security, especially with regard to personal details on Facebook!

  • rate this
    +2

    Comment number 40.

    37. Akkarrin "we keep arresting people who hack government computers,"

    This is the real reason why the Americans wanted to extradite Gary Mc Kinnon. He managed to get past millions of dollars worth of security with nothing more than a home computer a broadband connection and his ability to hack.
    America wanted him to show them how he did it.

  • rate this
    +2

    Comment number 39.

    50 million attacks a year? A day, surely. Or very possibly an hour. Hope this is corrected in the second "draught" :-)

  • rate this
    -5

    Comment number 38.

    Not one penny should be spent on 'protecting against cyber attack' of anything but publicly-owned assets. Even then, it should be no more of a budget headline than defence against termites.

 

Page 3 of 5

 

Features

BBC © 2014 The BBC is not responsible for the content of external sites. Read more.

This page is best viewed in an up-to-date web browser with style sheets (CSS) enabled. While you will be able to view the content of this page in your current browser, you will not be able to get the full visual experience. Please consider upgrading your browser software or enabling style sheets (CSS) if you are able to do so.