The Mandate of Heaven

eGov Monitor Version

“Parliament”, said my distinguished friend “has always leaked like a sieve”.

I’m researching the thorny issue of ‘Confidence in Public Sector Computing’ and we were discussing the dangers presented by the Internet. In his opinion, information security is an oxymoron, which has no place being discussed in a Parliament built upon the uninterrupted flow of information of every kind, from the politically sensitive to the most salacious and mundane.

With the threat of war hanging over us, I asked if MPs should be more aware of the risks that surround this new communications medium? More importantly, shouldn’t the same policies and precautions that any business might use to protect itself and its staff, be available to MPs?

What concerns me is that my well-respected friend mostly considers security in terms of guns, gates and guards. He now uses the Internet almost as much as he uses the telephone and the Fax machine and yet the growing collective threat posed by hacking, information theft, computer viruses or even the spectre of Internet terrorism, were on the margins of his interest.

But as 2002 draws to its close, I would argue that it would be wise for MPs to give the Internet a little extra thought. The problem of unsolicited email, Spam, may be the most immediate and highest profile nuisance but there exists a much wider threat which demands precautionary action on the part of anyone who might be connected to the World Wide Web.

October 25th set a new record for attacks on computers on a global basis. Len Hynds, the Director of the National Hi-Tech Crime Unit, informs me that a majority of UK companies have now been attacked or aggressively scanned for weakness from the Internet while one in five organisations have experienced a security breach according to research from PWC.

Internet attacks are increasingly politically motivated, according to research from Mi2G and eGov monitor reports that government departments have experienced more than 9,000 digital attacks on their IT systems so far this year. The security threat to government was revealed through responses by Ministers to a series of parliamentary questions tabled by Labour backbencher Brian White MP.

According to one report, 9th November saw the compromise of 13 computer servers on a New South Wales state government network in a synchronised assault on a single day

Over half of the attacks on UK government systems this year, were directed towards the Cabinet Office and its agencies, which during 2002 reported some 5,857 attacks, with 1,167 of these occurring in October alone (eGov monitor).

Last month, at the eSummit in London the Prime Minister applauded our continued success, as a growing Knowledge Economy and the conference heard that Broadband Internet access among the population had now grown to 1.2 million subscribers. However, where Broadband offers high-speed Internet access, it also hides a serious problem that most of the population are unaware of. Broadband is the equivalent of an open door into a personal computer, if there is no ‘Firewall’ behind the connection.

I sketched-out this well-know problem in a meeting at the Office of the e-Envoy earlier this year. On average, my own Personal Computer is scanned or attacked at least twice a day, according to the firewall log, which also keeps the many windows and doors into it locked tight shut. The last of these attacks was last night, when a security alert was displayed as the Firewall executed a “Default Block Backdoor/SubSeven Trojan horse”.

Most of us are aware of the computer virus threat, which causes nuisance and data loss on a global scale but few people are informed enough to realise that many of the latest viruses also carry ‘Trojans’, like the ‘SubSeven’ Trojan Horse, which when triggered allow a third-party to effectively control another computer from anywhere on earth.

Broadband makes this far worse because a clever hacker, like ‘Solo’ who wreaked havoc in the US Department of Defence, before being caught by the Hi-Tech Crime Unit’s ‘Operation Sidewalk’ , could effectively ‘take-over’ hundreds if not thousands of computers and turn them into a single weapon as part of a sudden ‘Denial of Service’ attack, which can put an international business like Amazon out of action in a matter of minutes. It’s my own very conservative guesstimate that of our 1.2 million Broadband users in the UK, at least 5% are likely to be infected by Trojan programmes where the owner is quite oblivious to the fact that at any time, somebody else in Shanghai or Sao Paolo, for no other reason than idle curiosity, can pop-in and have a look at what he or she is doing or worse, use a third-party’s machine as a springboard with a more sinister purpose.

So what does this information tell you, if you happen to be a Member of Parliament? It means that if you have Broadband or even dial-up Internet access and you don’t have a personal firewall in place, like ZoneAlarm or Symantec’s popular Norton Internet Security, that your own PC can easily risk compromise or virus infection through simply visiting another Web site.

Spam , unsolicited email can be more than a nuisance. Some Spam will attempt to re-direct the reader to Web sites with allegedly ‘Free’ sexual content. But very little on the Internet is really free and the ‘Content’, if viewed, can drop on of those Trojans I referred to earlier on to your system. Very often, it’s the sites ‘Raison d’Etre’.

If “Parliament leaks like a sieve” then perhaps its better that it does so in a more conventional or traditional sense, one more in standing with its historic purpose. However, as MPs become increasingly ‘Wired’ into the world of the Internet, then they need to be aware of the risks of fraud, identity theft, vandalism, business interruption and all the other crimes that have been given an opportunity that spans a global audience. When you use the telephone, you don’t expect to be bugged. When you speak or write in confidence to a newspaper, a colleague or a constituent, you may not wish to be overheard or have that communication intercepted by a teenager in the Philippines?

Members of Parliament should insist on the same information security precautions, products and policies as are available in the broader public and private sector domains which lie outside Parliament.UK. This exercise should extend to the constituency and advice on MPs’ own websites as well to reduce the risk of hacking or indeed, an MP’s own website being used as a potential host for malicious code.

Based on what I have heard most recently from my own sources, I have passed my concerns to Robin Cook. A sensible first step, might involve an immediate security assessment of the condition of Parliamentary computing, one capable of identifying potential threats and weaknesses to the organisation and its Members. Any business of comparable size to Westminster would conduct such an exercise as a matter of routine.

The second action should address information security and the integrity of the Members’ own personal computers and every MP should have personal firewall software installed on his or her PC by default and those using Broadband, as a matter of urgency. When this happens many may be surprised by what they find is already resident on their system or perhaps relieved to discover what is not.

In considering the Internet risks facing Members of Parliament, a final word goes to Liberal Democrat MP, Richard Allen who believes:

“The whole business of Parliament depends on a secure flow of information, both in terms of the availability of information systems and of the confidentiality of much of their content”.

“As we become increasingly dependent on new technology and networks for storing and transmitting that information, we should take sensible precautions against the potential threats to these systems that we can now see are substantial and growing."



Quick Facts

- October was the worst month ever for digital attacks with 57,977 attacks recorded, according to Mi2G’s Intelligence Unit

- The overall trend for digital attacks is on an upward curve with 31,322 overt digital attacks recorded in 2001 and 64,408 - more than double - recorded in 2002 already

- The revised projection for 2002 is for over 70,000 such attacks mostly targeted at small to medium size businesses. (Mi2G)

- In March of this year the UK Government, admitted facing an average of 84 attacks each week and that between 1st January 1999 and 29th January 2002, Government departments reported 13.146 hacking attempts of which ten resulted in sensitive data being disclosed or compromised. (UNIRAS)

- Europe's sharp plunge in attacks during November accounted for a large portion of the overall decline this was principally due to the UK, where attacks fell sharply by nearly 70% from 2,253 in October to 679 in November. (Mi2G)

- Upwards to $59 billion is lost each year in proprietary information and intellectual property, according to the 10th Trends in Proprietary Information Loss Survey by ASIS International, PricewaterhouseCoopers, and the U.S. Chamber of Commerce. The collective basis for these losses is a lower level of priority for information security—especially at the internetwork, desktop, and public sector user.

- High Tech, Financial Services, and Power and Energy companies continue to show the highest rates of attack activity per company (Riptech)

- On average, every new Web site will be accessed within 28 seconds and attacked within 5 hours (PWC)


Dr Simon Moores is a Director of Zentelligence Research (www.zentelligence.com) and will be speaking on the subject of information risk at the first eCrime Congress in London on 9th December. (www.e-crimecongress.org)

He has worked with the Cabinet Office as an ‘Advisor’ to the Office of the e-Envoy and has provided consultancy to companies which include Microsoft, Quizid Technologies and Symantec on matters relating to information security strategy and the Internet
.


Comments

Popular posts from this blog

A Short Guide to Collecting your Iranian Travel Visa in London

Plus Ca Change

Nothing New Here Folks