Skip to main content
Special Report - Moores on the Information Security Threat – Part One

Over the last three months, I’ve been looking closely at the question of information security and the Internet. I’ve collected the opinions of Civil Servants, MPs’, MEPs’ the Police, and leading experts from the different interests that divide opinion in the IT industry, Microsoft, IBM, Red Hat, Symantec and many more. When I mention my interest in the Public Sector I find reactions can be very different. With government as an important customer, The IT vendors are happy to discuss their own vision of the future for information security but in contrast, some parts of government have been rather less than enthusiastic, for reasons which will soon become clear.

If November was notable for the eSummit, a well-orchestrated celebration of progress towards the Prime Minister’s 2005 vision of joined-up government and ‘Broadband Britain’, then December offered a less well publicised but equally significant gathering in a quiet London hotel. This was the UK’s first ever e-Crime Congress, sponsored by the National Hi-tech Crime Unit (NHTCU) and which attracted a remarkable list of high-ranking delegates from law-enforcement agencies and governments around the globe, who listened politely to a keynote address from Home Office Minister Bob Ainsworth MP.

The irony of both events taking place within weeks of each was not lost on me. On the one hand, we are presented with an agenda of national importance, one that involves both a radical transformation of the public sector and with it, Britain’s emerging role as an example to other countries. In contrast, there were the conclusions that delegates took away with them from the eCrime congress. The Internet and its foundation technologies are open to organised criminal abuse on a scale which can’t yet be fully comprehended. At the conference, I discussed the many challenges associated with the collection of accurate statistics but Internet crime defies jurisdictional geography and like the drugs trade, it leverages the criminal code weaknesses of the poorer states. As a Ukrainian police officer told me:

“I have ten men, three large cities and very little budget in a country with many other urgent priorities”.

Today, we talk in terms of the Internet and its growing importance as part the ‘The National Critical Infrastructure’ but we might as easily think in terms of Swiss cheese when we are presented with relatively simple matters of information security.

To illustrate this view, there was yet another embarrassing ‘leak’ last month of a confidential Foreign & Commonwealth Office to the US-based Web site Cryptome.Org. The Sunday Times, which now makes a point of watching Cryptome for salacious gossip, picked-up a confidential memo which described the visit of Russia’s Defense Minister, Sergei Ivanov to London and what was discussed between our governments over dinner. Of course, there was the normal polite chat about Iran and Chechnya and weapons of mass destruction but according to the memo:

Chernov, one of Ivanov's staff at the PUS' dinner launched a diatribe about the threat which the internet and an "uncontrolled information space" posed to world security. He depicted the Internet as the major global threat over the next 5-10 years”.

Statistics are a problem for any of us attempting to grasp the scale of the security challenge. Last month, in an open letter to Members of Parliament, I noted that according to research by security consultancy Mi2G, October 25th set a new record for attacks on computers on a global basis and at the eCrime Congress, Len Hynds, (seen below) the Director of the National Hi-Tech Crime Unit, reported that over 80% of UK companies have now been attacked or aggressively scanned for weakness from the Internet while PWC reports that one in five organisations have experienced a security breach.

Len Hynds

I have described the present infrastructure as “The soft underbelly of the developed world” and in an increasingly tense geo-political climate, Mi2G claims that Internet attacks are increasingly politically motivated and intelligence and terrorism experts say that the Islamist presence on the Internet has expanded rapidly in recent months.

In December, eGov monitor reported that government departments have experienced more than 9,000 digital attacks on their IT systems so far this year. Over half of the attacks on UK government systems this year, were directed towards the Cabinet Office and its agencies, which during 2002 reported some 5,857 attacks, with 1,167 of these occurring in October alone. The security threat to government was revealed through responses by Ministers to a series of parliamentary questions tabled by Labour backbencher Brian White MP and Liberal Democrat MP, Richard Allan, stressed the importance of improving information security in a ‘Today’ programme interview on Radio 4.

Statistics do however need to be taken “With a pinch of salt”, in the absence of a single, authoritative and integrated source of information capable of presenting an impartial and evidential view of the growing security problem now facing both the private and the public sector. The eCrime Congress called for better and more centralised reporting to assist the NHTCU which sees its efforts “undermined by under-reporting” with its threat assessment task. But reporting, though useful, like any crime figures, only serve to inform the public of how bad the problem is after the event and can only encourage those with a responsibility for information security within their own department to take the threat seriously.

Scott Charney

According to Microsoft’s Chief Security Strategist, Scott Charney, (seen above) speaking at the eCrime Congress “More than half of all computers operate in an unmanaged environment”. While it’s hard to arrive at accurate figures, a significant percentage of systems are protected by either limited security or are accessible through default passwords, such as “Administrator”. The British hacker, Gary McKinnon, ‘Solo’ caught by ‘Operation Sidewalk’ last month caused at least $1.3 million dollars worth of damage among United States government systems through the relatively simple exercise of installing a remote access‘ PC Anywhere-type’ program on inadequately protected Servers.

Since the tragedy of 9.11, the US government is far more attentive than most to issues of information security and yet McKinnon allegedly compromised over ninety sensitive systems from his flat in North London.

Increasingly, the Bush administration also worries that Islamic extremists may be among the owners of U.S. companies involved in sophisticated computer activity. In In Dallas, at the end of Deecember, a posse of FBI agents arrested the operators of Infocom, an Internet service firm allegedly financed by a leader of the militant Palestinian group Hamas.

Where the UK may be a world leader in the development of eGovernment services and has an ambitious programme of universal citizen Internet access by 2006, the evidence suggests that both the private sector and perhaps to a broader degree, the public sector, is potentially more vulnerable to attack and information compromise than any of us would like to believe.

In the second part of this special report, I’ll be examing Microsoft's 'Trustworthy Computing' initiative and asking where both the problems and the responsibilities associated with Internet and information security lie in 2003.


Popular posts from this blog

Mainframe to Mobile

Not one of us has a clue what the world will look like in five years’ time, yet we are all preparing for that future – As  computing power has become embedded in everything from our cars and our telephones to our financial markets, technological complexity has eclipsed our ability to comprehend it’s bigger picture impact on the shape of tomorrow.

Our intuition has been formed by a set of experiences and ideas about how things worked during a time when changes were incremental and somewhat predictable. In March 1953. there were only 53 kilobytes of high-speed RAM on the entire planet.

Today, more than 80 per cent of the value of FTSE 500* firms is ‘now dark matter’: the intangible secret recipe of success; the physical stuff companies own and their wages bill accounts for less than 20 per cent: a reversal of the pattern that once prevailed in the 1970s. Very soon, Everything at scale in this world will be managed by algorithms and data and there’s a need for effective platforms for ma…
The Mandate of Heaven

eGov Monitor Version

“Parliament”, said my distinguished friend “has always leaked like a sieve”.

I’m researching the thorny issue of ‘Confidence in Public Sector Computing’ and we were discussing the dangers presented by the Internet. In his opinion, information security is an oxymoron, which has no place being discussed in a Parliament built upon the uninterrupted flow of information of every kind, from the politically sensitive to the most salacious and mundane.

With the threat of war hanging over us, I asked if MPs should be more aware of the risks that surround this new communications medium? More importantly, shouldn’t the same policies and precautions that any business might use to protect itself and its staff, be available to MPs?

What concerns me is that my well-respected friend mostly considers security in terms of guns, gates and guards. He now uses the Internet almost as much as he uses the telephone and the Fax machine and yet the growing collective t…

Civilisational Data Mining

It’s a new expression I haven’t heard before. ‘Civilisational data mining.’

Let me start by putting it in some context. Every character, you or I have typed into the Google search engine or Facebook over the last decade, means something, to someone or perhaps ‘something,’ if it’s an algorithm.

In May 2014, journalists revealed that the United States National Security Agency, the NSA, was recording and archiving every single cell-phone conversation that took place in the Bahamas. In the process they managed to transform a significant proportion of a society’s day to day interactions into unstructured data; valuable information which can of course be analysed, correlated and transformed for whatever purpose the intelligence agency deems fit.

And today, I read that a GOP-hired data company in the United States has ‘leaked’ personal information, preferences and voting intentions on… wait for it… 198 million US citizens.

Within another decade or so, the cost of sequencing the human genome …