Special Report - Moores on the Information Security Threat – Part One

Over the last three months, I’ve been looking closely at the question of information security and the Internet. I’ve collected the opinions of Civil Servants, MPs’, MEPs’ the Police, and leading experts from the different interests that divide opinion in the IT industry, Microsoft, IBM, Red Hat, Symantec and many more. When I mention my interest in the Public Sector I find reactions can be very different. With government as an important customer, The IT vendors are happy to discuss their own vision of the future for information security but in contrast, some parts of government have been rather less than enthusiastic, for reasons which will soon become clear.



If November was notable for the eSummit, a well-orchestrated celebration of progress towards the Prime Minister’s 2005 vision of joined-up government and ‘Broadband Britain’, then December offered a less well publicised but equally significant gathering in a quiet London hotel. This was the UK’s first ever e-Crime Congress, sponsored by the National Hi-tech Crime Unit (NHTCU) and which attracted a remarkable list of high-ranking delegates from law-enforcement agencies and governments around the globe, who listened politely to a keynote address from Home Office Minister Bob Ainsworth MP.

The irony of both events taking place within weeks of each was not lost on me. On the one hand, we are presented with an agenda of national importance, one that involves both a radical transformation of the public sector and with it, Britain’s emerging role as an example to other countries. In contrast, there were the conclusions that delegates took away with them from the eCrime congress. The Internet and its foundation technologies are open to organised criminal abuse on a scale which can’t yet be fully comprehended. At the conference, I discussed the many challenges associated with the collection of accurate statistics but Internet crime defies jurisdictional geography and like the drugs trade, it leverages the criminal code weaknesses of the poorer states. As a Ukrainian police officer told me:

“I have ten men, three large cities and very little budget in a country with many other urgent priorities”.

Today, we talk in terms of the Internet and its growing importance as part the ‘The National Critical Infrastructure’ but we might as easily think in terms of Swiss cheese when we are presented with relatively simple matters of information security.

To illustrate this view, there was yet another embarrassing ‘leak’ last month of a confidential Foreign & Commonwealth Office to the US-based Web site Cryptome.Org. The Sunday Times, which now makes a point of watching Cryptome for salacious gossip, picked-up a confidential memo which described the visit of Russia’s Defense Minister, Sergei Ivanov to London and what was discussed between our governments over dinner. Of course, there was the normal polite chat about Iran and Chechnya and weapons of mass destruction but according to the memo:

Chernov, one of Ivanov's staff at the PUS' dinner launched a diatribe about the threat which the internet and an "uncontrolled information space" posed to world security. He depicted the Internet as the major global threat over the next 5-10 years”.



Statistics are a problem for any of us attempting to grasp the scale of the security challenge. Last month, in an open letter to Members of Parliament, I noted that according to research by security consultancy Mi2G, October 25th set a new record for attacks on computers on a global basis and at the eCrime Congress, Len Hynds, (seen below) the Director of the National Hi-Tech Crime Unit, reported that over 80% of UK companies have now been attacked or aggressively scanned for weakness from the Internet while PWC reports that one in five organisations have experienced a security breach.

Len Hynds


I have described the present infrastructure as “The soft underbelly of the developed world” and in an increasingly tense geo-political climate, Mi2G claims that Internet attacks are increasingly politically motivated and intelligence and terrorism experts say that the Islamist presence on the Internet has expanded rapidly in recent months.

In December, eGov monitor reported that government departments have experienced more than 9,000 digital attacks on their IT systems so far this year. Over half of the attacks on UK government systems this year, were directed towards the Cabinet Office and its agencies, which during 2002 reported some 5,857 attacks, with 1,167 of these occurring in October alone. The security threat to government was revealed through responses by Ministers to a series of parliamentary questions tabled by Labour backbencher Brian White MP and Liberal Democrat MP, Richard Allan, stressed the importance of improving information security in a ‘Today’ programme interview on Radio 4.

Statistics do however need to be taken “With a pinch of salt”, in the absence of a single, authoritative and integrated source of information capable of presenting an impartial and evidential view of the growing security problem now facing both the private and the public sector. The eCrime Congress called for better and more centralised reporting to assist the NHTCU which sees its efforts “undermined by under-reporting” with its threat assessment task. But reporting, though useful, like any crime figures, only serve to inform the public of how bad the problem is after the event and can only encourage those with a responsibility for information security within their own department to take the threat seriously.

Scott Charney


According to Microsoft’s Chief Security Strategist, Scott Charney, (seen above) speaking at the eCrime Congress “More than half of all computers operate in an unmanaged environment”. While it’s hard to arrive at accurate figures, a significant percentage of systems are protected by either limited security or are accessible through default passwords, such as “Administrator”. The British hacker, Gary McKinnon, ‘Solo’ caught by ‘Operation Sidewalk’ last month caused at least $1.3 million dollars worth of damage among United States government systems through the relatively simple exercise of installing a remote access‘ PC Anywhere-type’ program on inadequately protected Servers.

Since the tragedy of 9.11, the US government is far more attentive than most to issues of information security and yet McKinnon allegedly compromised over ninety sensitive systems from his flat in North London.

Increasingly, the Bush administration also worries that Islamic extremists may be among the owners of U.S. companies involved in sophisticated computer activity. In In Dallas, at the end of Deecember, a posse of FBI agents arrested the operators of Infocom, an Internet service firm allegedly financed by a leader of the militant Palestinian group Hamas.

Where the UK may be a world leader in the development of eGovernment services and has an ambitious programme of universal citizen Internet access by 2006, the evidence suggests that both the private sector and perhaps to a broader degree, the public sector, is potentially more vulnerable to attack and information compromise than any of us would like to believe.

In the second part of this special report, I’ll be examing Microsoft's 'Trustworthy Computing' initiative and asking where both the problems and the responsibilities associated with Internet and information security lie in 2003.

Comments

Popular posts from this blog

The Nature of Nurture?

A Short Guide to Collecting your Iranian Travel Visa in London

Nothing New Here Folks