Skip to main content
Special Report - Moores on the Information Security Threat – Part One

Over the last three months, I’ve been looking closely at the question of information security and the Internet. I’ve collected the opinions of Civil Servants, MPs’, MEPs’ the Police, and leading experts from the different interests that divide opinion in the IT industry, Microsoft, IBM, Red Hat, Symantec and many more. When I mention my interest in the Public Sector I find reactions can be very different. With government as an important customer, The IT vendors are happy to discuss their own vision of the future for information security but in contrast, some parts of government have been rather less than enthusiastic, for reasons which will soon become clear.

If November was notable for the eSummit, a well-orchestrated celebration of progress towards the Prime Minister’s 2005 vision of joined-up government and ‘Broadband Britain’, then December offered a less well publicised but equally significant gathering in a quiet London hotel. This was the UK’s first ever e-Crime Congress, sponsored by the National Hi-tech Crime Unit (NHTCU) and which attracted a remarkable list of high-ranking delegates from law-enforcement agencies and governments around the globe, who listened politely to a keynote address from Home Office Minister Bob Ainsworth MP.

The irony of both events taking place within weeks of each was not lost on me. On the one hand, we are presented with an agenda of national importance, one that involves both a radical transformation of the public sector and with it, Britain’s emerging role as an example to other countries. In contrast, there were the conclusions that delegates took away with them from the eCrime congress. The Internet and its foundation technologies are open to organised criminal abuse on a scale which can’t yet be fully comprehended. At the conference, I discussed the many challenges associated with the collection of accurate statistics but Internet crime defies jurisdictional geography and like the drugs trade, it leverages the criminal code weaknesses of the poorer states. As a Ukrainian police officer told me:

“I have ten men, three large cities and very little budget in a country with many other urgent priorities”.

Today, we talk in terms of the Internet and its growing importance as part the ‘The National Critical Infrastructure’ but we might as easily think in terms of Swiss cheese when we are presented with relatively simple matters of information security.

To illustrate this view, there was yet another embarrassing ‘leak’ last month of a confidential Foreign & Commonwealth Office to the US-based Web site Cryptome.Org. The Sunday Times, which now makes a point of watching Cryptome for salacious gossip, picked-up a confidential memo which described the visit of Russia’s Defense Minister, Sergei Ivanov to London and what was discussed between our governments over dinner. Of course, there was the normal polite chat about Iran and Chechnya and weapons of mass destruction but according to the memo:

Chernov, one of Ivanov's staff at the PUS' dinner launched a diatribe about the threat which the internet and an "uncontrolled information space" posed to world security. He depicted the Internet as the major global threat over the next 5-10 years”.

Statistics are a problem for any of us attempting to grasp the scale of the security challenge. Last month, in an open letter to Members of Parliament, I noted that according to research by security consultancy Mi2G, October 25th set a new record for attacks on computers on a global basis and at the eCrime Congress, Len Hynds, (seen below) the Director of the National Hi-Tech Crime Unit, reported that over 80% of UK companies have now been attacked or aggressively scanned for weakness from the Internet while PWC reports that one in five organisations have experienced a security breach.

Len Hynds

I have described the present infrastructure as “The soft underbelly of the developed world” and in an increasingly tense geo-political climate, Mi2G claims that Internet attacks are increasingly politically motivated and intelligence and terrorism experts say that the Islamist presence on the Internet has expanded rapidly in recent months.

In December, eGov monitor reported that government departments have experienced more than 9,000 digital attacks on their IT systems so far this year. Over half of the attacks on UK government systems this year, were directed towards the Cabinet Office and its agencies, which during 2002 reported some 5,857 attacks, with 1,167 of these occurring in October alone. The security threat to government was revealed through responses by Ministers to a series of parliamentary questions tabled by Labour backbencher Brian White MP and Liberal Democrat MP, Richard Allan, stressed the importance of improving information security in a ‘Today’ programme interview on Radio 4.

Statistics do however need to be taken “With a pinch of salt”, in the absence of a single, authoritative and integrated source of information capable of presenting an impartial and evidential view of the growing security problem now facing both the private and the public sector. The eCrime Congress called for better and more centralised reporting to assist the NHTCU which sees its efforts “undermined by under-reporting” with its threat assessment task. But reporting, though useful, like any crime figures, only serve to inform the public of how bad the problem is after the event and can only encourage those with a responsibility for information security within their own department to take the threat seriously.

Scott Charney

According to Microsoft’s Chief Security Strategist, Scott Charney, (seen above) speaking at the eCrime Congress “More than half of all computers operate in an unmanaged environment”. While it’s hard to arrive at accurate figures, a significant percentage of systems are protected by either limited security or are accessible through default passwords, such as “Administrator”. The British hacker, Gary McKinnon, ‘Solo’ caught by ‘Operation Sidewalk’ last month caused at least $1.3 million dollars worth of damage among United States government systems through the relatively simple exercise of installing a remote access‘ PC Anywhere-type’ program on inadequately protected Servers.

Since the tragedy of 9.11, the US government is far more attentive than most to issues of information security and yet McKinnon allegedly compromised over ninety sensitive systems from his flat in North London.

Increasingly, the Bush administration also worries that Islamic extremists may be among the owners of U.S. companies involved in sophisticated computer activity. In In Dallas, at the end of Deecember, a posse of FBI agents arrested the operators of Infocom, an Internet service firm allegedly financed by a leader of the militant Palestinian group Hamas.

Where the UK may be a world leader in the development of eGovernment services and has an ambitious programme of universal citizen Internet access by 2006, the evidence suggests that both the private sector and perhaps to a broader degree, the public sector, is potentially more vulnerable to attack and information compromise than any of us would like to believe.

In the second part of this special report, I’ll be examing Microsoft's 'Trustworthy Computing' initiative and asking where both the problems and the responsibilities associated with Internet and information security lie in 2003.


Popular posts from this blog

Median Saleh

I mentioned in the last post, the 1981 expedition that took in Median Saleh, the ruined Nabatean city in Saudi Arabia

A temple carved from the rock from Petra's sister city.

By coincidence, one of the most important train stations on the Hejaz railway sat next to the ruins and when Lawrence of Arabia blew the line in 1917, the trains were trapped there and are still there today, gathering dust and with "Krupp" on the engine casings.

One of the trains, sitting where T.E. Lawrence left themwith Dr Paul Garnett as the passenger

Below, you can see one of the fortified train stations that Lawrence attacked along the Hejaz railway between Damascus and Medina.

More photos Medain Saleh can be found on THIS Site - Apparently you can catch a tourist bus these days, rather different from risking life and limb to cross an unfriendly Saudi Arabia twenty years ago!
A Christmas Tale

It’s pitch blackness in places along the sea wall this evening and I'm momentarily startled by a small dog with orange flashing yuletide antlers along the way. I’m the only person crazy enough to be running and I know the route well enough to negotiate it in the dark, part of my Christmas exercise regime and a good way of relieving stress.

Why stress you might ask. After all, it is Christmas Day.

True but I’ve just spent over two hours assembling the giant Playmobil ‘Pony Farm’ set when most other fathers should be asleep in front of the television.

I was warned that the Playmobil ‘Pirate Ship’ had driven some fathers to drink or suicide and now I understand why. If your eyesight isn’t perfect or if you’ve had a few drinks with your Christmas lunch then it’s a challenge best left until Boxing day but not an option if you happen to have a nine year old daughter who wants it ready to take horses by tea time.

Perhaps I should stick to technology but then, the instruc…

A Matter of Drones - Simon Moores for The Guardian

I have a drone on my airfield” – a statement that welcomes passengers to the latest dimension in air-travel disruption. Words of despair from the chief operating officer of Gatwick airport in the busiest travel week of the year. Elsewhere, many thousands of stranded and inconvenienced passengers turned in frustration to social media in an expression of crowd-sourced outrage.

How could this happen? Why is it still happening over 12 hours after Gatwick’s runways were closed to aircraft, why is an intruder drone – or even two of them – suspended in the bright blue sky above the airport, apparently visible to security staff and police who remain quite unable to locate its source of radio control?

Meanwhile, the UK Civil Aviation Authority, overtaken by both the technology and events, is reduced to sending out desperate tweets warning that an airport incursion is a criminal offence and that drone users should follow their new code of conduct. Yet this is not an unforeseen event. It was i…