Beware of cyber-complacency warns ex-MI5 director
A former head of the UK Security Service, better known as MI5, says banks need to beware the danger of state agencies and others stealing or destroying confidential information.
Speaking at the TradeTech conference in Paris this week, Jonathan Evans, ex-director general of MI5, said: “When I worked at MI5 we initiated cyber-attacks on people who didn’t want us to have access to their information. But the barriers to cyber-espionage are getting lower and lower. Hacktivists, terrorists, criminals, state actors – they all use cyber-attacks to achieve their aims. As more of our lives revolve around internet-supported technology and the Internet of Things, I expect to see more ideologically-motivated attacks on infrastructure and civilian businesses. You need to be ready for that.”
Cyber-attacks on financial institutions have made headlines in recent months, notably in February 2015, when a joint international operation by Europol’s European Cybercrime Centre seized servers said to have controlled the Ramnit botnet that had infected 3.2 million computers internationally. Other recent attacks include the Carbanak cyber-attack, which stole $1 billion from banks in 30 countries over the two years leading up to February.
According to Evans, there is now a market for outsourced cyber-crime: individuals or organisations planning to launch a cyber-attack can outsource it to another organisation in exchange for a payment. A DDoS attack can be readily purchased, the target can be specified in advance and even the length of the attack can be arranged. Likewise, if the aim is to obtain credit card details, these are available on a wholesale basis from the black market. The supply is so great that it outstrips demand – one reason the price is relatively low.
“If you want information on a company you can get it, if you want to test your malware, you can do that,” said Evans. “All this opens up risks. For example corruption of information as a cyber-warfare technique could be very powerful in financial markets. We rely on that data, but if someone were to tinker with the information, that could lead to a lot of damage.”
Some of the possibilities are relatively mundane – such as using the Internet of Things to hack into a rival’s home and cause irritation and confusion. But other scenarios are far more sinister – including attacks on critical civilian infrastructure such as water supplies, energy sources and dams.
“In the Far East, electric toilet seats are connected to the internet,” said Evans. “You could give your neighbour a very nasty surprise by hacking his toilet seat. [Audience laughs.] They are eminently hackable. But there are major dams operated remotely by mobile devices, that are completely unprotected. Critical parts of national infrastructure are now part of the internet, and that is a serious concern. At first it was just a convenience – you can open the gates without going down there in person. But nobody thought about the consequences of that.”
The speed of change is another cause for concern. In August 2012, an attack on Saudi Aramco by Iranian hackers left 20,000 terminals unusable. At the time, the attack was arguably unprecedented. But it has been followed by plenty of other high-profile attacks on businesses. The Target attack on American retailers caused a 15% loss in footfall at Target’s stores, due to the negative reputational impact. It was later found to have been initiated by an individual from a bedroom. “Two years ago that attack would have been something even a state actor would have been proud of,” said Evans.
Views differ between corporates on the extent to which they are willing to invest in protection against cyber threats. Evans highlighted a heated exchange at a recent business forum between two senior executives. One made a comment suggesting that he did not see the business case for investing in anti-cybercrime technology. The next speaker came onto the podium, introduced himself as a representative of BAE Systems, and said: “I’d just like to say to the previous speaker, your company is a supplier to us; due to your comments this afternoon, you will not be a supplier to us for much longer!”
“The final point is that you need to review your supply chain and partners,” said Evans. “We are not alone. We depend on our partners. If they fail, then we will fail. We need to live in an environment where the ecosystem is secure. I think this is positive. Any company on their own is vulnerable. But if we can build an ecosystem, the future could be considerably healthier than today.”