The UK faces the threat of an electronic 9-11, a recent information security exhibition heard. Mark Rowe reports.
We cannot afford to be complacent about the threat to the UK’s critical national infrastructure, Lord Toby Harris told Infosecurity Europe in April. It is complacent, he added, to rely on a system that is voluntary, powered by advice notes which can be, and indeed are, ignored. He said: “It is complacent not even to know the number of computers and communications systems that make up the critical national infrastructure, let alone to have any system of reassurance that these are adequately structured and protected. And it is complacent not to have in place any recovery plan in the event of something happening that seriously damages that infrastructure.”
Banks, the emergency services, utilities, telecoms, Government – all are vulnerable to serious disruption by cyber-attack. An attack is not a question of if, but when, he suggested. He gave the example of the Coastguard Service, laid low by the “Sasser” computer worm in May 2004. He warned: “The threat could come from teenage hackers with no more motivation than proving that it could be done, but even more seriously it could come from organised crime intent on extortion or fraud – or from cyber-terrorists intent on bringing about the downfall of our society.”
Most of the critical national infrastructure is privately owned and operated, Lord Harris said. There it may not be in the commercial interests of those owners and operators even to admit a cyber-problem. In the public sector, security may not feature in each department’s key performance indicators: “The reality is that even within the public sector, compliance with security requirements is poor … If you are a manager, responsible for improving efficiency in, say, benefits payments, the time lost or added process time involved in a high level of system security may seem largely irrelevant to immediate needs. How often do we see user passwords on Post-it notes attached to terminals?” The National Infrastructure Security Coordination Centre (pronounced “Nicey”) is the key, but it is only an advisory body: “NISCC does not even know how many computer systems comprise the UK’s critical national infrastructure.”
Taking the Coastguard Service case, Lord Harris reported that Microsoft made available a patch that would have prevented the attack. The coastguards, however, failed to apply the patch.
Not that Lord Harris let off the private utilities and others: “I am told, for example, that certain UK financial institutions have advised their security departments to cease checking for computer system vulnerabilities because of the potential liabilities that may arise if vulnerabilities are identified but not corrected.” Hence he called for regulation of the UK’s critical national infrastructure. NISCC should have more clout – for example, responsibility for developing and if necessary enforcing recovery plans. NISCC should have a way to test compliance, and to penalise shortcomings – in a 24-7 operation. As Lord Harris said: “Computer network attacks take place and propagate widely in a matter of minutes.”
While the speech was not new – Lord Harris, a member of the Metropolitan Police Authority, gave it to a Chatham House conference on protecting critical networks in March – he called on the new Government to pass legislation; for a senior minister to take charge; and for a “security czar” to make it happen.