Info 9-11 Fear

by msecadm4921

The UK faces the threat of an electronic 9-11, a recent information security exhibition heard. Mark Rowe reports.

We cannot afford to be complacent about the threat to the UK’s critical national infrastructure, Lord Toby Harris told Infosecurity Europe in April. It is complacent, he added, to rely on a system that is voluntary, powered by advice notes, which can be and indeed are ignored. He said: “It is complacent, not even to know the number of computers and communications systems that make up the critical national infrastructure, let alone to have any system of reassurance that these are adequately structured and protected. And it is complacent not to have in place any recovery plan in the event of something happening that seriously damages that infrastructure.”

Banks, the emergency services, utilities, telecoms, Government – all are vulnerable to serious disruption by cyber-attack. An attack is not a question of if, but when, he suggested. He gave the example of the Coastguard Service, laid low by the ‘Sasser’ computer worm in May 2004. He warned: “The threat could come from teenage hackers with no more motivation than proving that it could be done, but even more seriously it could come from organised crime intent on extortion or fraud – or from cyber-terrorists intent on bringing about the downfall of our society.”

Most of the critical national infrastructure is privately owned and operated, Lord Harris said. There it may not be in the commercial interests of those owners and operators even to admit a cyber-problem. Nor, in the public sector, may security feature in each department’s key performance indicators: “The reality is that even within the public sector, compliance with security requirements is poor … If you are a manager, responsible for improving efficiency in, say, benefits payments the time lost or added process time involved in a high level of system security may seem largely irrelevant to immediate needs. How often do we see user passwords on Post-it notes attached to terminals?” The National Infrastructure Security Coordination Centre (pronounced ‘Nicey’) is the key, but it is only an advisory body: “NISCC does not even know how many computer systems comprise the UK’s critical national infrastructure.”

Taking the Coastguard Service case, Lord Harris reported that Microsoft made available a patch that would have prevented the attack. The coastguards, however, failed to apply the patch.

Not that Lord Harris let off the private utilities and others: “I am told, for example, that certain UK financial institutions have advised their security departments to cease checking for computer system vulnerabilities because of the potential liabilities that may arise if vulnerabilities are identified but not corrected.” Hence he called for regulation of the UK’s critical national infrastructure. NISCC should have more clout – for example, responsibility for developing and if necessary enforcing recovery plans. NISCC should have a way to test compliance; and penalise shortcomings – in a 24-7 operation. As Lord Harris said: “Computer network attacks take place and propagate widely in a matter of minutes.”

While the speech was not new – Lord Harris, a member of the Metropolitan Police Authority, gave it to a Chatham House conference on protecting critical networks in March – he called on the new Government to pass legislation; for a senior minister to take charge; and for a ‘security czar’ to make it happen.

© 2024 Professional Security Magazine. All rights reserved.