Cyber has been identified by the UK government as a Tier One threat alongside terrorism, and cyber crime costs UK businesses vast sums of money every year – and that’s just the cyber crime we know about, because it is vastly under-reported.
Government and critical national infrastructure (CNI) remain key targets for the organised crime gangs that run a large proportion of cyber crime, as well as hostile nation states, although these are rarer. They do, however, sometimes outsource this kind of “work” to crime gangs.
So, cyber warfare (as we may well consider attacks on CNI to be) could, in fact, be in the hands of not only hostile nations, but the criminal element of those hostile nations, or indeed other nations.
The world has seen, several times in fact, what happens when they are successful (think about Ukraine’s power grid taken down three times, and WannaCry and NotPetya disabling businesses and the NHS). But is our security leadership developed enough to cope with this persistent and evolving threat?
“The biggest threat to security today is the general lack of conviction that any threat exists” – that was said by Lord Radcliffe in a Security Report in 1962.
In order to address this Tier One threat, there needs to be real understanding at the heart of government – it is several years now since the National Audit Office (NAO) criticised the lack of understanding and leadership around information security.
The number of remotely managed or web-enabled systems grows every year and, quite rightly, our CNI needs to benefit from the increased manageability and cost savings that these new ways of working provide.
At the same time, the rush to interconnect numerous legacy systems continues unabated, making systems that were never designed to be internet-facing, exactly that.
Connecting OT and legacy systems to the internet makes them a “legitimate” target to nation states using offensive attack capabilities and criminals and terrorists alike. They do not make distinctions based on any moral or ethical code – they seek a result.
So, if we continue to web-enable everything in our CNI, it would be forgivable to imagine that we have taken every possible measure to ensure their security and resilience.
Yet as recently as 2017, we discovered that over a third of infrastructure organisations in the UK had not completed basic cyber security standards issued by the UK government, known as the 10 steps to cyber security.
There can be little doubt, then, that there is a lack of long-term thinking around this area and what looks like an approach akin to “if it ain’t broke, don’t fix it”.
In other words, if it is still working, we know it might not be secure, but we are not going to outlay to replace it if it is still working. This is because patching may prove difficult or costly, possibly requiring a supplier intervention. The operating system it was built on may no longer be supported with security patches and the cost of maintenance or replacement has not been built into lifecycle costs.
Combine this with the disparity that now surrounds the concept of CNI and this places the UK into a very precarious position. CNI is now a loose collection of publicly and privately owned bodies or organisations that may not even be domestically owned.
There is only so long you can bury your head in the sand. The UK strategic landscape is dictated by the same people who are used to writing five-year strategies for five-year government terms. But cyber security does not work on five-year cycles; cyber works today and talking about genuine resilience cannot possibly happen unless this is accepted as a fact.
An agile, iterative and proactive response is needed. Waiting six years to update your cyber strategy simply underpins the observations of the NAO that the government does not fully grasp the threat.
That may or may not be true, but what is true is that dreams of getting on the front foot with UK cyber security will remain just that, until we get real about building strategies that address some of the more difficult and uncomfortable realities of how we actually behave, and review them regularly.