The Guardian - UK
Tim Anderson

State-backed cybercrime hits our screens

Mac attack: unlike criminals looking to make quick money, government-sponsored hacking teams hunt for information that could be used in the future. Photograph: Meriel Jane Waissman

When Sony Pictures had its computer systems hacked and exposed in November 2014, the FBI stated that North Korea was responsible. In 2007, the websites of Estonia’s banks, media and government departments were crippled by a cyber-attack. Security experts fear even more serious attacks that could affect critical energy, utility and travel infrastructures. But how big is the risk, what difference does it make and what can be done in response?

At a recent Guardian seminar debate, sponsored by Fujitsu and Symantec, a panel of experts analysed these issues, accompanied by an audience of IT security professionals. The aim was to understand the scale of the threat and to share ways in which businesses and other organisations can take appropriate action to address the risk.

Symantec’s James Hanlon spoke of ‘Regin’, a complex piece of malware. Photograph: Sam Friedrich

Introducing the debate, Symantec’s James Hanlon explained that state-backed attacks tend to be more complex than other forms of malware. “At Symantec we have a large community in research centres around the world looking at global threats. In November 2014 we released an in-depth research paper on a piece of malware we called ‘Regin’, one of the most complex we have seen to date.

“The level of complexity includes some things that we simply do not see in other cyber-attacks. Those types of indicators make us believe that it may well be a nation-based attack.”

This complexity is a consequence of the level of resources available to government hackers, the panel explained. State-based attacks are also more precisely targeted. Whereas criminal hackers look for a quick financial return, a state-based attack has a specific aim, such as obtaining strategic or technical information that may be used at a later date for disruption.

That said, Hanlon explained that “the more unusual types of methods are quickly being replicated and used by criminal organisations”, making it harder to differentiate between nation-based and criminal attacks. The lines between the two are blurred, said panellist Andy Herrington, head of cyber professional services at Fujitsu. “It is not a single nation versus a single nation – it is a very blurred and misty environment. We are seeing this advance in technology really taking off because of that collaboration.”

Andy Herrington: ‘It’s a very blurred and misty environment.’ Photograph: Sam Friedrich

The panel agreed that there is evidence that nation-based cyber-attacks are increasing. Panellist Chris McIntosh, chief executive of ViaSat UK, said: “Growth is going to be astronomical. I see nations and governments being involved in cyber-attacks becoming the norm.”

McIntosh’s rationale was that cyber-attacks are relatively cheap and effective. “Therefore, when countries are considering how they can disrupt, how they can have political power and force over another nation, cyber is going to become the way that it will be done. Our critical infrastructures are poorly defended and nations are beginning to realise that.”

Panellist Stephen Bonner, a KPMG partner working on cybersecurity, took a more nuanced view, arguing that nations will exercise restraint because escalation is not in their best interests. “Most of the countries developing these capabilities are also very vulnerable to these kind of attacks, so setting a norm for this type of behaviour is terribly unwise. I’m not convinced that we will see an escalation.”

Bonner argued that since trusted global networks are good for international trade, diplomatic efforts may succeed in curbing the level of disruption.

Chris McIntosh: ‘Nations and governments being involved in cybercrime will become the norm.’ Photograph: Sam Friedrich

International law has not kept pace with technology. “What is the body of international law that forms the backdrop to any response? The answer is there isn’t any,” said Paul Glass, senior associate at international law firm Taylor Wessing. “International lawyers and governments can’t even agree on the definition of a cyber-attack. It is very difficult to have a backdrop of recognised international law against which nation states can actually develop and work out a diplomatic, economic or even a military response to a cyber-attack.”

The debate turned to how the risk to organisations from such attacks can be quantified and what can be done in response. Simply developing more secure systems is not enough. “I had breakfast once with someone who works for a nation state [hacking] team,” said KPMG’s Bonner.

“I had always worked on the defence side of organisations, and was expecting it to be more like a game of chess; that for each of my moves in defence they would have to carefully understand and counter. He laughed and said: ‘No, I can break into anything anywhere.’”

Stephen Bonner: ‘I’m convinced that we will not see an escalation [of cyber-attacks].’ Photograph: Sam Friedrich

The traditional reliance on electronic firewalls to prevent cyber-attack is not sufficient, because in a world of mobile devices and cloud computing, business is no longer contained within an internal network. “That hardened perimeter cannot exist anymore,” said Andy Herrington. “The ability to detect, understand and then deal with an incident is really where we should be investing.”

That said, the panellists stated that most businesses face little direct risk. “If you are in the middle of negotiating a merger and acquisitions deal with a sovereign wealth fund in a diplomatically tense environment you should worry because you probably are a target. If you’re making knitted sweaters in Cumbria you’re probably in the clear,” said Bonner.

“There are very few organisations who should be concerned about attacks from nation states,” said McIntosh. Human error and criminal malware or hacks are far more common reasons for data to leak.

Audience member Paul Simmonds, chief executive of Global Identity Foundation, asked: “Should we be differentiating between state attacks and any other form of attack? When it comes to defending, why do I care as a corporation?” McIntosh responded: “The way you are going to defend yourself is going to be dependent on what you believe the threat is.”

Taylor Wessing’s Paul Glass spoke of the absence of a body of international law to tackle cyber-crime. Photograph: Sam Friedrich

Simon Bannister, who works on border-system security for the Home Office, raised his concern that state-backed cyber-attacks could escalate into physical warfare. “When does all of this escalate into an extremely dangerous scenario whereby a kinetic response might be triggered by a cyber attack?”

Fujitsu’s Herrington said: “I’d want the government and the powers that be to look at when there is a significant and large risk to the population itself before we start to consider those kinds of responses.”

In the second half of the seminar the room divided into several break-out groups where panellists and audience members focused on specific issues and reported back to the room. One covered formulating a response to state-sponsored hacking attacks. “Building links into intelligence and law enforcement gives you key benefits,” said Bonner.

“You get told intelligence about what is happening, which means your risk decisions are much better informed, and when you have an incident you know who to turn to for help.”

Several UK government organisations were mentioned during the seminar, including Cisp (the Cybersecurity Information Sharing Partnership), whose aim is to share information and intelligence on cybersecurity threats to make businesses more secure. Another is CESG (Communications-Electronics Security Group), the information security arm of the British intelligence organisation GCHQ, which both advises the government and provides sector-based services to industry. A third is CPNI (Centre for the Protection of National Infrastructure), which provides protective security advice.

The break-out discussion on hackers reported back on how hard it was to identify them. “Although all the organisations around the table had experienced attacks, it remains quite hard to establish beyond reasonable doubt where an attack is originating from,” said discussion chair Stephen Pritchard. This makes it hard for law-enforcement bodies, since they need a high burden of proof.

Those businesses trading with countries that require them to accept surveillance or give up encryption keys face a dilemma. “It comes back down to a risk analysis for businesses as to whether they are prepared to operate in countries that actually require that kind of surveillance,” said Glass.

Businesses on their own can mitigate but not eliminate the risks from state-backed cyber-attacks and it will be a growing issue, especially for those working in defence, government or critical national infrastructure. The group touched on the possibility of a chilling future where business is choked by constant disruption.

The solution, like the problem, has to come at an international level. “The role of government is to avoid this in the first place,” said Bonner. “We are walking towards a dark future in which we will see an exponential increase in these kinds of attacks. It is a future we can easily back away from if governments come together and take measures to combat it.”

On the panel

Stephen Pritchard (Chair)
IT Pro columnist and contributing editor, Infosecurity Magazine

James Hanlon
Cybersecurity strategy lead, Symantec

Andy Herrington
Head of cyber professional services, Fujitsu

Chris McIntosh
CEO of ViaSat UK

Stephen Bonner
Lead partner, cyber security, KPMG

Paul Glass
Senior associate, Taylor Wessing

This content has been sponsored by Symantec and Fujitsu (whose brands it displays). All content is editorially independent. Contact Ashley Evans (ashley.evans@theguardian.com). For information on debates visit: theguardian.com/sponsored-content
