Carrying the Crossfire


There was a time when communications were mostly harmless. If you wanted to hurt somebody, the worst would be to insult them. Not so any more. Now, the global communications industry is the carrier of a lot more than words. It is becoming the proxy battlefield of choice, a warfare deployment network of staggering proportions. Want to inflict damage on a faraway target? Do not build an aircraft carrier, just recruit a team of hackers. The grim USP of neutron bombs is said to be that they kill people whilst leaving buildings undamaged. Cyberwarfare goes one better - it threatens to kill an economy or shut down society but without fatalities. And the most terrifying aspect is that an attack can be launched without anyone really knowing who was behind it.

Sensational stuff, but it is a reality. In the last few days we have seen a ramping up of a massive Distributed Denial of Service (DDoS) attack against Burma. The attack is producing packet rates that are many times greater than the capacity of the country's main internet feed, effectively knocking the country off-line. There is plenty of speculation about who might be behind the attack, but the more fundamental message is that the potential for such attacks is now firmly proven. Cyberwarfare is not science fiction and the impact is very real even if the techniques are invisible.

Whilst Burma may not enjoy the greatest bandwidth in the world, it does not take much to imagine similar attacks scaled up, though denial of service is only one kind of threat. The European Network and Information Security Agency (ENISA) has just concluded its first pan-European 'wargame' exercise. This involved unleashing 320 injects in a bid to test the strength of current defences. ENISA will give a media briefing about the results on 10th November. It should be well worth hearing their draft conclusions.

Individual nations are also keyed up for the cyber security challenge. For example, the UK has been reviewing its defence plans as part of fixing the national budget in the wake of the global financial crisis. In a period of austerity, the British government said GBP500m (USD800m) of new spending will go towards cyber security. This followed the publication of a national security strategy which identified "hostile attacks upon UK cyber space by other states and large scale cyber crime" as one of the four highest-priority security risks, measured by both likelihood and impact. This followed a rare public speech by Iain Lobban, Director of the UK's GCHQ, which is one of the three British intelligence agencies and is focused on electronic information gathering and information security. In his speech, Lobban said that:

"It is true that we have seen worms cause significant disruption to Government systems – both those targeted deliberately against us, and those picked up from the Internet accidentally. There are over 20,000 malicious emails on Government networks each month, 1,000 of which are deliberately targeting them.

It is true that we have seen the use of Cyber techniques by one nation on another to bring diplomatic or economic pressure to bear.

It is true that we have seen theft of intellectual property on a massive scale, some of it not just sensitive to the commercial enterprises in question but of national security concern too. As Jonathan Evans said in September, Cyberspace lowers the bar for entry to the espionage game, both for states and for criminal actors.

And of course it is true that the risks in all these areas are growing along with the enormous growth of the Internet. At the moment it's expanding by about 60% a year. There are around ¼ of a trillion emails sent every day - even if 80% of these are spam. Cyberspace is contested every day, every hour, every minute, every second. I can vouch for that from the displays in our own operations centre of minute by minute cyber attempts to penetrate systems around the world."

Lobban's point about 'lowering the bar' is well taken. The internet lowers barriers for entry. Criminals and talented amateurs can also get to play on this battlefield. One recent story highlights the vulnerabilities with stupendous irony. ACS:Law is a British legal firm that specializes in intellectual property. I would point you at its website so you can check for yourself, but I cannot... it has been taken down. ACS:Law has been heavily engaged in sending claims letters to suspected online pirates on behalf of copyright holders. Their nemesis has been the anarchic pranksters who congregate around the 4chan bulletin board. They launched 'Operation Payback' as punishment, a DDoS attack to wreak some mob revenge, but they could not have anticipated what mayhem would ensue. When recovering their site, ACS:Law briefly allowed an unencrypted backup of email correspondence to become publicly visible. These emails included spreadsheet attachments listing ACS:Law targets. In other words, the 'Payback' crew obtained access to personal details of thousands of people listed by ACS:Law as having unlawfully shared copyrighted content, including pornography. The 4chansters, being who they are, soon spread this personal data around the internet. The fallout has been significant. To begin with, the data breach is being investigated by the UK's Information Commissioner, and there is the prospect the Commissioner will use his new powers to levy fines in order to set an example to other lax businesses. Incumbent BT also got caught out, when it transpired they had emailed an unencrypted list of suspected filesharers to ACS:Law. BT responded by toughening their stance on disclosing information required by court orders. In a move welcomed by the Consumers' Association, BT has imposed tougher conditions on firms like ACS:Law before it will send them customer information. In addition, the focus on security has made it easier for BT to justify its data retention policy. This policy prompted the deletion of 80% of the filesharing data sought by lawyers working on behalf of Ministry of Sound, the nightclub and record label business.

The internet closes the gap between big and small, giving everyone access to a global playing field. When it becomes a battlefield, then every level of security comes into play: national security, corporate security, and the security of the individual. Nobody would ever have sued a phone company because somebody used their network to make an abusive call. Now networks are far more responsible for the consequences of what they carry. When looking at security, it is tempting to focus on the technical aspects, but the risk implications are very diverse. Telcos are expected to retain data about organized criminals and terrorists... but not be excessive in keeping data about the ordinary man in the street. The sliding scale of security, from national to personal, creates room for conflict in where telcos should balance their risks and responsibilities. There is a long relationship between telecoms and national security. I once worked for Cable & Wireless in Bletchley. It is not a coincidence that they had a facility just a short walk from Bletchley Park, famous home of the WW2 codebreakers who cracked the Enigma cypher. What is changing is the scale of the potential harm when security fails. The potential harm can range from the macro to the micro, hurting a country or ruining the life of an individual. That means security risk can no longer be considered solely the responsibility of a standalone team of technical boffins. The risks are manifold: political, legal, operational, regulatory, reputational, and even personal. The CSP sits in a nexus between governments, criminals, terrorists, spooks, nihilists, conspiracy nuts, public services, pirates, big businesses, small businesses, regulators and, lest we forget, everybody else. That makes it a challenge to ensure the CSP is genuinely serving everyone's needs, whilst minimizing the risk of harm. Telcos have joined up the world. A joined-up world creates security risks that demand joined-up thinking.


Posted 11-06-2010 5:26 AM by Eric Priezkalns