The key to a successful defence

Cyber security is a much-abused term. It has become a label for a “catch-all” container into which are dumped the many and varied challenges of the Information Age. By its very nature it is misleading. Cyber security cannot and must not be managed in isolation from the more familiar (and thus often taken for granted) areas of physical and personnel security. Most successful attacks on both public and private sector organisations involve a blend of all three. A holistic approach to security is thus vital; unpublished research by the UK Institute of Directors, carried out in 2008, suggests a current preoccupation with cyber security to the detriment of overall security strength.
There is also a widely held misconception that cyber security is all about technology. Whilst technological counter-measures are important, the key to successful defence lies in the education and motivation of people at all levels within an organisation. Over-emphasis on technology, in ignorance of essential working practices, can lead to a view that the security function is a “business prevention” department. The ingenuity of ill-informed and irritated employees can be relied upon to subvert almost any technological security measure. Setting the right culture and policy framework for security is a key responsibility for the boards of departments, agencies and non-departmental public bodies (NDPBs).
What do we mean by cyber security?
The US Department of Defense defines cyber warfare as “the use of computers and the Internet to conduct warfare in cyberspace”. However, cyber warfare is merely one aspect of a much broader cyber security landscape. Cyber security can be segmented into five main areas:
• Cyber activism – attacks to damage reputation and credibility, for example through the defacement of websites, or the general release of confidential material (such as WikiLeaks).
• Cyber crime – attacks for financial gain. These can include identity fraud, intellectual property theft and destruction or falsification of information (for example DarkMarket).
• Cyber espionage – attacks for the specific purpose of information gathering or the identification of security weaknesses for future exploitation (for example see: The snooping dragon).
• Cyber terrorism – attacks by non-state actors against key infrastructure and economic targets, which undermine the ability to support national life and well-being (see The Crisis in our Critical National Infrastructure).
• Cyber warfare – attacks by state actors or clients against key infrastructure and economic targets, potentially as a “softening up” prior to conventional military intervention (see Cyber Probing: The Politicisation of Virtual Attack).
In all cases the defensive objective is to ensure the appropriate level of confidentiality, integrity and authenticity of information and systems, alongside their continued availability in the face of, for example, extensive distributed denial of service (DDoS) attacks.
Who are we defending against?
Potentially a full spectrum of attackers from:
nation states (with all the resources that implies);
organised crime either on their own behalf, or potentially offering deniability for state inspired action;
Internet organised activist groups;
industrial espionage – seeking confidential information for commercial gain;
disgruntled current or recent employees;
carelessness in the form of lost smartphones and laptops; through to
simple stupidity – plugging ‘special offer’ USB memory sticks into government PCs (if not already locked out!).
What tools of attack are used?
“Viruses” that infect computers or other electronic devices and are passed on by user activity, for example by opening an e-mail attachment.
“Worms” that self-propagate using an Internet connection to access vulnerabilities on other computers and to install copies of themselves. They are often used as a conduit to grant attackers access to systems.
“Trojans” – malware masquerading as something the user may want to download or install, that may then perform hidden or unexpected actions, such as allowing external access to the computer.
“Spyware” that transmits information gathered from a computer, such as bank details, back to an attacker. For example, key logging software records anything entered using the keyboard, such as passwords.
As indicated earlier, the cyber element of an attack is often blended with subversion, for example of a key employee, to gain direct access to a trusted personal computer, passwords or an access security device. Similarly, weaknesses in physical security may be exploited to gain access to communications links or server systems.
What are the legal and social responsibilities?
Extensive government guidance through manuals and other materials is available, for example from the GCHQ Communications and Electronic Security Group (CESG) and the Centre for the Protection of National Infrastructure (CPNI), but due to classification much of it cannot be quoted in an article such as this. A comparison with the private sector may be helpful. Directors have a duty to exercise reasonable care, skill and diligence:
“A director of a company must act in the way he considers, in good faith, would be most likely to promote the success of the company for the benefit of its members as a whole…”
“…and in doing so must have regard (among other matters) to:
likely long term consequences
employees’ interests
fostering business relationships
impact on community and environment
reputation for high standards of business conduct
act fairly between members”

Cyber security has implications for many of these requirements, for example through business continuity planning. There are also many items of specific legislation that apply, for example in the UK the Data Protection Act 1998 and the Computer Misuse Act 1990 as amended. There are regulatory compliance issues such as with the US Sarbanes-Oxley requirements and with various European Union Directives, such as the Electronic Communications Directive 2002 and the Privacy of Electronic Communications Directive 2003.
What actions can we take?
The key board-level requirement is to ensure that appropriate, holistic, security processes are in place and working across the organisation. It is also important to identify clearly a hierarchy of importance, applying the most stringent precautions only to material that genuinely justifies such protection. A key element of these security processes will be continuing employee education and communication, explaining the threats (for example phishing attacks) and the vital employee role of being alert to unusual activity both in systems and by other employees. In certain areas this may need to extend outside the organisation both up and down the supply chain.
Total security is a dangerous illusion and so it is inevitable that breaches will eventually occur. It is vital that the security architecture used ensures that any breach is contained within a single system rather than allowed to propagate across the organisation and that, in so far as is possible, key information is partitioned within separate systems such that a single breach compromises only a minimum amount. Defence in depth is required, not merely the cyber equivalent of a moat and castle walls.
It is also important to identify quickly if security has been breached and to test defences regularly. So-called penetration testing by ethical hacking organisations can be a helpful tool, as can the use of dummy targets (so-called honeypots) within the corporate systems which appear to contain sensitive information but are in reality sophisticated traps.
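The two ideas in the preceding paragraphs, limiting how far a single breach can spread through partitioning and detecting a breach early with decoy targets, can be made concrete with a small model. The Python below is an added illustration and not part of the original article or any IoD or BCS material; the systems, trust relationships, decoy paths and audit log lines are all constructed for the example. The first part computes the "blast radius" of one compromised system under a flat architecture and under a partitioned one; the second scans audit log lines for any access to a decoy file, which in a well-run environment should never happen legitimately and so makes a high-fidelity alert.

```python
"""Breach containment and decoy-target detection, modelled on constructed data."""
from collections import deque
import re

# --- Part 1: blast radius under flat versus partitioned architectures ---

# Constructed inventory: three applications and three information stores.
APPS = ["web", "hr-app", "payroll-app"]
STORES = {"file-share", "hr-db", "finance-db"}
SYSTEMS = APPS + sorted(STORES)

# Constructed "moat and castle walls" design: once inside, every system
# can reach every other system (a fully connected trust graph).
FLAT_EDGES = [(a, b) for a in SYSTEMS for b in SYSTEMS if a != b]

# Constructed partitioned design: each store is reachable only from the one
# application that needs it, and applications do not talk to each other.
PARTITIONED_EDGES = [
    ("web", "file-share"),
    ("hr-app", "hr-db"),
    ("payroll-app", "finance-db"),
]


def reachable(edges, start):
    """Breadth-first walk: every system an attacker holding `start` can reach."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for src, dst in edges:
            if src == node and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen


def blast_radius(edges, compromised, stores=STORES):
    """Sorted list of information stores exposed if `compromised` is breached."""
    return sorted(s for s in reachable(edges, compromised) if s in stores)


# --- Part 2: alerting on access to decoy ("honeypot") files ---

# Constructed decoy paths: files that look sensitive but hold nothing real.
DECOYS = {
    "/share/board/merger-plan.xlsx",
    "/share/hr/salaries-2011.csv",
}

# Constructed audit log lines in a simple key=value format.
LOG_LINES = [
    "2011-03-02T09:14:05 user=alice action=read path=/share/projects/q1-report.docx",
    "2011-03-02T09:15:41 user=bob action=read path=/share/board/merger-plan.xlsx",
    "2011-03-02T09:16:02 user=svc-backup action=read path=/share/hr/salaries-2011.csv",
    "this line is malformed and must be skipped",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) path=(?P<path>\S+)$"
)


def decoy_alerts(lines, decoys=DECOYS, allowed=frozenset()):
    """Return (timestamp, user, path) for every decoy access by a non-exempt account.

    `allowed` exists for accounts such as backup jobs or indexers that touch
    every file by design; everyone else touching a decoy is a genuine alert.
    """
    alerts = []
    for line in lines:
        match = LOG_RE.match(line)
        if match is None:
            continue  # malformed line: ignore rather than crash the monitor
        if match["path"] in decoys and match["user"] not in allowed:
            alerts.append((match["ts"], match["user"], match["path"]))
    return alerts


if __name__ == "__main__":
    print("flat, web compromised:       ", blast_radius(FLAT_EDGES, "web"))
    print("partitioned, web compromised:", blast_radius(PARTITIONED_EDGES, "web"))
    for ts, user, path in decoy_alerts(LOG_LINES, allowed={"svc-backup"}):
        print(f"ALERT {ts} {user} touched decoy {path}")
```

Under the flat design a breach of the public web system exposes every store; under the partitioned design it exposes only the file share, which is the containment the article asks for. The decoy scan shows the complementary detection point: a single read of a file nobody should ever open is enough to raise an alert, and the exemption list is where the practitioner records the few service accounts that legitimately sweep the whole file system.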
Conclusions
Perhaps the most important role for senior management is one of leadership. There is a very clear message from IoD research that the greatest impact comes from the personal attitude and actions of the chief executive, or by analogy the permanent secretary.
Setting the right culture is vital. Security must not be regarded as simply a “sunk cost”. Instead it must be recognised as a key contributor to success.
For more information:
BCS
Professor Jim Norton
