The news from either side of the Atlantic today sees the start of cyber battles between the USA and UK.
Rather than diplomatic relations taking a major downturn for the first time since the death of Thatcher the cat in 2009, this will see the national intelligence agencies GCHQ and NSA, aided by MI5 and the FBI, stress-testing each other’s capabilities.
The development of cyber cells will see agents try out methods of attack against the Bank of England and commercial banks in the City of London, and against Wall Street in a bid to ensure adequate security measures are in place.
It has been named the War Games, though for those of us with a good memory for 1980s political efforts, it sounds more like the Star Wars effort of 1983. Despite that, surely any type of testing is good, be it stress, penetration or on a national scale? We asked some of security’s top thinkers what they thought of the announcement.
John Walker, professor and BCS member
“The cyber threat has been allowed to creep up on us in preceding years, and to a large extent it has been denounced and ignored as just hype. However with the current scale of successful cyber attacks against international businesses, and Governments, it has become very clear that the computer and its interconnectivity to the internet now represents a significant low cost weapon which may be leveraged to cause considerable damage on targeted system and infrastructures.
“Now link that position with an always on, always connected society which has grown to become over-dependent on technology to service their business and home-living, we may soon start to see the implications of this current cross-road we are at. The basic fact is that if this risk is not addressed and contained, we will be a society which will suffer such serious economic and sociological consequences.
“This new initiative taken by both UK and US Governments is refreshing, and time has arrived for us to think as do the attackers, understand the levels of unknown unknowns which represent points of cyber exploitation, and train enough resource to redress the balance to mitigate, and encounter any cyber attacks or attempted incursions of the future. This action by the UK and US is way overdue, and is an absolute necessity to fund if we are to assure electronic/cyber stability in 2015 and beyond.”
Roy Tobin, threat researcher at Webroot
“This programme has been needed for some time. Vital services already have regular drills against more traditional methods of attack, but with a growing number of cyber attacks on large companies – most recently Sony – the Government has recognised the need for far more comprehensive cyber warfare protection.
“These tests will go beyond the normal scope of internal security testing by using custom malware built specifically to try and bring down a particular service. For example, in 2010 the Stuxnet worm, a custom piece of malware that was designed to target the Iranian Nuclear weapons program was released, the worm reportedly said to have shut down 20 percent of Iran’s nuclear reactors. This programme will finally test how banks fare in protecting vital infrastructure from these more complex attacks that require a high level of skill from the attacker.”
Darren Anstee, director of solutions architects at Arbor Networks
“Anything that focuses organisations on their incident handling processes and capabilities is a good thing, as the more these are used and tested the better our people and processes – and thus our defensive capabilities – become.
“Unfortunately determined, well-resourced and persistent attackers will usually find some way in to an organisation – what is becoming increasingly important is how quickly our tools and processes allow us to detect a threat and contain the problem when this happens.”
Richard Horne, cyber security partner at PwC
“As the Prime Minister and US President point out, cyber attacks are a real threat to all businesses. In the digital world we now live in, all businesses rely on processes and data that is stored electronically. Protecting that data and those processes is fundamental, and now a core part of business management.
“The financial costs of not acting can be crippling. The average cost of an organisation’s worst security breach is rising significantly year on year. For small organisations, the worst breaches cost between £65,000 and £115,000 on average and for large organisations between £600,000 and £1.15 million. Due to the global nature of cyber risk, collaboration between the UK and the US is paramount to combatting the threat.”
TK Keanini, CTO of Lancope
“This is wonderful news and a sign that cyber security is being integrated to the business continuity plan. For the same reason fire drills were invented, organisations need a readiness to incident response and rehearsal and drills are a part of that readiness.
“Success is really just going through the motions and ensuring that everyone plays their role and knows what information they need to drive good decisions. What does a successful workout look like? One where you improve and there is no injury and you are more fit than you were prior to the workout. This is the same type of mindset one must have when assessing the value of these exercises. When game day comes, you are ready to play hard.
“This should be a regular inter-organisation exercise and should be adapted to model the modern threats we face. Just like in sports, you need to have an idea of your adversaries’ tactics and techniques so that you can raise the cost to them on game day.”
Mark Brown, executive director in cyber security and business resilience at EY
“Co-operation between the UK and US on increasing cyber skills is a significant milestone in tackling these threats. A real area of immediate concern lies with the lack of cyber professionals who are equipped to deal with and manage the risks.
“Both Government and business cannot be blasé about the potential dangers posed by cyber criminals and need to be able to respond with equally-matched cyber expertise.”