The UK’s military and economic and industrial assets are at risk of being “fatally compromised” by cyber attack because the government has not fully grasped “the opportunities and vulnerabilities that” the cyber world presents, say MPs.
The potential vulnerability of vital UK assets must be urgently addressed, a report compiled by the Commons Defense Select Committee, released Wednesday says.
Some recent examples of high profile cyber attacks on British interests include the leaking of thousands of email addresses and encrypted passwords, including 221 military officials, 242 NATO staff, and staff from the Joint Intelligence Organization, as well as the loss of 800 million pounds (US$1.28 billion) in revenue by a British company following cyber attacks by a foreign state.
The MPs also highlighted worrying gaps in strategy saying it was unclear exactly who would be in charge if the UK came under sustained cyber attack.
They also expressed alarm that the MoD and the British military were now totally reliant on cyber systems for communication and that the technology upon which they rely has no proven back-up.
“The evidence we received leaves us concerned that with the armed forces now so dependent on information and communications technology, should such systems suffer a sustained cyber attack, their ability to operate could be fatally compromised,” the committee warned.
An unmanned official told the Independent in December last year that the Ministry of Defense (MoD) was under almost daily attack.
The MPs delivered a scathing attack on the government’s cyber-crime strategy, concluding, “The government needs to put in place –as it has not yet done – mechanisms, people, education, skills, thinking and policies.”
While they said the MoD had done a lot to secure its own systems, they expressed concern that other companies and organizations which work with the military on a daily basis, such as the firms that overhaul fighter jets, were often vulnerable to cyber-attack and this gave a “backdoor” route into the MoD.
Witnesses that the MPs talked to seemed to give “the impression that they believed an admission of the problem took them close to resolving the problem, it does not,” the report stated.
“It is not enough for the armed forces to do their best to prevent an attack…the government should set out details of the contingency plans it has in place should such an attack occur. If it has none, it should say so – and urgently create some,” the MPs said in a withering critique of the status quo.
Professor Paul Cornish, a professor in international security at the university of Bath and a contributor to the report, believes the nature of the cyber threat has, “blurred between military and civilian, and between the physical and the virtual; power can be exerted by states or non-state actors, or by proxy. Cyberspace has made it possible for non-state actors, commercial organizations and even individuals to acquire the means and motivation for warlike activity.”
The UK government has refused to publicly blame the countries it considers to be most likely responsible for carrying out cyber attacks, but MP’s drew on evidence given by the Security Community and GCHQ.
They said that, “The greatest threat of electronic attack continues to be posed by state actors and of those, Russia and China, are [suspected of carrying out] the majority of attacks. Their targets are in government as well as in industry.”
Although the report notes that the main purpose of these attacks is espionage and the acquisition of information, rather than to disrupt activities.
Aleksandr Gostev, chief virus analyst at Kaspersky Labs, told RT that such practices are commonplace amongst the major global powers, although all the evidence points to China as the most active player in this field.
“There are two main types of Chinese hackers, freelance teams who sell their information to anyone including the government, and specifically-assembled government operations, who have a specific task and target,” said Gostev.
He explained that as well as stealing technology one of the main targets of these cyber attacks is “ ‘mapping’ – finding weak spots in an existing security network, so that a serious attack can be carried out at a later time.”
The UK’s Cyber Security Strategy admits that the nature of the “borderless and anonymous nature of the internet, [makes] precise attribution difficult and the distinction between adversaries is increasingly blurred.”
But Jim Murphy, the shadow defense secretary, warned the report was worrying.
“Policy progress is falling behind the pace of the threat the armed forces face. Vulnerabilities must be tackled urgently and minsters must respond in detail to the demands in this report,” he told The Guardian.
The government, however, insists it is not being complacent.
“The MoD takes the protection of our systems extremely seriously and has a range of contingency plans to defend against increasingly sophisticated attacks,” Andrew Murrison, the minister for international security strategy at the MoD, told The Guardian.
As a result of the strategic defense and security review (SDSR) the coalition made cyber security a priority, setting aside 650 million pounds ($1.04 billion) to bolster the UK’s defenses, support online safety campaigns and boost investment at GCHQ, the government’s electronic eavesdropping center.
The MPs’ report draws on observations of former US Deputy Secretary of Defense William J. Lynn, who wrote that in cyberspace it is always the offense that has the upper hand.
“The internet was designed to be collaborative and rapidly expandable and to have low barriers to technological innovation; security and identity management were lower [priority] policies.”