There was a time when communications were mostly harmless. Sure, people might be badgered by nuisance calls, but that was the limit. Not so any more. Now, the global communications industry is the carrier of a lot more than words. It is becoming the proxy battlefield of choice, a warfare deployment network of staggering proportions. Want to inflict damage on a faraway target? Do not waste money on building an aircraft carrier. Recruit a team of hackers instead. The grim USP of neutron bombs is said to be that they kill people whilst leaving buildings undamaged. Cyberwarfare goes one better – it threatens to kill an economy or shut down society but without fatalities. And the most terrifying aspect is that an attack can be launched without anyone really knowing who was behind it.
Sensational stuff, but it is a reality. In the last few days we have seen a ramping up of a massive Distributed Denial of Service (DDoS) attack against Burma. The attack is producing packet rates that are many times greater than the capacity of the country’s main internet feed, effectively knocking the country off-line. There is plenty of speculation about who might be behind the attack. The more fundamental lesson is that what was just a potential danger is now well proven in practice. Cyberwarfare is not science fiction and the impact is very real even if the techniques are invisible.
Whilst Burma may not enjoy the greatest bandwidth in the world, it does not take much to imagine similar attacks scaled up, though denial of service is only one kind of threat. The European Network and Information Security Agency (ENISA) has just concluded its first pan-European ‘wargame’ exercise. This involved unleashing 320 injects in a bid to test the strength of current defences. ENISA will give a media briefing about the results on 10th November. It should be well worth hearing their draft conclusions.
Individual nations are also keyed up for the cyber security challenge. For example, the UK has been reviewing its defence plans as part of fixing the national budget in the wake of the global financial crisis. In a period of austerity, the British government said GBP500m (USD800m) of new spending will go towards cyber security. The announcement came shortly after the publication of a national security strategy. The national security strategy identified “hostile attacks upon UK cyber space by other states and large scale cyber crime” as one of the four highest-priority security risks, measured by both likelihood and impact. Both the security review and government announcement were presaged by a rare public speech by Iain Lobban, Director of the UK’s GCHQ. GCHQ is one of the three British intelligence agencies. It is best known for its role in electronic information gathering (techno-whizz spying) but the agency is also keen to assert its role in protecting information too. In his speech, Lobban said that:
“It is true that we have seen worms cause significant disruption to Government systems – both those targeted deliberately against us, and those picked up from the Internet accidentally. There are over 20,000 malicious emails on Government networks each month, 1,000 of which are deliberately targeting them.
It is true that we have seen the use of Cyber techniques by one nation on another to bring diplomatic or economic pressure to bear.
It is true that we have seen theft of intellectual property on a massive scale, some of it not just sensitive to the commercial enterprises in question but of national security concern too. As Jonathan Evans said in September, Cyberspace lowers the bar for entry to the espionage game, both for states and for criminal actors.
And of course it is true that the risks in all these areas are growing along with the enormous growth of the Internet. At the moment it’s expanding by about 60% a year. There are around ¼ of a trillion emails sent every day – even if 80% of these are spam. Cyberspace is contested every day, every hour, every minute, every second. I can vouch for that from the displays in our own operations centre of minute by minute cyber attempts to penetrate systems around the world.
Lobban’s point about ‘lowering the bar’ is well taken. The internet lowers barriers for entry. Criminals and talented amateurs can also get to play on this battlefield. One recent story highlights the vulnerabilities with stupendous irony. ACS:Law is a British legal firm that specializes in intellectual property. I would point you at its website so you can check for yourself, but I cannot… it has been taken down. ACS:Law has been heavily engaged in sending claims letters to suspected online pirates on behalf of copyrights holders. Their nemesis has been the anarchic pranksters who congregate around the 4chan bulletin board. They launched ‘Operation Payback’ as punishment, a DDoS attack to wreak some mob revenge, but they could not have anticipated what mayhem would ensue. When recovering their site, ACS:Law briefly allowed an unencrypted backup of email correspondence to become publicly visible. These emails included spreadsheet attachments listing ACS:Law targets. In other words, the ‘Payback’ crew obtained access to personal details of thousands of people listed by ACS:Law as having unlawfully shared copyrighted content, including pornography. The 4chansters, being who they are, soon spread this personal data around the internet. The fallout has been significant. To begin with, the data breach is being investigated by the UK’s Information Commissioner. It is likely the underpowered Commissioner will make best use of a rare opportunity and make an example of ACS:Law. Lax security is the norm, but it is rare for a business to be caught out so dramatically. The Commissioner will likely be keen to use his new power to levy hefty fines. But the consequences of this incident do not stop with ACS:Law. Incumbent telecoms operator BT also got caught out, when it transpired they had emailed an unencrypted list of suspected filesharers to ACS:Law. BT responded by toughening their stance on disclosing information required by court orders. In a move welcomed by the Consumers’ Association, BT has imposed tougher conditions on firms like ACS:Law before it will send them customer information. In addition, the focus on security has made it easier for BT to justify its data retention policy. This policy prompted the deletion of 80% of the filesharing data sought by lawyers working on behalf of Ministry of Sound, the nightclub and record label business.
The internet closes the gap between big and small, giving everyone access to a global playing field. When it becomes a battlefield, then every level of security comes into play: national security, corporate security, and the security of the individual. Nobody would ever have sued a phone company just because somebody used their network to make an abusive call. Now those networks are in the middle of the digital crossfire – and bear far more responsibility for what they carry. There is not much mileage in an argument that says telecom operators can peek into their customer’s data when it helps them to make money, but that they should take no interest otherwise. When looking at security, it is tempting to focus on the technical aspects, but the risk implications are very diverse. Telcos are expected to retain data about organized criminals and terrorists… but not be excessive in keeping data about the ordinary man in the street. The sliding scale of security, from national to personal, creates room for dispute about how to balance risks and responsibilities, and who exactly should be held responsible for what.
There is a long relationship between communications and national security. I once worked for Cable & Wireless in Bletchley. It is not a coincidence that they had a facility just a short walk from Bletchley Park, famous home of the WW2 codebreakers who cracked the Engima cypher. What is new about the relationship between communications and security is the scale of the potential harm when security fails. The damage caused can range from the macro to the micro, hurting a country or ruining the life of an individual. That means security risk can no longer be considered solely the responsibility of unknown teams of technical boffins. The risks are manifold: political, legal, operational, regulatory, reputational, and even personal. Networks sit in a nexus between governments, criminals, terrorists, spooks, nihilists, conspiracy nuts, public services, pirates, big businesses, small businesses, regulators and, lest we forget, everybody else. They somehow need to navigate a middle course, genuinely serving everyone’s needs, whilst minimizing the risk of harm. That last point is no longer trivial. The great Liberal thinker J.S. Mill asserted that power should only be exercised over an individual in order to prevent harm to others. Through the network, many can do harm to many others, but to deny them access and freedom to use the network is also a kind of harm. Humankind has had the genius and drive to build networks that join up the world. Now our rational powers face a potentially greater challenge. The relationships between freedom and security have never been so complicated. Having joined-up the world, we need to join-up our thinking.