Three different tales of terrorism mark the end of 2014 and the start of 2015 and make cyber security the hot topic for 2015:
Picture this – don’t let it happen to you
In December 2014 we witnessed the fallout from the attacks on Sony Pictures which destroyed data and hardware and proved very costly with the leak of a slate of films due for release. Whether or not North Korea were behind it, the events and initial capitulation by the studio damaged the studio’s brand inexorably. Cyber attacks are highly challenging and pose a serious threat to a company’s economic stability and security, as well as wider reputations.
Exploited by foreign governments, hackers, criminals and the disaffected who all probe computer networks daily, this New Year marks a timely opportunity for organisations to prevent their own “Sony situation”, by assessing and identifying any potential infrastructure weaknesses, updating processes, staff education and awareness – and implementing new, tighter measures and governance procedures to assure customers.
Securing communications data – an acceptable price for us Charlies?
On Friday 9th January 2015 two tragic terrorist attacks concluded in Paris, with the perpetrators treated as criminals and shot.
Incidents like this are frightening and a prompt for sombre reflection. Behind the Paris attacks is the multifarious use of the internet, social media, email, telephone and mobile communications connecting individuals and groups, to inform global audiences on extreme topics and ideologies. This has accelerated so fast in the last 15 years, that it makes control of such communications and intelligence gathering, challenging but highly essential if nations are to have any chance of preventing the next atrocity.
Both the UK and the US are responding by seeking to toughen up their legislative processes to track communications. In the UK, the Government wishes to collect data in bulk from all sources including social media, irrespective of citizen (from child to grandparent). This effort they believe, by intercepting communications would help identify new perpetrators and build up a body of evidence to be used in court.
Defenders of civil liberties with privacy concerns are correctly identifying the wider impact this would have on individuals and companies. However, when set against the motive of defending the public and infrastructures to keep the lights on, it is an increasingly hard position to argue against. Only time will tell, but it will be interesting to see if a bi-product becomes the further movement of information to sovereign controlled data centres to ensure improved access and regulation.
Cyber threats – an urgent and growing danger
Finally, Tuesday 13th January 2015, saw a CyberCaliphate attack breaching US Central Command’s Twitter feed Centcom and YouTube feed. With several thousand social media accounts, social media is seen as a fast and effective way for the US military to communicate globally with its staff and families – on anything from on-base events to power outtages. The ‘cyber vandalism’ as it is being described, only showed information widely available online – there was not believed to be any theft or disclosure of classified information.
The timing was embarrassing though and created a PR disaster for the President, given that he was outlining plans to strengthen cyber security when it happened. This was unlike the 2008 foreign intelligence breach via malware into the Pentagon mainframe computer system. This latest public hack is believed to have been caused by password disclosure (inadvertently or not) from an individual. US officials have duly updated passwords and issued tip sheets to staff to bolster online security advice and are reviewing processes. In social media, both Twitter and Google now recommend two-factor authentication, so anyone logging on to the account from a new computer has to enter a code sent to their mobile phone.
Whilst the Centcom attack did not have the impact that the perpetrators hoped for, lessons are there and must be learned and applied by all organisations using the internet. Financial systems, powergrids, pipelines, healthcare systems and wholescale society infrastructures run on networks connected to the internet. Safeguarding these are the crux to public safety and public health.
As we go to press today, David Cameron on a visit to Washington confirmed that MI5 and the FBI will be playing cyber wargames targeting the Bank of England, commercial banks, the City of London and Wall Street and be followed by “further exercises to test critical national infrastructure”.
As a healthcheck, businesses and organisations should do the following:
- ensure good password hygiene is maintained
- review and update processes regularly
- ensure internet security is up to date
- limit the number of administrators who can access accounts
- ensure accounts are regularly monitored
In this case, a sense of proportion needs to be maintained. Yes, it was embarrassing, but nobody died.