It was recently reported that some 60 million Euros had been stolen from bank accounts across the continent as a result of organised cyber crime, with attacks mainly targeting Italian, German and Dutch banks. This came soon after Jonathan Evans, head of the MI5, claimed that the organisation is fighting against an 'astonishing' level of cyber-attacks on UK industry. Evans also suggested that the target of cyber threats is shifting towards government and big businesses with MI5 investigating claims that one major London business has suffered 800 million in losses following an attack.
Evans warned that internet vulnerabilities were increasingly the target of nation states as well as cyber criminals. His stark warning of the increased cyber threat to our nation's secrets and industry comes in the wake of the recent Google announcement that the company will warn all Gmail account users if their account has been the target of a state-sponsored attack and the recent discovery of the Flame virus, described as the most sophisticated computer virus in the world, targeting Iranian IT systems.
Paul Davis, director of Europe at FireEye, commented: "Recent news surrounding state-sponsored malware attacks serves to reinforce the notion that we have entered a new era of cyber threats. As evidenced by Jonathan Evans' latest speech and breaking news of financial losses at banks across Europe, cyber espionage is more prevalent than people realise and it is time that governments and businesses take note. In most cases, the victim organisations perform damage control before the breach becomes public. That said, as attacks become more advanced and complex, it is very likely this type of activity will become more visible to the public particularly as cybercriminals begin to target critical infrastructure and other systems that could have a greater impact on human lives. More worryingly, as these attacks become more high-profile, others could potentially learn from these techniques, making future attempts even more difficult to defend against.
"Just as internet shoppers have credit card details that low-level hackers find alluring, businesses and governments have vast amounts of Intellectual Property and sensitive information that today's cybercriminals are targeting through advanced attacks. It is important that this shift in focus does not catch us off guard.
"Cyber attacks have become a new form of 'cold conflict', where nation states are able to affect each other through indirect means. This evolved threat landscape now means that any organisation, government or nation must urgently up the ante on pre-emptive security before it is too late. Over-reliance on traditional signature-based perimeter defences and heuristics means that too many are still lulled into a false sense of security - while woefully exposed to zero day, unknown attacks. Instead, more must be done to ensure continuous monitoring of all network activity so that attacks can be thwarted at an early enough stage to prevent any widespread damage. While this announcement from MI5 seems to point to the fact that we are waking up to the modern threat landscape, it is painfully clear that much more must be done to bring security procedures in line with the current threat level."
Ash Patel, country manager for UK & Ireland, Stonesoft, commented: "I am glad to see the government has finally stood up and announced the real concerns around cyber-attacks. It is unfortunate that they have taken so long to speak up, however, I imagine it was more of a case of ensuring they had all the correct information before making any announcements. Given the complexity and rate at which cyber-attacks are growing, I'm grateful that there is at least one organisation that is making an effort to safeguard us, and all our personal and sensitive data, along with our Critical National Infrastructure."
David Harley, senior research fellow, ESET, said: "MI5 is fairly typical of a security service in the Western World. It answers to the government, but doesn't have the same view of the world (or of security) as the government. Make no mistake: the Security Services and the Centre for the Protection of National Infrastructure was aware of and working against a wide variety of attacks long before cyber-terrorism and cyber-warfare became hot political issues, and long before UNIRAS/NISCC/CPNI became so publicly aligned with those elements of the private sector that are intermeshed with the public sector elements of the Critical National Infrastructure (CNI). Governments, on the other hand, are driven not only by the need to respond appropriately (whatever 'appropriate' means), but the need to reassure the electorate that they're doing something, and most governments nowadays have acknowledged the need to maintain defences against cybercriminals and cyber-warriors of all flavours, as well as acknowledging more often that they are working proactively in cyber-espionage and cyber-sabotage, and all the other cyber-nuisances and cyber buzzwords. Also, there has been plenty of discussion about the precautions being taken to minimize the dangers posed by the Olympics.
"Even though Ross Anderson's study was commissioned by the MoD, it seems fairly diffuse and largely focused on cybercrime. While in principle, I have to agree that it would be much more efficient if we could simply go after the gangs that have the most impact rather than spend money on purely technological solutions, that isn't the world we live in. For one thing, while crime doesn't recognise national boundaries, criminals are often well able to take advantage of such boundaries to evade the attentions of law enforcement. In fact, it's a fallacy to assume that the security industry is purely focused on selling antivirus and firewalls. Much of our research activity is focused on forensic investigation in cooperation with law enforcement and other agencies, but that kind of criminal activity isn't so easy to counter. Furthermore, it's the sales of products and services that allow security companies to contribute their research expertise to anti-crime and anti-terrorist activities that often have no direct economic advantage to them. That may not be the best, most effective economic model for fighting cybercrime, but right now that's what we've got. The per capita figures cited in the study don't begin to reflect the real costs of fighting crime, any more than the 27bn figure cited in the Detica report does."
Rob Cotton, CEO at NCC Group, commented: "Increased publicity for cyber security is a good thing as it can lead to increased awareness. However, sweeping, veiled statements such as this can cause more harm than good. A cursory glance at the newspapers shows that the cyber threat is real, big and multifaceted but not following up these comments with guidance will leave companies feeling helpless.
"Businesses need to know how they're at risk and what they can do to help themselves Jonathan Evans has given no practical advice. This is the job of the policy makers, who need to promote transparency from the top down. Whether that's through education, or government funding, businesses need more support."
Ross Brewer, managing director and vice president, international markets, LogRhythm, said: "The threat of terrorism is shifting from physical acts of violence to a more subtle, silent war that is fought from behind a computer screen. Cyber warfare is no longer a product of a Minority Report-esque era and it seems that MI5 is now placing the issue directly under the microscope. Considering the discovery of the Flame malware, Google's warning to vulnerable users about state-sponsored attacks, and recent headlines around the ACAD/Medre.A virus, it is becoming clear that Governments and businesses must take urgent action to boost security and ensure that any vulnerabilities are addressed.
"There are clear examples of how a cyber attack can lead to loss of information and financial repercussions for big businesses, but as this threat develops and becomes more sophisticated, the potential to compromise critical assets and cause real world damage grows exponentially. What's more, as our world becomes progressively more connected with the internet controlling most aspects of daily life from cars, to traffic systems to cash machines and other infrastructure the problem becomes more complex, vulnerabilities increase and urgent steps must be taken to ensure that security procedures are aligned.
"Some academics, such as the authors of the recently released Cambridge University cybercrime report, claim that more resources should be focused on catching and punishing cybercriminals as opposed to preventing computer crime but unfortunately this is as logical as waiting until you have been burgled before installing locks. The scale and nature of today's cyber threat calls for continuous, protective monitoring of networks to ensure that even the smallest intrusion or anomaly can be detected before it becomes a bigger problem for all. As traditional point security tools continue to prove their own limitations, more holistic strategies need to be adopted and log data is becoming an invaluable intelligence resource for anybody wanting to keep a close eye on all network activity. This level of visibility is also critical to facilitate deep forensic analysis into today's sophisticated cyber attacks, enabling them to be accurately attributed to the correct perpetrators."
Martin Sutherland, managing director of BAE Systems Detica, said: "We're aware of multiple cases where companies have experienced real business loss as a result of cyber espionage. In our Cost of Cyber Crime report with the Cabinet Office, we estimated that the theft of IP and industrial espionage cost the UK 17bn a year. These sorts of problems are not only deep in terms of financial losses, but also broad in terms of the increasing number of incidents we are seeing.
"It is clear that the cost of cyber crime is growing. The Government believes the threat is serious and needs to be tackled and has rated cyber attacks as a Tier 1 threat. Raising awareness and building capacity to resist threats across both the public and private sectors should be our top priority."
The recent 2012 Detica Cyber Security Monitor, conducted by MORI, identified as many as seven types of major online threats, including state sponsored spies. 43% of businesses in the Cyber Security Monitor pointed to those involved in industrial espionage as a likely threat to their company, while more than half (56%) of these respondents were also concerned about state sponsored spies.
It also revealed that 88% of businesses believe that 2011 was just the beginning and that high profile cyber attacks against businesses are likely to continue on similar or increased scales in the future.