National cyber security investment - A masterclass in scaremongering?

November will be remembered as a bloody month in Europe. While a nation came to terms with its loss, governments and religious groups rallied, determined to find a solution.

France’s security was lifted to its highest level and Obama pledged to ‘redouble efforts’, fortify borders and continue diplomatic talks. In the UK, Muslims from the clerical community fiercely condemned the attacks.

COBR met swiftly, and the Chancellor committed £1.9 billion to security in his Autumn Statement. And, despite the speculation, policing budgets were left untouched. Looking closely at the Spending Review, George Osborne made provision to almost double the country’s investment to protect Britain from cyber attack and develop ‘sovereign capabilities in cyberspace’, over the next five years. Overall it takes total cyber spending to more than £3.2 billion.

Many have questioned the sums being allocated. That was until former Defence Secretary Lord Browne suggested that Trident could be rendered useless if a cyber attack was allowed to penetrate its systems.

So is it scaremongering or a genuine prospect? From my perspective, as a security specialist, the reality is that any national public or private infrastructure service, or defence facility such as Trident, could be hacked.

Cyber attacks are advancing all the time - nothing stands still. We now see more automated attacks than ever before (a 300 per cent increase on this time last year), using techniques that sustain intense attacks over long periods without a person being involved. Think of it as ‘good bot versus bad bot’. As automation becomes the norm in everyday life, so we must ensure that every point in the networks that run our connected devices is continuously assessed for weakness – public or private.

Malware in Smart TVs, erroneous bar codes, mobile phone viruses: it’s no longer the preserve of the Minority Report. Any ‘thing’ linked to a network is a gateway for cyber attack. That’s why I believe companies need to make sure they design products that are inherently secure. It can’t be an overlay that’s added once the prototype is finished. It must be a milestone in product development.

Then of course there’s the supply chain. Smart meters connected to the mobile network, controlled by a phone and linked to energy billing through an app involve many different companies, from boutique software providers to utility giants. Understanding who owns the responsibility for cyber security is a legal matter that can’t be ignored. To do so would invite the risk of becoming a cyber domino – toppling other companies if your defences fail.

Even if you are not offering an internet of things service, it’s well worth looking at your customer list too. Take, for example, Hexatom, a Paris-based managed service provider. It won a contract with a gambling company. However, as soon as it brought it online, its infrastructure was repeatedly hacked. It didn’t realise that the gambling sector is the most hacked after government agencies and ISPs. It tells us a lot about how we should plan.

History also tells us a lot. You don’t need to be a security expert to see that the number of sustained and intense cyber attacks will only go upwards. What’s most interesting, and perhaps disconcerting, is that in periods of global instability they spike.

For example, if you look back to the troubles between Russia and the Ukraine in 2014, we saw cyber attacks shoot up. There was an undeniable ‘ring of fire’ whereby NGOs like NATO, infrastructure and utility providers, web hosting companies, broadcasters and financial institutions were attacked - distributed denial of service (DDoS) attacks accelerated in their force and number.

Of course, there are groups who see themselves as a force for good. Anonymous is the most well known. It made a stand against radicalism earlier in the year after the Charlie Hebdo attacks but has gone much further with its fight following 13 November.

Though some may question the validity of the campaign in terms of seeking out genuine ISIS sympathisers, and how the FBI and other enforcement agencies respond, you can’t help but notice the impact it has had on public opinion. Using hacktivism for a positive agenda has helped the public understand the threats. A united effort behind a cause is powerful, and people can see how a negative force could have similar results, yet with catastrophic consequences.

So while the sums seem extraordinary for national security and in particular Trident, they are probably realistic. In the same way companies need to work together, efforts will need to be focused on local defence and international collaboration in terms of intelligence gathering, and the physical technology that's required for intervention and prevention.

After all, it’s the best insurance policy we can have when lives are at risk.

Adrian Crawley, regional director for Northern Europe at Radware
