Slashdot Mirror


Major Cyber-Attack Will Happen Soon, Warns UK's Security Boss (theguardian.com)

Alex Hern, writing for The Guardian: A "category one" cyber-attack, the most serious tier possible, will happen "sometime in the next few years", a director of the National Cybersecurity Centre has warned. According to the agency, which reports to GCHQ and has responsibility for ensuring the UK's information security, a category one cybersecurity incident requires a national government response. Speaking at an event about the next decade of information security, Levy warned that "sometime in the next few years we're going to have our first category one cyber-incident." The only way to prevent such a breach, he said, was to change the way businesses and governments think about cybersecurity. Rather than obsessing about buying the right security products, Levy argued, organisations should instead focus on managing risk: understanding the data they hold, the value it has, and how much damage it could do if it was lost, for instance.

66 comments

  1. James Bond by Anonymous Coward · · Score: 0

    Man I feel like I'm in a James Bond movie. National Cybersecurity Centre? Seriously?

    1. Re:James Bond by hraponssi · · Score: 1

      Most countries, at least in Europe, have one. Just put "national cyber security centre" + name country. Of course, they have little to do with James Bond style cool stuff. More like national level network monitoring, situational awareness, threat intelligence, guiding and educating companies and public organizations as useful.

    2. Re:James Bond by Anonymous Coward · · Score: 0

      Think of it as the UK equivalent of an amalgamation of NSA's information assurance, CERT-US and DHS infrastructure protection activities and information gathering.

    3. Re: James Bond by hey! · · Score: 1

      "National Cyber Security -- Vatican City"

      Nah. That's more Dan Brown than Ian Fleming.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    4. Re:James Bond by mikael · · Score: 1

      The fear of a massive DDoS attack, somebody breaks into the digital records of the inland revenue, Parliament (already happened with an email server), an encryption malware worm or an attempt to shut down or overload the electricity grid.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    5. Re: James Bond by sound+vision · · Score: 1

      It's more Michael Jackson if you ask me.

  2. MORE FUNDING! by brian.stinar · · Score: 4, Insightful

    Well, it sounds like the only reasonable thing to do would be to provide the National Cybersecurity Centre with much more funding!!

    1. Re:MORE FUNDING! by Train0987 · · Score: 5, Insightful

      Don't forget abolishing any privacy or encryption.

    2. Re:MORE FUNDING! by zuki · · Score: 1

      Surely this will come up for debate in the UK, especially once it manages to rid itself of any vestigial remaining compliance to European laws governing cyber-security.

      FUD-based balkanization of this once-great river of data proceeding apace....

    3. Re:MORE FUNDING! by AmiMoJo · · Score: 1

      Surely we should be de-funding these guys, since it's their incompetence and unwillingness to actually help protect us that has gotten us here.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    4. Re:MORE FUNDING! by tinkerton · · Score: 1

      I tend to be just as cynical but I happen to agree with his advice: start working on damage control.

    5. Re: MORE FUNDING! by hey! · · Score: 2

      I've seen how government reacts to impending crisis. The money goes to contractors, agencies are just conduits.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    6. Re:MORE FUNDING! by rholtzjr · · Score: 1

      Mitigation is always the prudent path. I have lost count of the times I had been countered in a design meeting when asking what security approach we would use only to be told "features" outweigh "security". I hope that most companies actually did create a tested, repeatable, and current disaster recovery plan because I think they may need it in the near future.

    7. Re: MORE FUNDING! by Anonymous Coward · · Score: 0

      It will also rain soon, and there will be consecutive periods of light and dark.

  3. category 1? category 5? by Anonymous Coward · · Score: 0

    Why not use the same scale as hurricanes? A category 5 cyber should be the most dangerous kind of cyber. Personally, I tend not to go above category 2 cyber when I'm cybering. I think you need a safe word at category 3 cyber and above.

    1. Re: category 1? category 5? by Anonymous Coward · · Score: 1

      What part of "most serious tier" did you not get?

      Please let me know I don't get it either.

      This means they will actually delete stuff? More people spying on us? No really! WTF is this "tier?"
      Just FUD.

  4. He's right by bravecanadian · · Score: 1

    Rather than obsessing about buying the right security products, Levy argued, organisations should instead focus on managing risk: understanding the data they hold, the value it has, and how much damage it could do if it was lost, for instance.

    But what do you suppose the chances are that the leaders of these organizations magically start thinking that way?

    Also he forgot one important part. Planning for what to do when the inevitable happens.

    1. Re:He's right by KiloByte · · Score: 2

      Also he forgot one important part. Planning for what to do when the inevitable happens.

      Well, he did plan. He wants more funds and power right now, then again when the big attack will happen.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    2. Re:He's right by tomtomtom · · Score: 1

      But what do you suppose the chances are that the leaders of these organizations magically start thinking that way?

      When their auditors, audit committees, and (where relevant) regulators require them to then it will happen. There is a fair degree of lobbying going on behind the scenes to effect it via this route in the UK at least. This kind of cultural change takes some time, but there are plenty of examples of it happening - employee health and safety, corporate governance, etc

    3. Re:He's right by ctilsie242 · · Score: 2

      They won't. "Security has no ROI" has been a mantra for the industry, and virtually the entire IoT campaign since its inception. Plus, with companies able to get away scot-free no matter how egregious the breach by saying, "we can't do anything, the hackers are too good" almost institutionalize the fact that shit for security is the standard.

      A "cat 1" breach is inevitable. I was at a meeting with someone from a Congressional committee several years back stating that an intrusion that would cause massive destruction and loss of life is going to happen. However, luckily it hasn't. I hope it doesn't, because I'm sure laws will hit the books like the CFAA which might get some teenager arrested and jailed for 20 years because they found perl world executable on their school's webserver, but won't do a single thing against organizations overseas who are well-heeled.

      What we need to do is have governments stop focusing on scare tactics and start tackling this problem in a methodical way:

      1: An organization like UL (Underwriters Labs) which does security testing, and does similar to Europe's Sold Secure. A Sold Secure Bronze router may be something OK, but a Sold Secure Gold router would be designed from the ground up using a secure microkernel OS with MAC/DAC protection on everything, specialized CPU, multiple cryptographic signatures on ROM images, source code audited by a clued third party or an organization like NIST, etc.

      2: Since most regulations (FERPA, FedRAMP, FISMA, HIPAA, CJIS, SOX, PCI-DSS, etc.) have overlapping items, take the core ones that all of them cover, and have a certification which allows for random auditing at any time without notice.

      3: Have multiple different certifying agencies, so regulatory capture becomes less of an issue.

      4: More data privacy laws like the EU should be enacted. That way, a company getting massively compromised might feel more than a few days of bad PR.

  5. Nothing but an excuse by Anonymous Coward · · Score: 1

    This is nothing but an excuse to grab power. What with the advent of cryptocurrencies, strong encryption, and a growing distaste for governments and corporations, you can bet your last penny the people in power will do anything to keep it. If we in the West do not stop this sorry power grab stuff that keeps happening, we'll end up like China as regards the Internet.

  6. so "soon" = "next few years" is cyber space? by sittingnut · · Score: 1

    so "soon" = "next few years" is cyber space?

    and it is possible to accurately predict future of online world and its evolution for few years into future? so accurately that funds and laws infringing on other needs, and privacy, can be reallocated?

    given the hurricane terminology, would there be a campaign against skeptics of these predictions, like against skeptics of climate change predictions?

    1. Re:so "soon" = "next few years" is cyber space? by Anonymous Coward · · Score: 0

      In cyber space no one can hear you scream...

  7. quick, better destroy and cripple our own freedoms by Anonymous Coward · · Score: 0

    nt

  8. Single Most Devastating Cyberattack by Anonymous Coward · · Score: 1

    "I’ve often thought that the single most devastating cyberattack a diabolical and anarchic mind could design would not be on the military or financial sector but simply to simultaneously make every e-mail and text ever sent universally public. It would be like suddenly subtracting the strong nuclear force from the universe; the fabric of society would instantly evaporate, every marriage, friendship and business partnership dissolved. Civilization, which is held together by a fragile web of tactful phrasing, polite omissions and white lies, would collapse in an apocalypse of bitter recriminations and weeping, breakups and fistfights, divorces and bankruptcies, scandals and resignations, blood feuds, litigation, wholesale slaughter in the streets and lingering ill will."

  9. Too late by cordovaCon83 · · Score: 2

    Maybe he's talking about in the UK specifically, or maybe his definition of a category one cyber-attack is different from my own (confession - I didn't RTFA to find out how cyber attacks are classified!) But if you want to talk about major acts of sabotage perpetrated through "cyber" - http://www.zdnet.com/article/u... Also, that whole Stuxnet thing

  10. Amm... So what? by Anonymous Coward · · Score: 0

    So... worst case scenario: Internet is out for... a week? Or FB is down? or Amazon is inaccessible? Bank site is down? WhatsApp doesn't work?

    I mean, what's the worst that can happen in a cyberattack?

    I think a more sinister "attack" would be to quietly change prescriptions/dosage at national pharmacies (CVS, etc.) such that nobody immediately notices.

    Will we have fast-and-furious like car swarms? Really???

    1. Re:Amm... So what? by sdinfoserv · · Score: 3, Informative

      How about these: the power grid goes down, for several months. Dam flood gates open releasing enough water to flood towns down stream. Your car no longer starts. Raw sewage from treatment plants backs up into the streets of all major cities. Stop lights turn all green every direction.
      Like that? So what? Still?
      Ya, I thought so.

    2. Re:Amm... So what? by cordovaCon83 · · Score: 1

      No, you're right, those are all terrible things that are allegedly feasible through cyber attacks. However, the director insinuated that a category one cyber attack had never ever occurred before. Again, that may be true in the UK, but I guarantee the other two events that I listed warranted a "category one" cyber attack in their respective countries.

    3. Re:Amm... So what? by sdinfoserv · · Score: 1

      "allegedly feasible"... https://www.digitaltrends.com/...
      Allegedly 7 years ago.

    4. Re:Amm... So what? by Comboman · · Score: 1

      The last time someone made a claim that civilization was ending because of computers was the Y2K bug, and we all know how that turned out. Power grids, water, sewage and traffic control systems all existed and worked perfectly fine before there was an internet. If someone decided to connect them to an insecure network without the option to quickly and easily disconnect them again, that person should be fired.

      --
      Support Right To Repair Legislation.
    5. Re:Amm... So what? by cordovaCon83 · · Score: 3, Interesting

      Wrong thread. Stuxnet, as stated in another thread, definitely happened, along with the Russian oil pipeline explosion in 1982. Those are definitely category ones. So yeah I'm with you, there's more to worry about than just Amazon going down for a couple of days. Still, I'd anticipate the attack vectors to be something other than municipal systems, depending on the motivation of the actor.

    6. Re:Amm... So what? by Anonymous Coward · · Score: 1

      I mean, what's the worst that can happen in a cyberattack?

      You have no idea what is going on, do you?

      Attackers could target the electrical grid and knock out the power to an entire region of the US. Or the entire country. And there are failure modes that destroy equipment.

      Bank site is down?

      How about the entire banking network? We could be talking about payment processing (Visa, etc) or the bank transaction network (ACH).

      WhatsApp doesn't work?

      Funny that you mention this, but the control system for cellular systems is notoriously outdated.

      A sophisticated actor may be able to disrupt the entire network. We've seen targeted attacks to eavesdrop on individuals, but no one has demonstrated DoS tools yet. There are numerous known vulnerabilities, yet the telecoms drag their feet on an upgrade/replacement.

  11. Managing risk by tomhath · · Score: 4, Interesting

    Rather than obsessing about buying the right security products, Levy argued, organisations should instead focus on managing risk: understanding the data they hold, the value it has, and how much damage it could do if it was lost, for instance.

    He has a good point. When an all out attack does happen you won't be able to stop it. So before it does, make sure your backups work, make sure your restores work, put fences up to stop the spread of an attack, etc, etc.

    In other words, assume the attack will succeed. Then what will you do?

    1. Re:Managing risk by Anonymous Coward · · Score: 0

      Then what will you do?

      "make sure your restores work, put fences up to stop the spread of an attack ..."

      That's pretty much it, after ensuring everyday security (anti-virus, firewall, DPI algorithm) works. The cloud storage is rented, as is the office space, as is the MAN/WAN. The computers are insured or similar models easily bought. Customer data can be taken from the customers again. I only have to ensure any surviving computers have security integrity and that business data (software, ledgers, contracts, wage/ purchase/ sales records) survives.

    2. Re:Managing risk by Anonymous Coward · · Score: 0

      In other words, develop resilience.

  12. Blah Blah and More Blah by EndlessNameless · · Score: 1

    The various corporations and governments have been warned for years that trade secrets and infrastructure are extremely vulnerable. This warning is more of the same.

    Repeated breaches have not convinced them to make the fundamental changes that are necessary. It seems that nothing short of a catastrophe will.

    --

    ---
    According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
  13. he is right on risk management by hraponssi · · Score: 1

    Don't know where all the funding stuff comes from in here, except maybe the history of it always leading to that, hah.. But he is right that building cybersecurity or generally running a business without basing it on sound risk analysis makes no sense. Realizing that should not be rocket science but somehow people/organizations don't seem to do it anyway. I find it good that someone tries to bring the message..

  14. So could an asteroid hit... by Anonymous Coward · · Score: 0

    but I don't see them rushing to fund NASA.

  15. I propose a law... by dicobalt · · Score: 1

    ...which will imprison people for using the word "cyber". Each instance of the word would carry the penalty of 24 hours locked inside a smelly hall closet with a small television blasting the movie Lawnmower Man on an endless loop.

    1. Re:I propose a law... by gweihir · · Score: 1

      I would be completely on-board with that. "Cyber" immediately marks you as clueless and unaware of it.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  16. Somebody wants more power and budget.... by gweihir · · Score: 1

    Pretty obviously.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  17. The price of tinfoil is going up... by Anonymous Coward · · Score: 0

    Better order your tinfoil hat before it's too late.

  18. So instead of doing something sensible like... by Casandro · · Score: 1

    ... putting more research into actual advances into computer security, or making systems more secure, for example by banning the most insecure products and demanding minimum evidence based security standards...

    he probably just wants people buying exploits on the market in order to compromise the computational devices of innocent victims.

  19. he is in a position to actually do something! by Anonymous Coward · · Score: 0

    so why doesn't he take that position and use it to get the politicians to stop trying to back-door encryption? or get the politicians to enforce penalties for having these hacks happen on their watch?

    Because he actually doesn't understand a single bloody thing he's talking about. evidence FTA:

    "What that tells me is that the systems we've built, as technical systems, are not built for people. Techies build systems for techies, they don't build technical systems for normal people"

    Encryption is math, it is not built for anyone! as far as how the encryption is used, well that lies on the c suite execs who don't want to spend the money to actually educate their employees. you can't expect security officials to make things for normal people. as the saying goes "make a program more idiot proof and a larger idiot will come along"

    another wonderful quote FTA:
    "Cybersecurity professionals have spent the last 25 years saying people are the weakest link. That's stupid!" he said, "They cannot possibly be the weakest link - they are the people that create the value at these organizations."
    just because a person creates value for an organization does not mean that they are not a security risk or the weakest link in the security chain. A sales person can make a company millions of dollars a year, yet re-use passwords over and over again and never be affected until a malicious person targets them.

    the only thing stupid here is this director.

  20. Re: category 1? category 5? by Anonymous Coward · · Score: 0

    . . . the recent WannaCry attack was only a Category Two attack by NCSC standards . . . a Category One attack would strike without warning, and require a government-level response.
    . . .
    "Sometime in the next few years, we're going to have our first Category One cyber incident - one where you need a national response,” he said."

    Clearly these are internal guidelines to the NCSC, although I can't find them with a moment's Googling.

    Also,

    The attack will probably be caused by “one or two” people at an organisation doing something small that subverts the existing cybersecurity protection, leaving the company open to attack.

    "And once that had happened,” Levy says, “there was no way that the organisation could have protected itself, and they will be really, really sorry that this sort of thing will have happened."

    Actually, this sounds exactly like what Edward Snowden did, except the government is still too much in denial to admit what happened because calling it an "attack" is sort of a stretch - the attack is all the heart attacks people have when they learn the truth of how unconstitutional and ethically corrupt their government is.

  21. They're So Good That... by ytene · · Score: 4, Informative

    ... it took lone-contributor security researcher, Marcus Hutchins, to stop the WannaCry ransomware outbreak [by registering a domain name].

    Ian Levy, the Director of the UK National Cybersecurity Centre and the individual quoted in the OP, heads an agency that is so good, so capable, so on-the-ball, that it took a private individual to identify a means of neutering WannaCry.

    Never mind the fact that it would have been Levy's organisation that was responsible for preventing the NHS and other UK government agencies from being compromised in the first place...

    To give you an idea for just how misguided the man's thinking is, here's another of his quotes, from the same article:-

    "“Cybersecurity professionals have spent the last 25 years saying people are the weakest link. That’s stupid!” he said, “They cannot possibly be the weakest link – they are the people that create the value at these organisations."

    So, let's just get this right. When we have an abundance of evidence that shows that it is people, not technology, who select easily-guessed passwords, people, not technology, that click the links in phishing emails, people, not technology, that try and promote code that hasn't been properly tested, "because they know it's OK, they don't need to test..." ... Mr Levy is certain that all this evidence is wrong, and he is correct.

    I think that having Mr Levy in charge at the NCC is actually more scary than his claims of a "Major Cyber Attack Happening Soon" ...

    1. Re:They're So Good That... by Anonymous Coward · · Score: 2, Funny

      Did he start out with a degree in music?

    2. Re:They're So Good That... by Anonymous Coward · · Score: 1

      Smoking weed at band camp one time still leaves you more qualified than half of the Trump Administration.

    3. Re:They're So Good That... by sgt_doom · · Score: 1

      No, no, no, it was really robots outside of the Pentagon who picked up those USB sticks, took them instead and against ALL Pentagon regulations inserted said sticks of unknown origin into their government computers. It's always those damn robots . . .

    4. Re:They're So Good That... by Anonymous Coward · · Score: 0

      Yea, they should know that keeping personal email servers locked in a bathroom closet and clicking on phishing links isn't good security. Or am I thinking of someone else?

  22. Powered by systemd by Anonymous Coward · · Score: 0

    A "category one" cyber-attack, the most serious tier possible, will happen "sometime in the next few years",

    Huh, putting a DNS server, a web server, and all that stuff into init increased the attack surface. Who knew?

  23. Physical just as important by Anonymous Coward · · Score: 1

    Don't need a cyber attack, just physical against several Critical Infrastructure sectors to cripple a society, or worse, a mixture of the two. Mainly electricity, fuel (natural gas, petrol), and water. It all falls apart without any of those 3, but take out 2 or more of them and it is crippling.

    But, as far as cyber goes, Ted Koppel's Lights Out is a great read. It's not just the US which would be crippled by such attacks.

  24. Is this coded talk???? by sgt_doom · · Score: 1

    Does this dood mean it's time to offshore even more Brit jobs to China???? These clowns are always soooo confusing . . .

    1. Re:Is this coded talk???? by Anonymous Coward · · Score: 0

      They're saying that they have plans to crack down on everyone's on Internet privacy.
      China already does that, so why would you want to move the jobs there?

      It's really warning companies to get out before they decide to build the Great Firewall of England.
      And if Trump has his way, the US won't be far behind.

    2. Re:Is this coded talk???? by AHuxley · · Score: 1

      Run a billing system on a consumer OS. Have support calls in another nation.
      If it's just a consumer network and service it can fail often and for a long time.
      The coded talk is for the rest of the contractors and vital infrastructure. Say a power company lost its billing system and call centre? The lights stay on as the grid networks and OS are very different and not connected.
      That's the coded warning.
      A gov will forgive and forget any consumer network, product or service being down for a long time.
      Don't spend the time to protect, secure and harden vital national infrastructure after being given directions to do so? Fail to help when asked by the security services?
      Then a government will have to think about how it deals with businesses who did not do what was suggested.

      --
      Domestic spying is now "Benign Information Gathering"
  25. Category Dumbass... by Anonymous Coward · · Score: 0

    I predict a category dumbass will hit us right now.

  26. Put the equifax data out there by Anonymous Coward · · Score: 0

    Make the cybercriminals think they've hit paydirt!

  27. Scary monsters by petes_PoV · · Score: 1

    The guy might as well warn everyone that it is likely to rain "soon"

    This must count as the most inept warning - or is it merely a tragically poor attempt to scare a government into increasing their funding - for years.

    --
    politicians are like babies' nappies: they should both be changed regularly and for the same reasons
  28. Major cyber-attack will happen soon .. by najajomo · · Score: 1

    Major cyber-attack will happen soon, followed by a call for even more onerous surveillance laws.

  29. Re:category 1? category 5? by Anonymous Coward · · Score: 0

    We do that with the problem in our IT department - a category five ****storm requires all staff to be inside the help desk and the main doors to be sealed and bolted shut until the crisis is over. Fortunately, we are in the basement next to the utility room, so they can't cut our air supply off.

  30. As if the UK wasn't Orwell enough by Anonymous Coward · · Score: 0

    What's that crazy-scared bitch going to do now? We all know who I'm talking about.

  31. Regulate network software by Anonymous Coward · · Score: 1

    The approach suggested, give up and expect to lose data, is just another wrong approach.

    Such an attack is likely to come in the form of IoT attack. Billions of devices are going online over the next few years. Most of them use unpatched linux variants. A team of cunning programmers could exploit a few Linux zero days to spread a worm across the internet. They could in theory destroy billions of devices causing hundreds of billions in direct damage and hundreds of billions more in indirect damage from the chaos.

    The right approach is legislation. Mass production network enabled software/firmware should first be certified just like we certify electrical. We need to do this now in a level headed fashion before some hurricane hits because if it comes later much more draconian ill considered laws become more probable. Unfortunately people need Chicago to burn to the ground to figure out fire regulations are a smart idea even if sometimes cumbersome. Thus it will take an internet outage that cripples the economy to finally sink in that software in the digital age presents a safety issue.

  32. Re:category 1? category 5? by AHuxley · · Score: 1

    If it was a fictional movie script what would 1 to 5 look like AC?
    1. An artist can't log into the cloud to get their online only art software to work. The consumer internet is no longer useful.
    2. The company buying the artists work for a larger project can't use their internet. The dedicated telco networks are having problems.
    3. Non vital infrastructure fails. Lights, billing, banking systems, power to towns, cities.
    4. Vital infrastructure fails. Contractor grade networks on dual use networks fail.
    5. Mil communications, mil networks fail. Special forces per city can't be tasked on existing mil networks. Surveillance of interesting people in real time stops. Voice print tracking fails and really interesting people in the community are no longer being tracked in real time.
    The most secure mil/gov/industrial sites can no longer report in on standard gov/mil networks in real time.

    --
    Domestic spying is now "Benign Information Gathering"
  33. What an easy prediction by Anonymous Coward · · Score: 0

    Anyone could predict that. Is that his only job?? Take up media time predicting the obvious?

  34. And the Equifax hack was what on this scale? by treczoks · · Score: 1

    OK, apart from this Levy guy being a tier one nut job, and his goal is primarily to get more powers and money after showing repeated signs of incompetence, what kind of attack does he expect?

    Maybe something that exposes important information to the public that would totally destroy confidence in a government or institution?