Slashdot Mirror

← Back to Stories (view on slashdot.org)

Major Cyber-Attack Will Happen Soon, Warns UK's Security Boss (theguardian.com)

Posted by msmash on from the up-next dept.

Alex Hern, writing for The Guardian: A "category one" cyber-attack, the most serious tier possible, will happen "sometime in the next few years", a director of the National Cybersecurity Centre has warned. According to the agency, which reports to GCHQ and has responsibly for ensuring the UK's information security, a category one cybersecurity incident requires a national government response. Speaking at an event about the next decade of information security, Levy warned that "sometime in the next few years we're going to have our first category one cyber-incident." The only way to prevent such a breach, he said, was to change the way businesses and governments think about cybersecurity. Rather than obsessing about buying the right security products, Levy argued, organisations should instead focus on managing risk: understanding the data they hold, the value it has, and how much damage it could do if it was lost, for instance.

45 of 66 comments (clear)

  1. MORE FUNDING! by brian.stinar · · Score: 4, Insightful

    Well, it sounds like the only reasonable thing to do would be to provide the National Cybersecurity Centre with much more funding!!

    1. Re:MORE FUNDING! by Train0987 · · Score: 5, Insightful

      Don't forget abolishing any privacy or encryption.

    2. Re:MORE FUNDING! by zuki · · Score: 1

      Surely this will come up for debate in the UK, especially once it manages to rid itself of any vestigial remaining compliance to European laws governing cyber-security.

      FUD-based balkanization of this once-great river of data proceeding apace....

    3. Re:MORE FUNDING! by AmiMoJo · · Score: 1

      Surely we should be de-funding these guys, since it's their incompetence and unwillingness to actually help protect us that has gotten us here.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    4. Re:MORE FUNDING! by tinkerton · · Score: 1

      I tend to be just as cynical but I happen to agree with his advice: start working on damage control.

    5. Re: MORE FUNDING! by hey! · · Score: 2

      I've seen how government reacts to impending crisis, The money goes to contractors, agencies are just conduits.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    6. Re:MORE FUNDING! by rholtzjr · · Score: 1

      Mitigation is always the prudent path. I have lost count of the times I had been countered in a design meeting when asking what security approach we would use only to be told "features" outweigh "security". I hope that most companies actually did create a tested, repeatable and, current disaster recovery plan because I think they may need it in the near future.

  2. He's right by bravecanadian · · Score: 1

    Rather than obsessing about buying the right security products, Levy argued, organisations should instead focus on managing risk: understanding the data they hold, the value it has, and how much damage it could do if it was lost, for instance.

    But what do you suppose the chances are that the leaders of these organizations magically start thinking that way?

    Also he forgot one important part. Planning for what to do when the inevitable happens.

    1. Re:He's right by KiloByte · · Score: 2

      Also he forgot one important part. Planning for what to do when the inevitable happens.

      Well, he did plan. He wants more funds and power right now, then again when the big attack will happen.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    2. Re:He's right by tomtomtom · · Score: 1

      But what do you suppose the chances are that the leaders of these organizations magically start thinking that way?

      When their auditors, audit committees, and (where relevant) regulators require them to then it will happen. There is a fair degree of lobbying going on behind the scenes to effect it via this route in the UK at least. This kind of cultural change takes some time, but there are plenty of examples of it happening - employee health and safety, corporate governance, etc

    3. Re:He's right by ctilsie242 · · Score: 2

      They won't. "Security has no ROI" has been a mantra for the industry, and virtually the entire IoT campaign since its inception. Plus, with companies able to get away scot-free no how egregious the breach by saying, "we can't do anything, the hackers are too good" almost institutionalize the fact that shit for security is the standard.

      A "cat 1" breach is inevitable. I was at a meeting with someone from a Congressional committee several years back stating that an intrusion that would cause massive destruction and loss of life is going to happen. However, luckily it hasn't. I hope it doesn't, because I'm sure laws will hit the books like the CFAA which might get some teenager arrested and jailed for 20 years because they found perl world executable on their school's webserver, but won't do a single thing against organizations overseas who are well-heeled.

      What we need to do is have governments stop focusing on scare tactics and start tackling this problem in a methodical way:

      1: An organization like UL (Underwriters Labs) which does security testing, and does similar to Europe's Sold Secure. A Sold Secure Bronze router may be something OK, but a Sold Secure Gold router would be designed from the ground up using a secure microkernel OS with MAC/DAC protection on everything, specialized CPU, multiple cryptographic signatures on ROM images, source code audited by a clued third party or an organization like NIST, etc.

      2: Since most regulations (FERPA, FedRAMP, FISMA, HIPAA, CJIS, SOX, PCI-DSS, etc.) have overlapping items, take the core ones that all of them cover, and have a certification which allows for random auditing at any time without notice.

      3: Have multiple different certifying agencies, so regulatory capture becomes less of an issue.

      4: More data privacy laws like the EU should be enacted. That way, a company getting massively compromised might feel more than a few days of bad PR.

  3. Nothing but an excuse by Anonymous Coward · · Score: 1

    This is nothing but an excuse to grab power. What with the advent of cryptocurrencies, strong encryption, and a growing distaste for governments and corporations, you can bet your last penny the people in power will do anything to keep it. If we in the West do not stop this sorry power grab stuff that keeps happening, we'll end up like China as regards the Internet.

  4. so "soon" = "next few years" is cyber space? by sittingnut · · Score: 1

    so "soon" = "next few years" is cyber space?

    and it is possible to accurately predict future of online world and its evolution for few years into future? so accurately that funds and laws infringing on other needs, and privacy, can be reallocated?

    given the hurricane terminology, would there be a campaign against skeptics of these predictions, like against skeptics of climate change predictions?

  5. Single Most Devastating Cyberattack by Anonymous Coward · · Score: 1

    "I’ve often thought that the single most devastating cyberattack a diabolical and anarchic mind could design would not be on the military or financial sector but simply to simultaneously make every e-mail and text ever sent universally public. It would be like suddenly subtracting the strong nuclear force from the universe; the fabric of society would instantly evaporate, every marriage, friendship and business partnership dissolved. Civilization, which is held together by a fragile web of tactful phrasing, polite omissions and white lies, would collapse in an apocalypse of bitter recriminations and weeping, breakups and fistfights, divorces and bankruptcies, scandals and resignations, blood feuds, litigation, wholesale slaughter in the streets and lingering ill will."

  6. Too late by cordovaCon83 · · Score: 2

    Maybe he's talking about in the UK specifically, or maybe his definition of a category one cyber-attack is different from my own (confession - I didn't RTFA to find out how cyber attacks are classified!) But if you want to talk about major acts of sabotage perpetuated through "cyber" - http://www.zdnet.com/article/u... Also, that whole Stuxnet thing

  7. Re: category 1? category 5? by Anonymous Coward · · Score: 1

    What part of "most serious tier" did you not get?

    Please let me know I don't get it either.

    This means they will actually delete stuff? More people spying on us? No really! WTF is this "tier?"
    Just FUD.

  8. Re:James Bond by hraponssi · · Score: 1

    Most countries, at least in Europe, have one. Just put "national cyber security centre" + name country. Of course, they have little to do with James Bond style cool stuff. More like national level network monitoring, situational awareness, threat intelligence, guiding and educating companies and public organizations as useful.

  9. Re:Amm... So what? by sdinfoserv · · Score: 3, Informative

    How about these:: the power grid goes down, for several months. Dam flood gates open releasing enough water to flood towns down stream. Your car no longer starts. Raw sewage from treatment plants backs up into the streets of all major cities. Stop lights turn all green every direction.
    Like that? So what? Still?
    Ya, I thought so.

  10. Managing risk by tomhath · · Score: 4, Interesting

    Rather than obsessing about buying the right security products, Levy argued, organisations should instead focus on managing risk: understanding the data they hold, the value it has, and how much damage it could do if it was lost, for instance.

    He has a good point. When an all out attack does happen you won't be able to stop it. So before it does, make sure your backups work, make sure your restores work, put fences up to stop the spread of an attack, etc, etc.

    In other words, assume the attack will succeed. Then what will you do?

  11. Blah Blah and More Blah by EndlessNameless · · Score: 1

    The various corporations and governments have been warned for years that trade secrets and infrastructure are extremely vulnerable. This warning is more of the same.

    Repeated breaches have not convinced them to make the fundamental changes that are necessary. It seems that nothing short of a catastrophe will.

    --

    ---
    According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
  12. he is right on risk management by hraponssi · · Score: 1

    Don't know where all the funding stuff comes from in here, except maybe the history of it always leading to that, hah.. But he is right that building cybersecurity or generally running a business without basing it on sound risk analysis makes no sense. Realizing that should not be rocket science but somehow people/organizations don't seem to do it anyway. I find it good that someone tries to bring the message..

  13. Re:Amm... So what? by cordovaCon83 · · Score: 1

    No, you're right, those are all terrible things that are allegedly feasible through cyber attacks. However, the director insinuated that a category one cyber attack had never ever occurred before. Again, that may be true in the UK, but I guarantee the other two events that I listed warranted a "category one" cyber attack in their respective countries.

  14. I propose a law... by dicobalt · · Score: 1

    ...which will imprison people for using the word "cyber". Each instance of the word would carry the penalty of 24 hours locked inside a smelly hall closet with a small television blasting the movie Lawnmower Man on an endless loop.

    1. Re:I propose a law... by gweihir · · Score: 1

      I would be completely on-board with that. "Cyber" immediately marks you as clueless and unaware of it.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  15. Somebody wants more power and budget.... by gweihir · · Score: 1

    Pretty obviously.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  16. So instead of doing something sensible like... by Casandro · · Score: 1

    ... putting more research into actual advances into computer security, or making systems more secure, for example by banning the most insecure products and demanding minimum evidence based security standards...

    he probably just wants people buying exploits on the market in order to compromise the computational devices of innocent victims.

  17. They're So Good That... by ytene · · Score: 4, Informative

    ... it took lone-contributor security researcher, Marcus Hutchins, to stop the WannaCry ransomware outbreak [by registering a domain name].

    Ian Levy, the Director of the UK National Cybersecurity Centre and the individual quoted in the OP, heads an agency that is so good, so capable, so on-the-ball, that it took a private individual to identify a means of neutering WannCry.

    Never mind the fact that it would have been Levy's organisation that was responsible for preventing the NHS and other UK government agencies from being compromised in the first place...

    To give you an idea for just how misguided the man's thinking is, here's another of his quotes, from the same article:-

    "“Cybersecurity professionals have spent the last 25 years saying people are the weakest link. That’s stupid!” he said, “They cannot possibly be the weakest link – they are the people that create the value at these organisations."

    So, let's just get this right. When we have an abundance of evidence that shows that it is people, not technology, who select easily-guessed passwords, people, not technology, that click the links in phishing emails, people, not technology, that try and promote code that hasn't been properly tested, "because they know it's OK, they don't need to test..." ... Mr Levy is certain that all this evidence is wrong, and he is correct.

    I think that having Mr Levy in charge at the NCC is actually more scary than his claims of a "Major Cyber Attack Happening Soon" ...

    1. Re:They're So Good That... by Anonymous Coward · · Score: 2, Funny

      Did he start out with a degree in music?

    2. Re:They're So Good That... by Anonymous Coward · · Score: 1

      Smoking weed at band camp one time still leaves you more qualified than half of the Trump Administration.

    3. Re:They're So Good That... by sgt_doom · · Score: 1

      No, no, no, it was really robots outside of the Pentagon who picked up those USB sticks, took them instead and against ALL Pentagon regulations inserted said sticks of unknown origin into their government computers. It's always those damn robots . . .

  18. Re:Amm... So what? by sdinfoserv · · Score: 1

    "allegedly feasible"... https://www.digitaltrends.com/...
    Allegedly 7 years ago.

  19. Re:Amm... So what? by Comboman · · Score: 1

    The last time someone made a claim that civilization was ending because of computers was the Y2K bug, and we all know how that turned out. Power grids, water, sewage and traffic control systems all existed and worked perfectly fine before there was an internet. If someone decided to connect them to an insecure network without the option to quickly and easily disconnect them again, that person should be fired.

    --
    Support Right To Repair Legislation.
  20. Physical just as important by Anonymous Coward · · Score: 1

    Don't need a cyber attack, just physical against several Critical Infrastructure sectors to cripple a society, or worse, a mixture of the two. Mainly electricity, fuel (natural gas, petrol), and water. It all falls apart without any of those 3, but take out 2 or more o them and it is crippling.

    But, as far as cyber goes, Ted Koppel's Lights Out is a great read. It's not just the US which would be crippled by such attacks.

  21. Re:Amm... So what? by cordovaCon83 · · Score: 3, Interesting

    Wrong thread Stuxnet, as stated in another thread, definitely happened, along with the Russian oil pipeline explosion in 1982. Those are definitely category one's. So yeah I'm with you, there's more to worry about than just Amazon going down for a couple of days. Still, I'd anticipate the attack vectors to be something other than municipal systems, depending on the motivation of the actor.

  22. Re:Amm... So what? by Anonymous Coward · · Score: 1

    I mean, what's the worst that can happen in a cyberattack?

    You have no idea what is going on, do you?

    Attackers could target the electrical grid and knock out the power to an entire region of the US. Or the entire country. And there are failure modes that destroy equipment.

    Bank site is down?

    How about the entire banking network? We could be talking about payment processing (Visa, etc) or the bank transaction network (ACH).

    WhatsApp doesn't work?

    Funny that you mention this, but the control system for cellular systems is notoriously outdated.

    A sophisticated actor may be able to disrupt the entire network. We've seen targeted attacks to eavesdrop on individuals, but no one has demonstrated DoS tools yet. There are numerous known vulnerabilities, yet the telecoms drag their feet on an upgrade/replacement.

  23. Is this coded talk???? by sgt_doom · · Score: 1

    Does this dood mean it's time to offshore even more Brit jobs to China???? These clowns are always soooo confusing . . .

    1. Re:Is this coded talk???? by AHuxley · · Score: 1

      Run a billing system on a consumer OS. Have support calls in another nation.
      If its just a consumer network and service it can fail often and for a long time.
      The coded talk is for the rest of the contractors and vital infrastructure. Say a power company lost its billing system and call centre? The lights stay on as the grid networks and OS are very different and not connected.
      Thats the coded warning.
      A gov will forgive and forget any consumer network, product or service been down for a long time.
      Dont spend the time to protect, secure and harden vital national infrastructure after been given directions to do so? Fail to help when asked by the security services?
      Then a government will have to think about how it deals with businesses who did not do what was suggested.

      --
      Domestic spying is now "Benign Information Gathering"
  24. Re: James Bond by hey! · · Score: 1

    "National Cyber Security -- Vatican City"

    Nah. That's more Dan Brown than Ian Fleming.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  25. Scary monsters by petes_PoV · · Score: 1
    The guy might as well warn everyone that it is likely to rain "soon"

    This must count as the most inept warning - or is it merely a tragically poor attempt to scare a government into increasing their funding - for years.

    --
    politicians are like babies' nappies: they should both be changed regularly and for the same reasons
  26. Major cyber-attack will happen soon .. by najajomo · · Score: 1

    Major cyber-attack will happen soon, followed by a call for even more onerous surveillance laws.

  27. Re:James Bond by mikael · · Score: 1

    The fear of a massive DDoS attack, somebody breaks into the digital records of the inland revenue, Parliament (already happened with an email server), an encryption malware worm or an attempt to shut down or overload the electricity grid.

    --
    Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
  28. Regulate network software by Anonymous Coward · · Score: 1

    The approach suggested, give up and expect to lose data, is just another wrong approach.

    Such an attack is likely to come in the form of IoT attack. Billions of devices are going online over the next few years.. Most of them use unpatched linux variants. A team of cunning programmers could exploit a few Linux zero days to spread a worm across the internet. They could in theory destroy billions of devices causing hundreds of billions in direct damage and hundreds of billions more in indirect damage from the the chaos .

    The right approach is legislation,. Mass production network enabled software/firmware should first be certified just like we certify electrical. We need to do this now in a level headed fashion before some hurricane hits because if it comes later much more draconian ill considered laws become more probable. Unfortunately people need Chicago to burn to the ground to figure out fire regulations are smart idea even if sometimes cumbersome.Thus is will take an internet outage that cripples the economy to finally sink in that software in the digital age presents a safety issue.

  29. Re: James Bond by sound+vision · · Score: 1

    It's more Michael Jackson if you ask me.

  30. Re:category 1? category 5? by AHuxley · · Score: 1

    If it was a fictional movie script what would 1 to 5 look like AC?
    1. An artist cant log into the cloud to get their online only art software to work. The consumer internet is no longer useful.
    2. The company buying the artists work for a larger project cant use their internet. The dedicated telco networks are having problems.
    3. Non vital infrastructure fails. Lights, billing, banking systems, power to towns, cities.
    4. Vital infrastructure fails. Contractor grade networks on dual use networks fail.
    5. Mil communications, mil networks fail. Special forces per city cant be tasked on existing mil networks. Surveillance of interesting people in real time stops. Voice print tracking fails and really interesting people in the community are no longer been tracked in real time.
    The most secure mil/gov/industrial sites can no longer report in on standard gov/mil networks in real time.

    --
    Domestic spying is now "Benign Information Gathering"
  31. And the Equifax hack was what on this scale? by treczoks · · Score: 1

    OK, apart from this Levy guy being a tier one nut job, and his goal is primarily to get more powers and money after showing repeated signs of incompetence, what kind of attack does he expect?

    Maybe something that exposes important information to the public that would totally destroy confidence in a government or institution?