Slashdot Mirror


Major Cyber-Attack Will Happen Soon, Warns UK's Security Boss (theguardian.com)

Alex Hern, writing for The Guardian: A "category one" cyber-attack, the most serious tier possible, will happen "sometime in the next few years", a director of the National Cybersecurity Centre has warned. According to the agency, which reports to GCHQ and has responsibility for ensuring the UK's information security, a category one cybersecurity incident requires a national government response. Speaking at an event about the next decade of information security, Levy warned that "sometime in the next few years we're going to have our first category one cyber-incident." The only way to prevent such a breach, he said, was to change the way businesses and governments think about cybersecurity. Rather than obsessing about buying the right security products, Levy argued, organisations should instead focus on managing risk: understanding the data they hold, the value it has, and how much damage it could do if it was lost, for instance.


  1. MORE FUNDING! by brian.stinar · · Score: 4, Insightful

    Well, it sounds like the only reasonable thing to do would be to provide the National Cybersecurity Centre with much more funding!!

    1. Re:MORE FUNDING! by Train0987 · · Score: 5, Insightful

      Don't forget abolishing any privacy or encryption.

    2. Re: MORE FUNDING! by hey! · · Score: 2

      I've seen how government reacts to impending crisis. The money goes to contractors, agencies are just conduits.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  2. Re:He's right by KiloByte · · Score: 2

    Also he forgot one important part. Planning for what to do when the inevitable happens.

    Well, he did plan. He wants more funds and power right now, then again when the big attack will happen.

    --
    The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
  3. Too late by cordovaCon83 · · Score: 2

    Maybe he's talking about in the UK specifically, or maybe his definition of a category one cyber-attack is different from my own (confession - I didn't RTFA to find out how cyber attacks are classified!) But if you want to talk about major acts of sabotage perpetrated through "cyber" - http://www.zdnet.com/article/u... Also, that whole Stuxnet thing.

  4. Re:Amm... So what? by sdinfoserv · · Score: 3, Informative

    How about these: the power grid goes down, for several months. Dam flood gates open releasing enough water to flood towns downstream. Your car no longer starts. Raw sewage from treatment plants backs up into the streets of all major cities. Stop lights turn all green every direction.
    Like that? So what? Still?
    Ya, I thought so.

  5. Managing risk by tomhath · · Score: 4, Interesting

    Rather than obsessing about buying the right security products, Levy argued, organisations should instead focus on managing risk: understanding the data they hold, the value it has, and how much damage it could do if it was lost, for instance.

    He has a good point. When an all-out attack does happen you won't be able to stop it. So before it does, make sure your backups work, make sure your restores work, put fences up to stop the spread of an attack, etc, etc.

    In other words, assume the attack will succeed. Then what will you do?

  6. They're So Good That... by ytene · · Score: 4, Informative

    ... it took lone-contributor security researcher, Marcus Hutchins, to stop the WannaCry ransomware outbreak [by registering a domain name].

    Ian Levy, the Director of the UK National Cybersecurity Centre and the individual quoted in the OP, heads an agency that is so good, so capable, so on-the-ball, that it took a private individual to identify a means of neutering WannaCry.

    Never mind the fact that it would have been Levy's organisation that was responsible for preventing the NHS and other UK government agencies from being compromised in the first place...

    To give you an idea for just how misguided the man's thinking is, here's another of his quotes, from the same article:-

    "“Cybersecurity professionals have spent the last 25 years saying people are the weakest link. That’s stupid!” he said, “They cannot possibly be the weakest link – they are the people that create the value at these organisations."

    So, let's just get this right. When we have an abundance of evidence that shows that it is people, not technology, who select easily-guessed passwords, people, not technology, that click the links in phishing emails, people, not technology, that try and promote code that hasn't been properly tested, "because they know it's OK, they don't need to test..." ... Mr Levy is certain that all this evidence is wrong, and he is correct.

    I think that having Mr Levy in charge at the NCC is actually more scary than his claims of a "Major Cyber Attack Happening Soon" ...

    1. Re:They're So Good That... by Anonymous Coward · · Score: 2, Funny

      Did he start out with a degree in music?

  7. Re:Amm... So what? by cordovaCon83 · · Score: 3, Interesting

    Wrong thread. Stuxnet, as stated in another thread, definitely happened, along with the Russian oil pipeline explosion in 1982. Those are definitely category ones. So yeah I'm with you, there's more to worry about than just Amazon going down for a couple of days. Still, I'd anticipate the attack vectors to be something other than municipal systems, depending on the motivation of the actor.

  8. Re:He's right by ctilsie242 · · Score: 2

    They won't. "Security has no ROI" has been a mantra for the industry, and virtually the entire IoT campaign since its inception. Plus, with companies able to get away scot-free no matter how egregious the breach by saying, "we can't do anything, the hackers are too good" almost institutionalize the fact that shit for security is the standard.

    A "cat 1" breach is inevitable. I was at a meeting with someone from a Congressional committee several years back stating that an intrusion that would cause massive destruction and loss of life is going to happen. However, luckily it hasn't. I hope it doesn't, because I'm sure laws will hit the books like the CFAA which might get some teenager arrested and jailed for 20 years because they found perl world executable on their school's webserver, but won't do a single thing against organizations overseas who are well-heeled.

    What we need to do is have governments stop focusing on scare tactics and start tackling this problem in a methodical way:

    1: An organization like UL (Underwriters Labs) which does security testing, and does similar to Europe's Sold Secure. A Sold Secure Bronze router may be something OK, but a Sold Secure Gold router would be designed from the ground up using a secure microkernel OS with MAC/DAC protection on everything, specialized CPU, multiple cryptographic signatures on ROM images, source code audited by a clued third party or an organization like NIST, etc.

    2: Since most regulations (FERPA, FedRAMP, FISMA, HIPAA, CJIS, SOX, PCI-DSS, etc.) have overlapping items, take the core ones that all of them cover, and have a certification which allows for random auditing at any time without notice.

    3: Have multiple different certifying agencies, so regulatory capture becomes less of an issue.

    4: More data privacy laws like the EU should be enacted. That way, a company getting massively compromised might feel more than a few days of bad PR.