
Archive for the ‘Information security’ Category

Dec 24, 2010

Hat-tip: Team Cymru

Dec 15, 2010

Colin Talbot at Whitehall Watch has some interesting predictions here.

Nov 18, 2010

We are told that there will be a revamped National Cyber Security Strategy published in the next few months.  This will explain what the £650 million of new money allocated for cyber security in the spending review will actually be used to deliver (I understand that Whitehall Departments are still bickering over who will get their hands on this money – the Ministry of Defence and the Home Office both believe it should come to them rather than the Cabinet Office).

However, I wonder whether it will also propose legislation.  In the United States a number of members of Congress are putting forward what they are calling the “Homeland Security Cyber and Physical Infrastructure Protection Act of 2010”.  This will give a statutory basis to the Office of Cybersecurity & Communications based in the Department of Homeland Security and would, in particular, create a new Cybersecurity Compliance Division to oversee the establishment of performance-based standards responsive to the particular risks to the .gov domain and critical infrastructure networks.

This is an interesting model.  In the UK, the Government bodies that are responsible for protecting the critical national infrastructure do not have a statutory basis and do not have any formal powers.  In my view, this hampered the effectiveness of the old National Infrastructure Security Coordination Centre, which is now incorporated into the Centre for the Protection of the National Infrastructure and falls under the ambit of the Security Service.

I have long advocated that underpinning the “voluntarist” and consensual framework Government needs to have a statutory framework that – in extremis – can be used to require Government agencies and those private companies that supply much of the national infrastructure to meet certain minimum standards and can direct action effectively in the event of some major problem arising.

Nov 16, 2010

This was drawn to my attention …..


Nov 14, 2010

My invitation to attend the Nobel Prize presentations in Oslo seems to have gone astray again.

However, perhaps that’s just as well.

The Committee to Protect Journalists reports that:

“This weekend, staff at CPJ received a personal invitation to attend the Oslo awards ceremony for Nobel Peace Prize winner Liu Xiaobo. The invite, curiously, was in the form of an Adobe PDF document. We didn’t accept. We didn’t even open the e-mail. We did, however, begin analyzing the document to see what was really inside that attachment, and what it was planning to do to our staff’s computers.

NGOs and journalists who work or report on human rights issues in China now regularly receive e-mailed attachments, often PDFs, which on closer examination prove to be malicious code sent from unknown sources. These attachments contain embedded programs that execute when the file is opened, and take advantage of local security flaws to install concealed software on their victims’ machines.

This secret software can delete or create files, commandeer the computer for cyber-attacks on other targets, or just sit and record keystrokes and network traffic, which it will then report to a remote “command-and-control” server elsewhere on the Net. A computer with this malware installed is an open book to whoever is controlling the program.

Malware is a problem for everyone. We’re all used to shady characters spamming us e-mail with enticing subject titles. But vulnerable journalists and activists receive far more sophisticated, customized messages that use narrow intelligence about their contacts and interests in order to trick their recipients into opening them. This Nobel e-mail, for instance, was sent from a colleague at a known NGO who I’ve personally met and who has invited CPJ to events in Oslo previously. The PDF, when opened, showed a legitimate-looking invitation with the organization’s logo and the signature of the NGO’s founder.”

I would probably have opened the attachment without thinking, despite being aware of the dangers. What would you have done?

Nov 13, 2010

You cannot spend any time in the Palace of Westminster without being aware of the deep dissatisfaction that MPs have with IPSA, the Independent Parliamentary Standards Authority.

So I am somewhat surprised that there has not been more fuss about the fact that the Information Commissioner has reprimanded IPSA for a security breach just before the summer recess, when MPs’ personal information – including banking details and home telephone numbers – was at risk for 21 hours.

According to ITPro:

“A data breach at the Independent Parliamentary Standards Authority (IPSA) led to MPs’ information being placed at risk, including banking details and home telephone numbers.

The breach occurred on 13 July following IT maintenance on an MP expenses database, allowing people with an expenses account and their clerks to access the information.

The security loophole was left open for 21 hours and the Information Commissioner’s Office (ICO) has ordered the IPSA to take steps to ensure such a breach does not occur again.

“This case highlights how any work carried out on a database must be subject to rigorous security testing before being re-launched,” said Mick Gorrill, head of enforcement at the ICO.

“MPs carry out a high profile role and the information their expenses claims include could put them at risk of fraud and endanger their security.”

The IPSA, which said it reported the breach to the ICO as soon as it happened, has now signed an undertaking, which includes a requirement to ensure system administrator accounts are reviewed regularly.”

IPSA will shortly be offering courses on how to win friends ……

Oct 14, 2010

There was a two hour debate in the House of Lords this evening on a Lords’ Select Committee report on protecting Europe against large-scale cyber-attacks.

My contribution (which followed an excellent maiden speech from Lord John Reid) was as follows:

“My Lords, it is an enormous pleasure to follow my noble friend Lord Reid of Cardowan and his maiden speech, in the course of which he paid a very graceful tribute to his successor as Member of Parliament. He told us that she had already attained the ripe old age of 25. I am informed that the noble Lord started his political career some considerable period earlier than 25. I am told, in fact, that he led his first strike at the age of about 14 and a half when he was still at school and was objecting to the practice of the fairly disciplinarian head teacher that the children should be kept outside, irrespective of the weather, until the school started. He called a strike of his fellow pupils on the basis that, if they were not allowed in until nine o’clock, they would not go in after nine o’clock. My understanding is that he was successful in that, which demonstrates a robustness and forceful nature, which we have seen in this afternoon’s speech. However, we have also seen the noble Lord’s other side—his erudite and thoughtful nature. I understand that it is that side that comes in particularly useful in his latter-day role as chairman of Celtic Football Club, where erudition and thoughtfulness is particularly important.

The noble Lord has had 10 years in very senior roles as a member of Her Majesty’s Government. He was in the last Government what I think should be described as a “big beast”, with the emphasis on some occasions on the word “beast”. I worked closely with him in a number of those roles, in particular in his time at the Home Office. One of the achievements of that period is a lasting one: the creation of the Office for Security and Counter-Terrorism. This country will learn to realise how significant and important it has been, and that is down to my noble friend. His contribution today has demonstrated the qualities of robustness and erudition that we will all expect to hear much more of in the time ahead. We do indeed look forward to many further contributions of a similar nature.

I am grateful to the noble Lord, Lord Jopling, for his introduction of the report and his work, and the work of his colleagues, in pulling together the report which we have had. It is a very important Select Committee report, and I had the privilege of sitting in on a couple of the evidence sessions to hear the discussion. As the noble Lord pointed out, we are having quite a timely debate following the reported comments of the director of GCHQ in the past few days. He has talked about the significant level of attacks on government systems, many of them precisely and deliberately targeted at those systems. The debate is unfortunately not quite as timely as it might be in that we do not yet have the benefits of the results of the security and defence review or the comprehensive spending review. We will have to wait a few more days for those. However, I hope that that fact of timing will not prevent the Minister from providing us with some more information on how the Government’s thinking on these matters is developing.

I have high hopes for the noble Baroness, Lady Neville-Jones, because I am aware of her continued personal interest in matters of cybersecurity and information assurance. I have attended so many meetings over the past few years which she has been at, and which have discussed these matters, that I know that she takes these matters extremely seriously. That includes, for example, her chairing for a period the Information Assurance Advisory Council, which brought—and continues to bring—together industry, academia and government to talk about these matters. We have high expectations of the Minister in what is going to be done in this field over the months and years to come, and I am sure that she will not disappoint us today in her response to this debate.

It is important that we recognise several elements in the issues around cyberattacks and the matters which this report has covered. A few years ago, a lot of these matters were dismissed as the actions of teenage cyberjuvenile delinquents who were merely interested in getting into systems because they were there and, perhaps, in gaining some element of self-respect by leaving their mark on those systems, proving that they had been there—a sort of petty vandalism, expressed in the cyberworld as opposed to the physical world that other juvenile delinquents might be engaged in. Yet we have to recognise that those juvenile delinquents have grown up. Some have grown out of those issues, but others have started their own criminal enterprises; some have been bought up by much more organised and serious criminal enterprises; some have, no doubt, become fundamentalist in their religious views; others are being employed by nation states. We have to recognise the scale and effectiveness of the targeting that can now be done.

We therefore have not only the continued action and vandalism of the juvenile delinquents but the issues around cyberactivism, of people trying to make a political or other point by mass cyberaction. We have small-scale crime, but more significantly we have an enormous wave of organised crime using the techniques that are now possible through the internet. That is now having an effect. We also have otherwise respectable businesses making use of these criminal techniques to inform themselves of their competitors’ activities and, indeed, trying to obtain intellectual property. Then we have state-sponsored activity, some of it at the commercial end but some of it much more about creating the opportunity to attack other nation states if that is necessary. The noble Lord, Lord Jopling, has talked about what happened to Estonia, and numerous incidents are now reported of what are perceived as being—although this is not necessarily the case—attacks sponsored by one nation state against another in this sphere. We have yet to see a serious terrorist act perpetrated through these means, but it is only a matter of time before terrorists also make use of these techniques as an adjunct, as part or as the main focus of their attack.

We therefore have to examine the issues raised by this report in a number of ways. First, while they might not quite meet the definition that the noble Lord, Lord Jopling, gave of a cyberattack, the activities of serious and organised criminality in terms of fraud and all the things that it is trying to do are of such a scale that Governments—national, Europe-wide and worldwide—should be taking them seriously and acting on them.

Secondly, we have to look at the scale of what is happening in terms of corporate raiders, intellectual property theft and the potential for industrial disruption. Again, some of this is by organised crime, but my understanding is that a significant proportion of that is carried out by nation states or at their behest.

Thirdly, and this is particularly important in terms of the responsibilities of our Government and the Minister, there are issues around the attacks on, and the vulnerability of, our own critical national infrastructure. Some of those attacks on government systems are about espionage, but some of them are about creating the potential for disruption.

I have a number of questions or issues that I hope the Minister will be able to respond to. The first relates to the sheer volume of criminality and whether as a nation we are equipping ourselves to keep up with those who are trying to defraud our citizens or otherwise cause problems. There has been a history of law-enforcement initiatives taken in this field. The National Hi-Tech Crime Unit, which was very successful, appeared to disappear when its responsibilities were taken over by the Serious Organised Crime Agency, so much so that the police had to set up a new unit, the Police Central E-Crime Unit—I declare an interest as someone who has been closely involved in that, as a member of both the Metropolitan Police Authority and the ACPO board that oversees it—which has had a series of successes, like the arrests a few months ago of the five men and one woman engaged in stealing the details of more than 10,000 bank accounts and allegedly netting themselves more than £3 million as a consequence. That unit, working with the private sector and levering in resources from it, has been remarkably successful, but it is still new and fairly fragile.

I understand that there are rumours that this unit should be subsumed into the proposed new national crime agency. I have no objection to the new agency, once it is established, maybe taking on this responsibility; it must certainly have a capacity to deal with these matters. My concern is that if we move too quickly to that process, the idea of subsuming a body that is only just beginning to work into a new body that will be going through its own birthing pains is not necessarily sensible. We have had evidence from the outgoing chief executive of the Child Exploitation and Online Protection Centre about the fragility of those structures and the private sector funding of them. He suggested that Microsoft may propose to withdraw the resources that it puts into CEOP because of the uncertainty about its future. I hope that the Minister will give us some assurances today about the continued budget to enable the police to play their role in fighting e-crime, that we will not see the fragile new arrangements subsumed too early into a national crime agency and that there will at least be time for any national crime agency to be established, and to establish itself, before such a change takes place—if that is what happens.

The second issue was referred to by the noble Lord, Lord Jopling, when he talked about the so-called Stuxnet attacks on the control systems of the Iranian nuclear power programme. I have been concerned, as have several noble Lords and others, about the vulnerability of SCADA systems to attack. Is the noble Baroness personally satisfied that enough is being done at present to protect such control systems for our critical national infrastructure, against both the sort of electronic attack that the Stuxnet attack seems to have been and the electromagnetic pulse attacks that the noble Lord, Lord Reid, referred to? He made the valid point that exploding a nuclear device might be rather a visible way of producing an electromagnetic pulse. However, there are regular cycles of sunspot activity that could produce the same sort of effects. The issue of protection remains, whether it is an external attack, a natural event or something triggered electronically.

I would also like the noble Baroness to tell us whether enough is being done to protect the intellectual property of the United Kingdom against electronic attacks. In this context, is she satisfied that the major contractors that provide services to government departments are themselves adequately protected against this sort of penetration? I have heard stories about some of those major contractors being heavily penetrated in possibly state-sponsored incidents. If that is the case it is extremely serious. It is important that the noble Baroness should give us her assurance as to what can be done.

Finally, I hope the noble Baroness will give us, in the course of her remarks, a route map that tells us who is in charge of the various key elements of this matter. Who is in charge of setting the standards of security for our critical national infrastructure? Who is responsible for attributing where attacks are coming from? Who is responsible for managing resilience and recovery, should an attack take place? Who is responsible, if necessary, for retaliation or taking out those who are carrying out these attacks?”

Oct 12, 2010

I have taken an interest in the safety of children and young people using social networking sites for some time, so I was interested to attend the launch by DigitalME of Safe, a new social networking safety programme for primary schools.

The programme is:

“designed to support primary school pupils in learning the essential skills to enjoy social networking, whilst remaining safe online. With children sharing content online and joining social networks at an increasingly younger age, there is a greater need to ensure primary aged pupils are equipped with the knowledge to understand potential risks and the skills to manage their digital footprint.”

It provides downloadable teacher resources so that primary school pupils can be given fun activities that help them improve their digital literacy skills.  As teachers were heavily involved in its preparation, it is designed to meet their needs, to fit in with the curriculum and aims to satisfy headteachers’ requirements (e.g. a plaque to put up in the school hall) as well.

The programme is essentially free (although there is a charge for the plaque) and it certainly looks like a worth-while initiative to me.  I wish it well.

Oct 10, 2010

My attention has been drawn to the following news item:

“A police commissioner has warned that there will definitely be an increase in cyber crime both this year and next. Even as he spoke, somebody had stolen 4 laptops from his office. “Obviously, this proves a point!” he said.

In Seine News found out from a friend who is a Freemason that following the government’s announcement of cutbacks in the numbers of uniformed policemen walking the beat in public, they invented this excuse as a smokescreen to make it more acceptable to the public.

The commissioner added: “In the good old days we had as many as 2,000 officers walking the beat at any one time. Now we have only 4, which will shortly be cut to 2 and even they will have to go together because it is not safe to go out alone! The other 2 will be employed in the office fighting cyber criminals – these are the worst type of criminals, because they are the ones that have robbed the good old English taxpayer of his hard-earned money that keeps us in a job!”

“It’s a vicious circle really – the more people that are laid off, the more that will seek to pass away their time on the Internet and statisticians project that over 75% will turn to cyber crime in some way or other – whether it’s watching pornography, selling stolen goods on eBay or stalking people on Facebook – these are all crimes for which you can be sent to prison. It is quite evident that there will be not enough prisons to hold these people and so new ones will have to be built.”

“Looking on the bright side, there is light at the end of the tunnel; there will be plenty of employment for people in the building trade – exciting times are ahead!”

Source:  The Spoof

Oct 3, 2010

The Metropolitan Police Commissioner, Sir Paul Stephenson, has issued an important reminder about specialist policing in an article in today’s Sunday Telegraph.  In it he highlights the valuable work of the Central e-Crime Unit based in the Metropolitan Police, saying:

“Four criminals obtained the personal financial details of hundreds of people, allowing them to identify up to £8 million they could steal. They siphoned off £750,000 from 64 victims before police arrested them.

In another operation, detectives working with the financial sector found a network of 600 criminally-controlled bank accounts waiting to be used to ‘cash out’ the proceeds of cyber theft.

In other cases, suspects have allegedly offered sophisticated online courses in cyber fraud.

And last week, detectives from the Metropolitan Police Central e-Crime Unit (PCeU), working with the FBI to investigate the theft of money from online bank accounts, charged 11 people.”

I have been closely involved in the setting up of this Unit over the last few years, so it was gratifying to see Sir Paul’s acknowledgement of its contribution to the fight against crime.

Sir Paul points out:

“All these cases indicate the scale of the challenge facing us. Yet my investigators tell me the expertise available to them is thin, compared to the skills at the disposal of cyber criminals.

In a modest south London office block, the PCeU’s small team of officers and civilian support staff are working to tackle cyber criminality.”

As it happened I was in that “modest south London office block” last week, looking at another of the Metropolitan Police’s specialist units, but as I passed the PCeU I was reminded yet again how small a unit it is given the scale of the problems and organised criminality that it is facing.

But Sir Paul was not simply praising a small team of dedicated police officers and staff.  He was making a much more fundamental point:

“They are unseen officers, as far as the public and some politicians are concerned. They work with the financial and internet industry to tackle the use of the internet to facilitate criminality and cyber crime, and to close down illegal sites.

However, the significance of the unit goes to the heart of the current debate about what policing should look like in an era of significant budget cuts.

Some commentators argue that we should concentrate on uniformed policing and draw back from specialised work that could be done by others. Leave cyber crime to the banks and retailers to sort out, the argument runs.

It is a fundamentally misguided argument.

If the debate about police cutbacks gets bogged down in arguments about ‘uniforms before specialists’ we will not serve the public well. It is vital to have a balanced model of policing with visible uniformed officers and specialist units such as PCeU, as well as other key units like the Kidnap Unit, Child Abuse Investigation and homicide teams.”

Sir Paul has hit the nail on the head.  Policing must be about much more than “Bobbies on the beat”.  Neighbourhood presence is of course essential.  But so too is having the specialised resources to tackle organised crime and terrorism – if these are neglected the ultimate impact on all of our qualities of life is potentially catastrophic.

Current debates about police budgets must not fall into the trap of focusing all the attention on visible policing.  Balance will be essential.

And round the corner what will be the impact of the proposed directly-elected Policing and Crime Commissioners?

There is a danger that a populist focus on visible local policing may appear to be an election-winning formula and that the essential balance in policing will be lost.  If there are to be directly-elected Commissioners – and the Coalition appears to be pretty determined that there should be – it will be vital that a clear legal duty is placed on the new Commissioners to deliver an effective contribution to the fight against organised crime and terrorism.  The new legislation must make sure that the balance between visible local policing and specialist resources, like the PCeU, is maintained.