My attention has been drawn to Kevin Anderson’s very sensible and balanced analysis of the Gary McKinnon extradition case. It is far more measured than Mayor (and part-time Telegraph columnist) Boris Johnson’s rant. I wonder who earns the most from his journalism – the one who provides analysis or the one who rants with cavalier regard for fact?
I attended a meeting this morning where, in passing, there was a reference to the new British Telecom network upgrade (21CN) that is now underway. The presentation had just included a warning to British businessmen travelling to China (after all, even a senior No10 aide had been caught). It was then pointed out that a key component of 21CN was manufactured in China by a manufacturer with close links (don't they all?) to the Chinese Government, and that Government departments and most businesses allowed at least some of their key data or their voice communications to go over BT networks. So, by implication, any malign intervention wouldn't require a honey-trap for someone visiting China but could be done remotely via the components in 21CN.
Apparently, one of the suppliers of 21CN's Multiservice Access Nodes (and, let's be honest, I am not sure precisely what these are, but they sound important) is Huawei Technologies. Huawei promise that their success in winning the contract will create “many new jobs in the UK”.
Obviously, it is possible for people to be paranoid (and many are) that anything electronic manufactured in China (or anywhere else that we don't trust this week) might contain “hidden” code capable of broadcasting back the contents of communications or even allowing control of equipment to be passed to those with malign intent overseas. But, as we know, being paranoid doesn't mean that people aren't out to get you.
So how worried should we be about the security of British business and of the UK's critical national infrastructure?
I cannot assess the real scale of the threat, although there does seem to be a growing consensus that the Chinese Government are building up their capacity to wage cyber war and that there is the intent to achieve cyber dominance by 2050. The Chinese are certainly investing heavily in high technology and there is substantial US concern about the Chinese capacity for conventional and industrial espionage by electronic means.
What I am clear about is that as a nation we do not take information security as seriously as we should – and this applies in the public sector and in the private sector alike. If there is a threat from BT's 21CN, it may now be too late to do anything about it, and that leaves the real question: what is being put in place to ensure that the threat is being mitigated?
I have now received from Lord Stephen Carter a response to the points I made in the debate. Unfortunately, the response slightly misses the point (by about a mile, actually). It sets out the measures being introduced to improve the enforcement of consumer law applying to on-line transactions. This is all good stuff – a single online complaints register for people encountering an online scam; investment in new equipment, training and staff for on-line consumer law enforcers; and a review of enforcement powers in an on-line world. However, this is not really going to provide much reassurance for people nervous about letting an unknown person into their homes to fiddle around with their computer systems.
I have now written back to Stephen Carter – although my letter may well have arrived after his last day in office (he is one of the GOAT ministers who is resigning this month). My letter says:
“Thank you for your letter of 8th July. I am grateful for the clarification you have provided on the points I raised following your statement to the House on 16th June.
However, I would like to come back on the second issue I raised. This related to the need to ensure that consumers have adequate protection when dealing with suppliers, such as “The Geek Squad” or “The Tech Guys” – both specifically mentioned in “Digital Britain”.
In your response, you mention the measures being taken to improve enforcement of consumer law applying to on-line transactions. Whilst these measures are valuable, they rather miss the point of my concerns. Both “The Geek Squad” and “The Tech Guys” involve the consumer permitting individuals to access their computer equipment (and usually their homes). Such individuals are being given a position of trust by the consumers concerned, who will assume that they are (1) honest and (2) know what they are doing. As far as these points are concerned, it is extremely unlikely that the consumer will have the technical knowledge to understand (or indeed to be able to detect) what has been done to their equipment – that is after all why they have asked “The Geek Squad” or “The Tech Guys” to visit or to look at their equipment.
If you engage a security guard from a security firm, the individuals engaged are required to be registered with the Security Industry Authority and will have been vetted for criminality and there are requirements relating to their training. Yet the activities of most security personnel will usually be visible and will normally be comprehensible to the person engaging them. Should there not be some similar system of regulation and customer assurance of the quality of work in place for those individuals engaged by “The Geek Squad”, “The Tech Guys” or any other similar service? If no such system is in place, most customers – who are likely not to be skilled technically – will be vulnerable to data being stolen from them, to malicious code being placed on their machines or to more traditional forms of criminality.
I would welcome your comments on what can be done to address this. I am copying this letter to Lord West of Spithead (in view of the information security implications) and to Alun Michael MP (in view of his role chairing the Tripartite Internet Crime and Security Initiative).”
I will be interested to see if the civil servants get the point this time.
This morning I took part in a breakfast discussion on the Lords Terrace (over orange juice and croissants, but fortunately under cover as it was pouring with rain) with Lord Young of Graffham and Lord Razzall about what can be done to re-energise the British technology sector. The occasion was the launch of the Micro Focus Technology Manifesto, “Making BrITain Great Again”. It was well-attended and the Q&A session at the end was lively and could clearly have continued for much longer.
The central theme was that Britain has the potential to generate a much larger proportion of its GDP from the technology innovation-driven sector and the manifesto is designed to kick-start a debate about what can usefully be done to create an environment in which the sector can thrive, expand and create new and sustainable jobs in the UK. The manifesto has five strands:
- increasing the supply of world-class technology talent in the UK
- harnessing the expertise and goodwill of successful leaders around the world to mentor leaders of UK-based emerging technology businesses
- changing substantially the tax incentives available to companies and individuals who want to invest in growing technology businesses in the UK
- implementing fiscal incentives for UK-based companies seeking to take forward world-leading R&D
- encouraging overseas technology companies to invest in a UK hub
I hope that the manifesto does kick-start a debate on these issues and that all the main Parties will commit to following the direction of travel indicated. Indeed, I would hope that the core principle would be readily endorsed. Future UK prosperity can only be sustained if the country is able to offer something significant to the world economy, and that something in my view has to be that Britain is able to exploit innovation effectively and can deliver substantial value-added in technology and intellectual property. The UK will never compete by trying to cut wage costs to Third World levels, we no longer have a heavy manufacturing base, and there is a limit to how much national income can be generated from tourism and heritage. The only route to sustainability has to be through becoming a leading force in innovation and technology.
I remain concerned that too many young people do not see careers in technology as exciting, that too many further and higher education courses are irrelevant to the technology sector’s needs, and that for those who do emerge from further and higher education there are too few entry-level job/training opportunities. Moreover, as a country we do not do enough to foster entrepreneurialism, nor to support investment in innovative start-ups and to support the growth of such enterprises as they develop. The Micro Focus manifesto contains a number of suggestions as to how these issues may be addressed. I am sure it is not definitive, but the future of the UK economy requires that this debate starts now and is taken seriously.
The Health Services Journal (reporting an investigation by More4 News) says that NHS computer systems were infected by more than 8000 viruses in the last year, most of which would have been avoided if the NHS Trusts concerned had kept their anti-virus software up-to-date.
This would be worrying enough (consequences described included the breakdown of patient appointment systems), but the complacent response of the Department of Health is breathtaking.
According to the HSJ:
“The revelation that NHS trusts have been poor at keeping their anti-virus software up to date has provoked concerns that they are vulnerable to viruses that could cause confidential patient data to be disseminated.
“But a spokesman for the Department of Health said the electronic patient records systems provided through the national programme for IT were “protected by the highest levels of access controls and other security measures”.”
However, my understanding has always been that once an individual machine has been compromised – depending on what malware has been installed – then all the data accessed or stored by that machine is potentially vulnerable. So if so many Trusts are failing to maintain up-to-date anti-virus software, then confidential patient data IS at risk.
The Department of Health spokesperson went on to say that:
“local NHS trusts were legally responsible for complying with data protection rules and were expected to record any breaches.”
So that’s all right then …….
According to the FBI, Goldman Sachs fell victim to potentially one of the most costly losses of information ever when one of their computer specialists decided that the $400,000 a year he was being paid was not actually sufficient compensation for his talents and decided to move to another company who were prepared to treble his salary. In the few days before he left, the employee apparently copied part of the code controlling Goldman Sachs’s electronic trading platform, which enables them to respond almost instantly to market movements (probably in a way that makes those market movements even more destabilising for the rest of us but is highly profitable for Goldman Sachs).
Of course, it could have been worse, he could have tinkered with the code as well before he left, so that the trading platform would have bankrupted Goldman Sachs instead of making them enormous profits. At least, I assume that would have been worse …..
Moral: be nice to the geeks in your IT department.
I have tabled a question for written answer on electromagnetic pulses and the National Security Strategy arising from the meeting I went to yesterday:
To ask Her Majesty’s Government:
“What consideration was given to the threat to the critical national infrastructure of a high intensity electromagnetic pulse, produced either by malign intent or as a result of solar activity, in preparing the National Security Strategy.”
Earlier today I went to a meeting (organised by the Henry Jackson Society) in one of the more remote Commons Committee Rooms chaired by James Arbuthnot MP, the Chairman of the Select Committee on Defence. He began by intoning that we were all attending “the most important meeting you will ever go to”. I am not sure about that, but it was undoubtedly one of the scariest I have ever attended.
It was addressed by Avi Schnurr, President of EMPACT (The EMP Awareness Coordination Taskforce) and concerned the threat of an electro-magnetic pulse that could permanently disable the electricity grid and most electrical systems.
In 1962, the United States conducted “Starfish Prime,” a nuclear weapon test over a remote region of the Pacific Ocean. The test was successful, with one unexpected result: fifteen hundred kilometers away in Hawaii, streetlights burned out, TV sets and radios failed and power lines fused. This was unexpected and demonstrated that a nuclear warhead set off above the atmosphere causes an Electromagnetic Pulse, or EMP. Unlike a ground burst, an EMP blast can mean (depending on how high in the atmosphere the explosion takes place) continent-wide catastrophe, a capability potentially in the hands of any rogue nation or terror organization that can acquire a single nuclear-tipped missile.
With some of the world’s most unstable regional powers acquiring or already in possession of nuclear weapons, the United States Congress established the Electromagnetic Pulse (EMP) Commission, tasked with evaluating this growing threat. The Commission, based on testimony from throughout the federal government, warned that America’s current vulnerability invites attack. They concluded, remarkably, that “EMP is capable of causing catastrophe for the nation,” as “one of a small number of threats that has the potential to hold our society seriously at risk, and might result in defeat of our military forces.”
During the Cold War, the USA and the USSR relied on deterrence, but because of the threat from EMP (which could have limited their capacity to respond after a first warhead had detonated) both would have responded to a single missile in flight by a full maximum response within minutes – hence the briefcase with the codes that still follows the US President.
However, if one postulates a rogue state or a rogue group having access to a quite small nuclear device and a rocket powerful enough to send it into the upper atmosphere above the target nation or nations (perhaps launched from a boat), deterrence is no longer the answer. The attraction for a North Korea or an Iran (and in both countries there is evidence according to Avi Schnurr that the military elites are not only aware of the potential of EMP attack but have also actively discussed it) is the comparative simplicity of delivering such an attack that would disable the United States or Europe and that it could be done stealthily. The same attraction would also be there for terrorist groups.
And there is no question that the effect of an EMP attack could be devastating. Electricity grids would be destroyed as transformers burnt out (and although these could be replaced the process would take years and again according to Avi Schnurr there is only one company in the world that makes the transformers on which the US electricity grid relies). Control systems for parts of the critical infrastructure (eg the water supply) and even for vehicles would be destroyed by an EMP attack. For a significant period the infrastructure could not function, distribution systems (eg for food) would not function, and the internet would not work. Given the nature of modern society, social structures would break down very rapidly.
And as if the threat from a rogue state or terrorists was not enough, electromagnetic pulses can occur naturally as part of solar activity. Avi Schnurr quoted the US National Academy of Sciences as warning that solar activity can produce effects of equivalent magnitude and does so approximately every hundred years. The last such massive solar surge was in 1859 and shorted out telegraph wires and caused widespread fires. The next occasion when there might be such a surge is 2012 (although it might not be the big one, that is when the next peak of solar activity is anticipated).
I will have to check but I don’t remember any of this being mentioned in last month’s National Security Strategy. I can feel some Parliamentary Questions coming on …
Alan Johnson, the Home Secretary, has made it clear that ID cards will not be compulsory. In a press conference, he said that the pilot schemes for airside workers to have ID cards in Manchester and London City Airports would not now be compulsory for UK citizens.
“Holding an identity card should be a personal choice for British citizens – just as it is now to obtain a passport. Accordingly I want the introduction of identity cards for all British citizens to be voluntary and I have therefore decided that identity cards issued to airside workers, planned initially at Manchester and London City airports later this year, should also be voluntary.”
At the press conference, he was asked by journalists if ID cards would be made obligatory and said quite clearly that they would not be.
In a Parliamentary written statement he said:
“There will be significant benefits to individuals from holding an identity card which will become the most convenient, secure and affordable way of asserting identity in everyday life. Identity cards will also be valid for travel throughout Europe in place of a British passport. ….. However, holding an identity card should be a personal choice for British citizens – just as it is now to obtain a passport. Accordingly I want the introduction of identity cards for all British citizens to be voluntary.”
This is a sensible and proportionate approach to adopt.
I have always felt that identity cards were mis-sold when they were first announced. They were never going to be a magic bullet in the battles against terrorism or organised crime – although that was what was claimed when the proposals were first aired. However, a simple system enabling the citizen to demonstrate – should they wish to do so – who they are always seemed to me to have enormous value (certainly better than having to turn up at a bank with a driving license, a council tax receipt and a utility bill). In essence, that is the system that the Government is now saying we will be moving towards.
The Government has today published its much-heralded “Cyber Security Strategy of the United Kingdom”. The document is welcome and will lead to an Office of Cyber Security (OCS) being set up to “provide strategic leadership” across Government. In addition, a Cyber Security Operations Centre (CSOC) will be set up as part of GCHQ. This Centre will be responsible for “incident response”, as well as monitoring “the health of cyber space” and providing advice and information.
This all looks extremely positive, as does the philosophy underpinning the Strategy, which includes working in partnership with industry, being more integrated within government, tackling security challenges early, and being grounded in a set of core values based on human rights.
As ever (forgive the lapse into cliché), the devil will be in the detail – and the detail is not contained in the Strategy. How much clout and authority will the OCS have within Government? Will the CSOC have the resources it needs to be sufficiently proactive, and will it have the legal powers to take appropriate action?