George Osborne MP, the UK’s Chancellor of the Exchequer, has said that British government computers are on the receiving end of over 20,000 malicious email attacks every month.
In a keynote address at the Google Zeitgeist event in London today, Osborne claimed that foreign intelligence agencies are responsible for many of the attacks, with the intention of stealing sensitive information.
Here’s part of what he said:
In any given month there are over 20,000 malicious emails sent to government networks.
Here is a salient story from my time as Chancellor.
During 2010, hostile intelligence agencies made hundreds of serious and pre-planned attempts to break into the Treasury’s computer system.
In fact, it averaged out as more than one attempt per day.
This makes the Treasury one of the most targeted departments across Whitehall.
At some point last year, a perfectly legitimate G20-related email was sent to HM Treasury and some other international partners.
Within minutes it appeared that the email had been re-sent to the same distribution list.
In fact, in the second email the legitimate attachment had been swapped for a file containing malicious code.
To the recipient it would have simply looked like the attachment had been sent twice.
Fortunately, our systems identified this attack and stopped it.
The full text of George Osborne’s speech can be read here.
The “20,000 malicious emails sent to government networks” statistic is getting a lot of press, but actually it’s the same as the one revealed last year by the director of the UK Government’s Communications Headquarters (better known as GCHQ).
At that time it was claimed that 5% of the attacks (1,000 a month) were specifically targeted against government departments.
Earlier this year, UK Home Secretary William Hague revealed that attackers had successfully infected government departments with the Zeus trojan (also known as “Zbot”).
Of course, most of the attacks said to be hitting the UK government are hitting other organisations and businesses around the world too. Governments and firms alike face the challenge of keeping their systems secure, and their sensitive data out of the hands of cybercriminals.
Does the UK government keep its systems properly up-to-date?
Clearly up-to-date security software has an important part to play in all this, but I would recommend that the British government also takes a close look at its computers and applications to ensure that they are properly patched against vulnerabilities.
One key question I would pose, for instance, is whether the web browser and PDF viewer being used by the British Government are properly up-to-date and patched. That’s even before we consider Microsoft Office, Java, Adobe Flash, and so on ad nauseam.
In early 2010, the British Government was strongly criticised for its unwillingness to upgrade from the chronically insecure Internet Explorer 6, and thousands of people signed a petition calling on government departments to upgrade their browsers.
In October last year, the Home Office announced plans to upgrade, at last, to Internet Explorer 8.
It’s unclear whether all UK Government departments are now up-to-date in the browsers and other applications they use, but it seems to me that if their computers are being attacked by foreign powers with boobytrapped documents and dangerous links, to do anything less would be negligent in the extreme.
6 comments on “UK Government under cyber-attack says Chancellor George Osborne”
And who exactly do you think approves the technical security case for using IE6 in government?
Dear Mr Osborne,
The emails to which you are referring are commonly known as spam. http://en.wikipedia.org/wiki/E-mail_spam
My money is on the fact that the MP is probably just as informed as any other MP, not very.
I work in a UK government dept and only today emailed our Security and IT people asking if they were going to upgrade IE. We still have IE6.
IE 6 is still used in Local Government due to the fact that departments, without the advice of IT sections, go off and sign contracts with poor vendors, with no support clearly defined, who supply them with terrible applications that are only supported by IE6.
In my experience, IE7 and 8 cause rendering issues with such applications (or is that the other way round?)
We sell to the American government and UK government at my company. In my experience the vendor usually has an updated product working with the latest and greatest; however, it's just that the government doesn't want to buy it, whether it be for financial reasons, bureaucracy, security or a host of other reasons. My favourite personally is an engineering life-cycle that takes nearly 3 to 5 years to make it to the customer approval phase on something that should take months. At which point the customer asks why everything is out of date and why systems are failing, and proceeds to add 3 years' normal wear and tear to the punch list before approving and paying for the system from which they got 2 years of free partial use. At which point a cost-benefit analysis is done by the vendor to determine if continuing on the project is even worth it.
So what's wrong with installing Firefox and using that instead of IE? FF works on any platform – and would be IMHO far more secure than IE, plus FF is free to download and use, plus there are plenty of security addons available.