The Director General of MI5, Jonathan Evans, has given a speech discussing the growth of organised cybercrime targeting UK businesses and government.
In a rare public speech, the head of the British Secret Service described how “one major London listed company” estimated that it had lost “some £800m as a result of hostile state cyber attack – not just through intellectual property loss but also from commercial disadvantage in contractual negotiations.”
The MI5 chief described the extent of the problem as “astonishing – with industrial-scale processes involving many thousands of people lying behind both state sponsored cyber espionage and organised cybercrime”, and called upon the private sector and government to improve its information-sharing about cyber attacks.
I presume Jonathan Evans meant “astonishing” to the man in the street, and not to himself or those involved in computer security, as the last few years have shown a clear indication of a new pillar of cybercrime.
We started off with the hobbyists, hacking systems or coding malware for fun or for the intellectual challenge. Much of what they did would fall foul of computer misuse laws about unauthorised access or modification, but the motivation was often to show off to their pals rather than to make money.
Some of these hobbyists still exist, although their numbers have depleted as they have realized that it can be a dangerous game to play if the authorities take a dim view of their activities.
Then we saw the financially-motivated cybercriminals – stealing banking passwords, installing keyloggers, hijacking computers to display adverts for money-making schemes, recruiting compromised computers into botnets in order to send spam. These remain a considerable force to be reckoned with, and account for the majority of the attacks that we see.
More recently we have seen the rise of hacktivism, with more hackers breaking into systems to expose what they view as corporate hypocrisy or lax security or to spread a political message. Hackers waving the banners of Anonymous and LulzSec have engaged in crippling denial-of-service attacks, data breaches, and defacements with often no obvious financial motivation in mind.
And then there’s state-sponsored cybercrime and internet espionage. This area of cybercrime is shrouded in the deepest, thickest fog – and attribution continues to be a monumental problem – but speculation about government and military use of the internet to spy continues to grow.
Whether it be the USA and Israel building malware to infiltrate Iranian nuclear systems, the mystery of who would want to break into computers at Japanese submarine manufacturing plants, or Britain speaking bullishly about its willingness to launch a pre-emptive strike across the internet against aggressors, it would be naive to think that countries are not using the net for such purposes.
And why shouldn’t they? After all, it’s probably cheaper and less dangerous to spy on another state’s government or a foreign company using malware than to use the old-fashioned method of planting a physical agent there.
So, yes, I’m not astonished to read that UK businesses and governments are believed to be under internet attacks from other states. But I also acknowledge that my own country is likely to be doing the very same thing.
That means that all of us, wherever we are in the world, should be working hard to maximise our computers’ security.
Keep your protection software and patches up-to-date, educate your staff about threats and how their systems can be compromised, make sure that computers are only connected to the systems that they need to be connected to, and ensure that your sensitive data is properly encrypted and safely hidden behind a layered defence.