Let’s set the scene: James Bond is in hand-to-hand combat on a speeding train in order to recover a stolen hard drive from an MI6 laptop. Later, the hard drive has been decrypted and the critical details of all MI6 undercover agents have been posted on YouTube. Unlike the usual James Bond plot lines, which generally involve stealing Vulcan bombers, hiding a bomb in a circus or hijacking space shuttles in order to release deadly poison into the atmosphere from a space station, the theft of a hard drive is highly plausible and an issue that could face any government.
The plot highlights how IT security has never been so high on the public radar. However, while highly visible, misinformation is rife in addressing the actuality of threats and the technology involved. In today’s security environment, government security services and the military are the most up-to-date when it comes to the implementation of technology and strategy. But in the 21st Century the threat to IT security has evolved to encompass not only governments as targets but Critical National Infrastructure (CNI) providers and increasingly the private sector. IT security is no longer a niche area of interest but something that all sectors need to be conscious of and proactive about.
Reality versus fiction
As one might expect, security services are particularly proactive with regard to the implementation of IT security. As demonstrated in Skyfall, the Security Services encrypt data on hard drives not because the data might be stolen, but because of the assumption that, given time, data inevitably will fall into the wrong hands. This strategy is well advised given repeated experience. For example, in 2009, a Serious Organised Crime Agency (SOCA) officer lost a USB stick containing the names of undercover agents involved in the drug war in Ecuador, as well as information relating to five years’ worth of investigations. The blunder not only jeopardised the physical safety of the agents working in the field but put the whole operation at risk, costing the UK taxpayer in the region of £100 million.
While human error is a predictable factor, it can be mitigated against, making such blunders a thing of the past. Currently, encrypted hard drives used by security services are accredited to CESG CAPS level 4, the highest level of encryption that can be attained and approved for Top Secret data. If you think of data as a book, standard encryption moves the data around page by page, so that you simply have to re-organise the pages to make the information intelligible again. Encryption used by governments at Top Secret level is akin to moving around all the individual words or even letters, as well as the spaces and punctuation in between: a mammoth undertaking for any potential hacker to make sense of.
Encryption technology at this level has been proven in the strictest use cases, from securing on-board systems in theatres of war to protecting information during covert operations. For example, military aircraft and land vehicles now encrypt data to ensure no information falls into enemy hands if a vehicle has to be abandoned. This eliminates the need to ensure a vehicle and any data it holds are completely destroyed if abandoned, a risky and difficult enterprise to achieve properly even when it is possible. These systems should also include software or hardware purge buttons to delete all data encryption keys, preventing authentication even with system passwords and tokens, and so providing full data protection in the event of enemy capture. An encrypted device used by a colleague of James Bond would, one might expect, also include such capabilities as an additional precaution against theft.
For any attempt at hacking an encrypted hard drive, thieves have two options: guessing the authentication parameter, such as a password, or guessing the encryption key. For the first option, most authentication systems limit the number of attempts and then lock out the user if the password is entered incorrectly too many times. While this precaution can be physically overridden, encrypted drives used by government organisations should be manufactured in such a way that attempting to physically access the electronics of the device itself will also irreparably destroy the device and its data.
For the second option, a hacker would need to guess the key value and use it to decrypt the data. For AES-256 encryption there are approximately 1.15 x 10^77 values (that’s a 1 followed by 77 zeros). This is a massive number: 115,000 million million million million million million million million million million million million different values. This is an almost impossible task: even with substantial brute-force computing power, finding the correct key would take many, many lifetimes. As a result, it is always more viable to guess the authentication value than the key. As in so many areas, this comes down to relying on the people holding the data as the weakest link. One would hope that, based on the available evidence, 00 agents are made of sterner stuff.
The combined effect of strong authentication parameters (strong passwords, two-factor authentication) and encapsulated hardware that limits the number of authentication attempts makes the probability of hacking the drive an extremely small, but finite, number. This would be the number of attempts allowed multiplied by the probability of guessing all of the authentication values correctly on any one attempt. The good news is that if a hard drive were stolen in real life from Her Majesty’s Secret Service it shouldn’t cause much of a stir.
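The arithmetic in the two paragraphs above (the AES-256 key space, the brute-force time, and "attempts allowed multiplied by the probability per attempt"), together with the attempt counter and key purge described earlier, can be made concrete. The following is an added example written for this article; it is not code from the original, nor from any CESG-accredited product. The guess rate, the password entropy and the PBKDF2 parameters are illustrative assumptions, and the drive guard is a toy model of the mechanism, not a real self-encrypting drive.

```python
"""Worked model of why the authentication path, not the key, is the weak link.

Functions compute the key-space and brute-force figures from the text; the
EncryptedDriveGuard class models a bounded attempt counter whose exhaustion
zeroises the data encryption key (DEK), the 'purge button' behaviour.
"""
import hashlib
import hmac
import os
import secrets

AES_256_KEYSPACE = 2 ** 256  # about 1.157 x 10**77 candidate keys


def keyspace_digits(bits: int = 256) -> int:
    """Number of decimal digits in the size of a 2**bits key space."""
    return len(str(2 ** bits))


def expected_brute_force_years(bits: int, guesses_per_second: float) -> float:
    """Expected time to find a uniformly random key by exhaustive search.

    On average half the key space must be tried. guesses_per_second is an
    assumed attacker rate (illustrative; no real rate is claimed).
    """
    expected_guesses = 2 ** bits / 2
    seconds_per_year = 365.25 * 24 * 3600
    return expected_guesses / (guesses_per_second * seconds_per_year)


def lockout_bounded_success(secret_bits: float, attempts_allowed: int) -> float:
    """Attacker's chance of guessing the authentication value before lockout.

    This is the product the text describes: attempts allowed multiplied by the
    per-attempt probability, for a uniformly chosen secret of secret_bits
    entropy. Capped at 1.0 because a probability cannot exceed certainty.
    """
    return min(1.0, attempts_allowed / 2 ** secret_bits)


class EncryptedDriveGuard:
    """Toy guard: the DEK is released only on a correct password, failures are
    counted, and reaching max_attempts zeroises the DEK and the verifier."""

    def __init__(self, password: str, max_attempts: int = 5) -> None:
        self._salt = os.urandom(16)
        self._verifier = self._derive(password)
        self._dek = secrets.token_bytes(32)  # the 256-bit data encryption key
        self._max_attempts = max_attempts
        self._failures = 0
        self.purged = False

    def _derive(self, password: str) -> bytes:
        # PBKDF2 password verifier; iteration count is illustrative only.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def purge(self) -> None:
        """Zeroise key material so the ciphertext is unrecoverable even if the
        correct password is later learned (models the purge button)."""
        self._dek = b"\x00" * 32
        self._verifier = b"\x00" * 32
        self.purged = True

    def unlock(self, password: str):
        """Return the DEK on a correct password, otherwise None.

        A correct password resets the failure counter; the max_attempts-th
        consecutive failure purges the device.
        """
        if self.purged:
            return None
        if hmac.compare_digest(self._derive(password), self._verifier):
            self._failures = 0
            return self._dek
        self._failures += 1
        if self._failures >= self._max_attempts:
            self.purge()
        return None


if __name__ == "__main__":
    print("AES-256 key space has", keyspace_digits(256), "decimal digits")
    print("Expected years at 10^18 guesses/s:", f"{expected_brute_force_years(256, 1e18):.2e}")
    print("P(success) for a 40-bit secret with 5 attempts:",
          f"{lockout_bounded_success(40, 5):.2e}")
    guard = EncryptedDriveGuard("constructed-demo-password", max_attempts=3)
    for _ in range(3):
        guard.unlock("wrong guess")
    print("Purged after 3 failures:", guard.purged)
    print("Correct password after purge yields key:", guard.unlock("constructed-demo-password") is not None)
```

The design point worth noticing is that the purge wipes both the key and the password verifier, so a thief who later extracts the real password gains nothing; the lockout bound is therefore a hard cap on the attacker's odds rather than a delay.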
Learning from the best
Unfortunately, attacks are not focused solely on government departments such as the security services or military, who through their expertise and technology are best positioned to ward off such threats. All parts of the government need to recognise that each of them, in its own way, is an attractive target for terrorists, and that they would benefit greatly by learning from their more experienced counterparts in the security services to ensure that they implement the necessary security.
However, it is not the devices or software the security services and military use that others could benefit most from, but their holistic approach to IT security, which considers the entire system. Every point of weakness and potential interaction with the outside world needs to be identified, whether it is how passwords are stored, moving data across unsecured lines, remote access points, or even policy regarding the use of personal devices. It is then a case of implementing technology and procedures that ensure no component works in isolation, and that together they leave no backdoor entry points vulnerable to attack.
If you think of your IT system as Fort Knox, targeted cyber terrorists are not going to focus on the front gate. They will go for weak points in the structure, or tunnel in, or disguise themselves as the US army, or simply bribe the guards; in short, any point of weakness. An example of this being put into practice by the military is the protection of sensitive information in the field. Not only is it encrypted, but it is also backed up with a Kill Switch which will scramble encryption keys when triggered by a certified source. A well-prepared military will also have backup communication channels to share data in case one connection is compromised. It should be noted, however, that even the best-formed strategy needs to be supported and implemented at every level in order to have any chance of success: after all, human error is always coming up with new ways to bypass security.
The adoption of a comprehensive approach to IT security is something that Critical National Infrastructure (CNI) is learning the hard way. While CNI providers have been quick to adopt internet connectivity into their systems, they have been slow to adopt improving levels of security. In fact, in my opinion our CNI is woefully under-protected for the level of threat it is potentially facing. This is supported by the US Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team Annual Report for the 2012 fiscal year, which reported that 40 per cent of reported attacks were against the energy sector.
Critical National Infrastructure
One attack took out a power plant for three weeks. This matters all the more as CNI increasingly becomes the target of terrorist attacks, as seen in the Middle East.
Traditionally, protecting critical infrastructure has meant physically protecting a power station with fences and security personnel and then assuming these barriers will deal with any threat. Attackers are now targeting more vulnerable substations, which provide access points for malicious infiltration as an easy route onto the power network. Furthermore, this has been amplified by the use of smart meters connected to grids over the internet, creating even more points of entry. The end result is essentially a spider’s web with every strand a viable point of entry. It is a case of organisations implementing new technologies but not simultaneously updating their security to match.
Organisations need to make the most of the latest technology that enables CNI operators to generate a virtual view of their networks and of their energy, water, oil and gas, and transportation operations. As well as these essential operations, support crews should be able to manage security with a mouse click based on real-time intelligence information. Sensors can continually update the information, creating a hierarchical view that operators can use to identify issues, then drill down to individual nodes to contain or fix them. It may seem straightforward, but CNI operators have been slow to adopt such an all-encompassing approach. However, it is important to note that, as crucial as a holistic methodology is, it is not enough to simply implement it and walk away. As I’m sure Saudi Aramco Co. and Qatari Rasgas realised after attacks against them last year were discovered, governments and businesses need to be perpetually vigilant and agile in order to respond effectively to constantly evolving threats.
Finding the balance between cost and capabilities
So far this year, the government’s IT security has been subject to reviews by the National Audit Office and the Defence Committee. Each report identified perceived issues with the government’s and military’s spending on IT security. Gone are the days when governments and militaries could spend unlimited amounts to ensure security. For example, in order to achieve the required levels of security, the Ministry of Defence (MoD) has to constantly balance cost and capabilities. While no one debates that the threat to IT security is very real and imminent, the security services no longer have the budget for Q to work away on endless technology projects. This is especially true of the Military, which faces a further £735 million in budget cuts, around a fifth of all departmental reductions. However, this is not an issue that governments need to feel they are dealing with on their own; they can also benefit from the expertise developed in the private sector.
In many cases, commercial technology can easily cover the gaps that specialist procurement can’t; in IT, commercial computers can fulfil many necessary functions with the right modifications. Commercial security software can even meet many of the security services’ everyday needs while being available for considerably less than the cost of a custom-designed solution. From vehicles to communications, governments and others should consider commercial off-the-shelf (COTS) technology to reduce the procurement burden and support bespoke technology projects.
The Hydra’s many heads
The threat to IT security can be compared to the heads of the Hydra: unlimited, immortal and constantly manoeuvring to attack where you are weakest. In an era of constant austerity, the most effective way for governments to combat terrorist attacks on IT infrastructure is not only to collaborate with the private sector on a technological level, but also to share knowledge and expertise. Nowhere is this more important and potentially more effective than in the field of IT security.
When the proper approach and collaboration are taken, they can be hugely beneficial in combating attacks on IT security. The Spanish police demonstrated this when they were able to shut down a cyber-criminal ring targeting Spanish nationals through cross-organisational collaboration, which resulted in the arrest of 11 individuals suspected of running a 1 million euro a year ransomware scam. In order to achieve this, Interpol coordinated an operation involving the Spanish police, the anti-virus company Trend Micro and the European Cybercrime Centre (EC3) at Europol. If organisations draw on the specialist skills across military, security services, government organisations and the private sector, then we can continue to meet the growing threat of cyber-attack now and well into the future.
The enemy is behind the lines
Collaboration between the public and private sectors in technology and knowledge can go a long way towards matching the constantly evolving threat of cyber-attack. However, at some point, hopefully soon, governments, security services and the private sector need to realise that cyber defence involves far more than building walls around networks; the Trojan Horses are already inside the walls of most organisations. It is crucial that organisations assume they are contaminated. Actively monitoring their networks, isolating areas of concern and eliminating malware are essential for returning systems to full operation speedily and with minimal disruption. This is only possible through the adoption of a truly holistic approach that uses the talents of 007, Q and M to tackle defence and IT security.