In the UK there’s always been a reluctance to acknowledge the extent to which government computer systems are subjected to, and often fall victim to, cyber-attacks from those trying to plant malicious code so as to steal or manipulate data. My attempts to obtain statistics (however imperfect) by Parliamentary Questions to Government departments were blocked, as were my offers to arrange external penetration testing of individual systems.
It is refreshing, therefore, to come across the openness with which these issues are discussed in the United States. The front page of today’s ‘USA Today’ carries a story saying ‘Raids on federal computer data soar’, quoting data from US-CERT (US Computer Emergency Readiness Team) that shows a 40% increase in the installation of hostile programs between 2007 and 2008. According to Joel Brenner, counterintelligence chief in the Office of the Director of National Intelligence, this reflects ‘a dramatic, consistent increase in cybercrime and intelligence activities.’
They take it seriously in the USA – we ought to do the same in the UK. (Of course, maybe we do, but there is nothing public that I have seen that gives me confidence.)
This apparent complacency by Government is exacerbated by complacency in many parts of the private sector (of course, much of the critical national infrastructure is owned or run privately), where I hear many firms are cutting costs to cope with the economic situation by getting rid of information security professionals.