
Archive for the ‘Information security’ Category

Monday
Jun 11,2012

A former senior analyst to the US Secretary for Defense has warned that:

“Chinese companies apparently have a covert capability to remotely access communications technology sold to the United States and other Western countries and could disable a country’s telecommunications infrastructure before a military engagement.”

Writing on Friday, F Michael Maloof reported that:

“The Chinese also have the ability to exploit networks “to enable China to continue to steal technology and trade secrets,” according to the open source intelligence company Lignet, which is comprised of former U.S. intelligence analysts.

The issue centers on the Chinese firm Huawei Technologies Co. Ltd., which U.S. intelligence sources say has direct links to the Chinese government and the People’s Liberation Army, or PLA. These sources assert that Huawei and other Chinese telecommunications firms such as ZTE Corp. have “electronic backdoors” to telecommunications technology sold to the U.S. and other countries.”

This is the same Huawei that I have reported before as providing key components to this country’s BT network, and that is being investigated by the US Congress but not by any equivalent UK body.

Huawei tell me that they are much-maligned and say that they are not linked to the People’s Liberation Army, but are just a private company trying to expand their business outside China.

In the UK the Government seems to be unconcerned that increasingly large parts of the country’s critical national infrastructure are under foreign ownership or are dependent for key components on overseas suppliers (there are a series of stories in yesterday’s Sunday Times behind its paywall about Chinese or Russian interests buying into the UK energy supply industry).

It is not clear why it can be assumed that these interests are necessarily benign and the UK Government doesn’t even seem to be interested in asking the question let alone doing anything about it.

How complacent can they get?


Monday
May 28,2012

Seven and a half years ago, I warned in a debate in the House of Lords about the risk to the nation’s critical national infrastructure of a concerted cyber-attack, saying:

“As a nation, the systems that are essential for our health and well-being rely on computer and communications networks – whether we are talking about the energy utilities, the water and food distribution networks, transportation, the emergency services, telephones, the banking and financial systems, indeed government and public services in general – and all of them are vulnerable to serious disruption by cyber-attack with potentially enormous consequences.  …

The threat could come from teenage hackers with no more motivation than proving that it could be done, but even more seriously it could come from cyber-terrorists intent on bringing about the downfall of our society. “

The Ministerial reply I was given at the time bordered on the complacent – even though I was assured that it wasn’t:

“there are also terrorists who would challenge and seek to undermine democratic society using any methods within their grasp. It is not complacent to say this; but perhaps it should be made plain that at the moment they do not appear to be interested in attacking us electronically.”

Late last year, the Wall Street Journal reported that:

“British intelligence picked up “talk” from terrorists planning an Internet-based attack against the U.K.’s national infrastructure, a British official said, as the government released a long-awaited report on cyber security.

Terrorists have for some time used the Internet to recruit, spread propaganda and raise funds. Now, this official said, U.K. intelligence has seen evidence that terrorists are talking about using the Internet to actually attack a country, which could include sending viruses to disrupt the country’s infrastructure, much of which is now connected online. The official spoke on condition of anonymity and didn’t say when the infrastructure threat was detected and how it was dealt with.

Terrorists, however, are still more focused on physical attacks that lead to high casualties and grab attention. “For the moment they prefer to cover the streets in blood,” he said.”

Again, the official line was inclined to dismiss the likelihood of an attack …

Now comes news that a video captured by FBI agents last year and now released by the Senate Committee on Homeland Security purports to show an al Qaeda leader calling on “covert mujahidin” to launch cyber attacks against The video explicitly calls for cyber attacks against the networks of both government and life-sustaining critical infrastructure, including the electric grid, and compares vulnerabilities in U.S. critical cyber networks to the vulnerabilities in our aviation system prior to 9/11.

PHOTO: In this screenshot obtained by the FBI, an Al Qaeda video calls upon the “covert Mujahidin” to commit “electronic jihad”.

So – boringly – I was right (again).

The question remains: are our cyber-defences going to be adequate?

Saturday
Apr 21,2012

I have been delighted to contribute a foreword to a guide produced by my good friends at The Risk Management Group for parents to help them keep their children safe online.

The guide “The A to Z of Safe Children Online” is available here.

Sunday
Mar 18,2012

Nearly three years ago I posted about the threat of an electro-magnetic pulse that could permanently disable the electricity grid and most electrical systems.  I followed this up with some parliamentary questions and a further post this time last year that concluded:

“So the good news (heavy irony) is that the Government may have got round to working out what “the reasonable worst case scenario” might be.”

At the risk of coming over all I-told-you-so-ish, we now learn in today’s Observer that:

“Explosions on the sun that blast solar winds towards the Earth have been identified for the first time as one of the biggest threats to the UK’s ability to carry on normal daily life, according to a new official government register of major risks to the country.

A significant event on the sun could leave large swaths of the country without electricity, lead to the immediate grounding of planes, disable communications and even destroy household appliances.

The danger has been prioritised in the Cabinet Office’s National Risk of Civil Emergencies as the sun enters the most active point in its 10-year cycle – its solar max – raising the chances of a damaging burst of radiation, plasma or energetic particles (such as neutrons).

More significantly, the UK is regarded as particularly vulnerable because scientific advances have made the country more dependent on technology than ever before. Ministers have been advised by scientists that the most advanced technology is also the most delicate and that “high levels of energetic particles produced in the atmosphere by solar radiation storms can greatly enhance error rates in ground digital components found in all modern technology”.

The newly published risk register lists severe space weather alongside terrorist attacks, coastal flooding and pandemic influenza as likely sources of “serious damage to human welfare”.

It says: “Severe space weather can cause disruption to a range of technologies and infrastructure, including communications systems, electronic circuits and power grids.”

The register adds: “While storm impacts in the early- to mid-20th century appear relatively benign, dependency on technology vulnerable to space weather has pervaded most aspects of modern life, and therefore the disruptive consequences of a severe solar storm could be significant.”

The threat was placed on the register after a panel of experts, including two scientists from the Meteorological Office, produced a “reasonable worst case scenario” for ministers.”

Only took a year, so lucky that last week’s solar flare passed off without problems.


Friday
Feb 17,2012

There is an excellent article in the New York Times that explains the behavioural psychology that is now linked to supermarket loyalty cards and on-line shopping patterns to target and personalise adverts and offers.

It describes an incident in a Target store (a major US chain) as follows:

“a man walked into a Target outside Minneapolis and demanded to see the manager. He was clutching coupons that had been sent to his daughter, and he was angry, according to an employee who participated in the conversation.

“My daughter got this in the mail!” he said. “She’s still in high school, and you’re sending her coupons for baby clothes and cribs? Are you trying to encourage her to get pregnant?”

The manager didn’t have any idea what the man was talking about. He looked at the mailer. Sure enough, it was addressed to the man’s daughter and contained advertisements for maternity clothing, nursery furniture and pictures of smiling infants. The manager apologized and then called a few days later to apologize again.

On the phone, though, the father was somewhat abashed. “I had a talk with my daughter,” he said. “It turns out there’s been some activities in my house I haven’t been completely aware of. She’s due in August. I owe you an apology.”

I suspect these systems are now so sophisticated and analyse so much data about individuals’ behaviour that they far surpass even the databases held by the most anti-civil-libertarian governments.

But for some reason you don’t hear so many complaints …

Saturday
Feb 11,2012

A Police Service with a sense of humour?

How would the Met shape up if their website was hacked?

Sunday
Jan 29,2012

John Naughton in today’s Observer has an interesting article on the proposed new EU data protection directive and the way in which Facebook is getting “its retaliation in first”.  The proposed “right to be forgotten” is likely to conflict with Facebook’s newish “timeline” facility.  And the retaliation?  This is how John Naughton puts it:

“The day before the commission made its announcement, Facebook’s chief operating officer, Sheryl Sandberg, gave a speech to a technology conference in Munich. Her menacing subtext was neatly summarised by the New York Times thus: “Concerned about privacy? Maybe you should be concerned about the economy instead.” Translation: mess with us, Eurotrash, and we’ll screw you.

Sandberg’s speech was revealing because it exposes the line of argument that Google, Facebook, et al will use to undermine public authorities that seek to control their freedom to exploit their users’ identities and abuse their privacy. The argument is that internet companies create lots of jobs and are good for the economy and European governments shouldn’t stand in their way.”

Apparently, to back this argument Facebook referred to a report that they had commissioned from Deloitte which concluded that Facebook had indirectly helped create 232,000 jobs in Europe in 2011 and enabled more than $32bn in revenues.

John Naughton is sceptical, pointing out that Facebook itself only has about 3,000 employees world-wide, and he continues:

“Inspection of the “report” confirms one’s suspicion that you couldn’t make this stuff up. Or, rather, only an international consulting firm could make it up. Interestingly, Deloitte itself appears to be ambivalent about it. “The information contained in the report”, it cautions, “has been obtained from Facebook Inc and third party sources that are clearly referenced in the appropriate sections of the report. Deloitte has neither sought to corroborate this information nor to review its overall reasonableness. Further, any results from the analysis contained in the report are reliant on the information available at the time of writing the report and should not be relied upon in subsequent periods.” (Emphasis added.)

Accordingly, continues Deloitte, “no representation or warranty, express or implied, is given and no responsibility or liability is or will be accepted by or on behalf of Deloitte or by any of its partners, employees or agents or any other person as to the accuracy, completeness or correctness of the information contained in this document or any oral information made available and any such liability is expressly disclaimed”.”

Although Deloitte is normally regarded as a respectable organisation, these caveats plus the rather tendentious conclusions should raise alarm bells.

Or as John Naughton puts it:

“The sole purpose of “reports” such as this is to impress or intimidate politicians and regulators, many of whom still seem unaware of the extent to which international consulting firms are used by corporations to lend an aura of empirical respectability to hogwash.”

Yet reports like this with sensational conclusions seem a particular feature of commentary on the internet.

And especially so in respect of information security: last year the UK Government published figures saying UK cyber crime was costing £27 billion per year and, not to be outdone, Symantec suggested that the global figure was $388 billion.  The reality is that all these figures are unverifiable – and whilst I am quite clear that cyber-crime is a very serious problem for the world economy, these estimates are, to use John Naughton’s word, “hogwash”.

Spurious precision – whether it is Symantec’s $388 billion or Facebook’s 232,000 jobs in Europe – should always be treated with caution.

Sunday
Nov 27,2011

The Wall Street Journal reports that:

“British intelligence picked up “talk” from terrorists planning an Internet-based attack against the U.K.’s national infrastructure, a British official said, as the government released a long-awaited report on cyber security.

Terrorists have for some time used the Internet to recruit, spread propaganda and raise funds. Now, this official said, U.K. intelligence has seen evidence that terrorists are talking about using the Internet to actually attack a country, which could include sending viruses to disrupt the country’s infrastructure, much of which is now connected online. The official spoke on condition of anonymity and didn’t say when the infrastructure threat was detected and how it was dealt with.

Terrorists, however, are still more focused on physical attacks that lead to high casualties and grab attention. “For the moment they prefer to cover the streets in blood,” he said.”

I first started raising these concerns more than seven years ago, pointing out in a debate in the House of Lords on the 9th December 2004:

“As a nation, the systems that are essential for our health and well-being rely on computer and communications networks – whether we are talking about the energy utilities, the water and food distribution networks, transportation, the emergency services, telephones, the banking and financial systems, indeed government and public services in general – and all of them are vulnerable to serious disruption by cyber-attack with potentially enormous consequences.  Indeed, the Coastguard Service was laid low by the “Sasser” worm in May this year.

The threat could come from teenage hackers with no more motivation than proving that it could be done, but even more seriously it could come from cyber-terrorists intent on bringing about the downfall of our society. “

At the time, I was assured that there was no intelligence to suggest that such a threat was significant.  The then junior Home Office Minister, Lord Steve Bassam, now no less a person (if such a thing were possible) than the Opposition Chief Whip in the Lords, said:

“there are also terrorists who would challenge and seek to undermine democratic society using any methods within their grasp. It is not complacent to say this; but perhaps it should be made plain that at the moment they do not appear to be interested in attacking us electronically.”

Of course, in the intervening seven years there has been a burgeoning realisation of an increasing number of cyber-threats and, if there is now intelligence to suggest that international terrorists are thinking in that way, I take no satisfaction from having predicted it in 2004.

What is important is that the substantial resources provided to GCHQ under the Government’s new Cyber Security Strategy, published last week, are used effectively to combat the threat. GCHQ and the other intelligence agencies are to get 59% of the £650 million that the Government has allocated to cyber security over the next three years.  It is unlikely that there will ever be much detail published as to how the resources are used, so we can only hope ….

Saturday
Nov 19,2011

I see that the US Congress is to investigate Chinese equipment suppliers Huawei and ZTE to see whether they present a threat to US national security.  According to PC World, the House Intelligence Committee wants to:

“examine if Huawei’s and ZTE’s expansion into the U.S. market gives the Chinese government an opportunity to hijack the nation’s infrastructure to conduct espionage. U.S. lawmakers worry that the networking equipment sold could secretly contain Chinese military technology to spy and interfere with U.S. telecommunications.”

Huawei has many links to the Chinese Government and its security apparatus.  Jeffrey Carr summarises the key facts as follows:

  1. The company’s founder Ren Zhengfei was an engineer in the PLA prior to forming his company.
  2. The company’s chairwoman Sun Yafang worked for the Ministry of State Security and while there helped arrange loans for Huawei before joining the company as an employee.
  3. The government of China is Huawei’s biggest customer; specifically the State-owned telecommunications services.
  4. Huawei equipment is used to intercept communications in China for state-mandated monitoring.

Nevertheless, its products are already widely used in the UK’s infrastructure, particularly given its role in providing key components to BT.  I have expressed concern about this before, and back in 2006 Newsweek recorded the Conservative Party’s concerns, saying:

“Political conservatives in Britain expressed the same security concerns about Huawei last spring. In April, the company won a $140 million contract to build part of British Telecom’s “21st Century Network,” a major overhaul of its equipment. But when rumors began circulating that the Chinese company might then bid on Marconi, a landmark electronics and information technology firm that was being put up for sale, a Conservative Party spokesman sounded the alarm. The Tories asked the British government to consider the implications for Britain’s defense industry of a Chinese takeover of Marconi. In the end, Huawei didn’t make an offer, and the Swedish telecom giant Ericsson is in the process of buying Marconi.”

Huawei continue to try to expand their access to the UK infrastructure market – see, for example, their wooing of Mayor Boris Johnson with an offer to provide mobile phone infrastructure for the Underground in time for the London Olympics.  In August, they recruited the former Government chief information officer, John Suffolk.

Their latest move to gain respectability is to sponsor a charity Christmas concert in support of The Prince’s Trust at the Royal Festival Hall next month, to which they have invited large numbers of senior Government officials and Parliamentarians.

No doubt, Huawei will say they are much-maligned, but I do wonder whether a UK Parliamentary Committee shouldn’t be following the lead of the US House Intelligence Committee and launch an investigation into the company’s growing influence in the UK and any possible implications for security.

Friday
Nov 4,2011

I’ve already asked what exactly William Hague’s grand international conference on cyberspace was for, but it is clear that my scepticism is shared by the journalists who were sent to cover it and came away disappointed, or, as the Daily Telegraph put it:

“So what did we learn over the course of the two-day meeting? Well, in short, almost nothing. ….

As the show limped to its finale on Wednesday, many of Mr Hague’s conclusions could have been written at any point in the last six months.

“All delegates agreed that the immediate next steps must be to take practical measures to develop shared understanding and agree common approaches and confidence-building measures,” the Foreign Secretary declared. Well, quite.”

And serious experts like Richard Clayton from Cambridge University were pretty underwhelmed too.
