Lord Toby Harris Logo

Archive for the ‘Information security’ Category

Monday
Jul 22,2013

I have tabled a question for oral answer in the House of Lords this afternoon, as follows:

“To ask HM Government what proportion of the United Kingdom’s critical national infrastructure is owned by foreign-owned companies; and what assessment they have made of the benefits and disbenefits of that level of ownership”

I am sure I will receive a courteous answer but I rather suspect that what it will boil down to is (1) the Government don’t really know what proportion of our infrastructure is in foreign hands; (2) that they haven’t really got a policy on it; and (3) even if they wanted to do something about it they feel it is either too late or there is nothing that they can do.

Earlier this month the Government announced, in response to a critical report from the Intelligence and Security Committee, that it would be reviewing the role of Chinese-owned Huawei in the UK’s telecommunications and security infrastructure.  This is welcome, if a bit late.  I have been banging on about this for ages: for example here and here.

Six years ago the think tank Chatham House reported that

“as much as 90% of the UK’s critical national infrastructure is not government owned and a large proportion of that is under foreign ownership.”

Most of London’s electricity is provided by Electricite de France.  Does anyone seriously doubt what would happen if it was a choice between switching the lights out in London or Paris because of some crisis?

In the last 10 years, Ferrovial of Spain has bought BAA, the operator of Heathrow and Stansted airports, Germany’s RWE has acquired npower, and Australian bank Macquarie has taken control of car parks by buying NCP.

German group Deutsche Bahn recently bought rail and bus operator Arriva, while ports company P&O, which owns assets at Tilbury and Southampton, was also bought by Dubai’s DP World in 2006.

This Government bangs on about the threat to British sovereignty presented by the UK’s membership of the EU, but they seem to be utterly silent on the implications for our sovereignty of having so much of our infrastructure controlled by foreign governments or its future being determined  at the whim of foreign investors who are unlikely to have the UK’s national interest at the top of their priorities.

Very few other nations would be so sanguine.

Tuesday
Nov 6,2012

Last week I signed up to become an IWF Champion.  This means that I fully support the important work that the Internet Watch Foundation (IWF) does to remove child sexual abuse images on the internet.

The IWF was established in 1996 by the internet industry to provide the UK internet Hotline for the public and IT professionals to report criminal online content in a secure and confidential way.

The IWF Hotline service can be used anonymously to report content within its remit. The IWF successfully works in partnership with the online industry, law enforcement, government, and international partners to minimise the availability of this content, specifically:

  • child sexual abuse images hosted anywhere in the world
  • criminally obscene adult content hosted in the UK
  • non-photographic child sexual abuse images hosted in the UK.

The IWF helps internet service providers and hosting companies to combat the abuse of their networks through its ‘notice and takedown’ service which alerts them to content within its remit so they can remove it from their networks. The IWF also provides unique data to law enforcement partners in the UK and abroad to assist investigations into the distributors. As a result of this approach the content the IWF deals with has been virtually removed from UK networks. As sexually abusive images of children are primarily hosted abroad, the IWF facilitates the industry-led initiative to protect users from inadvertent exposure to this content by blocking access to it through their provision of a dynamic list of child sexual abuse web pages.

I am proud to be associated with an organisation that has successfully:

  • Assessed over 390,000 web pages over the last 16 years;
  • Had 92,000 URLs removed for containing criminal content;
  • Reduced the proportion of child sexual abuse content hosted in the UK from 18% in 1996 down to less than 1% over the last decade;
  • Gets child sexual abuse content that is hosted in the UK removed within 60 minutes and cut the time taken to remove content hosted outside the UK by half to 11 days; and above all
  • By sharing intelligence with police, aided the identification and rescue of 12 children in the past two years.

 

 

Sunday
Nov 4,2012

Over the last few years, I have repeatedly expressed concern about the potential importance of the threat of an electro-magnetic pulse that could disable or destroy electronic installations.  Such a pulse could come from an errant solar flare or other extreme space weather or it could be produced by a nuclear warhead exploded in the upper atmosphere.  Both could have devastating impacts on ground-based electronic equipment and on electric power grids.

Now comes news of a weapon that could be carried in a cruise missile that can be programmed to disable the electronic systems in individual buildings.  Apparently, the U.S. Air Force and its contractor Boeing, along with Raytheon, have created the High-powered Microwave Advanced Missile Project, or CHAMP, which was just tested over a Utah desert.

The cruise missile, which was launched from a U.S. bomber, was pre-programmed to fly over a target and shoot a burst of high power microwaves at a two-story building. It knocked out rows of personal computers and electrical systems which were shown in a video taken of the test.

Following the first target, the cruise missile then was guided to six other targets, resulting in knocking out all electronics.

Even if this was a US initiative, it sounds as though more effort needs to go into protecting UK infrastructure and critical systems against such attacks – which is more or less what I was saying about three and a half years ago.

Wednesday
Jul 11,2012

The Joint Committee on the National Security Strategy (of which I am a member) has just published a report criticising the Government for failing to take seriously the concerns that it expresses in its First Review of the Strategy.

In particular, the report points out that the Government has failed to respond adequately to the Committee’s concerns about the implications for the National Security Strategy of major shifts in US strategy, of the Eurozone crisis and the potential impact of Scottish independence.

The Joint Committee had urged the Government to press ahead with planning the next national Security Strategy, allowing sufficient time to involve academics and experts external to the Government in the process and to allow the next Comprehensive Spending Review and the Strategic Defence Review to be properly integrated in the process. The 2010 National Security Strategy was rushed and weaker as a result.

The Government has acknowledged that it is “important to start thinking about the work plan” for the next National Security Strategy “well in advance of 2015″.  However, there is no indication that any effort has been made to start drawing up plans to ensure that the next Strategy is a more candid and more explicit document that properly addresses difficult questions.

Even more disturbing is the absence from the Government of any indication that it intends to draw up the next Strategy in a way that achieves a broad national consensus on the foundations necessary to plan for our nation’s security in the longer -term.

Failure to build such a consensus will be a wasted opportunity – without such a consensus any future Strategy will not have abroad enough basis of buy-in and consent and that in turn will weaken the Strategy and also National Security itself.

 

Wednesday
Jul 4,2012

I have only just caught up with this story (courtesy of Naked Security from Sophos) and it is a salutary reminder to make sure that your home wifi connection is properly secured – as otherwise you don’t know who else might be using it and what else they might be doing.

According to the Sophos summary:

“After spotting threats posted online, a heavily-armed police SWAT team broke down the door of a house in Evansville, Indiana, smashed windows and tossed a flashbang stun grenade into the living room where an eighteen-year-old girl and her grandmother were watching the Food Network.

Can you imagine how terrifying it must have felt to have been in that room when the grenade was thrown in, and the house stormed by police with their guns drawn?

Oh, and just a small detail – the police had the wrong house. The home had an open WiFi connection, which meant that it could be used from an outside location.  ….

The somewhat rattled Stephanie Milan and her family were released without charge once the mix-up became obvious, and police looked further afield for the culprit who had posted messages like the following online:

"Cops beware! I'm proud of my country but I hate police of any kind. I have explosives :) made in America. Evansville will feel my pain."

…  The Milans’ door and window are now being repaired at the city’s expense. And presumably the family are taking steps to secure their WiFi connection.”

To make things worse the Evansville police had invited the local TV cameras along for the raid ….

It couldn’t happen here, or could it?

Guess who: Mayor of London Boris Johnson joined riot police on raids of addresses as part of a Met crackdown on burglary and robbery

Tuesday
Jun 26,2012

My good friends at The Risk Management Group have produced “The A to Z of Safe Social Media” (a sister guide to their earlier “The A to Z of Safe Children Online”.  It is available for free download here and even contains a foreword from me!

Monday
Jun 11,2012

A former senior analyst to the US Secretary for Defense has warned that:

“Chinese companies apparently have a covert capability to remotely access communications technology sold to the United States and other Western countries and could disable a country’s telecommunications infrastructure before a military engagement.”

 Writing on Friday, F Michael Maloof reported that:

“The Chinese also have the ability to exploit networks “to enable China to continue to steal technology and trade secrets,” according to the open source intelligence company Lignet, which is comprised of former U.S. intelligence analysts.

The issue centers on the Chinese firm Huawei Technologies Co. Ltd., which U.S. intelligence sources say has direct links to the Chinese government and the People’s Liberation Army, or PLA. These sources assert that Huawei and other Chinese telecommunications firms such as ZTE Corp. have “electronic backdoors” to telecommunications technology sold to the U.S. and other countries.”

This is the same Huawei that I have reported before as providing key components to this country BT network and is being investigated by the US Congress but not by any equivalent UK body.

Huawei tell me that they are much-maligned and say that they are not linked to the People’s Liberation Army, but are just a private company trying to expand their business outside China.

In the UK the Government seems to be unconcerned that increasingly large parts of the country’s critical national infrastructure are under foreign ownership or are dependent for key components on overseas suppliers (there are a series of stories in yesterday’s Sunday Times behind its paywall about Chinese or Russian interests buying into the UK energy supply industry).

It is not clear why it can be assumed that these interests are necessarily benign and the UK Government doesn’t even seem to be interested in asking the question let alone doing anything about it.

How complacent can they get?

 

Monday
May 28,2012

Seven and a half years ago, I warned in a debate in the House of Lords about the risk to the nation’s critical national infrastructure of a concerted cyber-attack, saying:

“As a nation, the systems that are essential for our health and well-being rely on computer and communications networks – whether we are talking about the energy utilities, the water and food distribution networks, transportation, the emergency services, telephones, the banking and financial systems, indeed government and public services in general – and all of them are vulnerable to serious disruption by cyber-attack with potentially enormous consequences.  …

The threat could come from teenage hackers with no more motivation than proving that it could be done, but even more seriously it could come from cyber-terrorists intent on bringing about the downfall of our society. “

The Ministerial reply I was given at the time bordered on the complacent – even though I was assured that it wasn’t:

“there are also terrorists who would challenge and seek to undermine democratic society using any methods within their grasp. It is not complacent to say this; but perhaps it should be made plain that at the moment they do not appear to be interested in attacking us electronically.”

Late last year, the Wall Street Journal reported that:

“British intelligence picked up “talk” from terrorists planning an Internet-based attack against the U.K.’s national infrastructure, a British official said, as the government released a long-awaited report on cyber security.

Terrorists have for some time used the Internet to recruit, spread propaganda and raise funds. Now, this official said, U.K. intelligence has seen evidence that terrorists are talking about using the Internet to actually attack a country, which could include sending viruses to disrupt the country’s infrastructure, much of which is now connected online. The official spoke on condition of anonymity and didn’t say when the infrastructure threat was detected and how it was dealt with.

Terrorists, however, are still more focused on physical attacks that lead to high casualties and grab attention. “For the moment they prefer to cover the streets in blood,” he said.”

Again, the official line was inclined to dismiss the likelihood of an attack …
Now comes news that a video captured by FBI agents last year and now released by the Senate Committee on Homeland Security purports to show an al Qaeda leader calling on ”covert mujahidin” to launch cyber attacks against The video explicitly calls for cyber attacks against the networks of both government and life-sustaining critical infrastructure, including the electric grid, and compares vulnerabilities in U.S. critical cyber networks to the vulnerabilities in our aviation system prior to 9/11.
PHOTO: In this screenshot obtained by the FBI, an Al Qaeda video calls upon the ?covert Mujahidin? to commit ?electronic jihad?.
So – boringly – I was right (again).
The question remains are our cyber-defences going to be adequate.
Saturday
Apr 21,2012

I have been delighted to contribute a foreword to a guide produced by my good friends at The Risk Management Group for parents to help them keep their children safe online.

The guide “The A to Z of Safe Children Online” is available here.

Sunday
Mar 18,2012

Nearly three years I posted about the threat of an electro-magnetic pulse that could permanently disable the electricity grid and most electrical systems.  I followed this up with some parliamentary questions and a further post this time last year that concluded:

“So the good news (heavy irony) is that the Government may have got round to working out what “the reasonable worst case scenario” might be.”

At the risk of coming over all I-told-you-so-ish, we now learn in today’s Observer that:

“Explosions on the sun that blast solar winds towards the Earth have been identified for the first time as one of the biggest threats to the UK’s ability to carry on normal daily life, according to a new official government register of major risks to the country.

A significant event on the sun could leave large swaths of the country without electricity, lead to the immediate grounding of planes, disable communications and even destroy household appliances.

The danger has been prioritised in the Cabinet Office’s National Risk of Civil Emergencies as the sun enters the most active point in its 10-year cycle – its solar max – raising the chances of a damaging burst of radiation, plasma or energetic particles (such as neutrons).

More significantly, the UK is regarded as particularly vulnerable because scientific advances have made the country more dependent on technology than ever before. Ministers have been advised by scientists that the most advanced technology is also the most delicate and that “high levels of energetic particles produced in the atmosphere by solar radiation storms can greatly enhance error rates in ground digital components found in all modern technology”.

The newly published risk register lists severe space weather alongside terrorist attacks, coastal flooding and pandemic influenza as likely sources of “serious damage to human welfare”.

It says: “Severe space weather can cause disruption to a range of technologies and infrastructure, including communications systems, electronic circuits and power grids.”

The register adds: “While storm impacts in the early- to mid-20th century appear relatively benign, dependency on technology vulnerable to space weather has pervaded most aspects of modern life, and therefore the disruptive consequences of a severe solar storm could be significant.”

The threat was placed on the register after a panel of experts, including two scientists from the Meteorological Office, produced a “reasonable worst case scenario” for ministers.”

 Only took a year, so lucky that last week’s solar flare passed off without problems.