It is a fact universally acknowledged that organised criminality is now heavily engaged in cyber-crime.
So much so that a secondary market has developed of entrepreneurs selling cyber-crime services to less technically advanced criminals.
The “malware authoring community” is apparently now promoting its activities on Twitter.
So what next?
An iPhone app?
It sounds as if we are getting close.
I gave the keynote address last week at the International Secure System Development Conference. One of the suggestions I made was that there might be a “kitemark” system on software giving consumers some assurance that industry-agreed security standards were applied in any software that they bought displaying the mark. Some people clearly liked what I said.
The Liberal Democrats held a Special Conference to endorse Nick Clegg’s decision to join a Coalition Government with the Conservatives. The Conference held on 16th May approved the coalition but added a number of conditions. One of these was:
“Conference urges Liberal Democrat ministers and MPs to take all possible steps to ensure the repeal of those sections of the Digital Economy Act 2010 which are inconsistent with policy motion Freedom, Creativity and the Internet as passed at Spring Conference 2010.”
So all those LibDem activists must be really pleased to see that Jeremy Hunt, the (Tory) Culture Secretary has taken their concerns on board and now says:
“We’re not going to repeal it.”
And there is nothing in the Queen’s Speech.
So looks like a betrayal to me.
There are Presidential Elections in Colombia at the end of this month. Whilst there are no doubt attempts to influence the result through scare tactics, the country’s Defence Minister has warned that “hackers plan to disrupt” the Elections. This apparently follows an attempt to disrupt the legislative elections that were held in March that affected the company hired to transmit the results over the internet and explains why the head of the National Electoral Council has said that the voting system is “falling apart”. However, his solution was to propose a wider use of electronic voting systems, which would not obviously deal with the problems if there are concerns about people hacking into the existing systems.
It certainly raises questions about whether enough work has been done on the protection and security of electronic voting systems and of electronic counting systems like those used in the London Mayoral elections.
I hear that, although John Penrose MP is to be a Parliamentary Under Secretary of State in both the Department for Business, Innovation and Skills and the Department for Culture, Olympics, Media and Sport, in practice “digital economy” policy is to be led by DCOMS.
UPDATE: I now hear it is not John Penrose but Ed Vaizey MP who is the shared Parliamentary Under Secretary of State, or at least that is what the No 10 website says – the Cabinet Office website still has John Penrose!
I do wonder about the logic of this. The effective development of the digital economy is going to be vital for UK business. It will require the effective utilisation of British innovation and as a nation we should be investing to a much greater extent in developing the skills of the next generation of the workforce in this area. Surely, this is much more the core role of DBIS?
Maybe David Cameron was not prepared to trust Vince Cable with the overall responsibility for this area of policy.
I have just spoken at the Counter Terror Expo, an enormous exhibition and conference at Olympia. I was standing in for Patrick Mercer who was apparently taken by surprise by the fact that there was going to be a General Election campaign going on when he agreed to speak.
My main theme was that we could envisage that we would be living in a much riskier society over the next twenty-five years. The UK would be in a world:
“in which there will be greater political extremism and conflict and where radicalisers can flourish with a volatile and disaffected population in whose minds their ideas can take root. This will be an environment in which international crime will be stronger and the restraints on it from the international community will be weaker. There will be problems in building an international consensus as to what needs to be done as the current international certainties dissolve into a multi-polar future.
This will be a riskier society as state and city authority break down in many places and where international crime and terrorism can flourish and be nurtured in such lawless areas.
At the same time, society itself will become more vulnerable through its increasing reliance on ICT.”
I recognised the success of the Government’s CONTEST strategy with its four strands: Pursue, Prevent, Protect and Prepare. I pointed out that:
“This has been accompanied by substantial investment. By next year, there will be £3.5 billion spent on counter-terrorism. The number of police engaged in CONTEST has risen by 70% and the Security Service has doubled in size.
The strategy has been effective. Since 2001, 200 people have been convicted of terrorist related offences and over a dozen significant plots have been disrupted. In addition, in the last four years, some 250 people have been excluded from the country on national security grounds or on the basis of their activities.”
But went on to point out that in the future more will need to be done:
“to ensure that the CONTEST strategy builds in expecting the unexpected. We must be ready to look beyond al Qaeda, recognising the developing picture of dissident republicans in Northern Ireland, other political and regional struggles elsewhere in the world (certain in the knowledge that the diaspora from those struggles will be here in London) and new challenges such as those holding extreme ecological views who may have come to believe that mankind is so bad for the future of the planet that that future would be improved if mankind’s population was dramatically reduced.
We must be constantly vigilant about symbolic and iconic sites, economic targets, and all places of mass resort. We must recognise the risks posed by terrorist groups or individuals seeking to have access to CBRN weapons or materials and the implications of both our greater cyber-dependence and the opportunities that that provides to an increasingly cyber-aware opposition.
And at the same time we must continue to work with all our communities to build support for and trust in the responses that are being made.”
And as I said:
“Whoever is responsible for taking counter-terrorism forward after 6th May is going to have their hands full.”
I have just come from a meeting addressed by the Information Commissioner. As an aside, he told us that the end of his reporting year – 31st March – is next week and that he is rushing through adjudications on Freedom of Information Act appeals, so that he can improve his performance statistics before the year-end.
As Information Commissioner adjudications seemed to have provided the bulk of the (limited) substance of the Leader of the Opposition’s contributions to Prime Minister’s Questions earlier in the day, one cannot help but wonder what David Cameron would have done without them (his questioning was otherwise rather thin on substantive attack lines).
In any event, the Information Commissioner seems to be promising more adjudications over the next week – although he didn’t indicate the subject matter. Assuming there is a PMQs in the week after Easter and given that Nick Clegg seems to be working hard at his David Cameron-lite look, we now know where the Leader of the Liberal Democrats will be looking for his inspiration …..
Admiral Lord Alan West, the Security Minister, has spoken out today about the cyber-threat that Britain faces. I am pleased that he has tackled the subject so directly. Too many businesses and too much of Government have been complacent about what has been happening for years.
When I first started raising the problem in the House of Lords more than five years ago, I was repeatedly assured that there was no significant threat and that the protection around the critical national infrastructure was more than sufficient to fend off any problems.
When I started asking questions of each Government Department about how often their systems had been compromised, it was apparent from the answers that some Departments simply didn’t know. I was clearly making progress when two years ago, I started being told it was “not in the national interest” to divulge the information.
When I found three reputable penetration-testing companies prepared to check Government systems pro bono, I was assured such external testing was not needed.
Now – at last – the real and present danger of such cyber-attacks is being acknowledged and the necessary systems to combat it are starting to be put in place. I just hope it is not too little too late.
Scott Charney, the Microsoft Vice President in charge of Trustworthy Computing, is speaking today at the RSA Conference in San Francisco. He is re-stating both Microsoft’s commitment to “End-to-End Trust” and the need for business, government and the public to work together to ensure that those using the internet are safe and secure.
The message is an important one: responsibility for internet security has to be shared. The House of Lords Committee on Personal Internet Security, on which I sat, reported nearly three years ago and used a road transport analogy to make the point: safe road use requires responsible behaviour by drivers and pedestrians, but cars need to have safety features embodied in them, roads themselves need to be well-maintained and properly lit, there need to be laws regulating safe behaviour on the roads (speed limits etc) and those laws need to be properly enforced.
If anything the message has become even more important since our Committee reported. More and more commercial and personal interactions take place on line. Social networking sites are booming and an increasing proportion of commerce is conducted via the internet.
The threats to security have also become more pronounced. The threats are no longer from isolated individuals, but from organised crime and it is also becoming abundantly apparent that some nation states are operating in the same way to infiltrate commercial and government networks for their own purposes.
And the technology itself is developing. Cloud computing is becoming the norm and this presents its own challenges. Certainly, this has raised the issue of security for many people (although it is not automatically a given that the security of data held in a cloud is necessarily worse than if it is held on your own servers, particularly if it turns out that they are inadequately protected).
So how do we move forward?
Partnership is certainly essential. Governments have to work together in setting an international framework for collaboration and for law enforcement. And at a national level they must also work with IT service providers and with business in general.
But above all, the individual user must be at the heart of all this. Sensible security arrangements that make sense to the individual have to be devised. It needs to be acknowledged that most individual users of the internet, whether they are trying to do their weekly shopping or organise their social lives, are rushed and busy. Moreover, they are not technological experts. They have inadequate levels of knowledge, so an error message or system alert that makes sense to an IT professional will probably be gibberish to most of us.
And critical to all of this is the need for robust identity management.
Surely, it is not too much to ask that people can feel confident that their personal details are secure, that they can communicate with others secure in the knowledge that the person or organisation with which they are communicating is who it says it is, and that when they are asked to identify themselves they need reveal no more about themselves than is necessary for the transaction concerned.
If today’s discussions at the RSA Conference take us further towards those objectives, we will be making real progress and we can all feel more hopeful that a trusted and secure internet environment is being built.
The ubiquitous Guido Fawkes reports this morning that he has received personal details of every Conservative Parliamentary candidate – courtesy (presumably a mistake) of Conservative Central Office.
Looks like a potential breach of the Data Protection Act to me.
And the Information Commissioner can now levy heftier fines …..