I have heard a number of stories about breaches in information security at the Ministry of Defence in the last week. It sounds as if the problems occurred in a number of places with malicious code compromising a series of computers, including some on board Royal Navy ships. It has also been suggested that not only did this lead to a variety of system breakdowns but also that information was transmitted away from the secure system.
If these stories are true, it is significant at a number of levels: first, it would appear to have been a co-ordinated attack on multiple systems (therefore highly organised and credibly sponsored by a nation state); second, it appears to have caused major disruption; and third, it successfully penetrated the existing information security systems.
I have been concerned for a number of years about the inadequate priority given to the information security of the UK’s critical national infrastructure. When I first started raising this in Parliament with a series of questions, I was essentially told that the Government was satisfied that there were adequate protection systems in place and that in any event there was no evidence or intelligence to suggest that either other nation states or terrorists might seek to exploit any information security vulnerabilities.
Since then, we have seen the Titan Rain cyber-attacks on US and UK systems in 2007 (allegedly sponsored by China), and cyber-disruption aimed at Estonia and Georgia in 2008.
The UK Government has started taking the threat much more seriously than it did and I am not in a position to know whether the arrangements now in place are sufficient. However, this week’s reports of the attacks on Ministry of Defence computers suggest that there is still a lot more to be done.
For about four years, I asked a series of Parliamentary Questions of each Government Department about the number of incidents of malicious breaches of their IT systems. The answers obtained were interesting if not very meaningful. Each year, by far the largest number of breaches were reported by the Ministry of Defence. This possibly suggested that their systems were the subject of more attacks, but certainly indicated that they had the best system for monitoring what was going on within their IT systems. In a sense, much more worrying was the fact that up to half of Government regularly reported that they had suffered no malicious attacks whatsoever. This, of course, could mean that their systems to avoid malicious penetration were perfect or that their systems were regarded as so boring that no-one had bothered to attack them. Much the more likely explanation, however, was that their systems were not detecting when they had been attacked.
Last year, my Parliamentary Questions were answered with a standard answer that “it was not in the national interest” to provide the data as it might provide assistance to those who were trying to undermine our national security. It is therefore impossible to gauge the significance and relative scale of the latest attack. However, if it raises the importance attached to having the highest levels of information security surrounding the UK’s critical national infrastructure, then some good will have come of it.
At the moment, I am not sure whether there is anything to be gained by trying to get more details of what has happened and more importantly what is being learned from the latest attack. Maybe I will feel more energised tomorrow ….