What is the threat?

Few areas of our lives remain untouched by the digital revolution. Across the world, there are now more than 1.8 billion broadband internet users and four billion mobile phone accounts; every 24 hours, we send 247 billion emails and ten billion SMS messages. Modern society depends on the continued availability, accuracy and confidentiality of Information and Communications Technology (ICT). We need it for our economic health, for the machinery of our governments, for national defence and for our day-to-day social and cultural lives.

Of course, this increasing dependence means that everyone – from individuals and communities to businesses and governments – is potentially exposed to significant risk. Protecting information is challenging enough in a relatively benign environment without the threat of a targeted cyber attack or the risk from inadvertent information accidents. Access over the Internet to sensitive information, financial resources, intellectual property and control systems makes all nations, especially those with knowledge-based economies, highly vulnerable to a growing range of new threats, from disruption and denial of service to fraud and theft. Evidence is also gathering of a more advanced and persistent threat capable of bypassing current network security measures and causing potentially catastrophic damage to national infrastructure.

Information security risks in an uncertain world

There are several reasons why such cyber attacks are attractive:

  • Information is valuable – much of the economy is underpinned by knowledge, know-how and intellectual property. Many organisations, particularly those in government and engineering, pharmaceuticals and manufacturing, invest heavily to build differentiated products and approaches. Similarly, pricing and bid information is particularly valuable to services companies. Criminals, unscrupulous competitors or nation-states can gain access to this information to obtain an unfair advantage. 
  • Information needs to be kept confidential – protecting confidential information is not just the responsibility of its originator. When it is shared with other organisations or trusted agencies, the responsibility for protecting it in accordance with relevant legislation is multiplied. A determined attacker need only find the weakest link in the chain. The loss or theft of the information can have implications for citizens, customers, industry, government departments and even entire nations.
  • Information needs to be accurate – some attackers set out to corrupt or delete valuable data rather than steal it. If these acts go unnoticed, the impact can be devastating – important bids lost, engineering designs rendered dysfunctional, patients misdiagnosed or incorrectly medicated. But the potential loss of trust can have far wider-reaching implications, not just for companies but also for government services.
  • Information needs to be made available – many organisations and governments depend on being able to provide ‘always-on’ services to a wide customer base or group of citizens. The loss of these services, even for a short time, can have a major impact. This is particularly important for organisations that form part of Critical National Infrastructures or where the provision of key services is time-sensitive, such as in the financial markets.
  • Information can affect infrastructures in the real world – the recent discovery of the ‘Stuxnet’ worm illustrates just how much cyberspace and the real world now overlap. Attacks in cyberspace can have an impact on the real world. For example, an attack on utility companies could mean the disruption of water, sewerage and electricity services.

Advanced persistent threats

Significant harm can result from cyber attacks that originate from determined and malicious sources, especially organised criminal groups. The principal aim of these attacks (sometimes referred to as ‘Advanced Persistent Threats’ or APTs) is to disrupt operations or steal sensitive information — for example protected or classified government information, valuable intellectual property, and financial or pricing data.

Most security departments employ anti-virus, intruder detection systems, spam filtering, firewalls and other point-security solutions designed to defend and protect their infrastructure and information assets. No matter how rigorous they are, these can only provide effective defences against attacks characterised by known signatures or obvious traffic anomalies.

Determined attackers will simply adapt their behaviour to use less well-known or entirely new methods and tools until they get a foothold in the organisation. In some cases, attacks will exploit a newly discovered and unpatched vulnerability in application software – a so-called ‘zero-day attack’ – and are unlikely to be detected by conventional security systems. Our experience shows that as few as ten per cent of such vulnerabilities are found and fixed in any year. Given how widespread some software applications have become in government as well as industry, zero-day attacks represent a very significant risk.