British Intelligence Speaks Out On Cyber Threats

Jonathan Evans, head of Britain's internal security service, MI5, warned British civic and business leaders that cybercrime has become as serious a threat as terrorism.

Evans issued his warning in the inaugural Lord Mayor's Defense and Security Lecture, delivered at Mansion House in London. His remarks came on the eve of the Olympic Games, which called attention to more traditional security threats such as terrorism.

But cyber threats, said Evans, also pose risks to businesses, which he said are comparable to the threat posed to the public and public agencies. He noted that cyber attacks cost one London-based company 800 million British pounds (more than $1.25 billion) in intellectual property losses and contractual negotiation setbacks. Evans characterized these cyber attacks as "state-sponsored."

In fact, cyber attacks are now coming from a broad range of sources, including state-sponsored hackers, independent but politically motivated "hacktivists," and criminal organizations. The lines among these may sometimes be blurred.

Another factor that is increasing the risks from cyber attacks is the emerging "internet of things." The Internet no longer just links stand-alone computers and communications devices. It now also links a host of consumer and industrial devices – meaning that hacking can now have direct physical consequences.

The potential consequences of hacking the "internet of things" have been vividly demonstrated by the Stuxnet worm, which reportedly wrecked thousands of centrifuges used in the Iranian nuclear program. Stuxnet evidently took over the centrifuges' control systems, ordering them to overspin and thus self-destruct.

Stuxnet is widely believed to have been created by the US, Israel, or both working together. The same teams may have developed the Flame surveillance virus as well as the newly reported Gauss virus, which is reportedly stealing bank information across the Middle East.

These examples demonstrate both the power of cyberweapons and the readiness of major powers to deploy them. And there is no Geneva Convention to protect civilian data. Companies should take note, and safeguard themselves accordingly.

The security principles set forth in industry standard ISO/IEC 27002 provide a framework for effective security, built around the cycle of Plan, Do, Check, and Act (PDCA). Many good security products are on the market, but all are designed to meet specific threats – and will not block other threats. At GRT Corp. our security philosophy is built around these words by noted security expert Dr. Bruce Schneier: "Security is not a product, but a process."