The past few months have seen a number of cyber attacks in the headlines, including (and by no means limited to):
• an attack on the International Monetary Fund (which installed software designed to give a nation state a “digital insider presence”);
• Citigroup Inc was assailed by hackers using a customer-facing website to bypass conventional safeguards and steal the account details of more than 200,000 customers;
• Google was targeted by hackers attempting to break into the personal Gmail accounts of hundreds of top US officials, military personnel and journalists last month;
• an attempted attack on the security networks of US military contractor Lockheed Martin;
• in April, the Sony Playstation network was disabled after hackers stole the personal data of around 100 million accounts; and
• an attack in March on the e-mail systems of the European Commission, which followed the hacking in January of the EU Emissions Trading Scheme resulting in the theft of €30 million of carbon allowances from national registries.
In response to the recent spate of attacks, governments around the world have voiced proposals to enhance cyber security for their own systems as part of their national defence strategies, and to introduce legislation to protect the systems of others.
Direct government action
As part of its strategic defence and security review, the UK government has set aside a fund of £650 million to improve cyber security. Part of this fund is being used by the Ministry of Defence to recruit cyber experts to reduce the UK’s vulnerability to cyber attacks and espionage, as well as to bolster the UK’s critical infrastructure and vital government networks.
In addition, the UK military is developing a toolbox of “cyberweapons” to be used offensively in response to cyber attacks or threats, although the nature of the weapons under development cannot be disclosed at present.
The European Commission is also currently setting up a Computer Emergency Response Team (CERT) of IT security experts to review the Commission’s systems and assess how a full-scale CERT should be set up for European Union institutions.
Legislation in the pipeline
Last September, the European Commission put forward a proposal for a Directive on Attacks against Information Systems. The draft legislation (i) lists crimes such as illegal access to, or unauthorised interference with, IT systems, the theft or deletion of data and the interception of non-public data transfers and (ii) introduces longer criminal sanctions for transgressors. The UK took the decision to opt into the directive in February this year.
This month, the UK also ratified the Budapest Convention on Cybercrime, which it signed in 2001. The international treaty seeks to harmonise national laws, improve investigative techniques and increase cooperation among signatory countries on issues such as hacking, online fraud and infringement of intellectual property rights, and will come into force in the UK on 1 September 2011.
Responses worldwide
In the US, meanwhile, the Pentagon is expected to release the unclassified sections of its first formal cyber strategy next month. As widely reported in the press, the Pentagon has taken the view that a cyber attack originating from another country could constitute a use of force synonymous with an act of war, permitting the US to respond with military force. The strategy’s object therefore, at least in part, is to act as a warning to potential saboteurs.
Similarly, the Australian government announced last week that it will begin work on a major new whitepaper to provide clarity on cyber security issues, which is expected in the first half of 2012.
Opportunities for the cyber security sector
What is increasingly evident is that there are numerous opportunities for technology companies to cater to the mounting need for cyber security, and for individuals to do well in this burgeoning industry.
To encourage more people to consider entering the cyber security profession, the Cyber Security Challenge 2011, a competition sponsored by the Cabinet Office, The Open University and numerous industry leaders, was launched last month. Prizes include bursaries to undertake university courses, internships and access to professional expertise in the cyber security sector.
Legal advisors to the defence industry need to get to grips with the cross-departmental nature of the challenge, as well as the variety of tactics used by cyber-criminals.