guardian.co.uk,
Nick Hopkins, Thursday 3 May 2012
Shaw said
the UK had to develop an array of its own cyber-weapons because it was
impossible to create entirely secure computer systems. Photograph: Daniel
Law/PA
Computer
hackers have managed to breach some of the top secret systems within the
Ministry of Defence, the military's head of cyber-security has revealed.
Major
General Jonathan Shaw told the Guardian the number of successful attacks was
hard to quantify but they had added urgency to efforts to beef up protection
around the MoD's networks.
"The
number of serious incidents is quite small, but it is there," he said.
"And those are the ones we know about. The likelihood is there are
problems in there we don't know about."
Government
computer systems come under daily attack, but though Shaw would not say how or
by whom, this is the first admission that the MoD's own systems have been
breached.
The Serious Organised Crime Agency, took its website offline on Wednesday night after
becoming the target of a cyber-attack. A spokesman said the attack did not pose
a security risk to the organisation.
Shaw, a
veteran of the Falklands and Iraq wars, also said the MoD had to be prepared to
embrace unconventional and "wacky" ideas if the military wanted to
catch up with, and then stay ahead of, rivals in the cybersphere. Getting
"kids on the street" to help the military was vital, he said.
"My
generation … we are far too old for
this; it is not what we have grown up with. Our natural recourse is to reach
for a pen and paper. And although we can set up structures, we really need to
be on listening mode for this one."
He added:
"If we want to work the response, if we want to know really what is
happening, we really have to listen to the young kids out in the street. They
are telling us what is happening out there.
"That
will pose a real challenge to us. This thing is moving too fast. The only
people who spot what is happening are people at the coal face and that is the
young kids. We have to listen to them and they have to talk to us."
A former
director of UK special forces, Shaw, 54, said he thought the military could
learn a trick or two from firms such as Facebook.
The company
has a "white hat" programme in which hackers are paid rewards for
informing them when they have found a security vulnerability.
Nine people
in the UK have been paid a total of $11,000 (£6,785) for working with Facebook.
Shaw said this was the kind of "waacky idea we need to bring in".
Shaw has
spent the last year reviewing the MoD's approach to cyber-security, and the
kind of cyber-capability the military will need in the future.
He says
next year's MoD budget is expected to include new money for cyber-defence – an
acknowledgment that even during a time of redundancies and squeezed budgets,
this is now a priority.
The general
said the MoD wasn't "doing badly … but we could do a hell of a lot better.
We will get there, but we will have to do it fast. I think it was a surprise to
people this year quite how vulnerable we are, which is why the measures have
survived so long in the [budget] because people have become aware of the
vulnerabilities and are taking them seriously."
China and
Russia have been accused of being behind most of the sophisticated
cyber-attacks, with state-sponsored hackers targeting military secrets from
western governments, or intellectual property from British and American defence
firms.
Shaw
refused to point the finger at any nation, but admitted the UK was "trying
to engage the Chinese on rules of the road in cyberspace", pressing the
argument that new international treaties are not necessary to stop this kind of
theft and espionage.
Shaw said
the number of attacks was "still on an upward curve … and the pace of
change is unrelenting".
In his last
interview before retiring, Shaw said the UK had to develop an array of its own
cyber-weapons because it was impossible to create entirely secure computer
systems.
"It is
quite right to say that pure defence, building firewalls, will not keep the
enemy out. They might be inside already … there is no such thing as total
security. You have to learn to live with certain insecurities.
"One
needs to engage in internal defence and be quite aggressive about it. And if
you are going to manoeuvre in cyberspace, that is something that obviously
involves action across the spectrum."
Shaw said
he intended to "mainstream" cyber-capabilities across the MoD by
2015. This included ensuring military commanders had a range of cyber-options
to use from a "golf bag" of weapons systems.
But he
thought cyber-weapons would complement rather than replace more conventional
weapons.
"As
new capabilities come on the block, you reassess whether you need the old ones,
whether they are complimentary or duplicatory.
"People
have asked me whether cyber-weapons will make conventional weapons redundant.
Absolutely not. A hard bomb is actually quite a good cyber-weapon because it
can take out a broadcasting station, take out a server."
The
military top brass, he said, had been the "hardest to convince" about
the cyber-threat, because high-ranking officers tend to be set in their ways.
"We are the wrong guys to deal with this."
Shaw said
it still surprised him that the MoD's headquarters in Whitehall "is the
only building, main defence security establishment, where you don't leave your
mobile phones and Ipad in a box outside your office … people's personal
behaviours are not good enough. When we look at cyber-security in the MoD, we
are looking at preserving intellectual property and our networks and stopping
people spying on us.
"The
real challenge is how we secure our supply chains. We are dependent on industry
for our technological edge … and preserving that intellectual property is
absolutely vital."
He added:
"Cyber implies something technical. To the average person in the street,
cyber means it is someone else's problem. But it is everyone's problem. We
can't just leave it to the techies."
An MoD
spokesman said: "The MoD takes all possible precautions to defend our
system from attack from both unsolicited, for example 'spam' email, and
targeted sources. It would be both misleading and naïve to assume that any
system is 100% secure against all possible threats which is why we take
additional steps to detect suspicious activity within our own systems.
"We
also ensure that our most sensitive networks are not connected to the internet
and have additional physical and technical measures in place to defend
them."
No comments:
Post a Comment