Battling the rising tide of cyber crime demands a local, national and global response, but above all common sense, writes Kyran FitzGerald.
IN the past week, more than a million people discovered — some for the first time — what it is like to be a victim, or at least potential victim, of a criminal conspiracy carried out online.
On Tuesday last, it emerged that over 500,000 credit card customer accounts may have been compromised, while the names, addresses and phone numbers of 1.12 million people may have fallen into the wrong hands.
The firm targeted by the suspected cyber criminals, or hackers, Loyalty Build, acknowledged a major security breach. It has shipped a very big hit.
Also badly affected are customers of Loyalty Build including Super Valu, Axa and Stena Line. The attackers had concentrated on holiday promotions run by these companies through Loyalty Build.
By coincidence, the Institute of International and European Affairs organised a conference on Friday at the Mansion House in Dublin.
The keynote speaker was Michael Daniel, President Obama’s US cyber-security coordinator.
Mr Daniel warned that the threat posed to cyber security at all levels is becoming broader due to the spread in online technology. Malware is getting harder to detect. ‘Phishing’ by the cyber criminals is now much harder to detect than it was in the days when ‘Princes of Nigeria’ were offering generous payouts in exchange for bank account numbers.
“Everyone on the Net lives at the edge of the network. Security is a shared responsibility. It cannot be assigned to any group,” he warns.
The US cyber chief says we must accept that networks are penetrated and with this in mind, constantly test systems and have in place back-up plans. Organisations, public and private, must share information rapidly and frequently.
“Cyber security is a team sport. No single entity has all the competencies needed.”
The real concern is that the attackers could take down major national infrastructure such as electricity networks.
Estonia, South Korea and Saudi Arabia’s top oil company have all been targeted in recent years. The finger has been pointed at North Korea, Russia, China and Iran. Western intelligence agencies, too, are accused of using underhand techniques in this game of dirty underground IT tricks.
The Snowden revelations have been particularly damaging to the reputation of the US, serving as a reminder that as far as Washington is concerned, nations have no real friends, only interests.
Estonia is a particularly interesting example. Its Government has been particularly go- ahead in the technology sphere. Over 85% of its citizens have security encrypted ID cards. The use of digital signatures is common. One quarter of Estonians now vote online in national elections.
In 2007, it was the victim of what appear to have been state -sponsored attacks. Little damage appears to have been done, due to the vigorous response of the Estonians, who harnessed private sector expertise to fight off the attacks.
In 2010, Estonia formed the cyber defence league, a volunteer organisation of IT security specialists, run from the Ministry of Defence. The country’s main technology institute now offers an MA programme in cyber security and the capital, Tallinn, hosts NATO’s cyber defence centre of excellence.
Heli Tiirmaa-Klaar is a top EU cyber security advisor. She warns that Europe is behind the curve on cyber security, lacking institutions, proper coordination, skilled people and awareness. The problem is that traditionally hierarchical Governments find it hard to deal with nimble criminal entities.
“When you put networks against hierarchies, the latter will lose.”
Currently, there are three different models for combating this type of crime: The Nordic, based on public-private partnership; the British, based on state agencies like MI6; and the Continental-French, which favours prescriptive regulation.
Slowly but surely, Western powers are moving to grasp the nettle. President Obama has issued an executive order aimed at promoting partnerships among owners of critical infrastructure. Cybersecurity is now a core concern in US foreign policy, says Mr Daniels. Law enforcement cooperation between the US and Europe, in particular, is a major focus.
Brian Honan is the founder of the Irish Reporting and& Information Security Service. He also lectures on IT security at the UCD Centre for Cyber Security.
“Four hundred and thirty two incidents were reported to us in 2012. The criminals are looking not only to steal data, but also intellectual property and personal information. Underground markets in the sale of credit card data have developed,” he says; spam attacks and ‘botnets’ where viruses are sent out, seizing control of networks. “Computers take part in attacks without the knowledge of their owners,” he says, adding that 74% of incidents last year involved ‘phishing’ emails sent to systems.
Honan dismisses the idea that teenage boys playing heavy metal in basements are behind many of the attacks. Rather, 95% of attacks are run through organised crime.
AND the problem is that we make it too easy for them. Many of us fail to update anti virus software. Our passwords are easily accessed, often because we use the same passwords, or easily guessed-at variants. Our computer servers are not ‘patched’ — that is, kept in good order, regularly.
All too often, firms end up paying ransoms to the criminals to prevent expensive loss of data. The message is clear: Keep systems in order. Carry out regular checks. Cooperate with other firms.
Dr Ian Levy of Britain’s GCHQ warns against falling prey to tech salespeople. “If someone tries to sell you a security system and they can’t explain what it is, don’t buy it.” And he warns against cyber hype. “There are not omnipotent cyber ninjas out there. It is just code!”
The key is regularly auditing a system and, as the Estonian experience shows, cyber security — global, national and local — is as much about commonsense as anything else.
© Irish Examiner Ltd. All rights reserved