Page 104

CEP template 2012

Cyber security: The threat to governments and business John Hawes Hacking and malicious software have become very real and very serious threats to consumers, businesses and governments alike. When this is combined with the increasingly complex international cybercrime investigations and prosecutions, the growth of as yet unregulated ‘crypto-currencies’ such as Bitcoin and a growing awareness of privacy issues among the general public, there is a lot for governments to do to ensure they are properly addressing the issues of online security and safety. Malware and cybercrime affect us all The year 2014 was a bumper one for cyber threats of all kinds, and 2015 is likely to bring further breaches at major corporations and institutions. With the internet underpinning an ever larger proportion of our communications, entertainment, banking, commerce and interaction with public service providers, anything that dents our confidence in its security will reduce the uptake of cost-saving online services, just as it impacts trust in the organisations involved. The hacking and malware threat has also moved firmly into the political arena, with numerous incidents of data-stealing software targeting politicians and government institutions discovered and blamed on nation states in the last few years. At least one major threat, the Stuxnet worm – which, discovered in 2010, targets nuclear processing equipment in Iran – is now generally believed to have been orchestrated by Western government agencies. Over the last few years most national disputes have spawned at least some form of online offshoot. While so far these have mostly been little more than digital vandalism and propaganda, such as the social media compromises routinely perpetrated by the ‘Syrian Electronic Army’, there have been indications of more serious attacks targeting critical infrastructure. There are also indications that government-sponsored hackers are targeting foreign business interests as well as spying on foreign diplomats, with both the USA and Canada openly accusing China of industrial espionage in 2014. Relations between the USA and North Korea were heavily strained throughout late-2014/early-2015 after a cyber-attack on the systems and data of Sony Pictures Entertainment led to extensive leaks of sensitive data and pressure on the firm to suppress one of its films. This attack was widely claimed (including by the FBI) to be the work of North Korean hackers. All this means a lot of effort is required of governments around the world, from a number of angles, to keep the heavily relied-upon online world from collapsing under the weight of fraud, theft, impersonation and improper access to protected systems. Consumers need to be reassured of the relative safety of conducting their lives online, educated on how to improve their safety, and shown how to deal with incidents of fraud and impersonation. Businesses need to be regulated and monitored to ensure the proper efforts are being made to protect corporate networks and the data held on them, which often includes highly sensitive information on clients and customers and also, in some cases, sensitive internal information that may be of interest to rival businesses. Perhaps most importantly, government bodies designing and implementing digital services need to ensure the highest standards of security are built in from the start. Governments need to store vast amounts of information on the people, organisations and businesses under their aegis. Much of this information is highly confidential and sensitive, and any leak, loss or misuse of this data can be hugely damaging both to the institution holding the data and the individual or body to which the data relates. Health services are particularly at risk, given the combination of extremely sensitive information and the need for rapid access in emergencies. At the other end of the scale, governments need to operate critical infrastructure such as power generation and supply, waste removal and disposal, and transport. These areas are also increasingly controlled by computers that are, in turn, increasingly connected to the internet for centralised operation and monitoring, which puts the stability of infrastructure at great risk should those computers or the communications between them be compromised by malicious actors. Military resources and activities are similarly delicate targets for both espionage and terrorism. Outdated and vulnerable authentication methods One of the major issues underlying all these problems is authentication: the way we confirm people are who they claim to be when granting access to information systems and services. In the flesh-and-blood world, many institutions still rely on outmoded methods of identifying people, such as signatures, social security code numbers (SSNs) or the possession of ‘official’ paperwork such as utility bills as proof of address. We also continue to treat bank account and credit card numbers as secrets that should only be known by their proper owner. Similarly, online we mostly depend on simple usernames and passwords to access accounts of all kinds, and traditional backup methods relying on personal information (‘mother’s maiden name’, ‘name of your first pet’ and so on) are also highly dubious in a world where vast amounts of information on just about anyone can be dug up in moments. Commonwealth Governance 102 Handbook 2014/15


CEP template 2012
To see the actual publication please follow the link above