Just got back from Cyber Security 2011, another information security event in central London with an impressive list of speakers ranging from former home secretaries David Blunkett and John Reid to Europol assistant director Troels Oerting and the government deputy CIO, Bill McCluggage.
Standout for me, however, was major general Jonathan Shaw, head of the defence cyber operations group at the MoD, who certainly didn’t pull his punches in sharing his judgement on the UK’s cyber security posture.
“It’s a bit like the 80s when everyone knew about AIDS but were shagging without condoms anyway,” he told the attendees.
Fair point, if a little bluntly put. As was his remark that the UK is behind Estonia in terms of cyber readiness. We need to move from being a country in “pre attack mode” to one, like the Baltic state, in “post attack mode”, where security is taken far more seriously by all citizens, he argued.
It’s surely only a matter of time before a massive cyber incident hits these shores, knocking out key national infrastructure, but will that be enough to focus minds on the importance of “cyber hygiene”, as Shaw called it?
I’m not so sure. It’ll certainly take more than a Get Safe Online campaign to do it, although if Shaw’s estimate that 80 per cent of threats could be nullified by such measures is true, it is certainly an end goal we need to try and achieve.
Some of the key parts of the strategy include:
- a cyber security ‘hub’ where government and businesses will be able to exchange information on threats and responses, with GCHQ at the forefront of this cross-fertilisation of skills and knowledge.
- a cyber crime unit to be set up within the new National Crime Agency with input from the Met’s PCeU and Soca’s e-crime unit.
- a single fraud reporting system for cyber crime.
- recognition of the need to protect critical infrastructure, with the strengthening of the Centre for the Protection of National Infrastructure.
- creation of a new Joint Cyber Unit hosted by GCHQ which will further develop military capabilities.
- user education was also highlighted as key, with Get Safe Online’s web site getting a revamp, and the government will also work with ISPs to form a new voluntary code of conduct to help users identify whether their computers have been compromised and what they can do about it.
- finally, on the international front, the government said it would continue to foster dialogue between countries and companies, as at the recent London Conference on Cyberspace which I reported from.
All told I think the government has made a pretty good stab at things here. Although it has been a long time coming, I can’t really think of an area which it hasn’t addressed and in general the commentators are all making the right noises about this one.
The tone seems to be very much one of engaging with the private sector, of knowledge sharing and of improving user education, which experts in the industry have been crying out for for so long now.
My only slight concern is that there has so far been no mention of exactly how much money Get Safe Online will get. It blatantly needs a significant profile boost as despite the best efforts of Tony Neate and co, it is still somewhat marginalised.
The other worry is that the PCeU will also lose its voice if it is subsumed into a larger National Crime Agency body, just as the NHTCU was when its work was folded into Soca.
These are minor concerns though, and the government is certainly on the right path. Trend Micro EMEA director of security research Rik Ferguson even went so far as to tell me that if it delivers on the report’s goals, “it will put us in a leading position in Europe and globally to prevent online crime in the first instance and take action where it does arise”.
He also explained that the government had consulted heavily with industry to draw up the strategy, which in itself is a positive step. The only way to make headway against cyber crime / warfare is to take an inclusive, collaborative approach like this – government and industry together is a far more formidable prospect for the bad guys.
So I’ve just been working on a story here about yet another phishing incident, this time affecting Xbox Live customers.
Some reports suggested the criminals involved managed to pilfer millions of pounds from their Xbox victims all over the world, cunningly only siphoning off small amounts of money to avoid detection once they’d managed to phish the initial bank account details.
One thing really struck me looking at this story, having recently spoken to Cryptocard MD Jason Hart (it’s an authentication security firm, if you were wondering). That is, Microsoft was very quick to clarify that its Xbox Live service was not hacked in any way, which is lovely for them, but short on long term answers.
Redmond said how it was helping all its affected customers in any way it could, by trying to “investigate and/or resolve any unauthorised changes to their accounts” which may have occurred as a result of the phishing, but what about preventative measures?
It became clear to the banking community some time ago that one time passwords and two factor authentication were the way forward. When are the big gaming companies finally going to realise that it does their reputation no good at all when stories like this one get out?
It will only take one firm, I predict, to set the ball rolling and soon they’ll all be at it, which will be good news all round for customers and the industry in general.
… And this is it. My own personal piece of the web. Expect to find in the coming months and years a healthy dose of opinion, analysis and commentary on any technology related topics that take my eye. I’ll also try and post links to or excerpts from some of my more interesting content that gets published elsewhere.