By all accounts, May seems to have been a terrible month for the security of government computer systems.
First the Serious Organised Crime Agency (SOCA) announced that they were taking their website offline, after an attack claimed by a hacker group.
Then in an interview with the Guardian, Major General Jonathan Shaw, who has spent the past year heading a review of the Government’s online security, announced that a number of Ministry of Defence (MoD) computers had been compromised, and it was likely that there were other problems still undiscovered.
So are these incidents related? And if so, does it mean that we are losing the war against computer crime? And should we be scared?
Well, I have some good news, some very good news, but also some bad news.
The good news is what I have just christened Rowntree’s first law of computer journalism. It enables anyone, without any technical knowledge whatsoever, to decide if an article on computer security has anything useful to tell them, and it reads:
The amount of insight in a computer security article is inversely proportional to its use of the word ‘cyber’.
A cyber or two sprinkled in an article to spice up a boring piece is understandable, but if cyber-chiefs are preparing cyber-weapons to defend against cyber-attacks in cyberspace, you can relax in the knowledge that the article contains absolutely no useful information at all.
Most of the pieces reporting these two stories fell into the latter category, so the good news is that you can safely ignore virtually all of them.
The very good news is that the SOCA attack and the MoD compromises are almost certainly not related.
The SOCA attack has been widely attributed to the anarchist hacker collective LulzSec. This is despite the group having previously announced it was disbanding, following a string of arrests of alleged members.
But the attack was certainly of a type made by these kinds of groups, and was more akin to vandalism than espionage. It exploited a weakness of all websites – that while they can be viewed by more than one person at a time, there is an upper limit to how fast the computer that runs a site can churn out data. The attackers control a large number of computers to make a vast number of simultaneous requests to the website, effectively drowning it, and preventing anyone else from using it while the attack continues.
However, such attacks rarely do any real damage. The victim needs only take their site offline until the attack finishes. We assume that SOCA aren’t crazy enough to put any sensitive information on a computer connected to the internet, so at its worst, the SOCA attack simply denied the public the opportunity to laugh at their preposterous logo for a few hours.
In contrast, the MoD compromises are almost certainly espionage rather than vandalism.
Most governments now have computer espionage departments. Their main problem, as for the hackers attacking SOCA, is that the spies don’t put their database of double-agents on computers connected to the internet, so humans usually need to be compromised as well.
There have been some well-known compromises at defence agencies around the world, but they have usually relied on human fallibility, such as someone plugging an insecure USB stick into a secure computer, leaving a laptop on a train, or emailing sensitive information to their gmail accounts.
In his interview, Major General Shaw told the Guardian that some of these compromises have involved the MoD, and this is widely known.
He also said that there are likely to be some compromises that have not yet been discovered, and of course this is also true, just as there are thieves, fraudsters and even murderers still pacing up and down at night, hoping they won’t be found out. The police have always been one step behind the criminals. It’s how law enforcement works, after all.
But the very good news is that the anarchist hackers, who seem to be able to bring down public-facing websites at will, are mostly powerless against national governments, so long as the agencies involved follow basic and routine security procedures.
So much for the good news. The bad news about computer security is that the real problems are rather closer to home.
There was a time when computer hackers wrote virus programs that wanted to wipe your hard drive and print a rude message on your screen. You might almost get nostalgic about those times, because they are long gone. Today, hackers try to write programs that slip into your computer via the back door, and lurk there quietly, undetected.
Computer hacking is now a vast online industry, and the fastest growing branch of organised crime. The most lucrative areas, such as sending unsolicited (spam) emails, and stealing online banking details or credit card numbers, rely on the criminals being able to build up vast networks of infected machines to do their dirty work for them.
And the networks really can be enormous. When one was dismantled in 2010, it was found to contain over 30 million computers, and be capable of sending over 3 billion spam emails a day.
Many of these computers are also scanning likely areas of the internet for vulnerable machines to add to their rogue network, and number of computers doing the scanning is now so large that every connection to the internet is being scanned around once a second, in case a vulnerable computer happens to connect there.
The elephant in the room, is that your home, office, and school computers are under attack right now, and attempts are being made to steal your information, then get your machine to start stealing from other people, over 85,000 times every day, 31 million times every year. And the bad news is that even the basics of how to stop this happening, are not being widely discussed.
So the answer to whether we are losing the war against computer crime, is that by and large we’re not even fighting it, because there’s very little discussion about where the battleground actually is.
And given the lack of any serious attempts by governments or computer manufacturers address the problem, yes I think we should be scared.