12 November 2016

UK's New Cybersecurity Strategy - No Strike-Back Required


November 8, 2016 

U.K. Chancellor Philip Hammond used the launch of Britain's new five-year National Cyber Security Strategy to trumpet the country's strike-back capabilities. But other parts of the strategy - including more automated defenses - hold much greater promise. 

In a speech delivered last week in London, Hammond, who as Chancellor of the Exchequer is Britain's chief financial minister, promised that the U.K. "will strike back in kind" to cybersecurity attacks. 

"We will not only defend ourselves in cyberspace; we will strike back in kind when we are attacked," he said. 

The concept of striking back, however, presumes accurate attribution - namely, that you can tell how an attack was launched and who was behind the keyboard. It also presumes striking back is always the best option, compared to diplomatic moves, sanctions or looking the other way. 

In short, Hammond's bluster suggests a lack of knowledge about how to better combat and police online attacks and cybercrime, which is worrisome from the person who was using his speech to announce the launch of Britain's new five-year National Cyber Security Strategy

Hammond promises the program will be underpinned by £1.9 billion ($2.4 billion) of "transformational investment." It's also tied to GCHQ's newly launched National Cyber Security Center, which has absorbed Britain's computer emergency response team CERT-UK and the cyber-related responsibilities of the country's Center for the Protection of National Infrastructure. 

As an example of what the program can deliver, Hammond said it will be focused, in part, on rolling out "a more active cyber defense approach - supporting industry's use of automated defense techniques to block, disrupt and neutralize malicious activity before it reaches the user." 
NCSC's 'Threat-o-Matic' 

Despite a reference in government documentation to various automated defenses feeding into a "threat-o-matic," University of Surrey computer science professor and Europol adviser Alan Woodward notes that the related program is "definitely not a joke." 

UK's "active defence" strategy in a nutshell - from @ncscpic.twitter.com/bhmZSjIoc3

— Alan Woodward (@ProfWoodward) November 3, 2016

Indeed, in a blog post, Ian Levy, technical director of GCHQ's National Cyber Security Center, says automation is key to blocking more attacks. "It's not a panacea but should help us mitigate the impact of a significant proportion of the attacks we see," he says. "It won't affect the really targeted attacks (at least initially) but we're hoping that we can reduce the noise enough to make the defenders' jobs easier when tackling those very targeted attacks." 
Dropping DDoS Traffic 

As an example, Levy says GCHQ wants to work with ISPs to block traffic associated with distributed denial-of-service attacks as well as text-message scams, for starters. 

"We think we can get to a point where we can say a U.K. machine can't participate in a DDoS attack," Levy told Britain's Sunday Telegraph. "We think that we can fix the underpinning infrastructure of the internet through implementation changes with ISPs and CSPs [communications service providers]." 

What would be required, he said, includes changes to the Border Gateway Protocol and Signaling System 7 to better block attackers from inappropriately rerouting traffic. 

"I suspect this is about 'getting the house in order' before pushing [international] ISPs to do the same, which would be a big win," says Matt Tait, CEO of U.K. security consultancy Capital Alpha Security. Tait formerly served as an information security specialist for GCHQ and Google Project Zero, among other roles, and tweets as "Pwn All the Things." 

I suspect this is about "getting the house in order" before pushing intl ISPs to do the same, which would be a big win.

— Pwn All The Things (@pwnallthethings) November 7, 2016

These are constructive discussions. But the problems associated with BGP and SS7 are well known. What's not clear is whether all ISPs internationally can be brought together to put costly fixes in place. 

"A large amount of hardware will need upgrading to make sure whatever changes are made are propagated throughout the world," James Blessing, chair of the Internet Service Providers Association, an ISP trade body, told the Sunday Telegraph. "Government is more than welcome to fund the efforts, like the National Security Agency does in the U.S." 
The Strike-Back Follies 

Still, such broadly focused moves could pay huge cybersecurity dividends. They're far superior to any strike-back threats or vows to get tough on cybercrime. As the satirical Twitter account Sir Bonar Neville-K notes, such threats have failed to blunt cybercrime, including crimes committed by individuals who are, legally speaking, children. 

Indeed. The serried ranks of spotty teenagers will rue the day they sought to tweak the whiskers of Her Majesty's Government. https://t.co/gZqg6K40SX

— Sir Bonar Neville-K (@sirbonar) November 1, 2016

Her Majesty Needs Hackers 

While many cybercrime operations are run from non-EU countries, there are still numerous examples of hack attacks against U.K. targets being traced to U.K.-based suspects, including the attack against London-based telecommunications provider TalkTalk

To better battle domestic cybercrime, the head of the U.K.'s national cybercrime unit at the National Crime Agency will reportedly ask the government to create a "Cyber Prevent" program designed to keep children from experimenting with hacking or other types of computer crime, the Guardian reports. The program would reportedly be modeled on the U.K. government's controversial "Prevent" program, which is designed to counter radicalization. 

"A lot of kids are stumbling into this crime," Saunders told the Guardian, adding that the program would target individuals aged 12 to 25. "This activity has consequences for them and others. There are legitimate opportunities for their skills." 


No comments: