Thoughts on British ICT, energy & environment, cloud computing and security from Memset's MD
There has recently been a lot of news about cyber security, and it is a hot item in Whitehall and at the top levels in the IT industry. Further, London City University recently announced it is opening a Centre for Cyber and Security Sciences, with the aim of uniting researchers from various backgrounds in order to research and analyse the cyber security landscape and threats posed by both state-sponsored terrorism and organised crime.
However, is this new cyber security concern warranted and do we need government and/or academia to get involved with a dedicated centre for tackling the issue? In short, I don’t think so, and this is why.
As a hosting company we are players in a constant cyber war going on quietly behind the scenes that most people are not aware of. We have been successfully defending ourselves and our customers against hackers, script kiddies and DoSers for as long as I’ve been in the industry (since 1998). The weapons (bot nets and internet connections) have got bigger and the complexity of the systems and hacks has become more sophisticated, but we have evolved too.
We host 20,000 of Britain’s largest and busiest Web sites. In just the last week our automated denial of service (DOS) protection system, affectionately known as the “DOS-squasher”, blocked just over 200 attacks aimed at our clients. None of them even knew that anything untoward had happened.
On my personal server alone in the last week there were over 50 break-in attempts, all automatically deflected by a combination of good password choice, operating system lock down and firewalling. Multiplied up across our entire server estate that amounts to someone trying to compromise one of our customers’ servers every few seconds.
We regularly handle phishing sites and such which have been set up by criminals on compromised customer servers (it should be noted that they are generally only hacked only when we are not managing the security for them and usually as a result of a poor password) as part of the day job. Again, nothing terribly exciting for us and where necessary we liaise with the police.
I am uncertain that a government- or education-run department would add much value here. Instead I would advocate their drawing on the vast experience of the hosting and Internet Service Providers’ businesses in the UK by encouraging or incentivising us to pool our best minds to tackle possible threats to national infrastructure.
Now, it is true to say that we struggle to find good people with the right skills, but again I don’t think a university programme focussed on cyber security is necessarily the right approach. The soldiers and lieutenants in the silent cyber war are systems administrators and network engineers. They have the skills, but more of the good ones get those skills on the job. What I would like to see is more universities doing courses like those found at Portsmouth.
Half of our recent operations recruits have come straight from their computer network management and design BSc, a course that actually teaches them the skills they need to be a systems administrator. I’d like to see more courses like that, including modules on cyber security training for as standard within them. I do not believe it needs a special skill set since security should be part the curriculum for any IT training.
As well as kids in bedrooms with an axe to grind some cyber threats fall into the category of serious crime. On a consumer level there are the phishing sites, out to steal your credit card or online banking details by pretending to be a trusted brand, and at a business level there are threats and extortion. Take a typical gambling Web site; they could easily be bringing in tens of thousands of pounds per day. They get a major distributed denial of service attach (dDOS) which takes them out for a few minutes. Rattled, they then receive an email demanding thousands of pounds with threats of a much more prolonged dDOS if they don’t pay up. What do they do? Well, they pay. I can’t name names, but I know this has happened.
dDOS attacks are typically launched from “bot nets”, or collections of compromised personal computers and servers. While alone any one of those machines, usually on the end of a home ADSL connection, cannot do much damage, if thousands of them flood a Web site with bogus requests Unfortunately the only real defense against such is to have more bandwidth than an attacker, but with more companies moving to cloud providers with massive pipes like us that means that the attacker would need a bot net of many thousands of machines to cause damage.
This is serious crime and as with any crime should be the domain of the police. A good central authority that was able to track down hackers, phishers and protection racketeers, working with us, would be welcome. At present the police are not especially responsive and often don’t appear to understand the issues at hand.
When looking at a national level, such as the rumored attacks against Georgia originating from Russia back in 2008, that is something that central intelligence agencies such as CESG should be prepared for. However, again, the people who have the expertise and the means to help are the existing ISPs.
One concept I did quite like, however, was that of being able to “attack back”. One possible way to defend oneself against dDOS attacks is to launch your own attack on the originating sources from a number of ultra-high bandwidth locations. This has the effect of tying up, or even crashing, the bot net computers and making it difficult to control them. The problem here is that the bot net are innocent, zombies if you will that have been infected and are only guilty of having poor security (aka. “running Windows” ;). The real target should be the command and control servers, but determining where they are is not usually a quick task. Again, here, it should be the job and/or CESG of finding out who the perpetrators are and bringing them to justice.
Regardless, as I said before, the best defence against this sort of real cyber war is to have bigger pipes than your attacker. If we want to ensure our national network is not vulnerable then we need to be investing in it, and in our international connectivity, so that we can stay ahead of developing nations. Last year we were falling behind Eastern Europe, but we may have recovered a little now.
In short, cyber crime and cyber warfare are nothing new – it is just that they have recently entered the public and political consciousness. Government should simply support us, the ISPs, in our existing activities.
As for education, they should a) stop putting off teenagers by teaching them that “ICT” means “Microsoft Office” and b) at a university level actually teach students the skills that the industry needs, not dead operating systems and languages.