SOME of the smartest people in the world of internet security, including leaders of global electronic intelligence agencies, met in Glasgow this week.
The CyberUK conference, run by GCHQ's National Cyber Security Service, was a giant information-sharing exercise, not least for specialist private firms. But it was also a chance for experts to try and get over simple messages about what is happening online. David Leask has distilled down some of those messages in to five basic lessons.
LESSON ONE: WHAT REALLY KEEPS GOVERNMENT CYBER EXPERTS AWAKE AT NIGHT
The summer before last, on the very day British voters went to the polls for a snap general election, people working in the power sector got some routine emails. Some were on-spec job applications with CV attached as simple word files. Others were boring admin, all with attached contracts or legal documents. Busy employees clicked them open. And the attack began.
Government cyber security officials say Russian state hackers used those CVs and dull contracts to infect the computers of the companies which keep Britain's lights on. Crudely, once inside the UK power network, these invisible invaders moved to steal passwords and worm their way close to command systems.
In a new digital Cold War, a foreign government was looking for the ability to click a mouse and turn the electricity off. Did the Kremlin really want a British blackout? Maybe not. But as voters turned out to elect a new Westminster on June 8, 2017, Vladimir Putin's regime was trying to get power over our power.
A blackout is what security experts and officials call a "Category 1" cyber attack. This is their nightmare. Its definition? Category 1, to use the jargon, is "a cyber-attack which causes sustained disruption of UK essential services or affects UK national security, leading to severe economic or social consequences or loss of life". It might be the power system. It might be the NHS. Or water supplies. Or telecoms, all the things which officials, again using their argot, call CNI: critical national infrastructure.
Britain has never suffered a category one. The lights have stayed on. Other places have not been so lucky. Back in December 2015, so-called "phishing" attempts - using those dreary Word attachments - compromised electricity systems. A couple of hundred thousand people were left in the dark for hours.
In Glasgow this week, the men and women who carry the can for protecting "CNI" and securing cyberspace gathered to say what worries them most. At the CyberUK conference, there were representatives of the electronic intelligence services of all "Five Eyes", the intelligence alliance of the English-speaking world, Britain, Australia, New Zealand, Canada and the United States.
One was Scott MacLeod, an assistant director general at the Australian Signals Directorate, his country's version of GCHQ. “Our two priorities now are electricity and elections,” he told a panel discussion. Mr MacLeod did not mention the election day power hack that hit the UK. But this case study almost summed up the threats he fears most.
State actors, in particular, can and do target election processes. They frequently combine hacking with propaganda. Donald Trump's presidency, for example, has been overshadowed by allegations his campaign colluded with Mr Putin's Kremlin. At the heart of those claims: a Russian military intelligence hack of the Democrats' HQ followed by a social media and state media propaganda campaign.
A dozen Russian intelligence officials have been formally accused of that operation. But cybersecurity experts make it clear they are not just worried about one country. Other state and non-state actors can and do have a capacity to carry out a Category 1 attack.
Back in February Australian Prime Minister Scott Morrison said all three of his country's main parties had been hacked “sophisticated state actor,” which he did not name. Mr
Mr MacLeod and his colleagues are now looking to protest Australian democracy as the country prepares for election s.
He said: “The government has established a task force that looks at all the different areas of cybersecurity.” he said.
Ciaran Martin, the chief executive of the National Cyber Security Centre, the front-facing part of GCHQ which hosted CyberUK, has been saying for years that a Category 1 attack in Britain is a question of "when not if". So how do we protect ourselves?
LESSON TWO: BEING SAFE DOES NOT HAVE TO BE COMPLICATED
As we dwell on the nightmare of a category one attack, it is easy to get wrapped up in the image of super-clever internet baddie. We probably think of a James Bond villain stroking his cat before pressing a button and unleashing some highly sophisticated internet bomb that delivers us all to digital hell.
But so much of the chat - formal and informal - at CyberUK focused on a far more straight-forward set of threats. After all, many attacks, such as the phishing emails to power companies, are really simple, even if their potential effects are very much category one.
So the message from GCHQ and its international partners was very much about helping ordinary non-technical people working in critical infrastructure, public or private, to have good digital hygiene. An analogy? Medical scientists might well be trying to develop super-drugs or pioneer surgical techniques. But they can do a lot to keep people safe by encouraging doctors or nurses to wash their hands - or getting patients to quit smoking.
Really basic internet security training is rolled out at many companies and government agencies, helping staff identify dodgy websites, email attachments and discouraging them from using things like USB memory sticks.
And just keeping software updated - patching programmes to keep them resilient to known threats - is crucial. A system, after all, is only as strong as its weakest link.
Scott Jones, head of the Canadian Centre for Cyber Security, said: "Patching is remarkably effective. Let’s start to work on some the essentials first, then let’s start working on the all-new cyber laser that that’s going to shoot down malicious packets."
His concern is not just academic. Take WannaCry, the ransomware that hit NHS Lanarkshire two years ago. It was far from clever. This attack, eventually traced to North Korea, led to cancelled appointments and affected more than 1000 computers. An internal report found that some of the PCs hit were left ‘vulnerable’ due to their software.
That is because they were using old operating system, Windows XP, because they controlled medical equipment that used XP. Microsoft, which used the software, eventually found a patch for the system to keep WannaCry at bay. The lesson? "Make do and mend" works.
Sometimes being safe online is simple as "one-two-three, or rather "not one-two-three". Earlier this month, NCSC found that the password "123456" had been breached, worldwide, on 23.2 million occasions. "That we know of," clarified Mr Martin. Common passwords also included ‘qwerty’ and ‘password’, common first names or even popular football clubs lke "Liverpool" or "Man U" or bands or musicians like ‘Blink182’ or ‘50cent’. Hacking can be easy. Do you really, therefore, always need rocket scientists or brain surgeons to stop it?
LESSON THREE: CYBER SECURITY IS NOT JUST FOR COMPUTER GEEKS
We all know the image of a hacker, a boy, usually pimply, sitting in a front of a screen with his hoodie up. This is not too different from how we think of those defending the web from attacks.
But as officials, globally, fret about a lack of trained cyber-security staff, there were reassuring noises at CyberUK. There are jobs to be had, lots of them, and not just for people with a background in STEM subjects. Why? Because cyber security is like a cyborg, a messy blend of technology and humanity.
To combat cyber threats, you need people who understand wires and chips and people who can patch miles of coding. But you also need people who understand what makes internet surfers tick, what makes a grandmother or a teenage boy click on an inviting link; or even what makes a government or criminal group create that link in the first place.
Mr Jones, of the Canadian Centre for Cyber Security, said his team needed social scientists as much as computer scientists. NCSC's Mr Martin cautioned against "despair" that universities were not churning out enough graduates in cybersecurity. People can be trained. "There is a certain element sometimes that the skills situation is so bad that we cannot do anything. Well, give it a try! And, being a pragmatist, you have got to give it a try with the people you have got."
But there was another message at the conference: that cyber-security is not just for the IT departments. Everybody has to take responsibility, especially bosses. Mr Martin's NCSC has been encouraging the ruling boards of businesses or public bodies to always have someone who is responsible for security.
Source after source, speaker after speaker, said cyber security must now be core business in the state, voluntary and private sectors. And no executive should be making any decision without thinking about cyber. "You wouldn't be a car without any locks or a house without doors," said one. "So why buy a computer system without security?" What about north of the border? Are decision-makers here skimping on cyber security?
LESSON FOUR: SCOTLAND IS RELATIVELY RESILIENT TO CYBER ATTACK - BUT NOBODY IS COMPLACENT
"There are gaps, bluntly, in every area." Kate Forbes, the Scottish government minister responsible for the digital economy, is far from complacent about cyber security. She admits there are weak spots in Scotland's defences, not least in small businesses or rural areas. And she reckons a population-wide effort is needed to plug them. That, she told the CyberUK conference, means growing a cadre of professionals. And it also means getting non-specialists to wise up too.
Ms Forbes said she wanted a "vibrant, out-looking digital nation". But, she added: "I’m very mindful as a politician that’s great rhetoric and a great vision but unless we get our cyber resilience right it’s nothing but rhetoric and an empty vision.
“Skills is cited as probably the biggest challenge that the cyber security sector faces.
“If we don’t equip our citizens with a basic understanding of cyber threats and how to navigate them, if we don’t have the skilled individuals coming through our education systems to meet the needs of industry and the needs of government, we cannot hope to make any progress in the way I’ve already set out.
“We’re trying to embed cyber resilience learning in Scotland’s curriculum from the earliest of ages and to try and plug the skills gap."
However, Scotland does not have a bad story to tell about cyber resilience. Mr Martin of NCSC suggested there was something about the scale of the country that helped it brace for the threat.
Speaking to reporters, he said: “What I’m impressed about is the way Scottish society, public and private sector, mobilises itself in the various resilience forms and so forth where you can get most of the people in a room of about this size (around 20 people) that you need to coordinate that sort of resilience plan.
“Frankly, sometimes we try some things out in Scotland because for some work it can be an optimal size of population – big enough but not too big to do that sort of cross-sectoral kind of work.” NCSC officials said Scottish councils were "leading the way" in using a GCHQ service checking websites.
Mark Murphy, of Scottish Water, one of those vital utilities nobody wants to see fall victim to a cyber attack, said his organisation simply did not use the internet to control reservoirs and water pipes. Sometimes cyber security, it seems, is being offline. But Mr Murphy added that systems were not just electronically vulnerable. Not letting strangers in to your buildings is pretty important too. Water, like power, is firmly in the realms of CNI. It is the kind of asset that, at times of conflict, would be a target. Is that fair? Should there not be some kind of Geneva Convention, some rules for online war?
LESSON FIVE: ROGUE STATES PLAY DIRTY ONLINE AND THERE IS LITTLE CHANCE OF GLOBAL RULES TO STOP THEM DOING SO
WAR has rules. They might be ignored, but they exist. There are conventions on how prisoners are treated. There are bans on land mines and chemical weapons and negotiated deals on nuclear bombs. But there are no rules for cyber-conflict. It is a free-for-all. How do you even know if you are at war with another state? And what amounts to a fair, legal or proportionate response to digital aggression?
The UK has quietly signalled that it has an offensive cyber capability. British officials talk of deterrence. A year ago, at CyberUK 2018, the director of GCHQ announced a "major offensive cyber-campaign" against Islamic State.
So would the UK retaliate against a state that, say, meddled with its power supplies or NHS? Officials are coy. Why? In a propaganda climate of "he said, she said" claim and counter-claim, Western allies do not want to end up accused of causing fatal blackouts or other critical infrastructure damage.
Mr Martin or NCSC declined to expand on any specific online vulnerabilities of the four states most frequently linked with cyber attacks: China, Russia, North Korea and Iran.
Officials from the other Five Eyes agencies all stressed the importance of naming and shaming perpetrators - although this, they said, was always a political decision. Is embarrassment, or a threat of sanctions, a deterrent.
Mr Martin, referring to a debate at CyberUK, said: “I think you heard in the Five Eyes panel that there are countries that, by and large, behave towards some form of internationally acceptable norms and behaviour – and countries that don’t."
But he doubted there was an immediate chance of a deal to impose an online Geneva Convention. He said: “I think that the prospects of that sort of process taking off at large-scale, intergovernmental level in the short term aren’t very high. That is an assessment, rather than a view. Who knows? I think it is probably a long-term issue.
“I wouldn’t rule anything out in the long run,” he added. Meanwhile, the UK senses there are laws online, even if its adversaries do not. Mr Martine said Britain's "starting point" was that "international law applies in cyberspace". He added: "The question is how, not if. I think that’s a starting point for our approach."
Why are you making commenting on The Herald only available to subscribers?
It should have been a safe space for informed debate, somewhere for readers to discuss issues around the biggest stories of the day, but all too often the below the line comments on most websites have become bogged down by off-topic discussions and abuse.
heraldscotland.com is tackling this problem by allowing only subscribers to comment.
We are doing this to improve the experience for our loyal readers and we believe it will reduce the ability of trolls and troublemakers, who occasionally find their way onto our site, to abuse our journalists and readers. We also hope it will help the comments section fulfil its promise as a part of Scotland's conversation with itself.
We are lucky at The Herald. We are read by an informed, educated readership who can add their knowledge and insights to our stories.
That is invaluable.
We are making the subscriber-only change to support our valued readers, who tell us they don't want the site cluttered up with irrelevant comments, untruths and abuse.
In the past, the journalist’s job was to collect and distribute information to the audience. Technology means that readers can shape a discussion. We look forward to hearing from you on heraldscotland.com
Comments & Moderation
Readers’ comments: You are personally liable for the content of any comments you upload to this website, so please act responsibly. We do not pre-moderate or monitor readers’ comments appearing on our websites, but we do post-moderate in response to complaints we receive or otherwise when a potential problem comes to our attention. You can make a complaint by using the ‘report this post’ link . We may then apply our discretion under the user terms to amend or delete comments.
Post moderation is undertaken full-time 9am-6pm on weekdays, and on a part-time basis outwith those hours.
Read the rules here