Experts berate cyber insecurities

Following on from last month's FutureWatch on security, Business & Technology held a breakfast briefing on cybercrime at the Infosecurity 2001 show last month. It turned out to be a lively debate, as Rod Sweet reports.

Britain is under cyber siege, we warned last month. Our subsequent briefing for IT directors showed widespread support for the proposition.

Bob Ayers is VP of Para Protect Europe and former director of a security programme at the US Department of Defense

Q: Bob, in 1995 you led a team that hacked into and gained control of thousands of US DoD IT systems. Could that happen to the DoD again?

"Yes. Defence systems are no better than they were before. Because they're changing all the time - new patches, network designers, end-users, operating systems - they're always going to be vulnerable."

Detective Sergeant Geoff Donson works for the Metropolitan Police Computer Crime Unit

Q: Are you busy, Geoff? How real is the threat to UK businesses?

"Well, we're not busy with reports from major industry, who have the real problem. Industry is very reluctant to report IT crime of any form. We really do need more information to weaken the methodologies being deployed outside, and to test and improve our skills.

"People have no confidence in the fact that we can keep it out of the public domain. We're more than happy for people to report computer crime without it going public. We won't take things to court unless you want to. You're in the driver's seat."

Yag Kanani is a secure e-business partner at Deloitte & Touche

Q: If I had only £1,000 to spend on security for my company, Yag, what should I spend it on?

"Obviously it's not enough, but the first use of that money should be in risk assessment because fundamentally security isn't a technical issue, it's a business issue. A DTI survey [see] says that 37% of organisations have done a risk assessment - so a great many more haven't. Policies and procedures are not, in the main, properly thought out. Even where they exist they collect dust because no-one monitors compliance."

Dr Andrew Rathmell of King's College chairs the Information Assurance Advisory Council

Q: You're calling for better standards for the way cybercrime is reported, Andrew. Why is that important?

"We simply don't know what the trends are, partly because even within companies there aren't any proper costing methodologies. You can cost laptop theft, but how do you cost denial of service? Until you have that kind of information you can't do risk assessment - and, more importantly, you can't enforce security.

"We suggest information sharing, developing threat assessment tools and making security more of a corporate governance issue.

"No company wants to reveal incident information. But if we treat it as a perfectly normal business risk and nothing to be embarrassed about, and put those incidents into annual reports, then people won't be so embarrassed and we may get some good threat information out there."

Nigel Hickson is the head of e-commerce at the CBI

Q: Nigel, you claim more damage is done by people spilling coffee over their computers than by hackers. Aren't you complacency-mongering?

"No, I'm not. If you look at the statistics, the damage isn't through hacking, external threats or altering Websites, it's simple procedural issues: power supplies, inadequate software.

"If you look at the actual downtime companies suffer, the majority isn't from external attacks, it's from internal problems - stealing and all the rest of it. We have to get things into perspective, otherwise we become paranoid."

Are the Police Clueless about Cybercrime?

Q: Geoff, who's in charge, local authorities or the National High-Tech Crime Unit?

Donson: "If it has to do with organised crime and has an international dimension or goes beyond the boundaries of London, then the NHTCU will take primacy in the investigation."

Q: There's police coverage in London, but what about the regions?

Donson: "You'll get a good service. The NHTCU is London-based but made up of people from all over the UK, on secondment, with loyalty to their own forces. If they're not seen to be producing the goods, they'll be pulled."

Hickson: "What stops companies going to the police isn't fear that the information will get into the public domain, but the belief that the police won't understand what they're talking about. The NHTCU must establish a forum where businesses can have some confidence that what they're coming to the police to talk about isn't only confidential but will be acted on."

Q: The NHTCU is getting about half the amount of money it actually bid for. Won't this damage its image? Also, it's not talking to the public enough about what it does and how it will work.

Donson: "I'm not part of the unit yet so I can't speak for it. Yes, the funding issue is unfortunate, but it has to be balanced with all the other demands placed on the police this year. I don't perceive the funding as a credibility problem. On the second point, you have to bear in mind the organisation only came into existence this month, so it hasn't had the opportunity to inform people what it's intending to do."

Ayers: "Over two months ago I invited the NHTCU to come and sit on a panel here at Infosec 2001 to explain to attendees what its mission was and how it was going to execute that mission and it declined. It couldn't get approval to appear in public and explain its mission, so I don't agree with you that the NHTCU hasn't had the opportunity. It did have the opportunity but turned it down for reasons that are still not defined."

Rathmell: "We shouldn't attack Geoff because he's not part of the unit yet. Frankly, the Home Office doesn't have any form of systematic prioritisation. Individual chief constables can decide what they allocate and the Home Office can add something to that, as it did with the NHTCU. And chief constables have their own local priorities, headline priorities and political issues, particularly before an election. Political issues do not include computer crime. And remember we also have the National Infrastructure Security Coordination Centre, based in the Home Office. So we actually have two national centres for dealing with computer crime. I know they're trying to work out what each of them do and what the demarcation is, but we've had NISCC for almost two years, and I'll leave you to put the question to it what it has or hasn't done in that period of time."

Hickson: "Here we have the NHTCU and NISCC, which are supposed to be taking on board these really serious business issues. Surely we should call publicly for them to appear at a panel discussion. These are civil servants. I was a civil servant. Ministers turn to civil servants and say 'Get on that stage and tell the public what this organisation's about!'"

Does the BS7799 Standard Work?

Q: Does the CBI support the BS7799 standard for information security?

Hickson: "The CBI supports BS7799 but it's not something that should be rammed down people's throats. We didn't want it to be like ISO 9000. It's been a great disappointment that business hasn't taken it up in the way we think it should have done."

Donson: "We promote 7799 heavily. One of the biggest problems in investigating IT crime is that companies can't provide evidence. BS7799 provides a minimum standard of measurement for providing evidence."

Ayers: "The biggest problem with 7799 is that it asks 'Do you have a policy for X'? You just have to answer 'Yes'. Is it a good policy? Again, you just have to say 'Yes'. 7799 doesn't demand any technical validation that the policy has been implemented in the way one is led to believe."

Is the Law an Ass?

Q: Do we need new legislation to tackle computer crime?

Hickson: "I'll be saying this again and again: the Computer Misuse Act must be amended. Recent cases show it doesn't give sufficient protection."

Donson: "It's woefully out of date, trying to crack a nut with a sledgehammer. It's hopeless and it's a priority that we get that changed."

Q: Is there serious danger of a company being completely taken out by a hacker, as Barings was by a single trader?

Rathmell: "Most companies focus on their own vulnerabilities, but looking at non-cyber disruptions like the fuel crisis we see just how dependent we are on each other. It's really a question of the weakest link, not just how well protected you are."