£53 billion

"Worldwide online fraud is estimated at £53bn. Logistics, utilities and communications all depend on the internet to varying degrees."

Amazon, the worlds biggest online store has a turnover of £12 billion. So what they're saying there makes absolutely no sense. You're telling me that the fraud is 4 times bigger than the worlds dominant internet store?

"The other point made was that this was not about esoteric online-only attacks - 90 per cent of UK high street transactions are online in some sense. "

How are HIGH STREET transactions ONLINE? If you mean the restock order from the shop to the warehouse? And what is your attack scenario for these terrorists for that? And how do you intend to protect against that?

Sounds like they want IMP justified a different way...

Zzzzzzz zzzzzzz

This is just a smokescreen for the government to exert more control over the interweb.

Now that the interweb can be (mis)used as a weapon, it has to be controlled, and only in the safe hands of government IT "experts" (GOD HELP US ALL).

Lord West's has said that "Al-Qaeda is planning cyber war". And to combat these, a unit at GCHQ will "monitor, analyse and counter cyber attacks as they happen." How will they do that, one wonders.

Cyber "attacks" are very rare. DDOS is pretty rare, and more of a nuisance. So GCHQ will using this excuse to monitor ALL traffic, nearly all of which will not be damaging. It's just interception, dressed up as security.

On the surface...

The education of business and government in matters of security seems emininently sensible and appears to be the first governmental stance on information systems security about which I may feel quietly optimistic. The emphasis on the devolved responsibility of the individual is particularly excellent. However, I feel the desirability of this department will depend entirely on the following caveats:

1) Any modification to civil liberties and personal privacy rights resulting from threat investigation are balanced directyly and objectively against risk (as opposed to force of political will, ho, ho, ho. See Great Firewall of Australia),

2) The operation remains a civilian concern and open to public scrutiny,

3) The department employ people that actually understand the technologies involved and what may or may not be achieved: their manifesto implies they are fighting people that very definitely do understand these things. This particular point is of paramount importance.

As a final note, I am moderately surprised to learn that they're distancing themselves from toeing the f*ing terrorist line. Which is nice.

Good strategy change

For far too long, cyber-criminals have employed this physiological terror tactic, closely observing the effects of their consequences as the victims try to respond and thereafter manouvering their ways with newer tactics. The tables are now being turned - the hunter becoming the hunted. But even with this strategy change being public knowledge - as indeed with any info published in the web - will these cyber-criminals not devise counter-strategies to defeat it?

What do you do with a scammer?

Imagine these people follow the money being paid for fake anti-virus software to a criminal in Russia or China. What are they going to do once they find him?

The best defence is a good defence: Use proper passwords. Do not use the same password for several accounts. Disable Javascript and Flash. Use an operating system designed with a proper security model (not some toy from Microsoft where security is a bolt on afterthought compromised for backward compatibility).

Strike Back

If they were allowed to target compromised PCs being used for a DDOS attack and nobble/fix them, that would be a result. One less PC in the botnet and one PC owner newly clued up about security. Or more likely, just reinstall everything and fall back into the same botnet, but at least they'd be out of the way for a couple of days.

*sigh*

--------

How are HIGH STREET transactions ONLINE?

--------

How exactly do you think chip and pin works?

The INTERNET !== WWW

So lets run the plan

Al Qaeda plans a terrorist CYBER attack to get back at those drones that kill hundreds in Pakistan.

Osama: "We need to show these decadent capitalist pigs that they cannot use drones to kill our people!"

Mustafah: "Why are you speaking like a cold war clique Osama?"

Osama: "Never mind that, we will hack into Mango's supply computers and place an order for the Chipping Norton branch to receive all *Summer* clothes in the middle of *Winter*!"

Mustafa: "Devilishly clever, when the westeners see the stylish yet unsuitable clothing, they will purchase it and freeze to death!"

Osama: "Exactly, that will show them".

Meanwhile in GCHQ, ten thousands servers monitoring all communications into and out of the UK notice that a Mango Chipping Norton's Internet is being probed.

Dudly Dooright: "Quick call the Prime Minister, Mango's Chipping Norton Branch is central to the UK economy, we must protect it at all cost or people will die! DIE I SAY! We must send millions of packets or they will never be able to get their order for winter legins through!"

Prime Minister: "But how can you tell it's an attack"

Dudly Dooright: "Because all other internet traffic surfs for porn, BTW, tell Alistair Darling to approve our budget, tell him 'flat chested midgets in leather" think its a good idea..."

Yep, that sounds right, nothing to do with the Internet Mass Surveillance program (IMP), absolutely nothing at all, our High Street stores face the threat of AlQaeda cyber attack and hence we need to protect them from, erm, terrorists thingamibobs. THE THREAT IS REAL!

If they gave a shit about online security....

... then some part of the government/legislature would take an active interest in ongoing fraud - but they don't. Nobody is interested - the local police forces tend to take the "we don't know, have no jurisdiction, can't be arsed, go to central government" approach but the centralised bodies are only geared up to investigate, collect statistics and report after a month or so. If the online crooks are agile i.e. they move/mutate their operations around the Internet/real world, they aren't likely to be caught. Why don't they just make someone responsible for actively pursuing online crime while it is in progress?

I can't see how "offensive operations" are to the benefit of the Internet and the online community in general.

@Sigh

"How exactly do you think chip and pin works? The INTERNET !== WWW"

Wait, so you're suggesting that GCHQ would not just be monitoring our Internet communications but also every Chip and Pin Transaction too???? And those terrorists in Pakistan they have access, not just to the Internet, but also into the Chip and Pin network?

Devilishly cunning those terrorists.

so...

a whole bunch of government computers got pwned by script kiddies (PEBKAC) and now they want to take over the internet.

great.

Thumbz up from I'z too

I iz Ur ordinary yooth on diz streets and me and me homies are totally Ok with them GCHQ doods totally watching us backs.

Only dem der drug dealers and terrorists would disagreez with the man.

Yeh I needz more security doods, they don't earn nealy enough dough dem spooks!

And dey is handsome too.

Rad to the max!

UK Government go Renegade

they should get their own house in order first, but screw that they appear to have been taken over by a bunch of script kiddies.

There are many problems with this approach, but one of them is they have made themselves a useful patsy; if government systems are expected to attack other systems, then what are people going to do when they find themselves under attack from a UK government system, not much.

If it is goes to court, then there is already the admission the government are doing this, and even if they get the correct person, it can be easily argued that they haven't and they are just making stuff up. This paints a huge red target mark on all government systems, it is so badly thought out.

Some Thoughts on cyber defense

The first law of holes states that when you find you are in one- STOP DIGGING! To that end I have some suggestions. Priority should be given to avoiding increasing our vulnerability to attack via the net. To that end, I suggest a moratorium on developments such as "smart meters" and "the internet of things" until robust security measures can be implemented in the base architecture. If anyone knows of an example where security has successfully been backfitted atop a platform not designed to be secure, tell me, because I have yet to hear of such a thing working.

In addition to this I would recommend that we make it illegal to connect controls for critical physical infrastructure (usually via SCADA systems) to the Internet, you can't hack what you don't have access to. I would also put a time table in place for disconnecting such systems that have already been connected (though this, in truth, is really a "getting yourself out of the hole" measure as opposed to a "stop digging" one). While I consider such attacks low probability (this is not something that script kiddies will be doing for teh lulz) the potential consequences are severe enough to warrant taking action.

Another concept that, I suspect, would work well here in the States at least, is to make a company's negligence in security a cause of action for a lawsuit with triple damages. As part of this, put together a list of security best practices and make following those an absolute defense against such suits. If there is a better way to enforce adherence to good security practice, tell me about it.

I am somewhat pessimistic about the whole "good offense is a best defense" concept. One characteristic about the attacks I have seen thus far is that they lack a clear set of "fingerprints" pointing to who exactly did it. Was the Estonian DDoS attack the work of Putin and Co. or was it "patriotic" Russian hackers deciding for themselves to punish Estonia on their own, for instance. Even if one does find out who did it, it is likely to be long after the fact- not very useful for deterrence purposes.

@IndianaJ- The original source of "cyber" is not SF, but MIT's own Norbert Wiener who coined the term "cybernetics". It was from there that Gibson looked to come up with the Term cyberspace for his Sprawl universe, the setting for Neuromancer (hardly a work for "children" BTW). Besides, is not the content of a proposal far more important than the terminology used in the proposal?

lolz

I've always been a fen of an defensive network and striking back but that sort of behavior at least in the states is highly frowned upon. Larger ISPs don't want to have to deal with the backlash they will get from putting insecure computers on the internet.

Although we could implement technology over here just as we have done with curbing greenhouse gasses theres nothing that will be done to curb the abuse we see from the third world.

I think as time goes on you will just see the internet start to separate. I personally could deal just fine with only about 5 countries having access to our intranets, theres nothing legitimate comin out of Africa, China or Nigeria, not at least for us.

The UK might be setting a bad example by going on the offense though, I guess time will tell. They only seem to have the balls to go after white radio talk show hosts and not actual bad guys that are among them calling for their demise.