GCHQ lines up BAE and pals for 'Cyber Incident Response' Eavesdropping spook base GCHQ is drawing up a list of companies that can help power stations, banks and other crucial UK organisations fend off and recover from hacking attacks. The "Cyber Incident Response" scheme - launched today by CESG, the data security arm of GCHQ, and the Centre for the Protection of National …
"I Struggle.. to work out what's actually wrong with this initiative."
What's wrong is that the starting point is wrong, in an assumption by government that all (or a lot of) our critical infrastructure is cobbled on to the internet with no more security than a password of "password", and a user ID of "admin". I'm sure there's more than a few instances of dodgy security, but the implied threat is largely fictitious, like most of the things government work bravely and tirelessly to save us from.
However, to appoint BAe (involved in every major defence overspend and procurement failure in the past forty years) to give advice on this is not going to end well. The consultants will undoubtedly come up with a series of recommendations with a high cost, to be paid by you through your utility bills, but in reality offering no material advantage to your security.
All of this "cyber security" claptrap is being parroted by a government that has virtually no IT or science expertise amongst its MPs (or civil servants, if we judge by results), and you can be sure that BIS or whoever will have drawn a narrow remit that precludes any bigger picture application of common sense. So you might feel happy that the electricity companies are going to be paying for BAe's expertise, but what do you think National Grid's IT bods have been doing all these years? Even then, the physical threat remains, so that you could for example bring down the power grid to the entire south east of England with a handful of well placed devices, and in a manner that would take weeks to resolve.
We certainly do need to keep in mind the threat of systems intrusion and electronic attack, but the limited success of Stuxnet with the backing of the largest and smartest world technology power, and the delivery by the world's most effective spying, intelligence and sabotage power (Israel) shows that the whole cyber warfare risk is over-rated.
Very fair points.
You might also have chosen to mention the Nimrod crash inquiry (Haddon Cave inquiry) which lambasted BAe (and Qinetiq, and the MoD) for their technical and commercial incompetence (and worse) which they had hidden behind a culture of Powerpoint and "tick the box, regardless".
If they're even half-way serious about cybersecurity, the government has to move away from simply giving advice to getting companies that know about the subject (assuming these ones do) involved.
Following the links it is apparent that these four have been chosen to help the government sort out what it wants, at which point others can get involved. So not necessarily a big money earner yet.
Next up : forcing the private sector to take it all seriously as well.
Thank you for grasping the point.
The idea that BAE=Bad may be perfectly true, but it's irrelevant. Detica may be owned by BAE but they have a reasonable track record in investigative and forensics work and I'd use them again.
I take issue with the idea that Stuxnet had limited success - it was designed to take down Iranian centrifuges and that's exactly what it did. Demonstrating that it's perfectly realistic (if bloody hard work) to build targetted malicious code to do a specific job.
Zero day attacks are being used all the time to attack elements of our critical national infrastructure at the very least for the purpose of intelligence-gathering and quite frankly we need all the help we can get. Bitter experience tells me that you can firewall to your heart's content, deploy antivirus all you like and this stuff will still get through.
The paradigms are changing. People need to understand that.
"paradigms are changing"
This expression is usually deployed when something obviously pants is being defended, like ludicrous stock valuations. I continue to dispute that our critical national infrastructure is at risk - the limits of e-attacks are largely spying and defacing a company's marketing.
Stuxnet DID have limited success. it hasn't stopped Iranian enrichment, merely delayed it. If you're easily pleased then that could of course count as success, but as I see it the original problem hasn't gone away, and in the time bought no new solutions have supplied themselves. Moreover, the effective announcement of Stuxnet as Western cyber warfare effectively justifies the same peace time approach by everybody else.
The other aspect about Stuxnet is that it got onto air-gapped SCADA systems. So what exactly will the genii at Detica be suggesting? Air gapping clearly has limited value, proprietary systems are not immune, and security through obscurity doesn't work.
BAES can't even set up a merger that works. Astute is over budget, the aircraft-free carriers are over budget. Every single Nimrod variant was over budget, Typhoon is over budget. Type 45 is over budget - need I go on?
"Stuxnet DID have limited success."
It succeeded.
If its goal had been to affect only the Windows-centric parts of the installation, it would have succeeded massively, by anybody's definition.
Its apparent goal was more complicated (much more complicated, technically) than that, involving hiding its payload in a hard-to-spot way inside the programs on the automation devices, so that it could disrupt for an extended period, rather than destroy (and provoke retaliation?).
It did that too, for a while.
The success of Stuxnet in penetrating places where penetration should ideally have been very very difficult should have been a warning to IT departments around the world, especially to Windows-dependent IT departments (and automation builders, etc).
It wasn't taken as a warning.
That's very sad. And quite frightening.
It honestly baffles me that people think that anti virus is some magical thing that protects your computer from threats.
Simplistically, it's just a blacklist of programs that you don't allow to run. If the virus isn't on the blacklist (anti virus definitions) then AV doesn't help a bit. To get on that list, the AV manufacturer has to have had a sample, or seen something substantially similar.
Windows can let programs run on a whitelist basis with Software Restriction Policies; just set the default policy to disallowed and then allow the programs (or paths) you want. Assuming that you don't allow temporary internet files and don't give unrestricted permissions to entire drives, then you can kiss goodbye to executable code entering your network via 1) web browsing 2) email and 3) any form of removable media.
Personally, I think allowing the users to run any executable code they want (ie .exe email attachments) is fundamentally insecure. I'd go so far as to say that I think it's impossible to satisfactorily secure such an environment.
Are you relying on your end users to not open viruses, or plug in a dodgy USB stick? I do wonder if people have much better users than I have, or just a lot of misplaced faith.
But looking at the companies listed are they not more ''after the event' focussed rather than 'trying to prevent'. Unless all they'll say is "You really should go to Prolexic, Lockheed Martin, Verisign" etc. "Oh and that will be an arm please".
What active service do these guys provide?
"We help organisations improve their security and limit the impact of a targeted cyber attack, saving operational costs and avoiding the costs of a breach which may amount to tens of millions of pounds. We do this using Detica Treidan technology. It detects targeted attack activity, intelligently prioritises alerts and doubles the speed at which analysts are able to investigate them"
http://www.baesystemsdetica.com/services/cyber-security/what-you-can-do/monitor/
Rather on the expensive side, I'm afraid....
the whole cyber warfare risk is over-rated. .... Ledswinger Posted Wednesday 7th November 2012 12:59 GMT
I would be of a different opinion, Ledswinger, and counsel that the whole cyber warfare risk thing is seriously misunderestimated ....... and fiat currency capitalist systems are a prime juicy target with no possible effective defences against smart attacks which lay bare the virtual nature of printed wealth magically created and electronically transferred to numbered accounts.
What active service do these guys provide? … taxman Posted Wednesday 7th November 2012 13:26 GMT
And are they reactive, for tidying up after an event, or HyperRadioProActive in initiating events which are disruptive/constructive/subversive/irregular and unconventional/novel?
Only the latter leads.
And if one doesn't know how to attack and defeat a system, one certainly wouldn't have a clue about providing effective defence for one. And the billion dollar question then always is, why defend a corrupt system whenever you can crash it and replace it with something better and more stable/secure/mutually beneficial to all, ideally.
turn to bid for bloated military contracts in advising power stations and other critical infrastructure( The home secretary's facebook page) how to stay working
Do you all think £6 billion would be seen as a bit excessive for a pair of sissors sent to every power station to cut off the internet access of any PC/computer linked to critical command and control functions?
With further instructions sent to the effect that if anyone is seen with a USB stick or USB phone cable, the sissors are to be implanted in their body repeatedly and at high velocity.
A bomb... because some people deserve one
If GCHQ cannot counter and better ....*Today, we live in a globally-networked society that is increasingly dependent upon cyberspace access and security. Our ability to gain and maintain superiority in cyberspace has become essential to our ability to deliver global reach, power, and vigilance. As an integral member of the joint warfighting team, the Air Force is committed to growing, sustaining, and presenting highly skilled and well-equipped forces to joint force commanders who can deliver decisive effects in, from, and through cyberspace, while assuring our mission against an asymmetric cyber threat.
Freedom of action in the cyberspace domain enables our command, control, communication, computers, intelligence, surveillance, and reconnaissance capabilities. Our modern defenses, industrial base, and global commerce, as well as that of our nation’s enemies, depend on free use of land, sea, air, space, and cyberspace. Leverage in cyberspace affords influence and control across all other domains. This leverage increases our forces’ access, speed, reach, stealth, and precision. ....... then must one conclude that they play second fiddle to AIMaestros tunes and Master Pilots which stretch future time and physical place into virtual reality space with CHAOS to Order the Bedlam in Mayhem and Madness, for they recognise the above is a necessary minimum default ability for brokers dealing future stability, current power and ......... well, everlasting control would be quite a nice guarantee to be able to offer and provide as an added prize for a perfect price.
"Eavesdropping spook base GCHQ is drawing up a list of companies that can help power stations, banks and other crucial UK organisations fend off and recover from hacking attacks".
Don't connect your 'computer' directly to the Internet, rather connect through an encrypted VPN running on embedded hardware. Design such hardware so at it would require physical access to alter the firmware. Use a second system to monitor the first and keep an irrevocable audit trail of data passing through the network.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
