UK armed forces could be 'fatally compromised’ by cyber attack UK armed forces’ dependence on information and communication technology could leave the nation vulnerable in the event of a cyber attack, according to a study by a committee of MPs. A report by the Commons' Defence Committee suggests that the UK Government still has some ground to cover in its approach to the nation’s cyber …
"It's particularly worrying that the best advice offered is repeatedly to simply update antivirus protection – far more sophisticated and sustained responses are needed."
It's particularly worrying that the best advice offered is repeatedly to simply update antivirus protection – far more expensive responses are needed.
There, corrected for you.
"It's particularly worrying that the best advice offered is repeatedly to simply update antivirus protection – far more expensive responses are needed."
It seems official secrets acts do more to protect the idiots in charge than to protect us from external threats. No wonder WikiLeaks has many of these turkeys frazzled--and they set on WL's destruction.
Well, that "external threat" was an internal one, one caused by negligence upon the part of the commander down for that PFC.
DoD and more germane, US Army regulations required that when the PFC was flagged for negative personnel action, he would lose access. He didn't, as his commander and every officer and NCO down the chain failed to do their duty and restrict his access, as vengeance is a big part of many espionage cases.
It was a failure at the start of command, it further was damaged by a failure to monitor those who were to be discharged for mental issues. It was compounded by Manning himself.
So, what did the Wikileak actually accomplish? Reveal that some diplomats despise each other? That isn't news, never was, never will be. Did it reveal one attack on men with an RPG and AK47's? Yes and reporters that were stupid enough to venture into the middle of shooting to interview the shooters. I'd have pulled the trigger too.
As far as Wikileaks is concerned, I have no use for them at all. They don't honor their word to remove personal information, but instead publish it. Their leader is a wanted criminal who hides behind some mythical "wanted by the US" nonsense, which some ignore and think that if the US wanted him, he'd not be long ago got.
Sorry, but they're only noise and nuisance.
It's a start. Consider the 2008 network attack on the US.
Up to date antivirus definitions stopped it cold on my installation, other installations fared far less well. To the tune of one billion dollars for the first infection, the second one remains classified in expense.
So, it's a start. A second option is IPS systems inline with the firewall that can be modified when an attack is beginning and ongoing.
There are various other methods to protect a network, including host based IDS/IPS systems and custom designed IDS systems for the network. One can even buffer headers of all traffic across the network, though that creates an obscene amount of data to archive, the US does it at the DoD level.
The very first step is to keep the antivirus up to date in version and definitions. The second step is keeping patches up to date.
The final and most important step is to educate the user to not plug a found USB drive into a computer to see what's on it or even format it, as that is how the 2008 network attack was accomplished initially. Other successful attacks were phishing attacks and spear phishing attacks.
One accomplishes defense by one method, defense in depth, with layers of defense.
However, one also is mindful of the budget, lest one lose out in important areas when securing secondary or tertiary areas before the primary areas are secured.
Readers of El Reg will see a lot of this stuff, given our jobs, employers and interests. Speaking as an employee of one of the "target sectors" mentioned, I'm not entirely convinced that we put any of our critical systems at risk by making them available using insecure web connections, but it seems to me that there's only one way to see what the risk is, and that's some targeted war gaming - not desktop studies, but to actually try and hack in and disrupt the operations of water, electricity or gas et al. And try and bring down some military systems. You don't have to attack all these systems simultaneously, and with forewarning the operators can make sure that they have backup available (because all these systems are at risk of mechanical or electrical failure anyway, and have to have some form of standby), and ideally this would enable the providers to prevent any really expensive damage, but even if that does occur, better to to find out before you're really at war.
Personally I think this cyber risk stuff is dramatically overplayed, either by committees of MP's who know nothing, or by suppliers hoping to sell something, but either way, isn't it about time that the decision makers started from a few facts?
It's with regret that anyone capable of testing these systems to their limit are automatically catagorised as a 'cyber terrorist' by our governments and locked up until they've gone absolutely mad.
So... it's all about which one of their Eton pals needs in insanely large amount of money for doing very little, behind time and over-budget all in the name of 'freedom'
Wrong. Those who test said systems with permission are not locked up at all. They have a signed contract to perform said testing.
It's only the scofflaw who is locked up. And good riddance to bad rubbish, as far as I'm concerned.
But, do give the UK's network to the Russians, Chinese and assorted others. It's no skin off of my nose if you do.
It'll just suck to be you at the end of the day.
Sorry to burst your bubble, but it's real, it exists and it's ongoing.
It's not overplayed at all, but actually underplayed, as it both reveals sources and means of gathering said intelligence and also embarrasses the government with its pants about its knees.
But then, I have access to classified information, you do not. It is what it is. Accept advice or not, to your own peril and whoever you are employed by.
But then, I know some of the foreign military performing said attacks by name and address, due to their attitude that you share.
"Sorry to burst your bubble, but it's real, it exists and it's ongoing...I have access to classified information."
OK then, 007. Where's the proof?
And I'm not talking about the sort of script kiddy DOS attacks on US retail banks that have recently been blamed on the Iranians, nor espionage You're saying the infrastructure and military threat is real, in which case where's the power grid failure? Where's the crashed trains, and the gridlocked roads? Where's the flaming wreckage of the gas transmission system? Where's the water treatment works pumping sewage through my taps? Where's the complete failure of the food supply chain?
I'm not disputing the ill-will between differing countries, I'm happy to accept that there's espionage, hacking, and a desire to do harm. On the other hand I'm calling the bluff of those who are trumpeting the imminence of Cybergeddon.
The proof is in the threat intelligence feeds that the likes of companies such as mine sell and the monitoring we do. As we see a huge amount of very sophisticated targeted threats and it is very much real.
Data exfiltration destroyed Nortel by taking all its IPR out of its boundaries and its happening across all major sectors. You would not believe what we see and who we see it coming from.
And re Cybergedon, all it takes is for something to compromise a SCADA system and you will have major damage. Look up on wikipedia the loudest man made explosions and one of them is from an oil pipeline that was running stolen canadian SCADA code (which unfortunately for whoever stole it the US has already modified knowing that there was a plan to steal it). if you can steal it you can change it.
Anon obviously
Your comments may very well be correct. Having worked in or alongside various public services, and now as a member of the public all I can say is that we have been constantly deceived in the past and assured that we have the best "this that or the other" whether it be physical kit (eg the SA80), public services or whatever and constantly it turns out not to be true, yet we are patronised by our elected rulers and the civil service/local government/etc. whenever we try to enquire about how they are running our country on our behalf and supposedly in our interest.
We now find that we don't in fact have the best police service in the world (although many of the individuals in it are excellent) as management colluded with or turned a blind eye to the massive invasions of privacy by the press, often for reasons of self interest. Our NHS is failing on a number of levels, not just due to demand exceeding supply but due to the relentless and often (upon judicial review) illegal suppression of any dissent in the form of whisteblowing. I could provide many more examples and I am sure other readers could do so as well. Lewis' occasional pieces about defence procurement being run in the interest of firms such as BAe (for example) rather than the interest of the country or even the people having to use the kit should it become necessary are an example and not wide of the mark either, and repeated examples of what is effectively similar corruption at all levels of government abound.
This then is perhaps the reason for the instinctive distrust when the same sorts of people "in authority" simply tell us not to worry our pretty little heads about things and that it's all in hand. The only way we'll find out that it is not is when it all goes tits up, and it certainly wont be the officials in charge bearing the consequences.
You may very well be correct that in this instance there is some (more or less rightly) secret activity going on behind the scenes to ensure that the national infrastructure is resilient, however there's a huge trust deficit that has accumulated and you should perhaps understand and forgive the cynicism of those without access to the facts that you have.
I seem to have heard this old tune so, so many times. They all have one thing in common - BIG MONEY.
All the now micro-sized military needs is a ruggedised cell-system connected to a satellite system fed from MoD. They don't need InterNet.
Costing around £200 per smartphone, a ruggedised Android device made in the UK. And GSM technology is tried and tested. The present (wo)man radio used by the Army costs around £8,000 EACH. Compared to the modern Android smartphone features, these £8,000 radio's are crippled. Base stations can be duplicated and placed in several 'hard' vehicles so if one gets knocked out, the rest carries the load.
And the American designed junk the UK bought was a fantastic failure. Even the US military are using smartphones for ground troops, now.
Unfortunately, the MoD doesn't want off the shelf, they have wet dreams about what they need. They want some friendly military contractor to dream up an expensive system, lots of parties and confabs and testing.
The trouble is that the MoD and the MPs are all besotted with buying big, so the UK will get ripped once again.
Erm, look up the 2008 cyber attack upon the US some time. You might learn something, it was far worse than broadcasted to the world. The first attack cost the US one billion dollars to recover from and every asset from the US, including the NSA to clean up. Then, it happened again, due to lunacy on the part of certain parties controlling said networks.
As for "smartphones", they're specially encrypted, I'll not discuss how. So, they're secure, end to end.
The US DoD also uses COTS (Commercial Off The Shelf) software AND proprietary software developed in house to secure the network.
But, do what you want to do, make as much noise as you wish to make. You might end up giving China revenge for imperial events against them.
Because, it is what it is, even though it's ugly.
As Georgia how well they fared after angering Russia. With their networks becoming notworks.
I looked at the list of people giving evidence and there was only one with even a vague prospect of being able to actually tell the committee what assets, plans and contingencies the MOD has. Funny enough he was the Head of Defence Intelligence who are not in the routine habit of divulging secrets!
The MOD is hardly going to tell a bunch of politicians how they actually intend to fight a cyber war. So the short answer is probably that there may be some gaps in capability, but the committee is highly unlikely to know what they are, much less state confidently whether the military is vulnerable or not!
" there may be some gaps in capability"
Some gaps? The MoD are the same people that launched two separate wars of choice without sufficient equipment (helos, surveillance, fast air, personal protection, armoured ground mobiles), and even had stuff they'd specified, paid for and had delivery of, but they had then certified as not airworthy (the Chinook mk3). There's the whole sorry saga of MoD incompetence over Nimrod (AEW3, refuelling on MR2s, and MRA4), they failed to order a proper attack jet to replace the ageing Tornado, so that they're now sellotaping bombs onto aircraft designed as fighter jets (but they don't have enough trained crews fotr them anyway....
I could go on, and on, and on, but the point is MoD are grossly and persistently incompetent. They wouldn't have a clue about cybersecurity.
"......The MoD are the same people that launched two separate wars of choice....." FAIL! The MoD has never launched any wars, they're launched by politicians, usually the same ones that castrate the MoD's budgets and lead to shortages in kit. And how did those politicians get in charge? Well, they were voted for by numpties like you.
" FAIL! The MoD has never launched any wars,"
Shorthand, my simple-witted son, shorthand. The MoD are consulted by the pols, and had they declared that they couldn't fight the war, and that they'd go public about the kit if one were launched, then the pols would have had to have slunk off and found something different to do. I do apologise to other readers for having to spell out the fucking obvious for Matt.
For anybody that stands up in that way, it will cost them their job, but that's the price of doing the right thing. Knob ends like you won't understand that concept. But instead all the well paid senior military and snivel servants at the MoD pretend publicly that all is well, privately counsel that the kit is "sub optimal" and keep accruing the pension. Who pays the price? Only the grunts who die for lack of helicopters, or in the laughably inappropriate snatch landrovers. Or aboard the MR2 that went down over 'stan.
And, as usual you're spouting shit about what you think I believe or I do with your silly, childish little comment "voted for by numpties like you", since I haven't voted for any politician in a national election for a decade now, because that offers legitimacy to the twerps.
But instead of your usual whiney sniping from the sidelines, why not give us the benefit of your deep expertise and wisdom in this field?
".....The MoD are consulted by the pols, and had they declared that they couldn't fight the war, and that they'd go public about the kit if one were launched, then the pols would have had to have slunk off and found something different to do....." The MoD told Thatcher that they didn't have the kit to kick the Argentinians out of the Falklands, she decided to disagree. The press at the time was full of stories about who in the forces was short of what, but I don't remember anyone getting fired as you insist they would have. Maybe because it's all just male bovine manure.
".....I do apologise to other readers for having to spell out the fucking obvious for Matt....." Don't worry, anyone that has to suffer your attempts at wit will be used to you apologizing and mis-stating the obvious with alarming regularity.
".....why not give us the benefit of your deep expertise and wisdom in this field?" I fear I'd have to use far too many long words for somone of your limited abilities to comprehend. Might be best if you left the conversation to the adults.
MY experience was that of sending off US SF forces and NATO forces to scrounge up 9mm ammunition from supply and signal units in Afghanistan.
Some folk in the supply chain figured we'd have little use for such in the middle of a shooting war.
One arrives, at the end of the day with two things.
Disgust.
Respect for the Peter Principle.
And a final thing, disgust for the latter.
"MY experience was that of sending off US SF forces and NATO forces to scrounge up 9mm ammunition from supply and signal units in Afghanistan....." I have to sympathise, but also point out the budgets for the MoD to buy said ammo was set by politicians, and then even more constrained by the politicians wanting to give jobs tied to their constituents and not those of their political opponents. It's proably not any consolation, but in 1998 when the UK outlawed handguns I had to surrender a fully-working Browning Hi-Power to be destroyed, one which had not fired more than a few hundred rounds since it was manufactured in WW2, plus a considerable amount of matching ammunition that I no longer had a need for. At the time I did ask if I could donate it to the Paras but was told I could not. As a final example of political bungling, please note that the same 1998 Act means the MoD is (finally) buying Austrian-made Glocks to replace the Brownings you were probably scrounging ammo for, having killed the UK companies that could have made a competing weapon.
Wait! Do you mean that the MOD lacks the ability to declare war? ;)
Seriously, we in the US have the same problems. Hence, the Iraq debacle. And I lost several good friends in that mess, all because "they tried to kill my dad".
Still, post on. I had forgotten about the term numpties, as our "mutual language" has diverged over the centuries. I'd actually had forgotten that term. :/
Good night all, it's late here in the east coast of the US. I'm going to bed, lest my wife become enraged with me by my absence of flatulence or blanket stealing. ;)
"But then, if it weren't for a few friends on your island, I'd not care if the bloody thing sank into the ocean."
Why bother hanging round a UK web site if that's how you feel? Likewise, I've got friends in the US, but don't see the US as a friendly nation, or a trustworthy one. But I don't use US-centric web sites mouthing off with those rather unhelpful views.
An interesting comment, as I've rode within said "not airworthy" aircraft in Afghanistan. Right alongside of your SAS, who were rather interesting people in a peer environment.
I guess they are also incompetent in your world view. In that case, would you wish to invite them to take you on?
Or perchance, would you admit that politicians the world over are incompetent in special areas of expertise and rely upon true experts in those areas?
But then, if it weren't for a few friends on your island, I'd not care if the bloody thing sank into the ocean.
"An interesting comment, as I've rode within said "not airworthy" aircraft in Afghanistan"
I wasn't making that claim - if you're going to comment here, then do try and make sure that you are aware of the background:
http://www.publications.parliament.uk/pa/cm200809/cmselect/cmpubacc/247/9780215526663.pdf
And from that report's summary:: "We examined the procurement of these eight helicopters in our report on Battlefield Helicopters and considered it to be one of the worst examples of equipment procurement that we had ever seen"
Erm, ministers in the UK, congresscritters in the US, all are the same. Either trustoworthy enough to not disclose classified information or not.
The not get no clearance to disclose that which should not be disclosed, lest an entire nation suffer over the outlaw behavior of one person.
This post has been deleted by its author
Costing around £200 per smartphone, a ruggedised Android device made in the UK. And GSM technology is tried and tested. The present (wo)man radio used by the Army costs around £8,000 EACH. Compared to the modern Android smartphone features, these £8,000 radio's are crippled. Base stations can be duplicated and placed in several 'hard' vehicles so if one gets knocked out, the rest carries the load.
Cell phones needs base stations to operate properly. They are magnificently easy to DF, and Jam. Bowman doesn't need the base stations, it isn't easy to DF, and much more resilient to jamming.
Fear not for Blighty Preparedness against Cyber Attack. Stealthy IntelAIgent Defenders are Everywhere to be Found in Special Operations Forces, forces about which there is a "need to know" firewall which protects against general public access to special intelligence service services securing sensitive information from vital knowledge for greater intelligence.
Methinks Blighty might be very well fixed in the Realm of Cyber Security, when it be at least as shared above, and with every expectation of ongoing performance exceeding expectation and specification.
Makes you wonder why the UK does nothing fabulous with IT ...... ergo are current concerns entirely valid and in urgent need of speedy attention and resolution?
No matter. The Great Game is Changed to Virtually APT Player Control with Remote EMPowering and SMARTR Enabling Creative AIdDrives .... Stealthy Operating Systems.
It is just the way of the future, which you have to agree, will be nothing like the present or the past and therefore will be thought weird whenever uncovered and explained.
Well just imagine, they wouldn't have gone to DOS and Windows, but stayed with terminals and Unix/VMS whatever servers.
Today they could simply use VPN concentrators and SSH to connect to them. Everything would run on those servers, should a client get lost, nothing would happen. They would have had a lot less security issues. They'd only need a small number of skilled administrators taking care of those central servers.
How about "factually compromised" ;)
Also, do they rreally really mean "fatally" like as in, all dead, like, literally, man. Seriously doubt that, some are in subs! Does the same "super-virus" or "information-super-highway-attenuator" also affect old V8 LandRovers in exactly the same way as subs and various ages of planes? Yeah, yeah sure. Uh-huh.
Also if they really were interested in averting such things they wouldn't be using virus-prone kit..... or possibly invest in some decent network security boxes to help protect the vulnerable stuff as a nice start?
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
