Defending the private sector against cyber attack

google-76522_640In 2009, Google was the victim of a cyber attack, later dubbed Operation Aurora, that left attackers with access to confidential information related to active investigations by the FBI and other US law enforcement agencies.  An article published in Vanity Fair magazine in 2011 said of the attack: ‘Google called the National Security Agency (NSA) and said, “You were supposed to protect us from this!” The NSA guys just fell out of their chairs. They could not believe how naive the `Google guys had been.’

But should the NSA have protected Google? How far should government security agencies go to help strengthen the defence of private companies against cyber attacks?  In this blog post, Ashley Sweetman draws on his PhD research and the writings of Gordon Corera in his new book, Intercept, launched by the Strand Group in July 2015, to consider these questions.              

Operation Aurora

Operation Aurora was reputedly a counterespionage operation run by the Chinese government. This targeted malware attack exploited a “zero day” flaw in Internet Explorer- a previously unknown or undisclosed software vulnerability – in order to steal intellectual property from its targets, in this case over 30 major companies.

As the Vanity Fair quote discloses, Google believed that the NSA should have been defending them against cyber attacks such as Operation Aurora.  This was not a view shared by the NSA and Google’s reaction left them shocked that they had a duty to act. In his book, Intercept, Gordon Corera also cites this quote to highlight the incredulity of NSA employees to Google’s reaction.  But how actively involved should government security agencies be in helping to bolster the resilience of companies such as Google against cyber attacks?

We learn from Intercept that this is not a recent question but one that has been front of mind of intelligence services since the Second World War. Corera describes how after the War the US forged ahead of Britain in computing due to a close relationship that developed between spies and private companies, something that was absent in the UK. This ‘unique relationship’, Corera says, manifested itself in huge amounts of NSA and Pentagon money being ploughed into the private sector and saw most of the major US computer companies opening new, security cleared departments to work with the intelligence agencies.

Protecting critical infrastructure

In the UK this is also a significant question – with such a large proportion of the country’s critical infrastructure owned and operated by the private sector, the need for strong relationships between security agencies and the private sector is more vital than ever. A particularly illuminating example, and the subject of part of my PhD research, is that of UK security services working with key financial companies – ones that the Bank of England deems critical to the UK economy.

The question is should GCHQ – the British intelligence and security service – step in and bail out a bank if it is breached by a cyber attack? Would it even be possible for them to do so? What would be the implications globally if an intelligence agency were to step in and offer its offensive capabilities to the private sector as a counter measure?

The likely answer is that a bank would not be rescued in such a way, but in a similar fashion to the US after the Second World War, there would almost certainly be constant communication between the bank and GCHQ. This information sharing, although described by one businessman in Intercept as a one-way relationship, is key to the ongoing monitoring of potential threats.

Sharing is caring

Financial institutions should in theory be more acutely aware of the sophistication of their resilience and continuity plans for an attack as a result of the CBEST vulnerability testing that they are recommended to carry out by the Bank of England. But, with only 5 of the 35 critical institutions having completed these tests by July 2015, we have to ask; what can be done to further incentivise these institutions to undertake the testing and see cyber resilience as a key business (as opposed to purely technical) issue?

The UK’s financial stability is highly dependent on these financial institutions being sufficiently resilient to attacks, in particular to the sustained barrage it suffers in cyberspace. It is crucial then that security agencies find a cohesive way to work with financial institutions to share vital information related to cyber resilience.  Perhaps even more important is the sharing of this intelligence between businesses themselves, something that is as it stands relatively well-developed in the UK.

No more surprises

As Corera says in Intercept, ‘Industry has often proved itself either incapable or unwilling to spend the money [to defend itself from cyber attack]…Government is reluctant to get into the business of protecting anything but the most core national assets in the private sector because the job is so vast.’

But, if even a company like Google can be taken by surprise in such a manner, are the efforts of intelligence agencies to support them futile? Rapidly evolving and increasingly targeted and sophisticated attempts at breaching these companies’ systems mean that the sharing of intelligence gathered by both government and the private sector, especially in sectors such as energy, telecommunications and finance that are integral to the stability of the nation, is more vital than ever.

Otherwise, intelligence officials worldwide may find themselves falling off their seats more often than they would wish.

Ashley Sweetman – PhD student and Technology Coordinator for the Strand Group

Creative Commons License
This blog by Policy Institute at King’s is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>