Major Cyber-Attack Will Happen Soon, Warns UK's Security Boss (theguardian.com) 66
Alex Hern, writing for The Guardian: A "category one" cyber-attack, the most serious tier possible, will happen "sometime in the next few years", a director of the National Cybersecurity Centre has warned. According to the agency, which reports to GCHQ and has responsibly for ensuring the UK's information security, a category one cybersecurity incident requires a national government response. Speaking at an event about the next decade of information security, Levy warned that "sometime in the next few years we're going to have our first category one cyber-incident." The only way to prevent such a breach, he said, was to change the way businesses and governments think about cybersecurity. Rather than obsessing about buying the right security products, Levy argued, organisations should instead focus on managing risk: understanding the data they hold, the value it has, and how much damage it could do if it was lost, for instance.
Re: (Score:1)
Most countries, at least in Europe, have one. Just put "national cyber security centre" + name country. Of course, they have little to do with James Bond style cool stuff. More like national level network monitoring, situational awareness, threat intelligence, guiding and educating companies and public organizations as useful.
Re: James Bond (Score:2)
"National Cyber Security -- Vatican City"
Nah. That's more Dan Brown than Ian Fleming.
Re: James Bond (Score:2)
Re: (Score:2)
The fear of a massive DDoS attack, somebody breaks into the digital records of the inland revenue, Parliament (already happened with an email server), an encryption malware worm or an attempt to shut down or overload the electricity grid.
MORE FUNDING! (Score:5, Insightful)
Well, it sounds like the only reasonable thing to do would be to provide the National Cybersecurity Centre with much more funding!!
Re:MORE FUNDING! (Score:5, Insightful)
Don't forget abolishing any privacy or encryption.
Re: (Score:2)
FUD-based balkanization of this once-great river of data proceeding apace....
Re: (Score:2)
Surely we should be de-funding these guys, since it's their incompetence and unwillingness to actually help protect us that has gotten us here.
Re: (Score:2)
I tend to be just as cynical but I happen to agree with his advice: start working on damage control.
Re: (Score:2)
Re: MORE FUNDING! (Score:3)
I've seen how government reacts to impending crisis, The money goes to contractors, agencies are just conduits.
Re: category 1? category 5? (Score:1)
What part of "most serious tier" did you not get?
Please let me know I don't get it either.
This means they will actually delete stuff? More people spying on us? No really! WTF is this "tier?"
Just FUD.
Re: (Score:2)
1. An artist cant log into the cloud to get their online only art software to work. The consumer internet is no longer useful.
2. The company buying the artists work for a larger project cant use their internet. The dedicated telco networks are having problems.
3. Non vital infrastructure fails. Lights, billing, banking systems, power to towns, cities.
4. Vital infrastructure fails. Contractor grade networks on dual use networks fai
He's right (Score:2)
Rather than obsessing about buying the right security products, Levy argued, organisations should instead focus on managing risk: understanding the data they hold, the value it has, and how much damage it could do if it was lost, for instance.
But what do you suppose the chances are that the leaders of these organizations magically start thinking that way?
Also he forgot one important part. Planning for what to do when the inevitable happens.
Re: (Score:3)
Also he forgot one important part. Planning for what to do when the inevitable happens.
Well, he did plan. He wants more funds and power right now, then again when the big attack will happen.
Re: (Score:2)
But what do you suppose the chances are that the leaders of these organizations magically start thinking that way?
When their auditors, audit committees, and (where relevant) regulators require them to then it will happen. There is a fair degree of lobbying going on behind the scenes to effect it via this route in the UK at least. This kind of cultural change takes some time, but there are plenty of examples of it happening - employee health and safety, corporate governance, etc
Re: (Score:3)
They won't. "Security has no ROI" has been a mantra for the industry, and virtually the entire IoT campaign since its inception. Plus, with companies able to get away scot-free no how egregious the breach by saying, "we can't do anything, the hackers are too good" almost institutionalize the fact that shit for security is the standard.
A "cat 1" breach is inevitable. I was at a meeting with someone from a Congressional committee several years back stating that an intrusion that would cause massive destruc
Nothing but an excuse (Score:1)
This is nothing but an excuse to grab power. What with the advent of cryptocurrencies, strong encryption, and a growing distaste for governments and corporations, you can bet your last penny the people in power will do anything to keep it. If we in the West do not stop this sorry power grab stuff that keeps happening, we'll end up like China as regards the Internet.
so "soon" = "next few years" is cyber space? (Score:2)
so "soon" = "next few years" is cyber space?
and it is possible to accurately predict future of online world and its evolution for few years into future? so accurately that funds and laws infringing on other needs, and privacy, can be reallocated?
given the hurricane terminology, would there be a campaign against skeptics of these predictions, like against skeptics of climate change predictions?
Single Most Devastating Cyberattack (Score:1)
"I’ve often thought that the single most devastating cyberattack a diabolical and anarchic mind could design would not be on the military or financial sector but simply to simultaneously make every e-mail and text ever sent universally public. It would be like suddenly subtracting the strong nuclear force from the universe; the fabric of society would instantly evaporate, every marriage, friendship and business partnership dissolved. Civilization, which is held together by a fragile web of tactful phr
Too late (Score:2)
Re:Amm... So what? (Score:4, Informative)
Like that? So what? Still?
Ya, I thought so.
Re: (Score:1)
Re: (Score:2)
Allegedly 7 years ago.
Re: (Score:3, Interesting)
Re: (Score:2)
Re: (Score:1)
I mean, what's the worst that can happen in a cyberattack?
You have no idea what is going on, do you?
Attackers could target the electrical grid and knock out the power to an entire region of the US. Or the entire country. And there are failure modes that destroy equipment.
Bank site is down?
How about the entire banking network? We could be talking about payment processing (Visa, etc) or the bank transaction network (ACH).
WhatsApp doesn't work?
Funny that you mention this, but the control system for cellular systems is notoriously outdated.
A sophisticated actor may be able to disrupt the entire network. We'
Managing risk (Score:5, Interesting)
Rather than obsessing about buying the right security products, Levy argued, organisations should instead focus on managing risk: understanding the data they hold, the value it has, and how much damage it could do if it was lost, for instance.
He has a good point. When an all out attack does happen you won't be able to stop it. So before it does, make sure your backups work, make sure your restores work, put fences up to stop the spread of an attack, etc, etc.
In other words, assume the attack will succeed. Then what will you do?
Blah Blah and More Blah (Score:2)
The various corporations and governments have been warned for years that trade secrets and infrastructure are extremely vulnerable. This warning is more of the same.
Repeated breaches have not convinced them to make the fundamental changes that are necessary. It seems that nothing short of a catastrophe will.
he is right on risk management (Score:1)
Don't know where all the funding stuff comes from in here, except maybe the history of it always leading to that, hah.. But he is right that building cybersecurity or generally running a business without basing it on sound risk analysis makes no sense. Realizing that should not be rocket science but somehow people/organizations don't seem to do it anyway. I find it good that someone tries to bring the message..
I propose a law... (Score:2)
Re: (Score:2)
I would be completely on-board with that. "Cyber" immediately marks you as clueless and unaware of it.
Somebody wants more power and budget.... (Score:2)
Pretty obviously.
So instead of doing something sensible like... (Score:2)
... putting more research into actual advances into computer security, or making systems more secure, for example by banning the most insecure products and demanding minimum evidence based security standards...
he probably just wants people buying exploits on the market in order to compromise the computational devices of innocent victims.
They're So Good That... (Score:5, Informative)
Ian Levy, the Director of the UK National Cybersecurity Centre and the individual quoted in the OP, heads an agency that is so good, so capable, so on-the-ball, that it took a private individual to identify a means of neutering WannCry.
Never mind the fact that it would have been Levy's organisation that was responsible for preventing the NHS and other UK government agencies from being compromised in the first place...
To give you an idea for just how misguided the man's thinking is, here's another of his quotes, from the same article:-
"“Cybersecurity professionals have spent the last 25 years saying people are the weakest link. That’s stupid!” he said, “They cannot possibly be the weakest link – they are the people that create the value at these organisations."
So, let's just get this right. When we have an abundance of evidence that shows that it is people, not technology, who select easily-guessed passwords, people, not technology, that click the links in phishing emails, people, not technology, that try and promote code that hasn't been properly tested, "because they know it's OK, they don't need to test..."
I think that having Mr Levy in charge at the NCC is actually more scary than his claims of a "Major Cyber Attack Happening Soon"
Re: (Score:2, Funny)
Did he start out with a degree in music?
Re: (Score:1)
Smoking weed at band camp one time still leaves you more qualified than half of the Trump Administration.
Re: (Score:2)
Physical just as important (Score:1)
Don't need a cyber attack, just physical against several Critical Infrastructure sectors to cripple a society, or worse, a mixture of the two. Mainly electricity, fuel (natural gas, petrol), and water. It all falls apart without any of those 3, but take out 2 or more o them and it is crippling.
But, as far as cyber goes, Ted Koppel's Lights Out [tedkoppellightsout.com] is a great read. It's not just the US which would be crippled by such attacks.
Is this coded talk???? (Score:2)
Re: (Score:2)
If its just a consumer network and service it can fail often and for a long time.
The coded talk is for the rest of the contractors and vital infrastructure. Say a power company lost its billing system and call centre? The lights stay on as the grid networks and OS are very different and not connected.
Thats the coded warning.
A gov will forgive and forget any consumer network, product or service been down for a long time.
Don
Scary monsters (Score:2)
This must count as the most inept warning - or is it merely a tragically poor attempt to scare a government into increasing their funding - for years.
Major cyber-attack will happen soon .. (Score:1)
Regulate network software (Score:1)
The approach suggested, give up and expect to lose data, is just another wrong approach.
Such an attack is likely to come in the form of IoT attack. Billions of devices are going online over the next few years.. Most of them use unpatched linux variants. A team of cunning programmers could exploit a few Linux zero days to spread a worm across the internet. They could in theory destroy billions of devices causing hundreds of billions in direct damage and hundreds of billions more in indirect damage from th
And the Equifax hack was what on this scale? (Score:2)
OK, apart from this Levy guy being a tier one nut job, and his goal is primarily to get more powers and money after showing repeated signs of incompetence, what kind of attack does he expect?
Maybe something that exposes important information to the public that would totally destroy confidence in a government or institution?