Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
Security Technology

Major Cyber-Attack Will Happen Soon, Warns UK's Security Boss (theguardian.com) 66

Alex Hern, writing for The Guardian: A "category one" cyber-attack, the most serious tier possible, will happen "sometime in the next few years", a director of the National Cybersecurity Centre has warned. According to the agency, which reports to GCHQ and has responsibly for ensuring the UK's information security, a category one cybersecurity incident requires a national government response. Speaking at an event about the next decade of information security, Levy warned that "sometime in the next few years we're going to have our first category one cyber-incident." The only way to prevent such a breach, he said, was to change the way businesses and governments think about cybersecurity. Rather than obsessing about buying the right security products, Levy argued, organisations should instead focus on managing risk: understanding the data they hold, the value it has, and how much damage it could do if it was lost, for instance.
This discussion has been archived. No new comments can be posted.

Major Cyber-Attack Will Happen Soon, Warns UK's Security Boss

Comments Filter:
  • MORE FUNDING! (Score:5, Insightful)

    by brian.stinar ( 1104135 ) on Friday September 22, 2017 @01:46PM (#55246057) Homepage

    Well, it sounds like the only reasonable thing to do would be to provide the National Cybersecurity Centre with much more funding!!

    • Re:MORE FUNDING! (Score:5, Insightful)

      by Train0987 ( 1059246 ) on Friday September 22, 2017 @01:47PM (#55246071)

      Don't forget abolishing any privacy or encryption.

      • by zuki ( 845560 )
        Surely this will come up for debate in the UK, especially once it manages to rid itself of any vestigial remaining compliance to European laws governing cyber-security.

        FUD-based balkanization of this once-great river of data proceeding apace....
    • by AmiMoJo ( 196126 )

      Surely we should be de-funding these guys, since it's their incompetence and unwillingness to actually help protect us that has gotten us here.

    • I tend to be just as cynical but I happen to agree with his advice: start working on damage control.

      • Mitigation is always the prudent path. I have lost count of the times I had been countered in a design meeting when asking what security approach we would use only to be told "features" outweigh "security". I hope that most companies actually did create a tested, repeatable and, current disaster recovery plan because I think they may need it in the near future.
    • I've seen how government reacts to impending crisis, The money goes to contractors, agencies are just conduits.

  • Rather than obsessing about buying the right security products, Levy argued, organisations should instead focus on managing risk: understanding the data they hold, the value it has, and how much damage it could do if it was lost, for instance.

    But what do you suppose the chances are that the leaders of these organizations magically start thinking that way?

    Also he forgot one important part. Planning for what to do when the inevitable happens.

    • Also he forgot one important part. Planning for what to do when the inevitable happens.

      Well, he did plan. He wants more funds and power right now, then again when the big attack will happen.

    • But what do you suppose the chances are that the leaders of these organizations magically start thinking that way?

      When their auditors, audit committees, and (where relevant) regulators require them to then it will happen. There is a fair degree of lobbying going on behind the scenes to effect it via this route in the UK at least. This kind of cultural change takes some time, but there are plenty of examples of it happening - employee health and safety, corporate governance, etc

    • They won't. "Security has no ROI" has been a mantra for the industry, and virtually the entire IoT campaign since its inception. Plus, with companies able to get away scot-free no how egregious the breach by saying, "we can't do anything, the hackers are too good" almost institutionalize the fact that shit for security is the standard.

      A "cat 1" breach is inevitable. I was at a meeting with someone from a Congressional committee several years back stating that an intrusion that would cause massive destruc

  • by Anonymous Coward

    This is nothing but an excuse to grab power. What with the advent of cryptocurrencies, strong encryption, and a growing distaste for governments and corporations, you can bet your last penny the people in power will do anything to keep it. If we in the West do not stop this sorry power grab stuff that keeps happening, we'll end up like China as regards the Internet.

  • so "soon" = "next few years" is cyber space?

    and it is possible to accurately predict future of online world and its evolution for few years into future? so accurately that funds and laws infringing on other needs, and privacy, can be reallocated?

    given the hurricane terminology, would there be a campaign against skeptics of these predictions, like against skeptics of climate change predictions?

  • by Anonymous Coward

    "I’ve often thought that the single most devastating cyberattack a diabolical and anarchic mind could design would not be on the military or financial sector but simply to simultaneously make every e-mail and text ever sent universally public. It would be like suddenly subtracting the strong nuclear force from the universe; the fabric of society would instantly evaporate, every marriage, friendship and business partnership dissolved. Civilization, which is held together by a fragile web of tactful phr

  • Maybe he's talking about in the UK specifically, or maybe his definition of a category one cyber-attack is different from my own (confession - I didn't RTFA to find out how cyber attacks are classified!) But if you want to talk about major acts of sabotage perpetuated through "cyber" - http://www.zdnet.com/article/u... [zdnet.com] Also, that whole Stuxnet thing
  • Managing risk (Score:5, Interesting)

    by tomhath ( 637240 ) on Friday September 22, 2017 @02:12PM (#55246259)

    Rather than obsessing about buying the right security products, Levy argued, organisations should instead focus on managing risk: understanding the data they hold, the value it has, and how much damage it could do if it was lost, for instance.

    He has a good point. When an all out attack does happen you won't be able to stop it. So before it does, make sure your backups work, make sure your restores work, put fences up to stop the spread of an attack, etc, etc.

    In other words, assume the attack will succeed. Then what will you do?

  • The various corporations and governments have been warned for years that trade secrets and infrastructure are extremely vulnerable. This warning is more of the same.

    Repeated breaches have not convinced them to make the fundamental changes that are necessary. It seems that nothing short of a catastrophe will.

  • Don't know where all the funding stuff comes from in here, except maybe the history of it always leading to that, hah.. But he is right that building cybersecurity or generally running a business without basing it on sound risk analysis makes no sense. Realizing that should not be rocket science but somehow people/organizations don't seem to do it anyway. I find it good that someone tries to bring the message..

  • ...which will imprison people for using the word "cyber". Each instance of the word would carry the penalty of 24 hours locked inside a smelly hall closet with a small television blasting the movie Lawnmower Man on an endless loop.
    • by gweihir ( 88907 )

      I would be completely on-board with that. "Cyber" immediately marks you as clueless and unaware of it.

  • ... putting more research into actual advances into computer security, or making systems more secure, for example by banning the most insecure products and demanding minimum evidence based security standards...

    he probably just wants people buying exploits on the market in order to compromise the computational devices of innocent victims.

  • by ytene ( 4376651 ) on Friday September 22, 2017 @02:39PM (#55246489)
    ... it took lone-contributor security researcher, Marcus Hutchins, to stop the WannaCry ransomware outbreak [by registering a domain name].

    Ian Levy, the Director of the UK National Cybersecurity Centre and the individual quoted in the OP, heads an agency that is so good, so capable, so on-the-ball, that it took a private individual to identify a means of neutering WannCry.

    Never mind the fact that it would have been Levy's organisation that was responsible for preventing the NHS and other UK government agencies from being compromised in the first place...

    To give you an idea for just how misguided the man's thinking is, here's another of his quotes, from the same article:-

    "“Cybersecurity professionals have spent the last 25 years saying people are the weakest link. That’s stupid!” he said, “They cannot possibly be the weakest link – they are the people that create the value at these organisations."

    So, let's just get this right. When we have an abundance of evidence that shows that it is people, not technology, who select easily-guessed passwords, people, not technology, that click the links in phishing emails, people, not technology, that try and promote code that hasn't been properly tested, "because they know it's OK, they don't need to test..." ... Mr Levy is certain that all this evidence is wrong, and he is correct.

    I think that having Mr Levy in charge at the NCC is actually more scary than his claims of a "Major Cyber Attack Happening Soon" ...
    • Re: (Score:2, Funny)

      by Anonymous Coward

      Did he start out with a degree in music?

      • by Anonymous Coward

        Smoking weed at band camp one time still leaves you more qualified than half of the Trump Administration.

    • No, no, no, it was really robots outside of the Pentagon who picked up those USB sticks, took them instead and against ALL Pentagon regulations inserted said sticks of unknown origin into their government computers. It's always those damn robots . . .
  • by Anonymous Coward

    Don't need a cyber attack, just physical against several Critical Infrastructure sectors to cripple a society, or worse, a mixture of the two. Mainly electricity, fuel (natural gas, petrol), and water. It all falls apart without any of those 3, but take out 2 or more o them and it is crippling.

    But, as far as cyber goes, Ted Koppel's Lights Out [tedkoppellightsout.com] is a great read. It's not just the US which would be crippled by such attacks.

  • Does this dood mean it's time to offshore even more Brit jobs to China???? These clowns are always soooo confusing . . .
    • by AHuxley ( 892839 )
      Run a billing system on a consumer OS. Have support calls in another nation.
      If its just a consumer network and service it can fail often and for a long time.
      The coded talk is for the rest of the contractors and vital infrastructure. Say a power company lost its billing system and call centre? The lights stay on as the grid networks and OS are very different and not connected.
      Thats the coded warning.
      A gov will forgive and forget any consumer network, product or service been down for a long time.
      Don
  • The guy might as well warn everyone that it is likely to rain "soon"

    This must count as the most inept warning - or is it merely a tragically poor attempt to scare a government into increasing their funding - for years.

  • Major cyber-attack will happen soon, followed by a call for even more onerous surveillance laws.
  • by Anonymous Coward

    The approach suggested, give up and expect to lose data, is just another wrong approach.

    Such an attack is likely to come in the form of IoT attack. Billions of devices are going online over the next few years.. Most of them use unpatched linux variants. A team of cunning programmers could exploit a few Linux zero days to spread a worm across the internet. They could in theory destroy billions of devices causing hundreds of billions in direct damage and hundreds of billions more in indirect damage from th

  • OK, apart from this Levy guy being a tier one nut job, and his goal is primarily to get more powers and money after showing repeated signs of incompetence, what kind of attack does he expect?

    Maybe something that exposes important information to the public that would totally destroy confidence in a government or institution?

"Ignorance is the soil in which belief in miracles grows." -- Robert G. Ingersoll

Working...