As cyber attacks continue to escalate, John Lyons, CEO of the International Cyber Security Protection Alliance, tells Robert de la Poer how international co-operation is key to combating the threat to critical systems
RP: Governments around the world are currently scrambling to find new ways of enhancing cyber security. What, if any, do you see the most likely targets for a large-scale cyber attack?
JL: You’re presupposing that there may be or will be a large-scale attack – and I’m not sure that is a realistic scenario. If you’re looking at government targets, I suspect that they will fall into a number of categories: defence, intelligence and security, business and treasury. Attacks will be aimed at gathering information that is of use to a foreign state and, as I outlined in a recent presentation to RUSI delegates, these attacks are simply an extension of good old-fashioned espionage activities – something in which nations have been engaged for a very long time. Governments’ use of the Internet, and their desire to place information on systems connected to the Internet, provides those engaged in espionage and intelligence gathering work with a much larger target, and one which is proving to be very fruitful. Of course, this works equally well for all – and so we should not be surprised when we are attacked in this way nor surprised with the intensity of such operations.
RP: What could be the potential impact of a successful cyber attack on part or parts of the critical national infrastructure?
JL: That of course depends on the specific target or targets. We have seen incidents involving electricity grids, and the effect that this has on the ability of business and society to function. Outages which last up to 12 hours can cause considerable inconvenience, but not lasting economic damage. Backup systems are in place to keep essential services operating. But outages for an extended period would begin to have an exponentially greater effect on our ability to function and, as such, would clearly have significant social and economic adverse consequences. One could imagine that an attack on water supplies either to disrupt supply or to contaminate them would have an immediate impact on a region’s ability to function – causing major disruption, harm to citizens and would place considerable strain on blue light services. Of equal importance, the damage such an attack would do to our confidence in the provision of basic services – and of our government’s ability to defend us – would be significantly eroded.
RP: State-sponsored “cyber warfare” has been a growing concern in the past few years (albeit at a fairly low level so far), as has cyber crime. Do you think there is an additional threat from non-state actors such as terrorist groups, or are the capabilities beyond them?
JL: It depends what you mean by “cyber warfare” – but if we look at it as an extension of state-sponsored warfare generally, then I would expect that governments will deploy multiple means of conducting cyber warfare. Farming out or outsourcing cyber warfare operations would make sense for a government that is keen not to have its activities attributed to it. I would expect nations to “employ” any and all avenues, collaborate with groups that have capability, fund additional resource where necessary and run these operations ahead of and during any full-scale cyber offensive operations.
RP: Would you agree that the activities of so-called “hacktivists” could be seen as a form of cyber terrorism? How should the problem be addressed?
JL: I don’t like the term “cyber terrorism”. Terrorist groups engaged in activity and operations are currently using the Internet and networked systems to support the administration, financing, planning and execution of operations. Again, it’s just another tool which they will use in support of their illegal activities. If you accept this fairly crude definition, then you can decide whether any group, by whatever name or label you attribute to it, is engaged in terrorism or not. I would not, therefore, suggest that “hacktivist” activities fall within the term “cyber terrorism”.
RP: What can organisations like the ICSPA do to improve cyber security standards internationally? Is it just a forum for information sharing?
JL: The ICSPA and its member companies are engaged in helping countries that face the greatest cyber challenges. With the assistance of our law enforcement partners (Europol and the City of London Police) we and our members are working with such countries to help them enhance their cyber security, capability and resilience in four key areas. These are: cyber legislative frameworks and laws, justice, home affairs and prosecution services; law enforcement; critical national infrastructures; and public information campaigns and programmes aimed at helping their businesses and citizens understand the nature of cyber threats and what they can do to mitigate those threats. Of course, information sharing on good practice forms a part of this work – but most importantly, we are not a talking shop!
RP: Given the unique nature of each country’s critical infrastructure, IT capabilities, law enforcement and cyber security resources, how useful are international bodies like the ICSPA? What are the major challenges of operating in this international arena?
JL: Actually, most countries’ critical national infrastructures have much in common. What differs from country to country is their capability, competency and their resourcing to meet the challenges that are presented by operating in cyberspace. And it’s not just developing nations that have unique challenges – we all of us face the very difficult job of securing our governments, businesses and citizens from cyber attack, cyber fraud, intrusions and the myriad of new MOs and platforms that those who wish to attack us can now deploy.
The ICSPA provides a focus for nations who want to improve their cyber security and resilience posture by deploying good-practice advice and solutions which will render practical improvements for the benefit of their businesses and citizens. That’s how the ICSPA operates and how we will demonstrate that together we can make really tangible, beneficial improvements to the cyber infrastructures of the countries in which we operate.
RP: What benefit could law enforcement bodies and private companies gain from association with ICSPA?
JL: Working together to enable our businesses, citizens and governments operate more safely and securely in globally interconnected marketplaces will provide the basis for national economic stability and growth. Countries and businesses that operate securely in this networked environment will be the winners. The involvement of law enforcement in this process is key to ensuring that businesses deploy the right level of preventative solutions. When these solutions do not work as they should, or have not been deployed, every country needs law enforcement cyber crime units that have the right levels of capability and resource to mount credible crime fighting operations that result in criminals being brought to justice. Working together in a collaborative group like the ICSPA makes sense for us all.
RP: ICSPA has recently launched “Project 2020”. What are the major aims of the project, and who will benefit from its findings?
JL: Project 2020 has been established to look at the evolution of cyber crime over the next eight years to provide governments, businesses and law enforcement agencies with an authoritative study of what and how we expect cyber criminality to shift over the coming years. To assist policy makers, technology providers and users understand ahead of time what measures might need to be put in place to mitigate new threats before they take shape, and before they have the adverse consequences that we regularly see in what is, after all, the very early stages of our latest technology revolution.
RP: Is enough being done, in your opinion, to address the evolving cyber security threats? What more should governments be doing? Is it just a question of throwing more money at the problem until it goes away?
JL: We need better international collaboration on defensive cyber techniques and solutions. Leaving aside state-sponsored cyber operations, which by implication will never recede, nations could be doing more to prevent organised criminal groups profiting from their illegal activities on the Internet. For example, money is the oxygen which fuels online criminality. Governments, financial institutions and regulators could be collaborating successfully to choke off the funding that criminal groups gain from their illegal endeavours. They make many millions of dollars from their exploits – cash which, in turn, causes real harm to citizens and businesses around the world. You would think that we could and should be doing more to prevent this flow of funding taking place right under our noses – but right now, there does not seem to be the political will to do so – there are too many vested interests involved making huge sums from the provision of financial facilities to make this an easy job to do.
John Lyons is Chief Executive of the International Cyber Security Protection Alliance (ICSPA), a business-led, international not-for-profit organisation which aims to provide private and public sector funding and support globally to law enforcement agencies engaged in the fight against cyber crime. Lyons’ previous public service included 20 years in the Royal Air Force (Security Branch) and subsequently at the National Hi Tech Crime Unit.
This article was first published in the February 2012 issue of the Counter Terror Expo newsletter. John Lyons will be speaking at CTX in April.