Q&A: Reed Henry on cybercrime and the CSOC

By Nicola Brittain

09 Mar 2010


The first of two offices due to be set up under Gordon Brown’s National Cyber Security Strategy announced last summer will start operations on 10 March.

The Cyber Security Operations Centre (CSOC) will comprise about 20 staff and co-ordinate incident response as well as preventative measures. It will also provide advice and information to business and the public about the risks associated with cybercrime.

Just ahead of the opening, Computing spoke to Reed Henry, senior vice president of cyber security firm ArcSight, about cybercrime and the role of the CSOC in fighting it.

ArcSight works with the UK government and 26 other nations to protect their critical infrastructures against cyber attacks.

Computing: How has cybercrime evolved over the past five years?

Reed Henry (RH): The attacks are not random anymore. Five years ago most of them (such as the Slammer worm) were made by novices, but they have evolved from scatter-shot to rifle-shot. They can take the form of corruption or disruption of computer networks and software, hacking, computer forensics and espionage.

There is now a sophisticated crime element that includes advanced technological knowledge. These criminal groups have research and development arms and write code that is customised to target the specific government agencies or private companies they want to target.

The vast majority of the attacks are for financial information or intellectual property that can then be sold on.

According to a report released by Verizon in 2008, 93 per cent of such attacks are on financial institutions or government.

Computing: What is the single most worrying element in all this?

RH: The fact that it is increasingly being used as part of real warfare. For example, 10 minutes before Russia attacked Georgia in 2008, a series of pro-Russian slogans appeared on news service websites, then the planes hit. The cyber-attack was traced back to the Russian Business Network, a notorious cybercrime organisation that has carried out a range of malware exploits, most famously the Storm Worm. It originated as an ISP for child pornography, phishing and spam.

There are 250 hacking groups that are tolerated within Russia; arguably these groups are in some ways a national asset.

Computing: So where are these attacks coming from primarily?

RH: Well, the obvious country to cite is China, in light of the recent reports around Google hackers there, but in fact the attackers are situated all over the world. A high percentage of attacks come from Eastern Europe, Russia, Brazil and even the US. A report recently published on Network Access Control by the IISS estimated that 200 nation states were building up their cyber-warfare capabilities.

However, these attacks are notoriously difficult to trace.

It is estimated that between 12 and 15 per cent of the 1.6 billion computers worldwide are controlled by botnets, but you wouldn’t know you had one if you did. It would follow your access of online banking for example, collect your details and steal your credentials.

Computing: What can the government do about these attacks?

RH: It can co-ordinate its critical infrastructures, which would include financial infrastructures, the telecoms network, power [electric grids], water and healthcare systems, to control and protect the cyberworld surrounding them.

These infrastructures, which until now all had their own individual cybersecurity capabilities, will now use the CSOC to share threat information, including “attack vectors”, which describe the type of servers that are vulnerable to a specific type of malware because they are lacking a patch update, for example.

The CSOC will be looking at cyber-espionage and warfare in an offensive and defensive capability.

The centre will create a protocol around the sharing of threat information with MI5, MI6 and GCHQ.

Whenever a threat is recognised there will be a log file generated, containing the code used and other details. This would then be published to a common clearing site where tech experts would run through all the information with a fine-tooth comb.
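The sharing loop described in the two answers above, in which one site records the attack vector (the product that is missing a patch) together with the details it logged, publishes that record, and other sites check their own estate against it, as an added example that is not part of the article and is not CSOC or ArcSight code. The product name `ExampleHTTPd`, the version numbers, the IP addresses and the log lines are all constructed for illustration.

```python
"""Added example, not from the article: a minimal threat-information
exchange. A reporting site packages what it observed into a record; a
receiving site checks its asset inventory and its own logs against it.
Every product name, version, address and log line here is constructed."""
import json
import re
from dataclasses import dataclass, asdict, field


@dataclass
class ThreatReport:
    """One shareable record: what was attacked and how to recognise it."""
    report_id: str
    affected_product: str          # hypothetical product name
    fixed_in_version: str          # versions below this lack the patch
    source_ips: list               # addresses seen probing the reporter
    request_prefix: str            # URL prefix those addresses targeted
    sample_log_lines: list = field(default_factory=list)

    def to_json(self) -> str:
        return json.dumps(asdict(self), indent=2)

    @classmethod
    def from_json(cls, text: str) -> "ThreatReport":
        return cls(**json.loads(text))


# Common-log-format style line: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line: str):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def version_tuple(v: str) -> tuple:
    """'2.3.9' -> (2, 3, 9) so that versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def exposed_assets(report: ThreatReport, inventory: dict) -> list:
    """Hosts running the affected product at a version below the fixed one."""
    return sorted(
        host for host, (product, version) in inventory.items()
        if product == report.affected_product
        and version_tuple(version) < version_tuple(report.fixed_in_version)
    )


def matching_log_lines(report: ThreatReport, log_lines: list) -> list:
    """Local log lines from a reported source address hitting the reported path prefix."""
    hits = []
    for line in log_lines:
        rec = parse_line(line)
        if rec and rec["ip"] in report.source_ips and rec["path"].startswith(report.request_prefix):
            hits.append(line)
    return hits


def run_consumer(report_json: str, inventory: dict, log_lines: list) -> dict:
    """What a receiving site does with a published record: ingest, then check exposure and logs."""
    report = ThreatReport.from_json(report_json)
    return {
        "report_id": report.report_id,
        "exposed": exposed_assets(report, inventory),
        "hits": matching_log_lines(report, log_lines),
    }


# Constructed record from the reporting site (all values are illustrative).
REPORT = ThreatReport(
    report_id="EXAMPLE-0001",
    affected_product="ExampleHTTPd",
    fixed_in_version="2.4.1",
    source_ips=["203.0.113.7", "198.51.100.22"],
    request_prefix="/admin/",
    sample_log_lines=[
        '203.0.113.7 - - [09/Mar/2010:10:01:02 +0000] "GET /admin/login HTTP/1.1" 500 0',
    ],
)

# Constructed asset inventory and access log at the receiving site.
INVENTORY = {
    "web-01": ("ExampleHTTPd", "2.3.9"),   # below the fixed version: exposed
    "web-02": ("ExampleHTTPd", "2.4.1"),   # already patched
    "db-01": ("ExampleDB", "1.0.0"),       # different product
}
LOCAL_LOGS = [
    '203.0.113.7 - - [10/Mar/2010:08:00:00 +0000] "GET /admin/login HTTP/1.1" 500 0',
    '192.0.2.10 - - [10/Mar/2010:08:00:05 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '198.51.100.22 - - [10/Mar/2010:08:01:00 +0000] "POST /admin/config HTTP/1.1" 302 0',
    '198.51.100.22 - - [10/Mar/2010:08:02:00 +0000] "GET /images/logo.png HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    print(json.dumps(run_consumer(REPORT.to_json(), INVENTORY, LOCAL_LOGS), indent=2))
```

The record is serialised to JSON so that the publishing step is a plain file exchange; the receiving side never trusts the record for anything beyond matching, and it reports both exposure (unpatched hosts) and evidence (log hits), which is the distinction between "we are vulnerable" and "we were probed" that an analyst going through the shared data needs to keep separate.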

The financial services industry in the US has run a system like this since 1998.

There also needs to be open communication between nation states.
