Top 10 security stories of 2013 so far
Computing looks back at the most important cyber security stories of the past six months
Security is perennially a hot topic for IT professionals. In the private sector there are persistent fears that precious IP will be stolen from corporate servers by way of industrial espionage, or that malicious outsiders - or more worryingly, insiders - will find ways to smuggle out critical data for their own dubious purposes.
In the public sector, the fears are very much the same, with espionage a top concern.
But problems can equally occur less by malicious design, and more by accident as staff leave laptops, mobiles or tablets on taxis, trains or just about anywhere else. For a cash-strapped public sector organisation in the UK, that usually means a hefty fine from the ICO.
With that in mind, let's have a look at the top 10 security stories of the year so far.
10 - HTC settles with FTC over mobile security flaws
With mobile devices increasingly carrying sensitive corporate data, it is imperative that they are secure. Back in February smartphone manufacturer HTC agreed to settle Federal Trade Commission (FTC) charges that the firm failed to take "reasonable steps" to patch security vulnerabilities in its products, thus putting information belonging to millions of customers at risk.
9 - UK cyber security 'becoming more consolidated', says ENISA
Attempts to consolidate all the various bodies that have some responsibility for the UK's cyber security have made steady progress, according to the European Network and Information Security Agency (ENISA).
The government has been heavily criticised in the last year for a "lack of cohesion" between the various UK organisations set up to work towards its cyber security strategy.
Former head of the GCHQ and CESG, Nick Hopkinson, told Computing last year that there was a need for rationalisation between the organisations, as co-ordinating a policy and strategy would be a challenge when dealing with the numerous bodies involved.
But a year on from Hopkinson's comments, ENISA's head of unit, resilience and CIIP, Dr Vangelis Ouzounis, has said that every country, including the UK, is trying to consolidate its own strategy.
"In every member state there are different distributions which have been developed for different purposes, now they all have slightly different responsibilities around cyber security and of course there are overlaps. Every country is trying to consolidate their national strategy and ENISA does not intervene because although we recommend the simplification and avoidance of overlaps, it is up to the member states [to take action]," he told Computing at ISACA Insights World Congress 2013, in Berlin.
8 - Outsourcing a 'major component' of two-thirds of IT security lapses
Outsourcing was identified as a key attack vector in almost two-thirds of security investigations carried out by security services company Trustwave, again in February.
The claim was carried in the company's 2013 Global Security Report, which draws on the incident-response investigations that it has carried out on clients' behalf, as well as the results of thousands of penetration tests and millions of website and web application attacks.
"In 63 per cent of incident response investigations, a major component of IT support was outsourced to a third party... Many third-party vendors leave the door open for attack, as they don't necessarily keep client security interests top of mind," stated the report.
In some cases, organisations that have outsourced a portion of their IT functions are unaware of the demarcation between themselves and their outsourced partner, leaving gaping holes that no one takes responsibility for. This also accounts for a large proportion of the attacks in the retail sector, added the report, because many small retail chains outsource some or all of their IT functions.
7 - European Union security directive slammed by Ross Anderson
Earlier this year computer security guru Professor Ross Anderson criticised the European Union's proposed computer security directive which, he says, represents "yet another unfortunate step towards the militarisation of cyberspace".
The directive forms the centrepiece for the EU's new cyber security strategy, which was launched in February.
In an analysis, Anderson wrote that "it will oblige member states to set up single 'competent authorities' for technical expertise, international liaison, security breach reporting and CERT [computer emergency response team] functions. In the UK, these functions are distributed across GCHQ, MI5/CPNI, the new National Crime Agency, the Information Commissioner's Office and various private-sector bodies".
As a result, it will no doubt put the security services in de facto charge of the internet, while also damaging co-operation between government agencies and the private sector, which runs most of the internet infrastructure in the UK and across Europe.
"Centralisation will not just damage the separation of powers essential in any democracy, but will also harm operational effectiveness. Most of our critical infrastructure is in the hands of foreign companies, from O2 through EDF to Google; moving cyber security co-operation from the current loose association of private-public partnerships to a centralised, classified system will make it harder for most of them to play," he added.
6 - Arms dealers turn to cyber security
Arms vendors are moving into the cyber security sector in response to a decline in sales of their traditional weapons, according to the Stockholm International Peace Research Institute.
It is the first time that annual arms sales have fallen since 1994. According to the Institute, the 100 largest arms-makers' revenues fell by five per cent in 2011 and, in response, many are moving into cyber security as this is an area of security spending that has not yet come under pressure from government austerity measures.
"Companies such as Raytheon, BAE Systems and EADS Cassidian are seeking alternative revenue channels from the civilian sector while maintaining ties to military spending in this market. These companies' cyber security activities are focused on data and network protection software and services; testing and simulation services; training and consulting services; and operational support," claimed the Institute.
Furthermore, these cyber security services are also in demand worldwide among governments of all types, with demand stimulated by recently uncovered threats. The Stuxnet and Flame attacks against Iranian nuclear facilities, especially, demonstrated how national infrastructure can be targeted by determined attackers even when the supporting computing infrastructure is not internet-connected.
5 - Barack Obama signs cybersecurity executive order
Back in February - which was evidently a busy month for the security sector - US President Barack Obama finally signed a much-anticipated executive order to protect key elements of the country's critical infrastructure against cyberattacks.
Covering power plants, water utilities and other high-profile targets, the eight-page order - entitled the "Cybersecurity Framework" - is a direct response to US fears of cyberattacks from China and Iran, among others.
The idea of the order is to lay down minimum security standards for major industries in order to try to prevent huge-scale attacks that could potentially bring down vast swathes of the country's industry.
"We know hackers steal people's identities and infiltrate private email," said Obama.
"We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions and our air traffic control systems," he continued.
In order for the US to avoid a scenario in which "we look back years from now and wonder why we did nothing in the face of real threats to our security and our economy", the executive order states that the government will work closely with organisations in the private sector to develop the standards voluntarily.
The National Institute of Standards and Technology took the lead in implementing the framework. It is expected to report back later this year with a complete set of guidelines.
4 - Pentagon accuses China of hacking US government computer systems
A couple of months after Obama's cyber security order, the Pentagon released a report accusing the Chinese government of cyber attacks against military and civilian computer systems in the US.
It marked the first time US authorities directly suggested that Beijing is behind computer hacking, with the accusation coming as part of an annual Department of Defense report to Congress.
"In 2012, numerous computer systems around the world, including those owned by the US government, continued to be targeted for intrusions, some of which appear to be attributable directly to the Chinese government and military," said the report.
"These intrusions were focused on exfiltrating information. China is using its computer network exploitation (CNE) capability to support intelligence collection against the US diplomatic, economic and defense industrial base sectors that support US national defense programs."
The Pentagon suggested that China is using the information to boost its own military and defence programmes. According to the report, China's development of cyber warfare capabilities is in line with strategy set out in publications by the Chinese People's Liberation Army (PLA).
"Developing cyber capabilities for warfare is consistent with authoritative PLA military writings. Two military doctrinal writings, 'Science of Strategy' and 'Science of Campaigns' identify information warfare (IW) as integral to achieving information superiority and an effective means for countering a stronger foe.
"Although neither document identifies the specific criteria for employing computer network attack against an adversary, both advocate developing capabilities to compete in this medium."
China dismissed allegations that it facilitates cyber crime, calling them "groundless".
3 - China has "mountains of data" about cyber attacks coming from US
Responding to US allegations of malicious attempts to infiltrate its government systems and those of its top corporations, China in turn accused the US of the same activity.
A top Chinese official claimed in June to have "mountains of data" showing evidence of hacking originating from the US.
Huang Chengqing, director of the National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT), made the comments ahead of President Barack Obama's meeting with Chinese President Xi Jinping in California.
Huang said that cyber espionage goes both ways between China and the US, although he avoided directly accusing the US government of computer hacking.
"We have mountains of data, if we wanted to accuse the US, but it's not helpful in solving the problem," Huang told a government-run Chinese newspaper.
"They advocated cases that they never let us know about," he continued, before calling for more co-operation.
"Some cases can be addressed if they had talked to us, why not let us know? It is not a constructive train of thought to solve problems."
The week before, it was revealed that Chinese hackers had gained access to secret US government files about advanced weapons systems.
Huang didn't deny the cyber attack had occurred, but suggested that if the American government wanted to keep the information secure, it shouldn't have been connected to the internet in the first place.
"Even following the general principle of secret-keeping, it should not have been linked to the internet," Huang said.
2 - European Commission demands answers on Prism
Moving to even more recent events, EU Commissioner for Justice Viviane Reding has raised her concerns over the Prism surveillance and information-sharing programme with the US Attorney General Eric Holder, whom she is to meet in Dublin on Friday.
In a statement on her website, Reding cited the importance of trust and privacy to individual citizens, companies, and the wider digital economy.
"The respect for fundamental rights and the rule of law are the foundations of the EU-US relationship," she began.
"This common understanding has been, and must remain, the basis of cooperation between us in the area of Justice. Trust that the rule of law will be respected is also essential to the stability and growth of the digital economy, including transatlantic business. This is of paramount importance for individuals and companies alike."
The Prism programme apparently gives the US National Security Agency and the FBI access to data from Google, Microsoft, Facebook, Apple, Yahoo and Skype, though each firm denies that it has given any agency access to its servers.
The controversy arose when former CIA employee Edward Snowden stated that US agencies gathered and shared data on the public's phone and internet use.
Google has responded to the controversy by publishing a letter it claims to have sent to both US Attorney General Holder and the FBI, in which it states that while it complies with legal requests for information, that does not extend to "unfettered access" to its data.
"Assertions in the press that our compliance with these requests gives the US government unfettered access to our users' data are simply untrue. However, government nondisclosure obligations regarding the number of FISA national security requests that Google receives, as well as the number of accounts covered by those requests, fuel that speculation."
1 - UK's investment in cyber security is "embarrassing", say experts
The government's investment in cyber security is embarrassing, according to security experts talking to Computing back in April.
The government announced plans in 2010 to invest £650m over a four-year period on cyber security, after the National Security Strategy rated cyber attacks as a "Tier I" threat.
The funds were allocated to a four-year National Cyber Security Programme (NCSP), which is now incorporated under the UK's Cyber Security strategy, announced at the end of 2011.
In the UK cyber security strategy document, the government claims that "despite a tight fiscal situation, we set £650m aside over four years to develop our response [to cyber threats]". Judy Baker, founder of the Cyber Security Challenge UK, believes that this shows how highly Whitehall regards the Cyber Security strategy.
"The government has recognised the importance of the issue by investing £650m at a time when it was not investing in other areas," she said.
But Bob Ayers, former US cyber intelligence officer at the Department of Defense, slammed the idea that a £650m investment would be enough.
"Let's not go round patting ourselves on the back, saying that government has recognised the problem and is actually spending money on it," he said. "Over 20 years ago the US government had an organised cyber security programme with 155 assigned staff and a $100m-a-year budget - and that was a continuing $100m a year."
He added: "Now, 20 years later, the UK is spending a phenomenally smaller figure and starting into [its cyber security strategy] and we're saying this is good? No, this is embarrassing."
Mark Brown, director of information security at professional services firm Ernst & Young, agreed that the amount spent is not a big sum of money.
"£650m over four years, when you calculate that, equates to £2 per UK national per year and when you look at that statistic, it shows that the investment isn't that large," he said.
Baker added that a short-term investment will not solve the problem and that a longer, continuous investment is needed, something that neither companies nor government are currently providing adequately. Another concern is the lack of a plan, at least in the public eye.
"What happens when the £650m stops? Where is the government commitment to the next pot of money after that? Because we're not far off from that, and people need to be planning now to spend that sensibly," Baker said.
And that wraps up the top 10 security stories of 2013 so far. Are there any critical stories you think we missed? Let us know in the comments below.