Cyber-security: Does the UK government's approach make sense?

“It is in the political interest to invest in cyber-security. Both the Government and opposition can claim this as essential for the protection of the British people and economy.”

Hide

In the wake of the Islamic State's bombings and shootings in Paris in November, British Chancellor George Osborne announced that ISIS is plotting cyber-attacks against the United Kingdom. Targets could include hospitals, air traffic controls and electricity stations.

To combat this threat, the Chancellor has resolved to double spending on cyber-defence to £1.9bn by 2020. With the financing of its own secure networks and cyber-security, the Government is devoting a total of £3.2bn to the effort. About 1,900 new jobs will be created in the National Cyber Centre at the Government's electronic intelligence agency GCHQ. There are plans to improve recruitment and provide general cyber-training.

But will the effort be effective?

The Wrong Approach

Of the thousands of cyber-attacks that happen every year, only a handful of perpetrators are caught and brought to justice. Even fewer see long-term prison sentences and there are no restrictions placed on their access to the Internet in the future. Even the identification of a suspect can be difficult when separating factual from fictitious information is essential to attributing blame for a cyber-attack.

The reality is that there are times when perpetrators will get away with attacks because they have hidden their location so well, or their location is known but it is outside of British jurisdiction.

The Islamic State has shown itself to be adept at using the Internet for gaining footholds among dissident populations in Western countries. Their use of social media and propaganda suggests a strong team of people with some level of computer training.

Consider British native and Islamic State recruiter and hacker Junaid Hussain, convicted in 2012 of hacking into the personal address book of former Prime Minister Tony Blair. Born in Birmingham, Hussain spent a year in jail for his cyber-attacks, but two years after his release, he moved to Syria with the apparent intention of joining ISIS.

Hussain was implicated in the hacking of US Central Command in January 2015. But was Hussain a core member of ISIS or simply a fan who desired little more than to fit into an anti-British campaign? With his recent death, it is unlikely that we will ever know the full extent of his involvement.

The majority of ISIS work is done outside of the jurisdiction of Britain and its allies, a point that Osborne seems to have neglected when it comes to his spending. While money is being poured into recruitment and training, there is little that will actually be done to catch those responsible for cyber-attacks. While a few successful cases have been brought against hackers, the majority of these defendants are low-level ISIS members or part of a "fanboy" community.

Accurate attribution is a problem. A good hacker will conceal their identity to make it almost impossible for their location or personal information to be obtained. Large, state-sponsored cyber -attacks can take years to detect, as was the case with the US Stuxnet assault on Iran's nuclear programme, if they are ever discovered.

In early December, Britain’s higher education network JANET was down for a day, with severe disruptions continuing throughout the week, because of a Distributed Denial of Service attack on its servers. The perpetrators remain unknown, and there is little that the Government can do to reassure citizens that attacks like this will not recur.

It is in the political interest to invest in cyber-security. Both the Government and opposition can claim this as essential for the protection of the British people and economy.

But what Britain actually needs is a more long-term focus to ensure the safety of Britain’s networks. This would include an extra £1 billion for updating routers to make them more secure and to ensure that more businesses around the country have proper anti-virus software. Money on research into better encryption would also be well-spent. Internet infrastructure should be the priority, rather than an exclusive chase after cyber-attackers.

Unfortunately, these are not the measures that gather headlines or garner media approval. And so that may be why Britons get a National Cyber Centre that the politicians, rather than the public, need.