lolloj - Fotolia

Nation state cyber attacks affect all, says former GCHQ boss

Cyber attacks by nation states used to be a small part of the problem for state authorities to address, but now all organisations are potential targets of nation state attacks, according to former GCHQ head

High-level nation state cyber threats are a problem for all organisations either directly or indirectly through cyber crime groups acting as state proxies, according to Robert Hannigan, former director general of GCHQ.

“We are seeing a cross over between nation states and criminal groups acting on their behalf, sometimes with the same people working on nation state cyber activities by day and criminal activities by night,” he told Infosecurity Europe 2018 in London.

“However, most cyber attacks, even the most sophisticated nation state attacks, exploit the same things – namely poor patching, network configuration and password management, –so simply by doing the basics properly, 80% to 90% of attacks can still be prevented or mitigated,” he said.

The other piece of good news, said Hannigan, is that most company boards now understand the importance of good cyber security and are planning to invest more in this area, and this has been accelerated by the need to comply with the General Data Protection Regulation (GDPR).

Hannigan said he was also encouraged and delighted by the success of the National Cyber Security Centre’s Active Cyber Defence Programme.

“This is being piloted in government with the plan of rolling this out nationally through internet service providers. This programme is demonstrating that it is possible to take effective measures at a national level, and the UK is leading the way internationally in this kind of experimentation,” he said.

A commoditised industry

One of the biggest changes in recent years that Hannigan highlighted is the fact that cyber criminals no longer need technical skills to mount attacks.

“The number of cyber crime actors and cyber attacks is increasing mainly due to the availability of cyber crime tools and services on the deep or dark web,” he said. “Cyber attacks are now cheaper and easier than ever, and that has helped to escalate the threat.”

This commoditised industry is being driven by organised crime groups that are able to pull in whatever skills they need from anywhere in the world, said Hannigan.

“The commodity crimeware market is the ultimate gig economy. It is a powerful business model, and the top groups have an impressive agility in moving from one money making opportunity to the next,” he added.

However, Hannigan said cyber criminals typically go after the easiest, softest targets. “For cyber defenders, this means it is really about hardening everything to the point that it is not worth the attacker’s effort rather than achieving perfection,” he said.

Defenders also need to be aware that attackers are now scanning for common vulnerabilities, said Hannigan, which means they will strike wherever they find an opportunity, adding that this is an area where attackers are most likely to start using artificial intelligence (AI) technology.

“Many companies that thought that they were below the radar have woken up to this threat when they became collateral damage, because they had the same vulnerabilities in their networks as attack targets,” he said.  

Threat of nation state attacks

Returning to the topic of nation state attackers, Hannigan said the main actors are North Korea, Iran and Russia.

While North Korea is focused on stealing foreign currency in the digital world as it is in the physical world, he said Iran is “good at calibrating cyber attacks for effect”, which is why a cyber response is expected if the nuclear deal with six world powers collapses.

“Russia is at the higher end and we have been locked in a cyber conflict with them for a while,” said Hannigan, adding that Russia has invested a significant of time and money in developing its cyber capabilities in the past 10 years.

“Although we have seen Russian activity since the early 90s, what has changed is the decision to weaponise its cyber activity, from disrupting power supplies in Ukraine to disruption election in the US and elsewhere.

“Attacks on utility and energy companies is a great political weapon, and although these attacks use traditional techniques such as spear phishing and watering hole attacks, they are taking these techniques to a new level by sending phishing emails from within company networks and compromising legitimate websites for watering hole attacks,” he said.

Hannigan also expressed concern about the ability for cyber actors to compromise supply chains to infect software updates and equipment.

“A network router is a worrying place to find any unauthorised party, especially if it is a state actor who is willing to do damaging things and who is getting more sophisticated, more brazen and less worried about getting caught,” he said.

In this context, Hannigan said the “risk of miscalculation and unintended consequences is huge” and although no one has been hurt or killed as the result of cyber attacks, if malicious actors are increasingly tampering things such as medical equipment, it is “only a matter of time”.

The current state of the cyber threat landscape, said Hannigan, means that while old the old threats and risks will never go away, organisations need to look at the emerging threats to ensure they are able to counter these in the future.

“New problems will be amplified by the expansion of the attack surface mainly due to the proliferation of devices making up the internet of things,” said Hannigan.

“There is evidence that the market will not self-correct, so we need to find ways of changing that, which could be a mix of legislation. But in the meantime, organisations should be looking at what is connecting to their networks, evaluate the security risk, and mitigate that,” he said.

Hannigan also cautioned organisations about the need to ensure that they are paying enough attention to security in the cloud.

“Many cloud providers claim that data in the cloud is typically safer than on premise, and generally that is true because cloud service providers typically have greater security resources than their customers, but there are caveats – as outlined in NSCS guidance – and organisations should ensure they look at that.”

Read more about cloud security

  • Amazon CISO shares secrets to building secure cloud products.
  • How Microsoft uses secure enclaves to improve cloud security.
  • What cloud storage security looks like for small businesses.
  • Challenges in cloud data security lead to a lack of confidence.
  • The biggest cloud security threats, according to the CSA.

Next Steps

Biden proposes critical infrastructure safe zones for hacking

Read more on Hackers and cybercrime prevention