By John Thornton| 8 November 2013
The lessons of recent cyber attacks in other countries show that what may seem secure today may not be next year – or even tomorrow
A recent cyber attack in South Korea paralysed national broadcasters and major banks. As journalists logged on to the three main broadcasters’ systems, they found only an image of a human skull with a mischievous grin and bullet wound, with the message: ‘We have deleted your data. We will be back soon.’
At the same time, there were coordinated cyber attacks on three banks, which stopped ATMs from dispensing cash, crashed computer networks and effectively wiped 32,000 computers clean. Mobile and internet banking were frozen and, not surprisingly, customers panicked.
This attack does not appear to have been a direct attempt to bring down the South Korean economy. It was not targeted at military or government systems, and there were no immediate reports that customer bank accounts had been compromised. The aim was to generate huge amounts of publicity and to reveal vulnerability. The real purpose of this attack seems to have been to undermine public confidence and trust in core communications and commerce systems in one of the most digitally advanced nations in the world.
As the UK moves to a ‘digital by default’ scheme to improve convenience and reduce costs, we must recognise our increased vulnerability to cyber attacks, and do everything we can to ensure that citizens, businesses and government bodies retain high levels of trust and confidence in digital systems.
We know that as public confidence in online systems increases, more people will use them, and will spend less time calling and checking, which will reduce costs. Yet if that trust is undermined, the impact on organisations in terms of support and sorting out problems will likewise be disproportionately high.
We must also recognise the potential scale and geographic reach of such attacks. A recently exposed crime syndicate allegedly hacked computer systems and conducted 4,500 transactions across 20 countries to steal $5m on prepaid debit cards from the Rakbank in the United Arab Emirates. The same group is also believed to have withdrawn over $40m in ten hours from Bank Muscat in Oman via ATMs around the world.
Another major cybercrime campaign caused widespread disruption to key Israeli websites. In the first 24 hours of the attack on Sunday April 7, there were 60 million hacking attempts, affecting banking and government sites, the stock market, and defence, finance and education ministries; crashing the bureau of statistics website; lifting of employee information from a foreign exchange company website; leaking names and credit card numbers; and posting anti-Israeli slogans.
It is not surprising that the Bank of England’s financial stability director, Andy Haldane, recently told the Treasury Select Committee that cyber attacks have emerged as a top threat to the UK financial system. These are now of higher concern than the looming euro crisis, with potentially drastic implications that call for a system-wide response.
At a national level, the UK is taking the threat to information security from cyber attacks very seriously, as can be seen by its inclusion as a ‘Tier 1’ threat in the National Security Strategy and the recent allocation of an additional £650m of funding for cyber defences. At the operational level in health, police, and local and central government, there also appears to be high levels of recognition of the potential dangers, with plans now in place to manage and mitigate risks.
As a result, the UK is emerging as one of the world leaders in information security, with the government’s signals intelligence agency, GCHQ, and other agencies involved in this area known to possess world-class skills and expertise.
There is, however, no room for complacency. We need to discern what we can learn from these types of attacks to improve our own cyber defences.
John Thornton is an independent adviser and writer on business transformation, financial management and innovation [email protected]
This feature was first published in the November edition of Public Finance magazine
