There is no doubt that, to have a word included in any form of recognised Dictionary, the lexical representation must meet the rigour of being:
Common to language in conversational terms
Must cross the boundaries of being meaningful to the majority
Must have relational context
And of course, the word in focus must spring from some known entity or subject area. So, consider the word ‘Cyber’ – a word which was not known going back a couple of decades – but is now a word which has entered almost every level of daily conversation when it comes to security in our current time. However, the ‘Cyber’ word and its associated threats have travelled along the path of rejection and challenge to gain the right to achieve true recognition. Thus, to place our conversation in context, please allow me to focus the conversation, and place emphasis on what is being discussed here in the year 2018 – Cyber Threats, and Cyber Security.
To get to the root of my point, I must go back to the mid-eighties when we encountered new thinking, and the revelation of fresh visionary academic research conducted by Fred Cohen, who identified the potential of a biological type virus condition, sharing similar infection capabilities, but in a logical form – in other words, just as a cough could pass from one person to another to communicate a biological infection, the same effect could be encountered when interfacing with a virulent piece of code, which had the logical objective to pass a logical infection from one entity to another – in this case, the entity being media, or some other form of logic retentive recipient (e.g. RAM). In that era of early virus identification, it was Ralph Burger who went on to publish the book ‘Viruses a High-Tech Disease’ containing instructions on how to create viruses in a variety of languages, from machine code, up to the more complex next-generation languages of the time. In other words, the viral march toward what we now refer to as Malware had started. In this era, I was working as a Counter Intelligence Operative at a very sensitive RAF unit, which enjoyed direct communications to GCHQ through a system known as Homebrew. So, armed with information, some qualified background material, and research, I took advantage of the ability to communicate with the very heart of our National Security Agency of the time, so I fired off a Homebrew signal which outlined my concerns and fears relating to the potential of future computer security implications associated with this new form of logical danger. However, upon receiving their response on what I felt was a topic of significance, I was somewhat surprised and taken aback at the GCHQ valued assessment, which simply thanked me for the signal, but went on to say ‘we see the implications of the computer virus as a passing nuisance’ and went on to conclude it was not considered a danger in the longer term!
From the period mentioned above, the public at large, and businesses saw a significant growth in viruses and their associated active payloads, and started to feel the pain in real time – in fact, I along with a small number of others who were serving in the Royal Air Force in this era attended some of the very first virus (malware) outbreaks on the UK Ministry of Defence and other Government agencies – it would seem, the nuisance had come of age, and become pervasive with early manifestations of viruses like Cascade, Brain, soon to move on to other more dangerous code.
Moving forward, it was the late nineties which saw the creation of the root of organised cyber-crime in the form of those well-known Carders/Hackers, ‘Script’ (Dmitry Golubov) and ‘BOA’ (Roman Vega) setting up/supporting Cardplanet, and the fledgling era of industrialised cyber-crime was now in full flow, supported by a fully-fledged, and secure site offering a range of hacking warez, tools, and viruses feeding the early, newly formed cyber-underground community working out of Russia and the Ukraine (and soon to go wider with global interconnected communities) focused on making money out of their on-line pursuits. A position which I believe set the tone of the cyber-criminalised industry we are encountering today.
It was around 2005 when I was attending a Secure Computing Dinner in London when, by chance, I met a lady from CPNI (Centre for Protection of National Infrastructure (UK)). We discussed Cyber Crime of the time, and the real-time cyber-threat which, in my opinion at that time, CPNI was seemingly not taking seriously. Thus, I enquired as to what her view was from the CPNI angle. However, I was simply astonished when she responded that the current CPNI assessment of the threat was that it was overhyped, and it was comments the like of which I had made to her which were causing an alarmist perspective on what was considered a low level, and unrealistic threat!
For many years, the imposition of governmental ignorance, lack-of-action, and possibly a blind-side eye continued – that was until such time when Richard A. Clarke published his book Cyber War in 2010. Remarkably, this was then quickly followed by the head of GCHQ acknowledging the new dangers from Cyber, with full agreement that a Cyber-Risk was now a real and present danger after all! But, as Clarke said in his book, ‘The genie was now out of the bottle’ and it won’t go back in!
The problem the world now faced was, with the passing of the secure by non-routable Mainframe protocols, and the machines’ isolated nature, we had moved over to the more cheap-and-cheerful interconnected client-server environments, based on COTS (Commercial off the Shelf Software) and the associated hardware platforms, which in those early days tended to be trusting NT4.0-SP6a. However, the real issue was, these cheap-and-cheerful systems were then also now being positioned to support critical infrastructure, and other such essential systems which provisioned services for global communities. And unlike our good-old Mainframe, the future prospect of patching, fixing, and keeping updated millions, if not billions of components, applications, drivers, CMOS, and the very chip that processes the data was not fully appreciated. Thus, in some ways, partly out of ignorance, and partly out of commercial cost-saving pursuits, we are now at a juncture of a perfect storm of adversity which has been allowed to take a secure foothold.
Reflecting on a dinner hosted by the CEO of Symantec, which I attended along with many MPs, including the Chair of EURIM at the time, Margaret Moran (disgraced after the expense scandal), and one other notable attendee – Theresa May, who was at that time in opposition. John Thompson, the Symantec CEO, was spinning the case that all was well, and under control when it came to Internet Security – and whilst I did not wish to be churlish, as after all I was dining at his company’s expense, I did disagree with him on his assessment of the threat. However, as for the remainder of the table, they chewed away, nodded with assent to the US giant’s opinion, and not only swallowed the expensive food, but also, it appeared, every word that was spoken as asserted facts from the mouth of Big Yellow! As it happened, some years later I found myself sharing a taxi in Nice with another MP (Mark Pritchard) who was present at the dinner, and we reminisced as to the meeting. My taxi sharing MP commented, ‘yes, do you remember that chap who banged on at Symantec CEO’ – I responded, ‘Yes I do as it happens’. With that my taxi partnering MP looked at me, cogs turned, and for some reason the conversation seemed to have dried up! Granted, I should have apologised for my passion, concern, worry, and awareness based on fact – but I saw little point. But, I can’t hold Symantec to own the sole blame for disinformation, as it was just a few years later when McAfee also stated on screen that we (the good people) were winning the fight against Cyber-Crime – Really!
In the week commencing 22 January 2018, General Sir Nicholas Carter, Chief of the General Staff, elaborated at the meeting of RUSI (www.RUSI.org) the imposition of the UK’s Armed Forces, and highlighted many defensive areas in which security exposures, shortfalls, and vulnerabilities existed – one of them was in the military theatre of Cyber. Again, we now see that unspoken and tolerated threat come to the very forefront of a conversation, taking place under the banner of RUSI relating to Cyber.
By spooky coincidence, on the 24 January 2018 the National Cyber Security Centre (https://www.ncsc.gov.uk) also appeared in the press with what I would term a revelation of proportionate ‘No S!!t Comment’, with the suggestion that the UK could face a ‘Category One’ Cyber-Attack, which by inference, under the NCSC categorisation would be serious and crippling. I am however hopeful here that many of the tuned in, Cyber Security Professionals will not see this as news, but more a case of a testament to what has been coming for at least a decade or so. In fact, to evidence such implications of cyber-threats, one need only look toward the investments being made in North Korea, China, and other such hostile nations with regard to developing the computer as a very high-tech, high-grade and effective weapon, which arrives with a comparable low-level price tag. Furthermore, if we care to look back to the Titan Rain events of 2008, and the RESTRICTED Security Bulletin published in 2010 by the UK Cabinet Office recognising that both Russia and China posed significant electronic threats to the UK, and maybe, just maybe the word of the NCSC will start to resonate with some known and suggestive evidential underpin.
In conclusion, over the previous decades, we seem to have been bystanders who have observed the Cyber-Threat whilst it steadily increased, and moved from small baby steps, to tolerated advances in high-tech capabilities. We may also note just how the unspoken and obvious threat has arrived at a juncture which can (does) impact global stability in both business and interpersonal profiles. But when we reach such an obvious juncture, it is a matter of waiting for someone else to stick their neck out and put their words, opinion, and estimations on the table in the cold light of day. But then, those who should be leading the way such as NCSC, CESG, GCHQ, or CPNI are empowered to take up the sword, and offer forward, and so I expect not second hand, or regurgitated reports from other parties, but some fresh assessments and statements based on their opinion. All that said, one thing is for sure, it may be more a case of protecting the ‘position’ first, and the need to become a thought leader second – after all, if you never lift your head above the parapet, but let someone else do it first – you are always guaranteed not to get shot.
All I have introduced above is based on first-hand observations and fact, and it is my hope as we move forward to encounter new levels of cyber-threats we are yet to imagine, that those organisations who are entrusted with the security of our nation look at the facts with a little more scrutiny, and be prepared to, on occasions, put their neck on the line, and do a little more toward recognising the threats before they arrive and impact the lives and businesses of real people. In other words, it’s a new day, so before you take a sip of that coffee, first, please ensure you take a very long sniff.
The good news is, at least we now all understand the meaning of ‘Cyber’.