Govts, businesses team up against cyberthreats

With risks from cyberattacks growing at a rate of 60 percent a year since 2008, the U.K's critical infrastructure is facing "real and credible" threat, according to Britain's communications intelligence agency.

In a BBC report, Iain Lobban, director of Government Communications Headquarters (GCHQ), said "the country's future economic prosperity rested on ensuring a defense against such assaults, and the Internet [has] created opportunities for hostile states and criminals".

He revealed that the U.K. government computer networks receive more than 20,000 malicious e-mail a month, of which 1,000 deliberately target the networks.

Lobban added that governments have been using cyber techniques to put pressure on other countries. "There had also been 'theft of intellectual property on a massive scale, some of it not just sensitive to the commercial enterprises in question, but of national security concern, too," he added.

The GCHQ director also urged for new approaches to deal with attacks on Britain's critical national infrastructure. "We need to consider the value of receiving in return a direct feed of information from the operators with that same sort of timeliness, so that we are aware of the attacks that they are seeing on their systems as they happen."

Not just the U.K., governments and enterprises worldwide have acknowledged the risks that escalating threats are capable of. A Symantec survey carried out in 15 countries across 1,580 companies in six industry sectors showed that businesses are aware they have been targets of politically-motivated attacks. In fact, an increasing number are cooperating with governments on Critical Infrastructure Protection (CIP).

According to the security vendor, such attacks usually fall into two categories. They are either "targeted and tailored or massive". These threats aim to collect confidential information or to attack and disable the infrastructure, rendering it unusable or inaccessible to its users.

Director of government relations for EMEA & APJ, Ilias Chantzos, said: Massive attacks usually take the form of denial-of-service attacks against the infrastructure by utilizing botnets.

"Targeted attacks use unique malicious code in the form of a seeding mechanism, [and] will deploy [themselves] into a system and exploit vulnerabilities in zero day attacks, whereas tailored attacks use existing malware, but modified for a particular vulnerability," he explained.

The survey revealed that 53 percent of firms worldwide suspected or were sure they have been attacked with a specific political goal in mind. Of this, 59 to 61 percent of the attacks were considered to range from "somewhat to extremely" effective, resulting in damage cost averaging US$850,000 per attack.

In Singapore, about 72 percent of respondents believed attacks attempting to steal electronic information, shut down computer networks and manipulate physical equipment will stay constant or increase over time.

To determine the nature of the attack, Chantzos said the motivation of the attacker and the intended target need to be understood.

"In practice, most attacks will involve a degree of intelligence collection in order to prepare the necessary foothold for an attack to take place. Stuxnet worm that targeted energy companies around the world represents a recent example of a threat designed to spy on and reprogram industrial control systems, which shows a different kind of profile judging from the motive of the attackers," he added.

With greater awareness on politically-motivated attacks, 55 percent of respondents said they are "somewhat to completely" aware of their country's CIP plans, while 90 percent have engaged with their countries' CIP program. Another 66 percent said they would be "somewhat to completely" willing to cooperate with their government on CIP.

In Singapore, 89 percent have engaged with Singapore's CIP program with 43 percent being significantly or completely engaged.

While one third of respondents felt "extremely prepared" against the attacks, 36 to 41 percent said they felt "somewhat prepare", and 31 percent felt less than somewhat prepared. A whopping 40 percent of Singapore respondents said "they suspected or were pretty sure they had experienced an attack waged in an attempt to alter and destroy electronic information on their networks."

While it is impossible to completely ward off attacks, the security vendor suggests a six-step program to beef up a nation's CIP--develop and enforce IT policies, protection information, manage systems, protect the infrastructure, ensure 24x7 availability and develop information management strategy.

It also urged governments not to set or dictate security standards, but instead partner with industry associations and private enterprise groups to de disseminate information to raise awareness of CIP organizations and plans.