CESG: How UK defends against cyberattacks

With hacking rated on a par with terrorism, GCHQ offshoot CESG's job has become more critical, and a source linked to the intelligence agency tells ZDNet UK about evolving threats and Wikileaks
Written by Tom Espiner, Contributor on

In October, the government stepped up its national security risk rating for cyberattacks to tier one, up from tier four. That puts hacking attempts and other digital intrusions on a par with terrorism and military attacks.

One organisation charged with protecting the UK from such attacks is CESG, the information assurance arm of intelligence agency GCHQ. Headquartered in Cheltenham, it is dedicated to advising government bodies about securing their communications and information systems, and looks after parts of the critical national infrastructure.

In particular, CESG keeps abreast of attempts by hackers who may represent nation states or organised criminal rings. The government has estimated that its networks have to cope with 20,000 malicious emails each month, and patchy human monitoring of those systems opens them up to breaches, the organisation has said.

To find out more, ZDNet UK recently talked to a source with links to CESG about the evolving nature of information security threats and the effects of whistle-blower site Wikileaks on a government that has massively cut public spending.

Q: How is the threat landscape changing?
A: Cyberspace provides a significant risk. It's easy to gain access, and the equipment is not costly. You don't need large aerials, just a laptop and an ADSL line.

Q: Have the government and public sector kept up with the pace of change?
A: We've made great strides to improve the protection of information. There's always room for improvement, but if you look at the past two or three years... awareness about the cost and value of information has improved. People [in government] appreciate the threat from a number of sources, including organised crime and foreign governments, hence the investment in the cybersecurity programme.

Q: Are there enough people in the public sector who have the necessary skills to be able to deal with the range of cyber-threats?
A: It's very important to spot when incidents have happened and to have plans in place and the skills to implement them. From my perspective, we don't have all the skills in place across the public and private sectors to do that.

Q: What skills are lacking?
A: Skills [are needed] in terms of network monitoring, being able to quickly realise there is a real attack. There is technology available, but it takes human skills. Then there is the aftermath, which takes forensics skills.

Q: How do GCHQ and the Cyber Security Operations Centre (CSOC) at Cheltenham monitor current threats?
A: It comes down to situation awareness. Cyberspace is a big place, and attacks don't always happen simultaneously. You may get an early warning when a new attack or vulnerability appears somewhere else in cyberspace. Sometimes you get an early warning and intelligence, and sometimes you don't. That is the nature of the threat we deal with.

Q: The CSOC has attack as well as defensive capabilities. Is most of the emphasis placed on defending networks? How does the government decide to respond to an incident?
A: Every case is different. You have to look and ask: "What is the better way?" It's not a broad brush — you have to find the right balance between defending and responding to incidents when they occur.

Q: There are many different types of attack, but the vast majority are unfocused and spam-based. I'm guessing most attacks just bounce off government systems, and you don't need to worry about them.

A: You've got to differentiate between a targeted attack and a general attack. If a virus is not targeted, you have to worry about it, but as part of a group [of general attacks]. For targeted attacks, you have to be more worried.

Q: How does the government deal with targeted attacks on its systems?
A: It depends on how much resource attackers have put into it. The resources organised crime can bring to bear may be completely different from a nation state.

The nature of the threat will determine how big you build your wall. If the threat is from someone who can put in a lot of effort, you also have to put in a lot of effort. For a lot of threats, as a minimum, you have to make sure your antivirus and patching is up to date. As the threat grows, you have to consider insider and blended attacks.

Q: Should software that the government and public sector use be more secure?
A: Bugs in software are one of the main sources of vulnerability; it would be nice to think that one day all software will be bug free.

Q: Microsoft software, such as Internet Explorer, is used widely across government. Would it be better from a security standpoint to move to using other products, or maybe open source?
A: At the end of the day, government uses the products available. Microsoft has a good reputation and security stance. It has led the way in good software development techniques — not all vendors use the same levels of rigour.

Q: Has the rise of whistle-blower site Wikileaks affected government views on insider security, especially as many employees are being affected by government cuts? Have government cuts affected security provision?
A: Wikileaks is constantly bringing to mind departments' need to think of [data loss]. We have seen no indications that people are skimping on security.

It's good to understand the need to manage risk to services and continue to do that in an austere climate.

Q: In December, the government disclosed a review of departmental security prompted by Wikileaks. Has that review caused the government to change data security practices?
A: The Wikileaks review has certainly highlighted the subject. There has always been a risk of accidental loss, and you have to adapt to the threat. Wikileaks has highlighted the potential — people may look at Wikileaks and think, maybe I can do the same.
