'I'm from the government, and I'm here to help you.'
This was the opening theme of the Infosecurity Europe conference in London on April 23. And it was well-received by attendees, who are eager to see greater public/private partnership in the face of mounting security risks.
Cyber-risks are among the top 4 threats to the UK.
Setting the tone was Chloe Smith, minister for political and constitutional reform within the UK's cabinet office. In an opening keynote about the UK cybersecurity strategy, Smith promoted the government's new programs to support greater security awareness and controls. Key among these initiatives: The government's Technology Strategy Board has just expanded its Innovation Vouchers program to allow small and midsize enterprises to receive up to Â£5,000 to improve their cybersecurity through third-party engagements.
"We want to make the UK one of the most secure places to conduct cyberbusiness in the world," Smith said.
But clearly it's going to take more than a few vouchers to get there.
Even while attempting to set an optimistic tone, Smith revealed some distressing observations:
- The UK government blocks 33,000 infected e-mails per week.
- Cyber-risks - particularly those posed by nation-states, hacktivists and organized crime - are among the top four threats to the UK. "Industry by far is the biggest victim of cyberthreats," she said.
- And while there are an estimated 2,300 UK companies operating in the cybersecurity sector, they face the same skills/personnel challenges as other organizations worldwide. "Where the government can help, we will," Smith said.
Alas, Smith's encouraging words were balanced by the observations of security specialists throughout the show who ... well, let's just say they offered a different perspective.
I spoke with James Lyne, director of technology strategy at Sophos in the UK, and he had some grim figures from his own observations:
- 250,000 unique forms of malware per day - up from roughly 6,000 per day just a few years ago;
- 30,000 hacked and infected websites per day - many of them mainstream businesses that inadvertently infect visitors through drive-by exploits.
The biggest trends Lyne notes are the harvesting of credentials - not for immediate fraud, but for re-sale and later use - and greater business sophistication demonstrated by the fraudsters. "It used to be technical maturity we'd see [in the attacks]," Lyne said. "Now it's business maturity."
I also discussed distributed-denial-of-service attacks with Akamai's Christiaan Ehlers, who sees unique trends in Europe.
Whereas U.S.-based organizations have been plagued by DDoS outages initiated by hacktivists, European businesses are troubled more by extortionists. In these cases, the criminals threaten DDoS against a business unless the owner pays a fee. The actors seldom strike the same business twice, Ehlers says. And as a result, they're rarely caught.
Although some observers says the DDoS threat is overblown (see my Infosecurity Europe interview with security consultant Mark Child), Ehlers maintains that European organizations are increasingly targeted, and the technology behind the attacks is evolving.
Bound by Borders
EU agencies in general, and ENISA in particular, work hard to standardize security regulations and controls across European nations.
But there are still significant differences in privacy controls from country to country (hear my interview with Dwayne Melancon of Tripwire).
And even more concerning are the nuances - and in some cases lack - of legislation to prosecute cybercriminals. Cross-border collaboration is necessary, particularly when dealing with attacks conducted by global crime gangs or sponsored by nation states. But it's often absent. The Albert Gonzalez (Heartland Payment Systems hack) conviction was the exception, not the rule.
Lyne of Sophos says it's time for nations to get together and crack down on cybercrime with common legislation and collaboration aimed at taking away the criminals' cross-border advantages.
"We don't want to lose the innovation of the Internet - we don't want a 'Great Firewall of China,'" Lyne says.
But neither can we tolerate unpunished cyberstrikes against global businesses and governments.
Indeed, as the UK's Smith says, the government may be here to help. But it's going to require more than vouchers and awareness programs to truly mitigate today's top threats.
Smith's conference keynote was a good start. But what the cybersecurity race needs now is a great finish.