Anyone paying any attention to digital security at all knows the whole universe of cybercrime outgrew its hacker roots years ago, when it was largely taken over by organized crime gangs, primarily in the former Soviet Union, China and the United States.
Now it's outgrown organized crime as well, according to Jonathan Evans, head of MI-5, the British internal counter-intelligence and security unit that functions like a combination of the FBI and CIA in the United States.
Despite the resources and experience of a world-class intelligence operation such as MI-5, Britain is all but overwhelmed by complex, persistent attacks that are anything but trivial early experiments into the potential for cyberespionage and warfare, Evans told attendees at the London Lord Mayor's Annual Defence and Security Lecture yesterday – a large-scale in-depth conference providing public updates on threat and security issues.
"Vulnerabilities in the internet are being exploited aggressively not just by criminals but also by states. The extent of what is going on is astonishing," Evans said.
State-sponsored cybercrime isn't conducted by small teams assembled for a specific attack, which is how many organized criminal gangs operate.
With the resources of a whole country behind it, cybercrime has become dominated by "industrial-scale processes involving many thousands of people lying behind both state-sponsored cyber espionage and organised cyber crime," Evans said.
The only saving grace so far is that terrorist groups are still struggling to move beyond traditional attacks on civilians to take advantage of vulnerabilities in critical national infrastructure such as electrical utilities, water, sewer, traffic management and secrets housed in government data centers rather than old-fashioned file boxes.
The change is putting corporations at risk as well as government agencies that would be natural targets for foreign security services, Evans said, citing an unnamed London-based company that lost $800 million in a state-sponsored attack earlier this year. MI-5 is currently investigating more than a dozen other major attacks on British corporations as well.
The more connected, automated and digitized Western societies become, the greater the potential danger, Evans warned.
"The internet has developed from a communication network to what is called the 'internet of things' – connecting via the internet the buildings we work in, the cars we drive, our traffic management systems, Bank ATMs, our industrial control systems and much more," he said. "This increases the potential for mischief and leads to risks of real world damage as well as information loss."
MI-5 and the security agencies of allied countries, including the United States, are working together to put in place IT security standards that make cyberespionage and sabotage more difficult, though not impossible, Evans said.
Recent admissions that the U.S. and Israel were behind the Flame malware attacks on Iran and probably Stuxnet and Duqu as well don't help the credibility of any Western security agency, according to Graham Cluley of Sophos Antivirus' Naked Security blog.
"This area of cybercrime is shrouded in the deepest, thickest fog - and attribution continued to be a monumental problem," Cluley wrote. "But speculation about government and military use of the internet to spy continues to grow."
Unfortunately, neither Cluley nor Evans offered any significant advice or new insight into how to protect our individual or corporate selves against the onslaught of industrial-scale cyber-intelligence operations.
Both cited regular updates, attention to the routine details of security and adherence to best-practice guides that highlight habits common to those least often victimized.
It all sounded a bit like being told to put on your raincoat and not forget your umbrella before going out on a stormy day.
Somehow even the kind of brolly MI-5's sister agency MI-6 put together (for the movies anyway) doesn't seem like it would offer enough help to even slow down what appears to be a rapidly developing full-scale free-fire zone among security agencies discovering it's possible to attack an enemy's most deadly weapons and richest store of secrets and still get home by dinner.
"Astonishing," Evans called it.
No kidding. Especially the part of the story Evans didn't mention – the one describing how tightly U.S. and British intelligence operations work together and the role MI-5 played in developing their own cyberespionage capabilities, showing foreign governments how the new toys work.
"Astonishing" is a good word, Mr. Evans. So is "blowback;" best to keep them both in mind in future, eh?
Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld.