February 07, 2011, 10:34 AM — Cybercrime and cyber-espionage are on the increase and many agree that a clamp down is needed, but how do we balance that with the freedom the Internet provides and that most of us cherish. UK Foreign Secretary William Hague has appealed for governments to come together to agree a set of rules amid growing fears of "cyber war" between states. Addressing the Munich Security Conference, Mr Hague disclosed that as recently as last month the UK had come under attack from a "hostile state intelligence agency" seeking to penetrate the Foreign Office IT system.
Mr. Hague said the intelligence reports he sees as Foreign Secretary show that just one criminal computer programme can harvest over thirty gigabytes of stolen passwords and credit card details from over a hundred countries in a matter of days, causing millions of pounds worth of fraud. Over 40,000 pieces of sensitive information and financial data are traded on the online black market every day, amounting to 13.2 million criminal transactions every year.
Government systems are being targeted too. ZEUS is a well-known piece of malware that attempts to steal banking information and other personal details. In late December a spoofed email purporting to be from the White House was sent to a large number of international recipients who were directed to click on a link that then downloaded a variant of ZEUS. The UK Government was targeted in this attack and a large number of emails bypassed some of our filters. He said government experts were able to clear up the infection, but more sophisticated attacks such as these are becoming more common.
He continued by saying that last year the national security interests of the UK were targeted in a deliberate attack on our defence industry. A malicious file posing as a report on a nuclear Trident missile was sent to a defence contractor by someone masquerading as an employee of another defence contractor. Good protective security meant that the email was detected and blocked, but its purpose was undoubtedly to steal information relating to our most sensitive defence projects.
Mr Hague said that last month three of his staff were sent an email, apparently from a British colleague outside the FCO, working on their region. The email claimed to be about a forthcoming visit to the region and looked quite innocent. In fact it was from a hostile state intelligence agency and contained computer code embedded in the attached document that would have attacked their machine. Luckily, it was intercepted so didn't reach his staff.
Mr. Hague offered to host an international conference later this year to discuss norms of acceptable behaviour in cyber-space, bringing countries together to explore mechanisms for giving such standards real political and diplomatic weight.
He said that, in Britain’s view, seven principles should underpin future international norms about the use of cyberspace:
- The need for governments to act proportionately in cyberspace and in accordance with national and international law;
- The need for everyone to have the ability – in terms of skills, technology, confidence and opportunity – to access cyberspace;
- The need for users of cyberspace to show tolerance and respect for diversity of language, culture and ideas;
- Ensuring that cyberspace remains open to innovation and the free flow of ideas, information and expression;
- The need to respect individual rights of privacy and to provide proper protection to intellectual property;
- The need for us all to work collectively to tackle the threat from criminals acting online;
- And the promotion of a competitive environment which ensures a fair return on investment in network, services and content.
How do we balance the need for controls with the desire for freedom? Can we reasonably expect agreement on countering cyber-crime and cyber-espionage when the threats are fast changing, difficult to source, and intertwined with counter-intelligence operations of many of the world's major economies?
The UK has established a cyber operations group, the US has set up a Cyber Command. Is this enough? Should we support efforts to develop more stringent guidelines or should we just leave everything as it is?
