CSARN / The Monitor is a fortnightly security intelligence briefing, sent directly to your inbox, covering threats to UK and Ireland business communities.
In this period reports have emerged indicating that the UK intelligence community is developing its strategy to encourage leading British businesses to protect themselves from potential cyber attacks and espionage operations. A letter has been sent from Andrew Parker, Director General of the Security Service (MI5), and Sir Iain Lobban, Director of Government Communications Headquarters (GCHQ), to the chairmen of the FTSE 350 companies outlining their plans for increased coordination in their defensive strategies. Reportedly titled the “Cyber Governance Health Check”, the plan involves regularly surveying leading firms across a variety of cyber security categories to allow cross-industry comparisons and further incentivise the adoption of effective security measures. This proposal follows the disclosure in the recent Intelligence Select Committee (ISC) Annual Report that British government and military data was increasingly being targeted via third parties, such as the professional services firms that make up a considerable proportion of the FTSE 350.
This latest development immediately followed the publication of a report by auditing firm KPMG that raised concerns about excessively casual attitudes to cyber security in leading British firms. KPMG’s Cyber Response Team asserted that every single FTSE 350 company had inadvertently made sensitive information publicly available online. This included employee details and email addresses, both of which could be used in spear-phishing attacks (targeted infected emails masquerading as legitimate communications), as well as information relating to the location of sensitive files. Furthermore, the report alleged that 53% of firms were running unpatched systems or outdated server software for which vulnerabilities had already been made publicly available, presenting another potentially attractive attack vector.
Shortly after the release of the report, a security expert was able to identify similar employee-related vulnerabilities in KPMG itself, and to retrieve documents marked as confidential that were in reality entirely publicly accessible. This clearly demonstrates the broader issue of complacency that the UK intelligence community is attempting to tackle with this latest Health Check initiative. It also follows our coverage in the 4th July Monitor of a PricewaterhouseCoopers report that revealed alarmingly misplaced levels of confidence among leading UK and US firms in their information security operations. That particular study revealed that 42% of those surveyed considered themselves market leaders in terms of security, whereas only 8% of those were deemed to have sufficient and contemporary systems and practices in place when measured against a set of basic criteria.
Although the scheme is voluntary, the anonymized ranking system proposed as part of this initiative is an important development in creating further impetus for UK firms to improve their resilience against potential cyber attacks or attempts to steal intellectual property. The ability to identify areas of potential weakness relative to competitors ahead of a potential attack is obviously preferable to discovering previously unknown vulnerabilities in the aftermath of a damaging attack, both in terms of immediate disruption and long-term reputational damage.
In other developments relating to the UK intelligence community, reports have emerged that the UK and its closest allies have banned their intelligence services from using computers manufactured by Chinese firm Lenovo. The Five Eyes signals intelligence sharing alliance, consisting of the UK, the US, Canada, Australia, and New Zealand, made the decision to prohibit use of the firm’s hardware after its acquisition of IBM’s PC business in 2005. The ban followed testing which revealed backdoor vulnerabilities (deliberately designed features to allow a manufacturer or third party access to a system, conventionally used for technical support) present in Lenovo PCs. This is potentially significant given that many firms rely heavily on Lenovo’s well-regarded and popular business machines, due to their IBM heritage. Moreover, we are aware that many, many more items of hardware are compromised than reports indicate – including items that have not come from Chinese businesses.
This latest development also follows an ISC report outlining concern about the level of involvement Chinese telecommunications firm Huawei has in the UK’s critical national infrastructure. However, concerns for private-sector firms regarding this development may be overstated, as the ban only applies to the most sensitive and restricted government networks. Lenovo continues to supply significant quantities of hardware to other government departments and retains its position as the second largest global supplier of PCs. We assess that other techniques, such as the use of malware and spear phishing, continue to represent a more significant attack vector in attempts to compromise intellectual property.