This needs a title?
"we also have to secure our position in cyber space in order to give people and businesses the confidence they need to operate safely there."
Well start by banning Commercial DPI Snooping!
UK cyber security spooks will soon have the ability to undertake proactive missions online rather than just playing defense, under the revamped National Security Strategy published today. For the first time, the National Security Strategy includes a public cyber security strategy. Prime Minister Gordon Brown said: "Just as in …
Am I lacking confidence in uk gov's ability to deploy any type of tech, other than the type that goes bang on the battle field?
It will cost 75% more than predicted, involve three times as many people and most importantly, won't come close to delivering in line with expectations/promises.
It will probably limp along for a few years, sucking up money and resources, then quietly slip into history as a 'Fcuk up'.
Call me a cynic if you want.................
"Worldwide online fraud is estimated at £53bn. Logistics, utilities and communications all depend on the internet to varying degrees."
Amazon, the world's biggest online store has a turnover of £12 billion. So what they're saying there makes absolutely no sense. You're telling me that the fraud is 4 times bigger than the world's dominant internet store?
"The other point made was that this was not about esoteric online-only attacks - 90 per cent of UK high street transactions are online in some sense."
How are HIGH STREET transactions ONLINE? If you mean the restock order from the shop to the warehouse? And what is your attack scenario for these terrorists for that? And how do you intend to protect against that?
Sounds like they want IMP justified a different way...
This is just a smokescreen for the government to exert more control over the interweb.
Now that the interweb can be (mis)used as a weapon, it has to be controlled, and only in the safe hands of government IT "experts" (GOD HELP US ALL).
Lord West has said that "Al-Qaeda is planning cyber war". And to combat these, a unit at GCHQ will "monitor, analyse and counter cyber attacks as they happen." How will they do that, one wonders.
Cyber "attacks" are very rare. DDOS is pretty rare, and more of a nuisance. So GCHQ will be using this excuse to monitor ALL traffic, nearly all of which will not be damaging. It's just interception, dressed up as security.
The education of business and government in matters of security seems eminently sensible and appears to be the first governmental stance on information systems security about which I may feel quietly optimistic. The emphasis on the devolved responsibility of the individual is particularly excellent. However, I feel the desirability of this department will depend entirely on the following caveats:
1) Any modification to civil liberties and personal privacy rights resulting from threat investigation is balanced directly and objectively against risk (as opposed to force of political will, ho, ho, ho. See Great Firewall of Australia),
2) The operation remains a civilian concern and open to public scrutiny,
3) The department employ people that actually understand the technologies involved and what may or may not be achieved: their manifesto implies they are fighting people that very definitely do understand these things. This particular point is of paramount importance.
As a final note, I am moderately surprised to learn that they're distancing themselves from toeing the f*ing terrorist line. Which is nice.
The UK will have to raise their Great Game Plans, and more than just considerably, to have any Remote Hope of being in Any Way Effective in such Virgin Imaginative Fields. And of that there is No Obvious Evidence which would indicate either a Remarkable Stealth or a Missing Essential Fundamental Program.
QuITe which Option/Reality, would be a National Security Secret, for the Professional Worriers to Ponder on and Embroider with their Debilitating Angst and Assault with Paranoid Delusional Thought....... which is Really Nothing but Counsel of the Frightened and Confused.
Leadership Material for Sharing with IT and Media, it aint.
For far too long, cyber-criminals have employed this physiological terror tactic, closely observing the effects of their consequences as the victims try to respond and thereafter manoeuvring their ways with newer tactics. The tables are now being turned - the hunter becoming the hunted. But even with this strategy change being public knowledge - as indeed with any info published in the web - will these cyber-criminals not devise counter-strategies to defeat it?
Imagine these people follow the money being paid for fake anti-virus software to a criminal in Russia or China. What are they going to do once they find him?
The best defence is a good defence: Use proper passwords. Do not use the same password for several accounts. Disable Javascript and Flash. Use an operating system designed with a proper security model (not some toy from Microsoft where security is a bolt on afterthought compromised for backward compatibility).
If they were allowed to target compromised PCs being used for a DDOS attack and nobble/fix them, that would be a result. One less PC in the botnet and one PC owner newly clued up about security. Or more likely, just reinstall everything and fall back into the same botnet, but at least they'd be out of the way for a couple of days.
Looking at the growth in all types of fraud crimes it is obvious that the government and banks will fail to stop fraud boom which will be far worse than credit crunch unless banks make outdated signature and PIN systems reliable by exploiting honesty restoring ID KEY system described on website www.xwave.co.uk
Banks will be tempted to exploit proposed system only if courts find banks rather than victims liable for losses caused by fraud crimes.
Al Qaeda plans a terrorist CYBER attack to get back at those drones that kill hundreds in Pakistan.
Osama: "We need to show these decadent capitalist pigs that they cannot use drones to kill our people!"
Mustafa: "Why are you speaking like a cold war clique Osama?"
Osama: "Never mind that, we will hack into Mango's supply computers and place an order for the Chipping Norton branch to receive all *Summer* clothes in the middle of *Winter*!"
Mustafa: "Devilishly clever, when the westerners see the stylish yet unsuitable clothing, they will purchase it and freeze to death!"
Osama: "Exactly, that will show them".
Meanwhile in GCHQ, ten thousand servers monitoring all communications into and out of the UK notice that Mango Chipping Norton's Internet is being probed.
Dudly Dooright: "Quick call the Prime Minister, Mango's Chipping Norton Branch is central to the UK economy, we must protect it at all cost or people will die! DIE I SAY! We must send millions of packets or they will never be able to get their order for winter leggings through!"
Prime Minister: "But how can you tell it's an attack?"
Dudly Dooright: "Because all other internet traffic surfs for porn, BTW, tell Alistair Darling to approve our budget, tell him 'flat chested midgets in leather' think it's a good idea..."
Yep, that sounds right, nothing to do with the Internet Mass Surveillance program (IMP), absolutely nothing at all, our High Street stores face the threat of Al Qaeda cyber attack and hence we need to protect them from, erm, terrorists thingamibobs. THE THREAT IS REAL!
Cool, will they be recruiting people with mad skillz to reflash routers into toasters on demand, or will it be the same tired old men sitting in on a committee process driving a windows only desk helped by squaddies whose computer skills of being able to turn on the pc without help meant they'd be the sys admins.
Fingers are itching at the prospect of it being the former...
It is all well and good to say, "Look, these people know what they are doing. They have the tools, the talent, and the desire." But will they have the authority? If everything is dependent on Home Secretary or PM approval, this could once again be relegated to a (albeit high-tech) truncheon selectively used under political will.
I agree that this is a _perfect_ excuse to implement the various interception plans revealed here previously by El Reg. And skimming off the top of the various agencies' talent and budget pools allows them to discreetly amass the wherewithal to put it together without (even!) MP oversight. All this wrapped up in the cozy blanket of Mum's Love(tm).
At least Blighty has the decency to let the public think they are notified about what's going on - in the US, everything always seems after the fact, unless some poor soul sloughs across the (literal!) mountains of documents that pass through the workings of our government. It is not a very well concealed fact that the majority of these are to hide what really happens.
... then some part of the government/legislature would take an active interest in ongoing fraud - but they don't. Nobody is interested - the local police forces tend to take the "we don't know, have no jurisdiction, can't be arsed, go to central government" approach but the centralised bodies are only geared up to investigate, collect statistics and report after a month or so. If the online crooks are agile i.e. they move/mutate their operations around the Internet/real world, they aren't likely to be caught. Why don't they just make someone responsible for actively pursuing online crime while it is in progress?
I can't see how "offensive operations" are to the benefit of the Internet and the online community in general.
"For a start they could ditch windows, move to some form of linux, which is much more secure.
if they have programs they /cannot/ do without, let them run WINE."
Yea, this sort of thing brings out the WHINE from the linux people without them fully engaging their brain.
Oh, just switch to linux. Don't worry about the extra costs of training users, training IT staff, man-hours spent reconfiguring PCs, man-hours spent reformatting documents/modifying scripts to work with the non-msoffice equivalent, etc, etc, etc.
After all, the software is free.
Isn't most of this work already taking place under the NISCC/CPNI, CSIA and CESG?
We are still waiting for the National Fraud Reporting Centre which has been delayed again until 2010. So, how long will it take to do something more sophisticated?
I just don't see these proposals helping most consumers or business. I think the government could spend the money more effectively - like giving us (www.e-victims.org) some money so we can help more victims of e-crime and other online incidents.
"How exactly do you think chip and pin works? The INTERNET !== WWW"
Wait, so you're suggesting that GCHQ would not just be monitoring our Internet communications but also every Chip and Pin Transaction too???? And those terrorists in Pakistan they have access, not just to the Internet, but also into the Chip and Pin network?
Devilishly cunning those terrorists.
"we also have to secure our position in cyber space in order to give people and businesses the confidence they need to operate safely there."
Secure from whom? ... What Security? ... I'm way past confidence into outright distrust bordering into growing outrage at the moves now being made against us all. The next step for many like me is to go from outrage into militant anger at the politicians for failing to protect us from outright exploitation, not by criminal groups but by profoundly arrogant, empathy lacking, morally vacant minded companies.
The Internet is growing ever less safe the more so many groups want to use the Internet as a means to spy on everyone. All ISP spying should be made illegal. It's like the post office opening every letter then using what they read for their own financial gain. How the hell can that be tolerated other than by dangerously ignorant Politicians who fail to understand what companies like Phorm are actually doing to people.
If the politicians are so incapable of providing protection against DPI (who don't even know what DPI is and what it does), then as they can't protect us, their ignorance of the dangers is forcing us all to develop ways to protect ourselves. Politicians are paid to do a job. Central to that is to protect us. If they cannot do that job it's time to fire them and find someone who can do the job.
No more opt out cookies from companies like Phorm. It's a blatantly untrustworthy means to appear to protect against them spying on everyone and they know it. It's why they use it. Phorm companies provide no service to any online user. They only provide a service to the people who buy stolen information from Phorm. Phorm's sales pitch words are a cover for them wanting to blatantly exploit people too ignorant to know how they are being exploited.
What companies like Phorm are doing is laterally Privacy Rape of us all. It's about time such strong terms were used and spread around the Internet against Phorm, to finally shock and inform all non-technical users exactly what companies like Phorm aim to do to users. Phorm is a total violation of us all for their financial gain. Stop all DPI now!
This initiative gets my vote.
A more secure internet/www is not going to harm anyone apart from those who should be harmed in the first place.
I suppose like most crime once criminality has been identified it is important to track n katch but on top of that it also needs another arm that says to business, private users, schools, colleges, ... , NHS, ... something like "Hey dood! Dontcha know your computer(s) are freekt? Contact your IT specialist. If you do not have an IT specialist contact [enter phone number and website here] to get stuff sorted."
The [enter phone number and website here] bit could be a single organisation that is run/admin'd by the trak n katch people ... all the way through to find your local specialist.
I iz Ur ordinary yooth on diz streets and me and me homies are totally Ok with them GCHQ doods totally watching us backs.
Only dem der drug dealers and terrorists would disagreez with the man.
Yeh I needz more security doods, they don't earn nealy enough dough dem spooks!
And dey is handsome too.
Rad to the max!
they should get their own house in order first, but screw that they appear to have been taken over by a bunch of script kiddies.
There are many problems with this approach, but one of them is they have made themselves a useful patsy; if government systems are expected to attack other systems, then what are people going to do when they find themselves under attack from a UK government system, not much.
If it goes to court, then there is already the admission the government are doing this, and even if they get the correct person, it can be easily argued that they haven't and they are just making stuff up. This paints a huge red target mark on all government systems, it is so badly thought out.
The first law of holes states that when you find you are in one- STOP DIGGING! To that end I have some suggestions. Priority should be given to avoiding increasing our vulnerability to attack via the net. To that end, I suggest a moratorium on developments such as "smart meters" and "the internet of things" until robust security measures can be implemented in the base architecture. If anyone knows of an example where security has successfully been backfitted atop a platform not designed to be secure, tell me, because I have yet to hear of such a thing working.
In addition to this I would recommend that we make it illegal to connect controls for critical physical infrastructure (usually via SCADA systems) to the Internet, you can't hack what you don't have access to. I would also put a time table in place for disconnecting such systems that have already been connected (though this, in truth, is really a "getting yourself out of the hole" measure as opposed to a "stop digging" one). While I consider such attacks low probability (this is not something that script kiddies will be doing for teh lulz) the potential consequences are severe enough to warrant taking action.
Another concept that, I suspect, would work well here in the States at least, is to make a company's negligence in security a cause of action for a lawsuit with triple damages. As part of this, put together a list of security best practices and make following those an absolute defense against such suits. If there is a better way to enforce adherence to good security practice, tell me about it.
I am somewhat pessimistic about the whole "good offense is a best defense" concept. One characteristic about the attacks I have seen thus far is that they lack a clear set of "fingerprints" pointing to who exactly did it. Was the Estonian DDoS attack the work of Putin and Co. or was it "patriotic" Russian hackers deciding for themselves to punish Estonia on their own, for instance. Even if one does find out who did it, it is likely to be long after the fact- not very useful for deterrence purposes.
@IndianaJ- The original source of "cyber" is not SF, but MIT's own Norbert Wiener who coined the term "cybernetics". It was from there that Gibson looked to come up with the term cyberspace for his Sprawl universe, the setting for Neuromancer (hardly a work for "children" BTW). Besides, is not the content of a proposal far more important than the terminology used in the proposal?
I wondered why they didn't use Linux and customise the hell out of it to make it ultra-secure instead of using Windows boxes. My colleagues weren't as computer literate as I was, and I mentioned the fact that their anti-virus software was so out of date it was 3 years old and updated once every 6 months or so. Poor training didn't help, and I was often asked by colleagues how to do simple stuff like scan floppy disks for viruses and altering the message view in Outlook. I mentioned this to my team leader (a self confessed Luddite) who said he "hated the things" (computers) who just shrugged and pulled his face a bit. Anyone who can surf the internet will be given a job even if they don't know what DRM is. *There is a belief that if you can surf the net and you can type, you are fully computer literate*. The folks already there don't know what they're doing, and they'll just add a few more. Big brother might end up not watching you as his friends are totally inept.
I've always been a fan of a defensive network and striking back but that sort of behavior at least in the states is highly frowned upon. Larger ISPs don't want to have to deal with the backlash they will get from putting insecure computers on the internet.
Although we could implement technology over here just as we have done with curbing greenhouse gasses there's nothing that will be done to curb the abuse we see from the third world.
I think as time goes on you will just see the internet start to separate. I personally could deal just fine with only about 5 countries having access to our intranets, there's nothing legitimate comin out of Africa, China or Nigeria, not at least for us.
The UK might be setting a bad example by going on the offense though, I guess time will tell. They only seem to have the balls to go after white radio talk show hosts and not actual bad guys that are among them calling for their demise.