Every country has secrets. Every government has data or information that it simply cannot afford to lose or have stolen. Whether it’s strategic military positioning, government-owned ‘Big Data’ or even citizen ID or voter data, governments have long had a need for High Assurance computer systems protection and cyber intelligence defences.
Now, though, things are changing. Lines are blurring. With everything coming online from the global financial system to the power grid and national transportation networks, the distinction between Government, Civil, and Industrial systems is all but gone. The threat to life from an adversary taking our banking systems offline or causing havoc on our transport infrastructure is every bit as real as – perhaps even more real than – a physical attack or traditional espionage. Even though many of these systems will be built and operated by commercial companies, their national defence status cannot be underestimated and it is vital that the necessary cyber-security measures are taken to protect them.
Across the globe, the risks to each country’s data will vary. Governments in global superpowers such as the UK, US, China and India (to name but a few) will know they’re potential targets for fraudsters and cyber-hackers.
So what are they doing to defend themselves?
While the National Audit Office recently published a report condemning the poor state of general IT security across UK government departments, central government has made a bold and decisive move in forming the National Cyber Security Centre (NCSC), which is headed up by experienced security professionals and has laid out clear plans for its approach which genuinely move the state of protection forwards.
It has not only taken a threat-based approach to security – in which the government actively analyses the types of attacks it might realistically face – but has also decried the ‘monster under the bed’ approach of reactive endpoint security and the scare tactics traditionally used by some security vendors. The government has explicitly recognised the requirement to work with industry experts and forward-looking companies to share the responsibility of keeping society safe, as networks and software become the lifeblood of our critical infrastructure and daily lives.
In addition to these initiatives, the NCSC has taken the brave and unusual step of announcing a policy of ‘active defence’ or, in very simple terms, ‘hacking back the hackers’. Active defence is controversial, especially if it is pre-emptive, but with more and more risk attached to network outages or data breaches, it has to be seen as a necessary weapon in the fight against cyber-crime and cyber-attackers.
The US has also taken significant steps to defend itself from cyber espionage. Just last December, it passed the Cybersecurity Act of 2015, which aims to “provide important tools necessary to strengthen the Nation’s cybersecurity”, particularly by making it easier for private companies to share cyber-threat information with each other and the Government.
A major driver for the US in early incarnations of its cyber-strategy was the realisation that commercial companies – tech stars like Cisco, or online banks and financial institutions – were at serious risk from cyber-attacks. IPR theft or financial interference are great ways of degrading a country's capabilities, assets, international competitiveness and operational capability – all serious considerations for national security even though these are commercial companies. You don't need a physical war anymore to disrupt a society – you can reach straight into its living rooms and hold its citizens’ digital lives to ransom directly.
The latest move in the US’s new Cybersecurity National Action Plan is to work in partnership with commercial tech giants to help citizens protect their online identities. This pledge suggests that the government recognises the importance of citizens’ online data and the role the public sector plays in safeguarding this information.
In the words of the Commission itself: “Over the past few years, the European Commission has adopted a series of measures to raise Europe's preparedness to ward off cyber incidents. The NIS Directive is the first piece of EU-wide legislation on cybersecurity.”
Published in July 2016, the NIS Directive aims to solve several of the most troubling practical issues of harmonising the various different standards of the member states in order to enable an efficient and effective Europe-wide system of defence against cyber attack. Up until now, different members have implemented defences and response systems that differ in simple but inconvenient ways, such as having differing definitions of security levels and different models for security authorities and response bodies.
In addition to harmonization and coordination, the Directive also requires each member to operate a Computer Emergency Response Team (CERT) and seeks to take tighter control of “essential industries” such as power, water, transportation and big finance to ensure they are cyber-protected as they undergo digital transformation.
China’s government has recently approved a broad new cyber-security law aimed at tightening and centralising state control over information flows and technology equipment.
The new legislation states that agencies and enterprises must improve their ability to defend against network intrusions while demanding security reviews for equipment and data in strategic sectors. While in principle this sounds sensible, the new legislation has been met with criticism from many companies and was defined as ‘a step backwards for innovation’ by James Zimmerman, chairman of the American Chamber of Commerce in China.
As this new law won’t come into effect until June next year, it remains to be seen if it indeed proves as restrictive to enterprises as some are predicting.
India has now embarked on an extremely ambitious and impressive programme called ‘Digital India’ which seeks to get the whole country online. From accessing government services to casting a vote, all interactions with government have been pledged to be made on an easy, fast, modern, online system. In its own words, “The Digital India programme is a flagship programme of the Government of India with a vision to transform India into a digitally empowered society and knowledge economy.”
The initiative aims to create a “cradle to grave identity” for every citizen which will allow access to “seamlessly integrated services” and enable practical “participative governance”. They also intend to use the system to solve non-governmental problems of modern digital living such as creating “private spaces in public cloud” and realizing a secure system of “electronic and cashless financial transactions”.
The possibilities for a streamlined, contemporary democracy and digital economy are tremendous, but so are the opportunities for hackers and fraudsters. Helping to keep Digital India ahead of the cyber-threats is a key concern of the people working on it, be they experts in policy, government services, or security technologies such as PKI.
Addressing the cyber-risks
As we can see, approaches to cyber-security vary across the globe, but clear to all is the risk that cyber-attackers pose to government – and sensitive citizen – data. Acknowledging that risk is just the first step to defending against it. Only by setting forth a bold strategy – which includes deploying the most advanced and robust secure-by-design techniques with a strong understanding of the real risks we face – can governments ensure the safety and security of their information. The world is constantly changing, and being flexible enough to recognise and react when the attackers are getting ahead is going to be vital. Literally.