20080304zd BT cyber-espionage and cyber threats

Corporate cyber-espionage

The challenge of combating emerging cyber threats

Globalisation is leading to a new ‘cyber cold war’, if recent reports and events are anything to go by. As we approach the end of 2008, there has been nothing short of a flurry of media reporting and commentary – worldwide – on the issue, with a number of concurrent revelations and warnings that, taken together, represent a stark sign of things to come.

 

In September 2007, the Washington Post reported that the Federal Bureau of Investigation had announced its »number three« priority was now protecting the United States »against cyber-based attacks and high-technology crimes.«  On Monday 3 December, the UK’s Times newspaper reported that global companies Rolls-Royce and Royal Dutch Shell had been subject to »Chinese espionage attacks«.  On the same day, the Financial Times reported that a large number of UK businesses could be at risk of losing sensitive data due to a frighteningly lax corporate attitude to securing stored data, and influential trade publication zdnet claimed that MI5 had issued a warning to UK businesses that international spies are conducting a campaign of cyber-espionage against them.  On Friday 7 December, itnews.com in Australia reported a survey that reveals two-thirds of manufacturers fear the threat to their product intellectual property has grown over the past two years.

These are, of course, just examples, and, regardless of the veracity of the claims and accusations we are seeing being made in the global media – because, actually, that is not the real point here – one thing is clear: this is part of a wider trend.  During 2007, there has been a clear increase in the volume of reporting on international cyber-threats, and this is due to a corresponding sea-change in the amount of corporate cyber-espionage going on worldwide.

Why is this? Quite simply, because of two things.  One, the world, and particularly the business world, is more globalised than ever before.  Companies transcend old-fashioned national borders and what is sold in Europe may have been conceived in America, designed in Japan and manufactured in China.  And two, because that same world is more networked than ever before.  It is more reliant on technology, partly because so much business is now conducted over huge distances and partly because so much business is now data-driven and computer-dependent.

The result, of course, is a very modern transmutation of the age-old phenomenon of ‘industrial espionage’, which has been around since the dawn of commerce.  So, on the one hand, we should not be surprised or think that this surge in ‘cyber threats’ represents something new – it does not.  It’s a new take on an old problem.  But, on the other hand, we should be aware that because it’s a new take it requires a new set of solutions.

Security experts warn that a »cyber cold war« is developing, in which governments are using technology not only for the immediate benefit of gaining intelligence from stolen data but also to probe critical national infrastructures for possible weak points that could be exploited in the event of conflict.

Security software firm McAfee produced an illuminating Virtual Criminology Report in 2007, within which it was pointed out that countries are testing the water to gauge the threat and potential for damage posed by their cyber-assaults.  And attacks are not limited to any particular countries, or by alliances between countries. In the McAfee report, Johannes Ullrich, chief technology officer for research organisation the Sans Internet Storm Center, said that most countries hack each other regardless of any supposed allegiances.

What might the impact of this be?  It’s hard to say for certain.  One worrying consequence could be the fostering of a climate of mistrust that would threaten to damage the commercial opportunities presented by globalisation.  BT’s own collaboration and globalisation study, published earlier in 2007, Building Business with BRICS, indicated that board executives in the UK, U.S., France and Germany are wary of doing business with companies in the nascent economic powerhouses of Brazil, Russia, India, China and South Africa, in part because of specific fears over corporate security and state-sanctioned corporate espionage.  Are executives right to worry?  Again, that is not really the point.  The point is they do worry, rightly or wrongly, which means that the issues of data security and cyber-crime have leached from the conference rooms of MI5 and the FBI to the boardrooms of global business.  And that matters.

The question being asked in boardrooms – and the one that will, you can be sure, be asked more frequently during 2008 – is ‘can we truly protect ourselves against the next generation of hacking?  Or is damage-limitation the best we can hope for?’  Providing reassurance is a tricky thing, because companies involved in providing security solutions need to be transparent and responsible with their claims.  So let us be very clear, here, from the outset.  There is no easy panacea to this problem.  There is no single product or service that can be plugged in and mean your data is safe.  Which is a good thing – it means companies need to sit up and take this problem seriously at a senior level and not relegate it to a nuts-and-bolts IT services issue.  

Firstly, there is a need to recognise how the very nature of globalisation has altered the challenge.  Once upon a time, it would have been easy for a virus detection programme to check IP addresses linked to a PC or server, spot any beginning 85.xxx and say ‘nope, we shouldn’t be sending data to anyone in China, thanks very much’, and block the address.  Today, of course, most international companies will be sending and receiving legitimate data packets to and from China daily – suppliers’ details, product data, order information.  So modern software has to learn what activity is legitimate and what is not before it begins to run effectively.  This is hugely powerful, but the understanding of the process is not always there.  Too many organisations, erroneously, think they have this activity covered.  Just because suspicious activity has not been detected does not mean that it’s not going on.

Recent developments in anomaly detection software allow the detection of even the most sophisticated breaches designed to bypass existing anti-virus technology, such as the theft of data on USB sticks and malicious Trojan activity.  The ability to analyse network detail means previously unseen Trojan activity can be monitored and identified.  The end result is the destruction of ever more malicious software.
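An added illustration (not part of the original article) of the contrast drawn above: a static address-prefix rule versus a baseline learned from observed traffic. The flow records, host name, thresholds and function names are constructed for the example, and the addresses are documentation ranges standing in for the "85.xxx" prefix in the text.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Stand-in for the static "85.xxx" style rule (documentation range, constructed).
BLOCKED_PREFIX = ip_network("203.0.113.0/24")

# Constructed learning-window flows: (internal host, destination IP, bytes sent).
LEARNING = [
    ("pc-17", "203.0.113.10", 48_000),  # supplier inside the "blocked" prefix
    ("pc-17", "203.0.113.10", 52_000),
    ("pc-17", "203.0.113.22", 50_000),
    ("pc-17", "192.0.2.5", 4_000),      # routine domestic destination
    ("pc-17", "192.0.2.5", 6_000),
]

def static_rule(dst):
    """Old approach: the verdict depends only on where the destination is."""
    return "block" if ip_address(dst) in BLOCKED_PREFIX else "allow"

def net24(dst):
    """Group destinations by /24 so one supplier's hosts share a profile."""
    return ip_network(f"{dst}/24", strict=False)

def learn_baseline(flows):
    """Learning phase: per (host, destination /24), mean and spread of bytes sent."""
    sizes = defaultdict(list)
    for host, dst, nbytes in flows:
        sizes[(host, net24(dst))].append(nbytes)
    return {key: (mean(v), pstdev(v)) for key, v in sizes.items()}

def score(baseline, flow, k=3.0, floor=1024):
    """Detection phase: compare one flow with what was learned for that host."""
    host, dst, nbytes = flow
    stats = baseline.get((host, net24(dst)))
    if stats is None:
        return "new-destination"          # never seen from this host
    mu, sigma = stats
    # floor keeps a near-zero spread from flagging tiny fluctuations
    if nbytes > mu + k * max(sigma, floor):
        return "volume-anomaly"
    return "normal"

if __name__ == "__main__":
    baseline = learn_baseline(LEARNING)
    live = [
        ("pc-17", "203.0.113.10", 51_000),  # ordinary supplier traffic
        ("pc-17", "198.51.100.7", 9_000),   # destination never seen before
        ("pc-17", "192.0.2.5", 900_000),    # known destination, unusual volume
    ]
    for flow in live:
        print(flow, static_rule(flow[1]), score(baseline, flow))
```

The static rule blocks the legitimate supplier and allows the other two flows, while the learned baseline does the reverse. A baseline learned while unwanted traffic is already present treats that traffic as normal, which is the article's point that nothing detected does not mean nothing is going on.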

However, ultimately, what is needed here is a combination of good corporate policy, married to this effective technology.  Far too often, we see one without the other and this, frankly, is not good enough today.  It isn’t that companies aren’t investing – they are – but spending money whilst paying lip service is no solution.  The technological solutions exist – software-based anomaly detection, located in the network, coupled with solid firewalls at your data centre end, is growing ever more sophisticated and is a hugely effective barrier to the types of data threats being reported.  But on their own, without effective policy adherence – rigorous testing, monitoring, recording – such as is demanded by ISO 27001 (BS7799), the Information Security Management System ('ISMS'), in any organisation, in any sector, anywhere in the world – they will never be wholly sufficient.

Harry Archer (Security Consultant BT Global Services)

 

 

Planning for continuity in the new risk landscape

Reliable access to affordable oil and natural gas is a cornerstone of the global economy, but in today’s energy market, disruptions in the supply chain can have thorny diplomatic and security consequences for those involved in exploration and production.

 

Some of the world’s most influential figures have repeatedly raised concerns over both the growth in risk and its global impact.

Two years ago the former UK prime minister Tony Blair said: “For how much longer can countries like ours allow the security of our energy supply to be dependent on some of the most unstable parts of the world?”

Daniel Yergin, chairman of Cambridge Energy Associates, echoed Blair’s thoughts: “Energy security has repeatedly emerged as an issue of great importance, and it is so once again today. But the subject now needs to be rethought, for what has been the paradigm of energy security for the past three decades is too limited and must be expanded to include many new factors.”

Their fears are nothing new.  Winston Churchill, just before the First World War, shifted the power source of the British Navy's ships from coal to oil with the words “safety and certainty in oil, lie in variety and variety alone”.  He began a process that, almost 100 years later, sees the international community working hard to avoid disruptions by seeking multiple supply sources, encouraging open markets and maintaining strategic reserves.  Unfortunately maintaining continuity of supply is an increasingly complex challenge. 

The West, or rather the developed world at large, is addicted to oil and most developed nations rely on imports.  And the developing world is just as reliant on ‘black gold’ as it seeks to fuel its economic growth.  China, for example, already the second largest global consumer of crude oil, is set to supplant the US for the number one spot within a decade.  Its own reserves, calculated to be 6.5 billion tons at the end of 2003, are thought to be good for 20 years but, according to the International Energy Agency, its daily consumption already outstrips daily production by 2.9 million barrels.  China is already the world’s second largest net oil importer and that drives its quest to secure reserves in Africa and South America in particular.

This leaves the firms with two major headaches that expose them to higher degrees of risk, in its many forms, than the industry has ever seen.

First, exploration is expanding into more remote and potentially unstable regions of the world.  Even in leading energy producing regions, like the Middle East and Latin America, political turmoil endangers global energy supplies.  We saw Russia recently flex its muscles by withholding gas supplies to Belarus and Ukraine to force through price hikes, and the major oil producers have suffered at the hands of what some commentators have called “resource nationalism” in Bolivia and Venezuela.

Second, as new sources of energy, such as liquefied natural gas (LNG), are discovered and exploited farther away from consumers, the world is seeing a rapid expansion of infrastructure.  The network of pipelines, refineries and ports is an attractive strategic target for terrorists, guerrillas and organised crime.  The importance of key strategic points has not been lost on Osama Bin Laden, who called them the “hinges of the world economy”.  To make matters worse, many of the exploration zones are more prone to natural disasters than mature supply geographies.

Many global shipping routes, such as the Straits of Hormuz in the Gulf or the Straits of Malacca in Southeast Asia, make tanker traffic vulnerable to terrorists and piracy.  On land, pipeline projects increasingly cross multiple borders, compounding calculations of political risk for companies that have sizable investments in getting oil and gas safely to market.  

The world wants to minimise the risk of energy supply in the economic and security equation.  That’s why, beyond the macro-political landscape, continuity of operations is fundamental to continuity of energy supply.  When expanding into remote areas firms must bring their IT networks: an increasingly important tool for upstream production that brings its own risks.  Firms must learn how to use their networks to prevent, maintain and respond to unwelcome impacts on business operations.

Prevention - Security

The first involves the rapidly evolving security situation and the need for a tight focus on prevention rather than cure.

The threat landscape that confronts the industry has changed dramatically.  Where once it was a relatively straightforward process to locate an oil deposit, negotiate the exploration rights and set up a physical infrastructure to start extracting the oil, today the commercial pressure to do so quickly is increased by dwindling supplies.  The security risks are more diverse and widespread than ever before.

Oil companies increasingly consider oil fields as tradable financial assets, where the status of oil reserves is taken and traded in real-time across exchanges worldwide; this exposes them to digital as well as purely physical risk.  Often known as the digital oil field, the information flow within the E&P sector – containing seismic surveys and deposit analyses, for example – is hugely sensitive and spans continents, crossing any number of political and geographical divides.  If information is power, then information – data on a network – is simultaneously pivotal, coveted and therefore vulnerable.  A firm is only as secure as its weakest site.

As networks expand firms need to ensure security follows.  There’s no point in having watertight security at home but soft spots abroad.  Criminals have an uncanny habit of finding the path of least resistance into an organisation and will be happy to enter by the backdoor if it’s left open.  Every new location brings risk – both physical and digital - and firms must understand it and manage it effectively.   

Maintenance - Service

The second area involves keeping the business running.  As the reach of oil exploration companies grows longer, its supply lines and communication networks become stretched over greater distances and through more territories.  Should disaster strike, losing communications could be commercially fatal. 

The Taiwan earthquake which struck on 26 December 2006 was a dreadful tragedy which hit the headlines.  In the background there had also been an extreme amount of damage to technology in a very short space of time.  The earthquake measured 7.1 on the Richter scale and broke 22 undersea cables over eight separate cable systems. This was the biggest undersea capacity failure in history and meant severe disruption to communications services across Asia Pacific.

Putting it into context, BT alone lost 5.7 Gigabits of core network capacity over a 300 mile long fault line.  Our own global incident management process kicked in to establish the impact on customers and network services and then began the coordination of all available recovery options, cable repair and restoration activities. Isolated destinations such as Korea and Taiwan were the priority for restoring service.

The consequences for oil and gas companies of communications failure between sites for days, weeks or even months are difficult to overstate.  Understanding the role of the network, its weak points and its capacity to cope with a disaster, is a critical starting point. 

Our role in any natural disaster situation is to restrict negative impact for customers to a minimum. A priority is to find alternative connectivity for primary network links and to work closely with local carriers to ensure optimum use of the precious available bandwidth.  Our dual network approach has driven continuity across the world, with backup immediately available should one network go down. 

Reaction - Contact

Unfortunately even the best plans can’t guarantee absolute prevention and continuity.  The third area for consideration is what companies must manage when it all goes wrong.  The modern world means every major incident, no matter where it occurs, can come under global scrutiny within hours.

Firms must respond to problems by setting up a rapid response infrastructure in the event of a major emergency or environmental incident.  Establishing a field call centre in a remote, hostile territory is no easy task, but, should risk result in crisis, an organisation’s ability to cope with the ensuing panic is fundamental to its commercial reputation.

We are seeing a huge increase in the trend for organisations in high-risk industries to seek 'rapid response outsourcing' in order to manage their contact centre capacity and, to borrow some military terminology, make it more agile and easy to deploy.  Putting these types of plans in place is crucial for disaster recovery and working in remote, hostile locations, but understanding what response is appropriate in the face of a disaster is crucial.  Sometimes, for example, when dealing with a high volume of enquiries in a short space of time, the quickest and easiest solution in this situation would not have been an emergency contact centre on the ground or a website, but an automated voice service.

In the wake of a natural disruption to a pipeline, such as flooding or earthquake, many organisations will struggle to react quickly.  However, a virtual team can actually be brought together very quickly – even if a previous plan has not been made.  It is possible to pull together a team from all over the country, or even all over the world, and offer an organisation complete agility within hours of an emergency.

That, in short, is, I believe, the three-pronged approach that the oil and gas industry needs to take if it is to be prepared for the challenging times ahead.  In an age of uncertainty, what’s certain is that technology has never underpinned, so fundamentally, the industry’s future.  From managing risk and aiding security to providing swift and effective emergency communication, information technology is assuming a newfound prominence.  The businesses that understand that will be best-placed to succeed in the coming years.

 

 



 


 


 

 

 
Copyright © 2003-2012  ap Verlag GmbH