The recent cyber attack on the UK parliament is said by various media reports to have resulted in no more than 90 email accounts being hacked. This has been reported with some relief. True, the attack could have been much worse, but to imply that 90 accessed accounts is in any way OK is completely wrong-headed.
It would be safe to assume that some of these compromised email accounts, in turn, have access to other important direct contact details and email addresses. It is this third-party data that can be saved and used at a later date (when this latest attack has been forgotten) to further burrow into government, civil service and other important accounts.
Hardly An Attack
The attack has been described as a brute force attack, as if the email system was somehow overcome, which sounds good in the media. The truth is that the attack was a straightforward dictionary attack – looking for weak and in some cases embarrassingly feeble passwords – passwords like “password”, “password1” and “passw0rd”. This is way beyond embarrassing and much closer to feckless & reckless.
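Passwords of this kind can be refused at the moment they are set. The sketch below is an added example, not part of the original article: it reduces a proposed password to the dictionary root a wordlist would try and rejects it if that root is on a deny-list. The deny-list entries and the function names are constructed for illustration.

```python
import re

# Constructed sample deny-list (assumption); a real deployment would load
# a large corpus of common and breached passwords instead.
DENY_LIST = {"password", "letmein", "qwerty", "welcome", "parliament"}

# Character substitutions that dictionary tools undo automatically.
# "1" is handled separately because it stands in for both "l" and "i".
LEET = str.maketrans({"0": "o", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalised_forms(password):
    """Return the plain-word forms a dictionary attack would cover."""
    lowered = password.lower()
    # Drop leading/trailing digits and symbols: "password1", "P@ssw0rd!".
    stripped = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", lowered)
    forms = set()
    for form in (lowered, stripped):
        for one in ("l", "i"):
            forms.add(form.replace("1", one).translate(LEET))
    return forms


def is_guessable(password):
    """True if any normalised form of the password is on the deny-list."""
    return not normalised_forms(password).isdisjoint(DENY_LIST)


def audit(candidates):
    """Return the candidates that a password-set check should refuse."""
    return [p for p in candidates if is_guessable(p)]


if __name__ == "__main__":
    # Constructed sample input, including the three passwords named above.
    sample = ["password", "password1", "passw0rd", "P@ssw0rd!",
              "L3tm31n", "correct horse battery staple"]
    for pw in sample:
        print(f"{pw!r:32} {'REJECT' if is_guessable(pw) else 'accept'}")
```

A check like this belongs in the password-change path on the server side, alongside two-factor authentication rather than instead of it.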
More Money & Bodies
Politicians (from all parties) need to be educated about the risks to their personal data and in the wider sense to the administration of democracy – both are under threat. Once their eyes have been opened to all the risks, the government need to increase funding and resources to protect (as much as possible) both the democratic and physical infrastructure of this country – as both are at real risk.
GCHQ needs to go on a massive recruitment drive and be given funds to offer competitive salaries for the best candidates. Once that has increased capacity and capability, GCHQ-trained staff need to be embedded into all branches of the civil service and democratic institutions, including parliament.
This Is Everything
Defensive cyber security and the ability to respond offensively are as important as aircraft carriers and the nuclear deterrent. The ability to respond aggressively is the effective deterrent that needs to be bolstered. The UK recognises the need – now the action must start.
The chief weakness is human – everyone has email and Internet access – and the ability to use pathetic passwords. Where possible this weakness needs to be designed out. Two-factor authentication would be a start for all government and related email addresses; this is not difficult to do.
This is not just an issue for government; business data and secrets are also targets. Much more needs to be done to protect against even low-level threats and disruption. Company IT directors need more money and places on the company board. According to the Financial Times, the recent Petya malware attack cost Reckitt Benckiser an estimated £110 million in lost sales, and some of its factories are still not fully operational again. The Financial Times also reports that AP Moller-Maersk, the shipping giant, has cargo stuck at 15 different ports around the world.