The Stratfor attacks weren't the most serious of 2011. Many of the email addresses exposed were already in the public domain. But it was a fitting end to the year: 2011 was the year of the hack, with organisations as diverse as Sony, the CIA and al-Qaeda all being attacked by hacktivists, state-sponsored hackers and cyber criminals. And the worst is yet to come. 'We're likely to see just as much activity in 2012 and probably more,' says Dave Clemente, a cyber security researcher at Chatham House, which runs an International Security thinktank. Jeffrey Carr, the founder of security firm Taia and author of Inside Cyber Warfare, who found his email address among those exposed by Stratfor, comments: '2011 was the year that our perceived security was stripped away. We are entering 2012 more vulnerable than ever before, because at least part of our security relied upon the perception that those people charged with our security, both public and private, could do the job. Well, that myth has been busted.'
'Belial' is a computer hacker, but one of the good guys - yes, they exist - despite taking his name from an Old Testament demon. 'There are cyber attacks going on right now directed at the UK,' he tells me over email. 'There have been so for the past few years. We can almost guarantee that they will happen this year. These attacks will be fairly sophisticated.' Asked about his own involvement, he writes: 'Practically anything I can disclose can and will be used against us. This is not a good situation to be in. Anyone you speak to who actually has any involvement in this subject matter will be unable to disclose any information regardless of anonymity. Anonymity doesn't exist.'
Belial runs The Hackers Voice, an online forum that aims to bring hacking and phreaking (the infiltration of landline telephone systems, pioneered by Vietnam veteran John Draper in the 1970s; he used a whistle to access AT&T's switching system and make long-distance calls for free) back to the UK. 'Hacking is NOT EVIL, despite what the mainstream media says,' reads The Hackers Voice homepage. 'We are explorers… We do not break into people/corporations' computer systems and networks with the intent to steal information, software or intellectual property.' The implication being, they do break in. Why? First, it's fun: 'Intriguing if not fascinating.' Second: 'Information should be free. Information wants to be free. Information belongs to the world!'
Those working to defend the UK on the frontline of the internet face an unprecedented feeding frenzy of hacking. According to a source, staffers at GCHQ, the government's listening post in Cheltenham, are 'over-worked, stressed out, frustrated, but keeping up the good fight'. British government sites and systems face around 600 malicious attacks every day, coming from
troublemakers, criminals and, perhaps, governments - the Foreign Office was the victim of a 'significant but unsuccessful' attack last year. 'They're up against it,' says Richard Clayton, a researcher at the University of Cambridge's computer lab. 'If they make a single mistake, then the bad guys get in.'
'At the moment, it's a wide range of different attacks,' says Clemente. Hacking attacks broadly come from three different sources: government-sponsored international espionage; viruses such as Stuxnet, which infected Iranian nuclear reactors and was suspected to be of US or Israeli origin; and politically motivated groups such as Anonymous and LulzSec, who between them claim responsibility for hacking Sony, Fox News and Stratfor, among others. But the threat to UK citizens is unlikely to come from hacktivists or state-sponsored hackers. 'It's not easy to take the UK offline - there's no single point of failure,' he continues. 'At least there shouldn't be.'
The biggest threat to the individual is from financially motivated cyber crime. Major General Jonathan Shaw, who heads the Ministry of Defence's cyber security program, said in November that 'The biggest threat to this country by cyber is not military - it is economic'. He cited one company in Warrington, Cheshire, which went bankrupt after hackers stole its blueprints for a new wind turbine and reproduced them cheaply in China.
According to Symantec, which makes security software for computers, cyber crime costs the world $388 billion a year - more than the global black market in marijuana, cocaine and heroin combined. Sixty-nine per cent of all online adults have been a victim of cyber crime at some point in their lives. The Office of Cyber Security in the Cabinet Office estimates the annual cost of cyber crime to the UK economy to be £27 million. A Hewlett-Packard study estimated that the cost of cyber crime to businesses rose by 56 per cent from 2010 to 2011. But it's not just a problem for big businesses. As a Chatham House report pointed out: 'In cyberspace the boundaries are blurred between the military and the civilian, and between the physical and the virtual; and power can be exerted by states or non-state actors, or by proxy.' In short, online hacking is everyone's problem.
And when even a grey hat hacker such as Belial (hackers wear three types of metaphorical chapeau: black, grey or white, corresponding to the legal status of their activities) is willing to talk, it can be hard to tell who's behind attacks and online scams, especially when pretty much anyone can take up hacking and make money. 'It's increasingly difficult to pin down one thing to a hacker or a group,' says Vincent Hanna, a researcher at Spamhaus, which tracks the most prolific spammers (spam often contains malicious programs used by cyber criminals). 'There's this whole ecosystem where people who want to do something bad can buy the services of a lot of other people to get started. On this underground market, you can say, "OK, I want 1,000 infected machines in Germany, and there's someone who can give you 1,000 machines in Germany, or wherever you want them. You have specialist providers of all sorts of services so that even somebody like me could do bad things online.'
In this market, it's possible to access 10,000 bots - infected computers connected to the internet - for about $15; stolen bank account details vary from $1 to $1,500 depending on the level of detail and account balance (bulk buying earns discounts, too). Many pioneering cyber criminals now sell their software, rather than repeat the crime themselves; it's possible to buy a copy of Zeus, a Trojan horse virus that steals banking details by logging the unknowing victim's keystrokes, for as little as $700. Up-to- date versions, with new features that help the hacker avoid law enforcement detection, can cost $15,000. And even if police can track down the criminals, pursuit isn't easy. Certain countries, such as Russia and lately Brazil, which have traditionally suffered from organised crime, have emerged as bases for cyber gangs, too, but cyber criminals aren't confined by geography and operate across borders. 'It's difficult for authorities to move across jurisdictions as easily as for traditional crime,' says Clemente.
But the net may be tightening. Based in Vauxhall, the Police Central e-Crime Unit of the Met has gone from 20 to 104 staff since it was set up in 2008. It's been busy, too: 'The PCeU has experience of investigating direct cyber attacks such as DDos, phishing, hacktivism, botnets, exploiting social networks, malware enabled fraud and extortion,' says Det Chief Inspector Terry Wilson. In September, the unit raided a house in Chingford, Essex, and arrested 19 people, following a tip-off from the FBI and subsequent investigation in concert with UK banks. The Eastern European gang had used a version of Zeus to steal £3 million from bank accounts belonging to members of the public. In November, the ringleaders were jailed for four years. The success of other such operations saved the UK more than £140 million from March to October alone, according to the Met. And it says that four new investigations will soon result in prosecutions - operations Westphalian, Yukon, Crossbill and Loyosa.
Despite these successes, Belial is sceptical about the Met's capabilities. 'The e-crime units are under-resourced and have no capability to come close to dealing with this subject matter,' he says. Wilson admits his unit faces a tough task: 'Cyber crime is constantly evolving and becoming more mainstream. More of the criminal fraternity will be drawn to the low-risk, high-yield benefits.'
But lack of talent on the frontline is a more serious problem than resources. Robert Nowill is the director of BT security; he was director of technology and engineering at GCHQ until six years ago. 'It's obvious there's a skills shortage,' he says. 'You could have graduates learning how to do penetration testing [sometimes called ethical hacking] but the hands-on, practical skills people already have are more valid. And the young people who have developed skills in that area have a choice in life. The vast majority go down the honest road but a small minority go the dishonest route.'
Private companies, such as Microsoft and Facebook, have tapped the grey hat pool, paying bounties to hackers who found holes in their networks. But this isn't an option open to public bodies (although DCI Wilson says the e-crime unit will consider 'any lawful enforcement asset authorised', suggesting a certain leeway in dealing with hackers). When GCHQ recently ran an online recruitment campaign, challenging the public to break a cipher, it made it clear that 'anyone applying who has hacked illegally will not be eligible to continue in the recruitment process'. Unfortunately anyone applying could also find the completion page of the puzzle with a quick Google search, even if they didn't have much technical expertise.
The Cyber Security Challenge UK may be one way to address the skills shortage. In March this year, 30 people will compete in the grand final at the Hewlett-Packard labs in Bristol, for prizes including bursaries, training courses and internships in information security. Entry opened last year to anyone; more than 4,000 people applied at the initial stage of the competition. 'If something like the Cyber Security Challenge can turn people from the dark side to something positive, that's great,' says Nowill. Judy Baker set up the challenge in March 2010: 'We very much hope to get to people before they reach some sort of crossroads in their life,' she says. 'They may decide to do a socially useful job with their competency, or they may swing the other way.'
But Baker also hopes to attract people who might not otherwise think of a career in cyber security. Dan Summers was working as a postman, delivering letters in Wakefield, Leeds, when he entered the inaugural competition two hours before the deadline (he had read computer sciences at university but dropped out). 'I just entered as an intellectual pursuit, a challenge,' he says. 'And I was hooked.' He won the competition and is now working across the country as an information security specialist for the Royal Mail, making sure the company's networks stay secure. 'For me, information security is the pinnacle of the profession.'
And just as there are underground networks of cyber criminals constantly in touch, so, too, there is a white-hat community developing. 'BT, GCHQ, the Ministry of Defence - we all rub shoulders,' says Nowill. 'It's a small, tight-knit community.'
Those defending the UK's cyberspace rely on this camaraderie, as pay is low: the competition by GCHQ was for a position with an annual salary of £25,000 - about half as much as an Infosec expert could earn at a private company, and much lower than on the dark side of the net. 'Spammer X', who retired in 2004 to write a book about his experience, said he made $336,000 each year. '2012 will continue to attract high-quality
criminals, because the amount of money to be made is huge,' says Nowill. But the operatives at government agencies 'aren't motivated by money,' says Clayton. And the unveiling of a new cyber security strategy last November, even if rather grandiose, means the UK will be better prepared than most European states. It had better be. In 2012, as Carr puts it, 'There's blood in the water.' ES