Will we ever have a 100% secure IT environment? No. But we can, and must, do better.
The recent cyberattack on Westminster should be a wake-up call to anyone operating mission-critical IT systems. It’s not surprising that Parliament relies on electronic communications. Nor is it surprising that sophisticated, state-sponsored hackers might want to target our MPs. Nor, even, that some MPs are bad at choosing secure passwords! The same could be said of any significant public or private organisation today.
What is surprising, given the increasing importance placed on IT systems by UK companies these days, is that the response to the attack was to shut off remote access to services. This sort of approach is not very effective at the best of times: consider – would shutting off remote access be a feasible way to address an attack on our diplomatic services, on fire and police first responders, or even on courier services? As technology shifts to cloud providers, the need for real, modern approaches to IT security becomes ever more urgent.
So, what should be done and what lessons can we take from this incident?
- There is no silver bullet for IT security; it is not something you can buy from a shop. It means changing the way we design and deliver IT services, the way we audit them and ensure they are working and secure, and the way users approach them. This is called operating model transformation, and it is urgent.
- The direction of technology development is simultaneously toward the ubiquitous use of mobile services, and away from in-house provision and single-source contracts towards a utility model: 'the cloud'. As these take hold, the notion of 'just turn off remote access' becomes infeasible.
A new approach is needed, and it needs to be incorporated as the IT services we rely on are modernised.
- Users cannot be trusted to pick secure passwords; everyone for whom IT is a critical service should look to enhance login security with multi-factor systems which require both a) something you know (a password), and b) something you have (a mobile phone or access token, for example).
It is equally important that the launch of IT services includes sophisticated audit systems that look not only for known bad behaviour, but for suspicious, abnormal behaviour. Because they do not depend on a signature of an attack already seen, these modern approaches are good at catching 'zero-day' threats, such as new viruses, novel hacking techniques, etc.
The silver lining is that we have expertise here in the UK at these kinds of approaches, so we needn’t look to send all our money overseas to address this.
- Public and private entities must not rely on outmoded 'perimeter security', which assumes the bad guys are outside the system and that anyone accessing an application is therefore a 'good guy'. This outmoded way of building IT systems has been responsible for many recent hacks.
The approach to take is 'defence in depth', where services are more circumspect about who is accessing them, together with the application of modern data-intensive early pattern detection systems.
- The cost of designing good security in from the start of a new service is very low; the cost of trying to retrofit it is prohibitive. Resilience and security must be planned from the outset, and systems designed to fail gracefully. Practices in the specification and procurement of systems, both public and private, will need to change.
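The three technical points above (a second login factor, audit that looks for abnormal rather than known-bad behaviour, and layering those controls instead of trusting the perimeter) can be shown together in one small piece of code. The following is an added example written for this page, not code from the author or from any system the article discusses. It assumes a password stored as a salted PBKDF2 hash, an RFC 6238 time-based one-time code as the 'something you have' factor, and a detector run over a handful of constructed login events; the thresholds, the user names and the placeholder country code `ZZ` are all assumptions made for the demonstration.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from collections import defaultdict

PBKDF2_ITERATIONS = 200_000  # assumption: demo work factor, tune for production hardware
TOTP_STEP = 30               # RFC 6238 default time step, in seconds


# ---- Factor 1: something you know (password kept only as a salted PBKDF2 hash) ----
def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest). The plaintext password is never stored."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


# ---- Factor 2: something you have (RFC 6238 TOTP, as produced by an authenticator app) ----
def totp(secret_b32: str, timestamp: int, digits: int = 6) -> str:
    key = base64.b32decode(secret_b32)
    counter = timestamp // TOTP_STEP
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_totp(secret_b32: str, code: str, timestamp: int, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps to tolerate clock drift."""
    return any(
        hmac.compare_digest(totp(secret_b32, timestamp + k * TOTP_STEP), code)
        for k in range(-window, window + 1)
    )


def login(record: dict, password: str, code: str, now: int) -> bool:
    """Both factors must pass: a guessed or leaked password alone is not enough."""
    return (verify_password(password, record["salt"], record["pw_hash"])
            and verify_totp(record["totp_secret"], code, now))


# ---- Audit: flag abnormal behaviour instead of matching known-bad signatures ----
def detect_anomalies(events, fail_threshold: int = 5, window_s: int = 600):
    """events: dicts with keys user, ts (epoch seconds), country, ok (bool)."""
    seen_countries = defaultdict(set)    # baseline: where each user normally logs in from
    recent_failures = defaultdict(list)  # failure timestamps inside the sliding window
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        user = ev["user"]
        if ev["ok"]:
            # A success from somewhere the user has never logged in from is abnormal,
            # even though nothing about the request matches a known attack.
            if seen_countries[user] and ev["country"] not in seen_countries[user]:
                alerts.append((user, "successful login from previously unseen country", ev["country"]))
            seen_countries[user].add(ev["country"])
        else:
            fails = [t for t in recent_failures[user] if ev["ts"] - t <= window_s]
            fails.append(ev["ts"])
            recent_failures[user] = fails
            if len(fails) >= fail_threshold:   # a burst of failures, not a single typo
                alerts.append((user, "burst of failed logins", len(fails)))
                recent_failures[user] = []
    return alerts


# Constructed sample data for the demonstration (not real accounts or real traffic).
SAMPLE_EVENTS = (
    [{"user": "user_a", "ts": 0, "country": "GB", "ok": True},
     {"user": "user_a", "ts": 3600, "country": "GB", "ok": True},
     {"user": "user_a", "ts": 7200, "country": "GB", "ok": False}]        # one typo: no alert
    + [{"user": "user_b", "ts": 8000 + 30 * i, "country": "GB", "ok": False} for i in range(5)]
    + [{"user": "user_a", "ts": 9000, "country": "ZZ", "ok": True}]       # ZZ: placeholder code
)

if __name__ == "__main__":
    secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"   # RFC 6238 test secret, base32 of "12345678901234567890"
    salt, digest = hash_password("correct horse battery staple")
    record = {"salt": salt, "pw_hash": digest, "totp_secret": secret}
    print("password + valid code:", login(record, "correct horse battery staple", totp(secret, 59), 59))
    print("password only:        ", login(record, "correct horse battery staple", "000000", 59))
    for alert in detect_anomalies(SAMPLE_EVENTS):
        print("ALERT", alert)
```

The design choice worth noting is that the audit layer does not know what an attack looks like; it only knows what each user's normal behaviour looks like, so a correct password presented from an unfamiliar place still raises an alert. In a real deployment the baseline would be built from historical logs rather than from the same batch of events being inspected, and the thresholds would be tuned to the service.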