MI5 Director General Jonathan Evans says there is an “astonishing” level of aggressive internet vulnerability exploitation by both state-sponsored and organised cybercrime groups.
Speaking in London on Monday at the Lord Mayor’s defence and security lecture ahead of the London Olympics, Evans said both attack groups put the nation’s secrets, infrastructure and intellectual property at risk of serious damage.
Cyber security stood alongside terrorism and hostile intelligence as a primary concern for the agency that was clouded by “uncertainties we can be certain about” and “those things we remain uncertain about”, said Evans in a nod to Donald Rumsfeld’s famous quote.
One thing Evans was certain about was the real financial threat to business from “hostile state” cyber attacks, pointing to a case in which, he claimed, an unnamed London-listed company that MI5 worked with suffered £800m in losses following such an attack.
The massive losses were incurred through IP theft and a weakened bargaining position during contractual negotiations, he said.
While he did not urge companies to necessarily invest in security measures, he recommended the boards of all companies “consider the vulnerability of their own company to these risks as part of their normal corporate governance” and that they demand their advisors and suppliers do the same.
Cambridge University security researcher Ross Anderson told CSO.com.au Evans’ speech was “the same old scaremongering”, accusing the UK Cabinet Office of peddling in a report that estimated the cost of cybercrime in the UK at £27 billion a year.
Anderson contended the UK would achieve better results by spending more on law enforcement and less on anticipatory security such as antivirus.
Cyber security has also become a more vital source of funding for the UK’s “Single Intelligence Accounts”, which include MI5, MI6 and its signals intelligence agency, GCHQ, which in 2010 scored the bulk of the UK’s £650m four-year budget to tackle cybercrime, according to a 2011 analysis by The Register.
MI5’s Evans warned the risk of “real world damage” would increase as more offline networks connected to the internet, referring to the ‘internet of things’. While established terrorist groups had not posed a major ‘cyber’ threat to critical infrastructure, he expected them to become versed in how to do it in the future.