Cybersecurity was unlikely to be on the minds of Cherif and Said Kouachi as they entered the offices of satirical magazine Charlie Hebdo in Paris on January 7. Yet in the wake of the attacks Western governments have turned to computers as a means of shielding their citizens from future assaults by Islamic terrorists – causing a furore at the process.
British prime minister David Cameron has been at the forefront of the scandal, arguing that there should be no means of communication free from the prying eyes of spooks, before jetting off for Washington where he intends to forge an even closer partnership in cyberspace with the US.
It is not the first time the Etonian has been at odds with technology, the prime minister having previously accused social networks of harbouring terrorists. Added to his promise this week that the NSA and GCHQ will play out "war games", many will be wondering if his strategy will work, and what might be lost in the process.
Playing war games
Despite the headlines, Cameron admitted to the BBC’s political editor Nick Robinson that the programme would be building on previous collaboration between the two leading members of Five Eyes, a security alliance that also includes Canada, Australia and New Zealand.
"This type of collaborative cyber conflict simulation has been a regular occurrence between the UK and the US for nearly 10 years," said Andy Settle, chief cybersecurity consultant at defence firm Thales UK. "US Exercises, such as Cyber Flag and Cyber Guard which take place every year have been a crucial factor in developing qualified responses to cyber-attacks.
Those responses are more urgent than many think, he added. He believed the threat of cyber-warfare could be as damaging as the doomsday nuclear threat, an idea that lacks currency among the public. "A successful attack on a country’s financial sector, for example, could lead to disastrous consequences throughout the world, with staggering effects on markets," he said.
For its part the financial sector in the City of London has already steeled itself for cyber-attacks, conducting an drills over the last three years to test its measures against hacking. Dubbed Operation Waking Shark, the tests saw firms pelted with distributed-denial-of-service (DDoS) attacks, malware capable of wiping data and issues with payment infrastructure.
Even so, David Palmer, director of technology at the security firm Darktrace and a former employee of both GCHQ and MI5, said Cameron’s idea would be a boon to financial security.
"The idea of government-assisted war-gaming to demonstrate how skilled and creative hackers would attack these highly-defended institutions will be excellent for raising awareness of hacking approaches both within the finance sector and more broadly across the economy," he said.
Others warned that it has to be carefully planned to be effective. "Technical teams need to be given the freedom, resources and time in order to ensure this is more than just a PR exercise," said Chris Boyd, malware intelligence analyst at Malwarebytes, a security vendor.
"Today’s advanced attacks are carried out by creative, skilled teams who are not burdened by the limitations of government bureaucracy, something which needs to be replicated for such an initiative to flourish."
Socially responsible media
Aside from discussions around war games, the attacks on Charlie Hebdo provided ample opportunity for Cameron to resume his quarrel with Facebook and Twitter. His plan is to create a legal framework to allow spooks to sniff data off of social media, an issue he will discuss with US president Barack Obama during his visit.
This presents a problem for Silicon Valley. "You have to be sensitive and open to the needs and wants of the government," said Daniel Mothersdale, general manager of security firm Ultimaco. "But at the same time the man in the street that’s using your technology wants to know he’s secure."
Cameron’s challenge to encryption is therefore not merely counter to the aims of cybersecurity, but an existential challenge to it. "You’re basically asking [security firms] to create a universal key on all their products," Mothersdale added. "And then by definition they’re not secure."
What the future holds for the industry is now on a knife edge. What happens next is anybody’s guess.
