Cyber-terror: How real is the threat? Squirrels are more of a danger

Comment The UK Chancellor George Osborne last week announced that the British government plans to double cybersecurity spending and establish a single National Cyber Centre.

Cybersecurity spending will rise to £1.9bn ($2.87bn) at a time of budget cuts to police and other government departments. More details are expected to come in the Autumn Statement to Parliament on Wednesday.

Speaking at GCHQ last week, Osborne claimed that the extra spending is justified in large part because cyber-jihadists are trying to take down critical infrastructure – power stations, air traffic control systems and more. Daesh, aka the Islamic State, is plotting deadly attacks on computer systems – and is close to achieving the capability, the Chancellor alleged [speech transcript here, press statement here].

"I have made a provision to almost double our investment to protect Britain from cyber attack and develop our sovereign capabilities in cyberspace, totaling £1.9 billion over five years," Osborne said.

"If you add the spending on core cyber security capabilities government protecting our own networks and ensuring safe and secure online services, the government's total cyber spending will be more than £3.2 billion."

Some of the money will go into an Institute of Coding as well as fighting cybercrime. But a major focus of the spending will come in further boosting the capabilities of GCHQ to tackle Daesh killers. Neither Russia nor China (the UK’s most capable cyber-espionage adversaries) merited a mention in the Chancellor's speech.

Daesh, by contrast, were mentioned eight times. As well as talking about the use of the “internet for hideous propaganda purposes, for radicalization [and] for operational planning,” Osborne claimed the medieval terror mob posed a growing cyber threat.

But what are the capabilities of the self-styled Cyber Caliphate? Russia is now the chief suspect in the most serious network assault ever attributed to the Cyber Caliphate group, the hack on French TV station TV5 Monde back in April. Jihadist propaganda was posted on the station's website by miscreants who claimed they were affiliated with the Islamic State. The TV network was knocked off air for about 18 hours.

Pretty much everyone took it at face value that the Cyber Caliphate was behind the attack, and it wasn’t until weeks later, once the dust had settled, that experts published evidence that undermined the Daesh-involvement hypothesis and fingered Russians as the likely culprits.

DDoS, defacement and social media hijacking

As explained in some depth by security expert Robert Pritchard, cyber-jihadism is likely limited to "website defacements, denial of service attacks or some sort of social media hijacking." Pritchard published the article months ago but he told us last week that the capabilities of cyber-jihadists haven't changed much, in his assessment.

Hacktivists on the pro-Assad side – most notably the self-styled Syrian Electronic Army – are demonstrably capable when it comes to social media hijacking, which they normally pull off using phishing. Elements of malware slinging are also involved in both sides of the pitiless civil war in Syria.

But an ability for militias or terrorists to launch infrastructure attacks? Really there’s no evidence for that, at least in the public domain – even though some infosec firms are all too ready to ramp the threat level all the way to DEFCON-1.

London calling

Anti-malware firm BitDefender last week implausibly warned that an “IS cyber-attack on the UK could cripple all forms of communication and infrastructure.”

Catalin Cosoi, chief security strategist at Bitdefender, stated: “A possible worst-case scenario is the crippling of all communication and critical infrastructures, ranging from mobile phone to water supply, electricity, and gas. This could be coordinated alongside a physical tactical assault, as disrupting any form of communication or internet-connected technology could be used as a serious tactical advantage on the ground.”

“It is conceivable that although Islamic State might not have the necessary technical skills, it could potentially outsource these types of attacks to parties that do. The black market is riddled with such services, all waiting for the right buyer,” he added.

Challenged by the Register to justify this warning, Cosoi referred to run-of-the-mill action movie Die Hard 4.0, and denied spreading fear, uncertainty and doubt. Independent experts, such as Steve Lord, are dismissive. “Bitdefender’s assertions are more grounded in Hollywood than reality,” he said.