Britain’s GCHQ agency prepares to come out of the shadows to combat cyber-crime

GCHQ headquarters in Cheltenham, Gloucestershire Credit: Barry Batchelor/PA Archive/Press Association Images

Britain’s GCHQ is preparing to come out of the shadows to combat cyber-crime, cyber-espionage and cyber-attacks.

That is one of the revelations from a cyber-security conference at Chatham House.

There are approximately 10 million malicious events occurring on the internet every day from online fraud and simple denial of service (DDOS) attacks, to sophisticated espionage.

Targets in the UK include government departments, defence and energy firms, banks, academia and even charities.

An increasing area of concern is service providers such as law firms which may carry out work for key targets such as defence contractors, but lack the sophistication and expertise of their clients in detecting cyber-espionage.

Such firms often represent the “soft underbelly” through which hackers seek ultimately to access the systems of the target organisation.

With services and commerce transferring online at a rapid rate, all relying on consumer confidence to keep the online economy going, there is no “Plan B” for a situation where rampant cyber-crime could create a catastrophic loss of trust.

“It would be nice if everyone had burglar alarms. At the moment we are not even closing doors and windows,” said a government source.

The same source went on to give an example where the agency had received information about a hacking conference, where hackers were set the challenge of getting administrator rights to the network of a large corporation.

The hacker who came second in the contest managed to gain the access within 23 minutes. The time taken for the winner is unknown.

In another case the agency discovered that 10 percent of the traffic on the network of a major firm was hacking attributed to “a major state actor”.

GCHQ has begun to move out of the shadows to combat the growing threat and help not only the government but companies across the UK economy continue to enjoy the huge opportunities represented by the expansion of cyberspace.

Universal Credit system a ‘massive target’

There are concerns the Universal Credit system could be targeted for online fraud.

A key concern for the Government is the new Universal Credit system, which will be used to pay all state benefits.

The Government aspires for the entire system to be operated and accessed online, slashing administration costs.

This will put £200 billion of payments online in the next 12 months, a massive target for online fraudsters.

The system which delivers these payments will need to be usable by claimants who may have little familiarity with online transactions, and yet secure enough to defeat fraudsters.

Even a one percent rate of fraud would lead to the loss of £2 billion from the scheme over a year, and a 0.1% fraud rate - an order of magnitude beyond that which financial services companies aim for - would still lead to a £200 million loss over the same period.

As a consequence, GCHQ is working closely with the Department for Work and Pensions to secure and defend the system, according to the same government source.

UK’s strategic problem

Although the eavesdropping agency can use its “unique capabilities” to directly defend British interests against cyber attack, such direct action can deal with only a tiny part of a problem which is growing by the day.

In order to deal with the strategic problem, government agencies aim to act as a catalyst for change.

Part of this is a broad outreach characterised by basic information such as the "10 Steps to Cyber Security” launched by the Government last year ; the recently announced “Cyber Security Information Sharing Partnership” – a way for leading companies and the intelligence agencies to share key data on real-time cyber threats; and work with the big four audit houses and the insurance sector to put cyber-security at the centre of corporate governance.

Government agencies are also working towards a set of technical standards for cyber security, and a kitemark system of firms, organisations and academic institutions to create centres of excellence in cyber-security and incident response.

“Ultimately self-help is the name of the game”, said the source.