George Osborne on Monday outlined the extent to which the Government’s IT systems are under attack from hackers, saying that more than 20,000 “malicious emails” are sent to its networks each month.
The Chancellor said that last year saw “hostile intelligence agencies” make hundreds of “serious and pre-planned attempts to break into the Treasury’s computer system”, which he said averaged out at “more than one attempt per day”.
Speaking at the opening of Google’s Zeitgeist event yesterday, the Chancellor outlined government plans to publish a wealth of data online and to make government services “digital by default”. But, alluding to high-profile cases of data loss like that seen recently at Sony, he pointed out that the Government “must get the security question right”.
He also announced the appointment of the former head of Barack Obama’s Open Government Initiative, Beth Noveck, to help implement the changes, which he called a “world-class appointment”.
In February this year, Foreign Secretary William Hague told a conference in Munich that the Government’s computers were infected by a virus last year, which was transferred via email. He said the infection was cleared up but added that “more sophisticated attacks such as these are becoming more common”. The extent to which that is affecting government systems, which hold sensitive data, was revealed by Mr Osborne.
He added that the Treasury is “one of the most targeted departments across Whitehall”. Mr Osborne outlined one example last year when, he said, a “perfectly legitimate G20-related email” was sent to the Treasury.
“Within minutes it appeared that the email had been re-sent to the same distribution list. In fact, in the second email the legitimate attachment had been swapped for a file containing malicious code,” said Mr Osborne.
He added that the two looked almost identical to the untrained eye but that the Treasury’s security systems identified the attack and stopped it.
According to reports, a similar attack aimed at the French Finance Ministry and the European Council last year got past the security systems of 150 computers ahead of the G20 summit. An anonymous French government official was quoted as saying that it had been “noted that a certain amount of the information was redirected to Chinese sites”.
During the speech, given to internet entrepreneurs, the Chancellor said he was “determined to get the security question right” and reiterated the Government’s commitment to launching a £650m National Cyber Security Programme to enhance its online security.
Graham Cluley, an internet security expert at Sophos, pointed out the risk that “one of the targeted government attacks could steal sensitive information from government computers and put it in the hands of unknown parties”. But he noted that the number of attacks quoted by the Chancellor is not unusual for an organisation of the government’s size.
He referred to GCHQ figures which suggest that only around five per cent of the attacks – around 1,000 per month – are specifically targeted against government departments, rather than as part of more speculative “scattergun” attacks.
Mr Cluley accused the government of traditionally being “slow to follow best practice” in online security. In a blog post, he recommended that the government review its security tools to meet the threat, warning that it should take a “close look at its computers and applications to ensure that they are properly patched against vulnerabilities”.
He wrote: “One key question I would pose, for instance, is whether the web browser and PDF viewer being used by the British Government is properly up-to-date and patched. That’s even before we consider Microsoft Office, Java, Adobe Flash, etc etc ad nauseam.
“In early 2010, the British Government was strongly criticised for its unwillingness to upgrade from the chronically insecure Internet Explorer 6, and thousands of people signed a petition calling on government departments to upgrade their browsers.
“It’s unclear whether all UK Government departments are now up-to-date in the browsers and other applications they use, but it seems to me that if their computers are being attacked by foreign powers with boobytrapped documents and dangerous links that to do anything less would be negligent in the extreme.”
Mr Osborne’s speech came just hours after Sony’s popular PlayStation Network was tentatively returned to service after hackers shut it down last month. Around 100 million accounts were compromised and credit card details and other personal information stolen in what is thought to be the biggest online security breach ever.