Bloomberg is reporting that the United Kingdom has publicly announced its first major government-backed cyber attack, conducted in 2017 and targeting Islamic State:

Jeremy Fleming, the director of GCHQ, which is better known for its communications interception work, said his agency had worked with the Ministry of Defence to make “a significant contribution to coalition efforts” against the al-Qaeda splinter group. He said that as well as making it “almost impossible” for the group to spread its message, the attack had protected forces on the battlefield.

“This is the first time the U.K. has systematically and persistently degraded an adversary’s online efforts as part of a wider military campaign,” Fleming told a cybersecurity conference in Manchester, England, “Did it work? I think it did.”

He said other operations might “look to deny service, disrupt a specific online activity, deter an individual or a group, or perhaps destroy equipment and networks.”

Notice the qualifier “as part of a wider military campaign” added to the statement? What this likely means is that the attack against Islamic State is not the first time the UK has conducted cyber attacks, but rather the first in which a cyber attack was only one aspect of a multi-faceted, multi-domain operation.

There is no doubt the UK has conducted previous cyber attacks. Although the nation has never publicly proclaimed so, the country is one of the stronger purveyors of cyber capabilities, and absolutely leverages them when necessary. Since the inception of the UK NCSC, which is part of the GCHQ, this operation was likely the first time the organization worked in tandem with the Ministry of Defence for this strategic opportunity.

Bloomberg reports on Deloitte hiring EUROPOL Executive Director Rob Wainwright to run their cyber security business:

The 50-year-old MI5 veteran will join the Amsterdam-based unit in June, according to Deloitte, which shared an advanced copy of its announcement. Deloitte is planning to add 500 people to its European cyber practice to meet growing demand from corporate clients anxious to prevent hacks.

“I spent a lot of the last few years encouraging private-sector leaders to take cybersecurity more seriously, to invest more,” Wainwright said in an interview at Europol’s headquarters in The Hague on Tuesday. “So now I will go directly in there and try to help them do it myself.”

Wainwright has spent 28 years working for the U.K. government, including more than a decade at the MI5 domestic intelligence service, where he specialized in counter-terrorism and organized crime. After stints as head of the U.K. liaison bureau for Europol and running the international department of what is now called the National Crime Agency, he returned to Europol as director in 2009.

During his time at Europol, which acts as an intermediary for 1,000 global law enforcement bodies and coordinates major investigations involving terrorism and money laundering, Wainwright helped oversee a number of high-profile stings. He played a key role in last year’s takedown of AlphaBay and Hansa, dark-web markets that sold everything from drugs to hacking tools. AlphaBay was more than 10 times the size of Silk Road, which the U.S. closed in 2013.

Sounds like a major win for Deloitte and a huge hire. It will be interesting to see if Wainwright is capable of developing additional business, and strengthening existing projects, based on his expertise and experience.

The Telegraph is reporting how experts are warning UK residents that smart meters could expose British homes to cyber attacks:

The intelligence agency GCHQ is said to have raised concerns over the security of the meters, which could enable hackers to steal personal details and defraud consumers by tampering with their bills, it is alleged.

The Government wants every home in the country to have a smart meter, but only 8 million out of 27 million households have so far signed up to the £11 billion scheme.

They are designed to help consumers keep on top of their energy use and send meter readings electronically to suppliers, removing the need for visits to people’s houses to read their meters.

However, the rollout of a second generation of smart meters, known as SMETS 2, has been delayed because of worries about security.

Smart meters are a tough proposition. They offer convenience for consumers and electricity suppliers alike, but the history of how the power industry has adopted connected technology is not comforting when considering cyber security. It is a good idea to delay the deployment of smart meters to take a good, strong look at the plan to ensure it is leveraging strong encryption, has no known backdoors, and is utilizing well-established and peer-reviewed standards.

Unfortunately, all too often, the electric power industry allows vendors to dictate the solution rather than the industry working together to agree on a secure, smart, resilient solution to this very challenging issue. Hopefully smart meters will help the industry take a step back and reevaluate their strategy, potentially refocusing on a better way of deploying and implementing smart meters.

Reuters reports on the UK publicly attributing and blaming Russia for last year's NotPetya attack, which crippled multiple UK government agencies and businesses:

The so-called NotPetya attack in June started in Ukraine where it crippled government and business computers before spreading around the world, halting operations at ports, factories and offices.

Britain’s foreign ministry said the attack originated from the Russian military.

“The decision to publicly attribute this incident underlines the fact that the UK and its allies will not tolerate malicious cyber activity,” the ministry said in a statement.

“The attack masqueraded as a criminal enterprise but its purpose was principally to disrupt,” it said.

“Primary targets were Ukrainian financial, energy and government sectors. Its indiscriminate design caused it to spread further, affecting other European and Russian business.”

The UK is showing the current US administration how to play hardball politics against Russia. Since the US is not publicly condemning Russia for its bad behavior, our allies will have to fill in that gap until the administration changes its tune.

CNN has an interesting short report on Darktrace, a UK cyber security company founded by ex-MI6 spies and mathematicians:

Instead of just building firewalls, the Darktrace Enterprise Immune System is designed to understand what the company’s normal network looks like and identify any abnormalities.

Sloan says the system behaves the same way as the body when it has the flu: “This technology is like a fever that alerts us when we have a virus and then we need to take action to treat it.”

An example of a small abnormality that the technology would pick up is if an employee logged onto the server at 10pm, without ever having done so before. It would be immediately flagged as unusual.

I have seen demonstrations of Darktrace technology, and even worked closely with the company, and believe they have a valuable product. They are a unique player in the market and one to consider.

One word of caution: although Darktrace uses AI, they are not the only player in the industry to do so. Just about every company has some form of AI built into their products these days. So take the whole “we use AI” claim with a grain of salt, since it is no longer a niche idea.

Disclaimer: I work for McAfee, potentially a Darktrace competitor.

TechCrunch reports on some changes the UK recently made to their NIS Directive:

In the UK, the government has announced that organizations working in critical services like energy, transport, water and health can be fined up to £17 million ($24 million) as a “last resort” if they fail to demonstrate that their cyber security systems are equipped adequately against attacks.

Major requirements for organizations will include having the right people and organization in place to handle a cyber attack; having the right software in place to protect against attacks; having the right capabilities in place to detect if an attack has taken place anyway; and having the right systems in place to minimize the impact of an attack if a system is breached (despite the other three being in place).

More detailed guidance includes how to secure other aspects of your network, such as your supply chain and how your data in the cloud.

The UK is well ahead of most of the global cyber powers on oversight of critical infrastructure cyber security implementation. This is a good set of lessons learned that Japan should consider investigating to determine their viability in the country.

The UK’s National Health Service failed to follow basic IT security practices, gravely costing them when WannaCry hit the internet:

The UK’s National Health Service is spending £20m on a new security operations centre to improve its ability to help local NHS organisations respond to ransomware and other cyber security threats.

A subsequent review found that had UK security researcher Marcus Hutchins not found a ‘kill switch’ for WannaCry within days of the initial outbreak, a further 21 trusts – totaling 92 NHS organisations – could have experienced disruptions too.

As part of the project, NHS Digital is inviting private sector to bid for a three to five year contract to support its new security responsibilities.

The National Audit Office released the findings of a review of WannaCry’s impact on NHS last month that found the malware was preventable if the NHS had followed “Basic IT security best practice”.

The audit also found shortcomings in NHS incident response plans, which covered roles and responsibilities of national and local organisations, but had not been tested with local NHS organisations.

Most, though not all, breached organizations failed to follow some basic IT security best practices or were complacent in applying operating system and application security patches. Cyber security is not rocket science – it takes a systematic, methodical strategy, and can be done well, but it requires laser focus and a corporate culture of understanding risk and demanding these security lapses do not happen.