Are your online accounts secure? It’s a trick question — they’re not.
There’s a catchphrase in cybersecurity: “There are only two types of companies — those that know they’ve been compromised, and those that don’t.” The same goes for every one of us.
Don’t believe me? Look up your email address on haveibeenpwned.com, a website which tracks accounts compromised in data breaches.
The other day, I did this for a colleague whose Deliveroo account had been hacked.
Her email address and password had been exposed four times, as had her date of birth, employer, gender, phone number and address. Three of these leaks had happened in the last two years.
Her case wasn’t even that bad. Ever used MySpace, tumblr, Dropbox or Adobe? In that case, your details have been leaked (mine were, multiple times). Other services you may have used, but didn’t know existed, such as pdf reader Lumin or email validation service Verifications.io, have done the same thing.
We are under attack from cyber criminals – constantly, remorselessly, from every angle, in every way – and we are barely putting up a fight. For most of us, and most organisations, getting hacked is just a matter of time.
So what can we do? The group charged with protecting us is the National Cybersecurity Centre (NCSC), which released its third annual report yesterday.
Faced with mounting evidence of our collective vulnerability, did this document paint a grim picture of the cyber epidemic?
Strangely, it did not.
In a tone of confident optimism, the NCSC announced it had “handled” 658 attacks on 900 organisations, mostly inside government.
With the deference traditionally accorded to security services, ministers and media reports hailed this as a triumph. Nobody seemed to ask the obvious question: given the scale of the problem, why is this number so small?
One reason relates to the function of NCSC, whose main purpose is to defend the UK from hostile nation states, most notably Russia, China, Iran and North Korea. It does this brilliantly, better than any organisation in the world, but the work is increasingly slow and painstaking.
“Highly sophisticated attacks are using surgical precision, with near military levels of planning, preparation and execution,” said Lewis Henderson, VP of Threat Intelligence at Glasswall Solutions Limited.
“This explains the relatively low volume of attacks the NCSC are defending against.”
Still, that leaves a question — one posed by Raef Meeuwisse, author of Cybersecurity for Beginners. Reading the report, he told me, left him “wide-eyed and loose jawed”.
“The general standard of cybersecurity deployed by most commercial enterprises and government functions in the UK continues to be woefully inadequate,” he said. “Yet, if we were to believe this report, everything is coming together just fine.
“This report appears to be a self-congratulatory pat on the back at a time when the revenue from cybercrime is continuing to rise to new highs.”
New figures released this week by the Office of National Statistics confirmed the gap between rhetoric and reality. On one hand, the number of online frauds had fallen. On the other, so had the number reported to police investigators.
Right now, only 2% of all online frauds are ever investigated by real police. Given that the real number of cybercrimes is almost certainly much higher than the official statistics show, that means a vanishingly small number of cybercrimes are looked into, still less solved. Crime isn’t meant to pay – but online, it does.
It’s harsh to blame NCSC for all this. After all, it cannot do everything, especially when every citizen and company is a potential source of trouble. Yet even though its report warned against complacency, there is a worrying sense that the NCSC is letting government – and all of us – off the hook.
As a branch of spy agency GCHQ that is also responsible for public cybersecurity, NCSC is in an odd position, with simultaneous demands to be transparent and secretive. It also has to justify its relatively new position within a government that has been severely criticised for lacking a long-term cyber plan.
But sugar-coating the situation does us no favours. A more honest account would accept the successes in dealing with a certain kind of hostile nation attack, while acknowledging the collective failure to deal with anything less dramatic.
An updated version of that cybersecurity adage might go: “There are only two types of countries — those that know they’ve been compromised, and those that don’t.”
The UK is still making up its mind whether it’s one or the other.
Sky Views is a series of comment pieces by Sky News editors and correspondents, published every morning.