George Osborne MP, the UK’s Chancellor of the Exchequer, has said that British government computers are on the receiving end of over 20,000 malicious email attacks every month.
In a keynote address at the Google Zeitgeist event in London today, Osborne claimed that foreign intelligence agencies are responsible for many of the attacks, with the intention of stealing sensitive information.
Here’s part of what he said:
In any given month there are over 20,000 malicious emails sent to government networks.
Here is a salient story from my time as Chancellor.
During 2010, hostile intelligence agencies made hundreds of serious and pre-planned attempts to break into the Treasury’s computer system.
In fact, it averaged out as more than one attempt per day.
This makes the Treasury one of the most targeted departments across Whitehall.
At some point last year, a perfectly legitimate G20-related email was sent to HM Treasury and some other international partners.
Within minutes it appeared that the email had been re-sent to the same distribution list.
In fact, in the second email the legitimate attachment had been swapped for a file containing malicious code.
To the recipient it would have simply looked like the attachment had been sent twice.
Fortunately, our systems identified this attack and stopped it.
The full text of George Osborne’s speech can be read here.
The “20,000 malicious emails sent to government networks” statistic is getting a lot of press, but actually it’s the same as the one revealed last year by the director of the UK Government’s Communications Headquarters (better known as GCHQ).
At that time it was claimed that 5% of the attacks (1,000 a month) were specifically targeted against government departments.
Earlier this year, UK Home Secretary William Hague revealed that attackers had successfully infected government departments with the Zeus trojan (also known as “Zbot”).
Of course, most of the attacks said to be hitting the UK government are hitting other organisations and businesses around the world too. Governments and firms alike face the challenge of keeping their systems secure, and their sensitive data out of the hands of cybercriminals.
Does the UK government keep its systems properly up-to-date?
Clearly up-to-date security software has an important part to play in all this, but I would recommend that the British government also takes a close look at its computers and applications to ensure that they are properly patched against vulnerabilities.
One key question I would pose, for instance, is whether the web browser and PDF viewer being used by the British Government is properly up-to-date and patched. That’s even before we consider Microsoft Office, Java, Adobe Flash, and so on ad nauseam.
In early 2010, the British Government was strongly criticised for its unwillingness to upgrade from the chronically insecure Internet Explorer 6, and thousands of people signed a petition calling on government departments to upgrade their browsers.
In October last year, the Home Office announced plans that it would at last upgrade to Internet Explorer 8.
It’s unclear whether all UK Government departments are now up-to-date in the browsers and other application they use, but it seems to me that if their computers are being attacked by foreign powers with boobytrapped documents and dangerous links that to do anything less would be negligent in the extreme.