You may have seen the news from Sky News that the Ministry of Defence was subject to dozens of breaches of military cyber security policy last year. It appears that the organisation was targeted by Chinese espionage group APT10, putting sensitive military secrets in jeopardy. Sky News obtained heavily redacted reports that mask the outcome of the breaches but make it clear that the incidents involve exposing data to nation-state level cyber risks, such as defence information being left unprotected to foreign states’ surveillance of internet traffic.
In response to this news, David Warburton, Senior Threat Research Evangelist at F5 Labs, comments on the nature of these data breaches. He acknowledges that data breaches are inevitable, even for businesses with robust security measures in place, but it’s key to limit the number of attacks happening by ensuring there are no lapses in security.
Data breaches caused by human error are extremely common and it’s important that cybersecurity policies account for these inevitable mistakes. Possibly the most infamous example was in 2007 when HMRC sent CDs through the post containing the names, addresses, and dates of birth of approximately 25 million adults and children.
However, when data breaches exposing military secrets affect our national security, it’s even more concerning, especially when groups such as Chinese espionage group APT10 are constantly looking to exploit any vulnerability to gain access to sensitive data. It is crucial, therefore, that we understand upfront what information we hold and the impact a data breach of this nature would have at an individual, organisational, and national level. We are now at a point where machine learning and AI play an increasingly essential part in keeping our data safe.
A huge percentage of traffic on the internet comes from automated scanning. This constant probing of cyber defences is carried out by many different entities, from kids in their bedroom to foreign spy agencies. APT10 is one of the older threat actors and has often employed targeted spear phishing and malware attacks.
By compromising a victim’s website, they are able to install malware on devices and steal a user’s credentials. The APT10 group has been known to harvest considerable amounts of personal data and intellectual property. Any small lapse in security is likely to be exploited by these groups and data will be automatically scooped up for later analysis.
The MoD has made a big push towards the adoption of public cloud computing over the past few years. While cloud platforms, due to their scale, can be inherently more secure than most private data centres, many organisations still fail to appreciate their role in securing the data in the cloud and incorrectly assume the cloud provider handles all aspects of security. In reality, managing information security and owning risk remains entirely with the data controller, regardless of where the information is stored.
It is clear from the leaked MoD breach report that the ministry actually has robust information security practices. By classifying data and the way in which a policy was breached, they are able to quickly assess the impact that any one particular breach has at an individual, national or political level.