Plain truth is we’ve all been far too complacent
IMAGINE a hotel careless enough to put its guests’ room keys on public display, along with their names, credit cards, passport details and home addresses. It would be a boon for thieves, snoopers and pranksters.
That, broadly, is what TalkTalk appears t o have done with its customers’ sensitive electronic data. And it has lost it to attackers – and is paying heavily for its carelessness.
Computers and networks can all too easily be breached, whether by criminals, hooligans, zealots or spies. But if the information is properly encrypted, the benefit to attackers is minimal. All they get is a bewildering mixture of letters and numbers. Without the ‘keys’ to decode it, the data is worth nothing.
TalkTalk, amazingly, appears not to have done this. That made it easy for the stillunknown attackers – perhaps criminals, perhaps political extremists, perhaps a mixture of the two – to steal customer information from its computers.
The company’s bland and contradictory statements since the attack – and especially the woeful performances by chief executive Dido Harding – only compound the impression of incompetence.
It appears that the attackers began by swamping the company’s website with bogus requests for information. This distracted attention while they hacked into the network and stole the data.
The attack highlights the scandalous complacency which still reigns in British business about cyber-security.
No chief executive would sleep easily at night if the company headquarters were secured merely with a child’s padlock, with vital commercial secrets strewn on every desk.
Nor would shareholders tolerate senior management who did not understand how to lock a door or file papers safely, and could not tell if the company had been robbed.
Yet the equivalent of such ignorance and carelessness when it comes to computers and networks is all too common.
Far too many company directors have not the faintest idea how computers work, or the formidable arsenal of weapons and trickery which attackers can deploy.
The hapless Miss Harding, bumbling from studio to studio, was unable to explain how her company had been attacked, how long the attack had gone on for, what had been stolen and whether the computers and networks were now secure. Nor could she tell who was behind it. This is the other striking feature of cyber-attacks. In the real world, we have a fairly good idea of who our enemies and rivals are. When it comes to cyber-space, we are in the dark
An illiterate and venomous posting on the Pastebin website, accompanied by what appears to be a portion of the data stolen from TalkTalk, appears to claim responsibility on behalf of Islamist extremists.
But we cannot be sure. Cyber-attacks are indeed a form of terrorism. They disrupt normal life, erode public morale, stoke feelings of powerlessness and humiliate those responsible for protecting us.
So attacking TalkTalk, a major provider of mobile phone and internet services, could be a stunt by those bent on destroying our way of life in the misguided pursuit of piety.
YET
anyone can claim to be a jihadist. The news that someone had delivered a ransom demand to TalkTalk suggests that the real motivation of the attackers was money, not mayhem.
The internet is rife with extortion demands. Even ordinary internet users can be blackmailed because they have left a compromising trail online by browsing pornographic websites, or posting indecent pictures.
Another common attack is ‘ ransomware’ – encrypting the data on a computer, and offering to unlock it in exchange for money. Sometimes criminal and extremist elements overlap. The jihadists may revel in the havoc they wreak, but also be keen to raise money for their cause.
One thing is clear. TalkTalk will not be the last victim of these terrifying attacks. The bleak truth is that the security of our computers and networks – government, business and private – is woeful.
Our police are hopelessly overstretched trying to deal with the wave of cyber-crime in this country. When it comes to crime that crosses borders, they are even more flat-footed.
We need to counter-attack with every means possible. Everyone who owns and runs a computer has a responsibility to keep it safe.
We do not tolerate badly-maintained and dangerous cars on our roads. We need the same penalties for irresponsibility on the information superhighways.
That will require not just criminal prosecution for corporate recklessness, but also greater use of civil liability. We need classaction lawsuits from the owners of data that has been carelessly stored.
Customers should desert TalkTalk in their droves. That in turn may encourage the company’s shareholders to ask hard questions of the management. Just don’t expect Miss Harding to answer them.
Edward Lucas is the author of Cyberphobia (Bloomsbury, £20)