In the last days of summer, the Jaguar Land Rover manufacturing plant in Liverpool called a halt after its luxury material supply was no longer guaranteed after a major cyber attack upended its suppliers.
The cost in lost revenue to the Jaguar Land Rover company, which exports Range Rovers, Land Rover and Jaguar luxury vehicles to the world, could total more than £2.2 billion ($2.9 billion) if the shutdown of three of its factories goes into October. The interruption of output threatens its 30,000 direct employees and the 200,000 people in its supply chain.
It is a calamity of such seriousness that the UK government has been forced to step in, but it is also a sign that Britain − and other developed countries − are dangerously vulnerable to the young adults who make up the foot soldiers of global cyber crime gangs.
JLR’s travails came on the heels of a cyber crime spring and summer in which it was joined by retailers Marks and Spencer and Harrods and the food store chain Co-op in suffering devastating business interruptions. All the brands are emblematic of the UK and leading businesses.
The cost to M&S was about £300 million, the Co-op lost an estimated £100 million, while the disruption cost Harrods about £30 million.
Total cost to the companies could be more than £2.65 billion in lost revenue − which is about half the annual budget of the spy agency GCHQ, charged with protecting the UK against cyber crime.
The problem is, according to experts spoken to by The National, the luxury brands will continue to be targeted because they are “so valuable and have such large databases” and GCHQ has excellent but limited resources.
Brand Britain
But if “Brand Britain” is under siege shouldn’t government be doing more to provide the defences?
As it is GCHQ and its National Cyber Security Centre arm is under significant pressure fighting off state actors − mainly Russia, China and Iran − while also attempting to defend Britain’s critical infrastructure from cyber assault.
The security services, said Prof Oli Buckley of Loughborough University, “can’t directly protect every company from every possible cyber threat” because that “would be like asking the Met Office to stop it raining”.
Essentially it is now down to companies to protect themselves as all that hackers need today is “one crack in the door” and they’re in.
That was ably demonstrated by the gang that managed to get around M&S’s “hardened perimeter” via a supplier, who will not have the same level of security, said Prof Madeline Carr, cyber security expert at University College London.
“Basically, since we have moved the economy online we have never really prepared for this,” she added.
The UK has “significant cyber vulnerabilities” and it was “widely recognised that better cyber security and resilience is needed”, particularly for UK critical infrastructure as it was a “relatively rich target for cyber criminals”, said Dr Joseph Devanny, of the Department of War Studies, King's College London.
Category one
Security sources told The National that while there might be a “blind spot” in Britain’s defences – as there are in almost every country’s – companies “need to be doing more to protect themselves”.
There is also a need for more resources, especially for the National Crime Agency that leads on cyber, said Dr Gareth Mott, of the Royal United Services Institute think tank.
There is a suggestion too that what veteran Labour MP Liam Byrne described as a “digital siege” on big companies is a new form of modern-day terrorism.
With the attacks increasing the chair of business committee argued that the government needed to act as a backstop to a “different insurance system” to help companies.
A security source said that getting domestic security agency MI5 involved was unlikely, as there had not yet been a cultural shift − as there was in 2000s on counter-terrorism − “because there’s nobody threatening us with guns and bombs”.
Enlisting MI5 or counter-terrorism teams was also not the right approach as it was “like using a chainsaw to trim your toenails”, said Prof Buckley.
However, it might take a Category One incident, that could see loss of life from a hospital shutdown or mass pollution of sewage leaking into drinking water, to make real changes, he added.
“Cyber incidents are serious, but they’re not bombs dropping from the sky. What we’re seeing now is a perfect storm of criminal opportunity, geopolitical tension, supply-chain fragility and a growing dependence on complex and interconnected systems,” he said.
As Britain had not yet experienced “that cultural shift in cyber”, Dr Mott called for a “more aggressive, interventionist government policy” but admitted that had been low on its priority list. “It’s just that we haven't seen a Category One incident … yet.”
Darknet dangers
Despite their deeply damaging impact, very little is known about the criminals behind the attacks beyond their cyberpunk names such as Scattered Spider, Lapsus$ and ShinyHunters.
They are usually a disparate assembly of young criminals, some teenagers, who spend many hours online usually in “darknet communities” planning how to hold western economies to ransom.
They are mainly based in Britain or America using their local knowledge and accents to hoodwink people by “vishing” − voice and phishing − alongside sophisticated internet tools that are now so accessible.
“It’s a much more lucrative, low-cost, low-risk way of committing, organised crime now because the chances of being apprehended are very low,” said Prof Carr.
Some of the gangs like Lapsus$ − also known as Strawberry Tempest − have very few members, perhaps seven, including two teenagers, with a presence in both Britain and Brazil.
Digital doorknobs
It is not known how much cash is paid by major companies for ransomware – something the government discourages – but there are reports of hefty payments.
However, a part of it is done for the bragging rights and it “makes a far better story when it’s an iconic brand”, said Prof Buckley.
“The attackers rattle digital doorknobs to see who’s left theirs unlocked, or they exploit supply-chain links that just happen to include a big name,” he added.
That is a shift away from state hackers, who remain a threat, as do the mass hacking farms found in Cambodia and Myanmar.
The problem was that “criminal tactics, techniques and procedures are outpacing businesses' cyber preparedness”, said Kailyn Johnson, the cyber lead at Sibylline intelligence company.
But it’s not just the mischief, notoriety or cash. The criminals also soak up and sell the valuable data that’s especially useful from JLR’s customers who can afford the £106,000 latest Land Rover.
“It’s almost inevitable criminals shifted to this kind of ecosystem where we share valuable data that can be monetised,” said Prof Carr.
Ms Johnson agreed. “Lucrative data that will certainly sell for high prices on the dark web.”
Cyber law
The crime is growing so quickly that is has now become a “game of whack-a-mole as global law enforcement agencies co-ordinate to take down criminal infrastructure” only for the gangs to “disband and reform down the line”, said Virpratap Vikram Singh from the International Institute for Strategic Studies think tank's cyber security team.
The UK in particularly was “witnessing a notable increase in incidents” with NCSC reporting a doubling of “nationally significant” cyber incidents.
That will require much more resources. But firstly the government needs to get its Cyber Security and Resilience Bill through Parliament that will require major companies to manage their critical infrastructure.
Expect it to get worse, argued Joyce Hakmeh, Chatham House think tank’s international security expert. “The criminals learn from each other, what works, and apply it so there's an urgent need to do something because the scope and impact are clear.”
The problem was the “barriers to entry have definitely lowered” as unlike in the past the “sophisticated tools are much more accessible” and AI has yet to play a major role.
Cyber shoplifters
The JLR hack in particular might well have shaken the government into greater activity, but that will not help the company, Harrods or Co-op all of whom did not have insurance cover, unlike M&S.
Long gone are the days when profits were held back by shoplifters or suspicious packages.
As businesses have grabbed the opportunities offered by going online, so criminals have shifted to the internet, posing a serious threat to the economy.
This is something that the security services admitted needs to be thoroughly reviewed. “The high-profile cyber attacks we have seen in recent weeks must give us pause – not because they are unique, but because they are not,” an NCSC spokesman said. “They merely serve to highlight the reality of what the National Cyber Security Centre sees every day.”
