Cyber Security of Critical Transport Infrastructure: A Military View

In this podcast I speak to Colonel Philip Ingram, a former senior intelligence officer in the British Army, about the emerging cyber security threats to critical transport infrastructure.

A Happy New Year to you all.

It’s another podcast this week, and a conversation I had a few weeks ago with Philip Ingram MBE BSc MA GCLI who is a widely published journalist, specialising in security and intelligence, following a long and senior career in British Military Intelligence.

It was a wide-ranging discussion that allowed us to explore the dynamic and evolving nature of transport cyber security, and in particular the increasingly grey boundary between civilian and military threats. If you want to understand more about these risks and threats and how they are likely to evolve please take a listen. There’s also a transcript below.

If you aren’t already subscribed please do so now, so you don’t miss the next post.


Transcript

George Bearfield: So, Philip, what's your background and where does your interest in military intelligence and cyber security come from?

Philip Ingram: Well, my background is 26 years in the military, with the majority of my career in military intelligence and as a strategic planner. Part of my role as a senior intelligence officer was setting - in the early days of cyber security - cyber security policy standards. So, I had overall responsibility for security in many roles and that got me into cyber. After I got out of the military and spent a couple of years not focusing on it at all, I got back into the media side of things. I’m running a publication that looks at all aspects of security, and cyber, because it has got its electronic and digital tentacles into everything, is a really important subject.

George: And how do you think the cyber threat has escalated over the time you've been involved, particularly over recent years?

Philip: Well, the cyber threat in some ways is always changing, and in other ways it's quite simple. A lot of the successful attacks that are out there at the moment are the same sort of attacks that have been going on for years and they're just exploiting vulnerabilities that in many cases people have known about for years. But ‘cyber’ changes because the way we use our digital assets changes and the cyber threat landscape changes as well. So only a few years ago, the majority of security devices were hard wired together. They weren't connected to a network and therefore they were connected electrically rather than electronically. But with the advent of IP devices we're starting to see more and more devices connected into networks and all that goes with that. It grows the cyber threat landscape and you then get the ‘Internet of Things’ - or as I call it, the ‘Internet of Threats’ because, you know, that's exactly what it is. You're ever increasing this threat landscape that can be exploited again into your network. And I think we're just about to see another sea change in the coming years with generative AI. [Until now] it's been that you need to understand what you're doing to [develop] code for attacks against endpoints and attacks against networks and everything else. That has been exploited by cybercriminals carrying out attacks as a service (and you can buy those quite easily online - you don't even need to go to the dark web to get them). But now, with the advent of generative AI, anyone can write code because you can get ChatGPT, or other generative AIs, to write you the code that you need to attack various endpoints by putting in only a few criteria and this is where I think we're about to see a change.

George: It's not even as if you need to ask it to write code - you just set a goal and it will seek its way towards that goal.

Philip: Exactly. So, you know, it's an ever-evolving environment. The one thing I will say is that people focus on cyber at the expense of everything else. You know, it's a ‘digital’ issue and I'm holding up one digit of my hand here: one of my fingers. You know, it starts in the physical environment whenever these digits type code because someone has gotten various ideas about what they want to do with a network, and it's one of these digits that clicks on the link that tends to then infect a network. So it's a physical environment and cyber is just the enabling piece; the enabling environment, for that particular threat to exploit as it goes in.

George: Well, it's interesting that you mentioned generative AI in terms of it doing this sort of technical side, but of course generative AI can also mirror and make more complex the whole kind of social engineering side and attempts to trick people into doing certain things with messages that appear credible or as if they're coming from somebody that you trust.

Philip: Well, there's this. This is where, you know, it's not quite cyber, but we have to then get into the information game because, you know, being able to produce credible messaging - and we see that with a lot of the phishing scams that go out around the place. They get better and better and better, and they've been relatively easy to spot over the last few years because the grammar is wrong or the phraseology is wrong or the images are wrong or something else is wrong in it. But once generative AI comes in, it's going to be much more difficult to spot. I know cybersecurity professionals who are responsible for overall security in their own companies and they've set up ‘red team’ attacks into their own company. They've been the ones that have known the attacks are coming and they've fallen for the first phishing email themselves because people have used social engineering to exploit different bits and pieces. Then we get into the game of information exploitation and the ability to influence the way people think; their decision making, and that utilizes the digital environment. There's a debate as to whether it's actually a cyber security issue or not, but it's a security issue that doesn't really sit well anywhere. And with it exploiting cyber connectivity, especially through the use of social media and everything else, but also manipulation and use of big data, it is something that I think we have started to see in the past but will become more important in the future.

George: One area I was particularly interested to get your viewpoint on Philip - given the background that you've set out - is this. I've [mostly] worked in civil transport and civil industry and mainly rail. And there's almost an implicit barrier in people’s heads between peacetime and wartime, but the more I learn about the cyber-security space, the more I start to see that the boundary between nation state, military confrontation and some of the criminal activity isn't as clear as perhaps we would have thought. This term ‘hybrid war’ keeps popping into my head and the idea that malign nation states are probably cataloguing our vulnerabilities and investigating our civil infrastructure now in readiness for a possible future situation where things might turn very nasty indeed.

Philip: There's no probable about it. They are doing it now and they're doing it in a number of different ways, and your hybrid warfare is where we are. If you wanted to look at it from a cyber perspective, we are effectively at war continuously every day. You describe the rail network: critical national infrastructure is one of the targets that is continuously being probed. Vulnerabilities are being looked at and every now and again we see little ‘beta’ testing of cyber weapons, and nation states are doing it. But nation states are also sponsoring it. If you look at a number of the APTs [advanced persistent threats] that are out there - and you look at where they're configured - it's no accident that there's a large number based in Russia, because they won't be prosecuted by the Russian authorities. But they'll only not be prosecuted by the Russian authorities if they continue to cooperate with what Russia wants to do. Therefore they pay their dues and their dues are financial dues, because they make a lot of money out of a lot of the cyber-attacks that they're doing from a criminal perspective. But they're also their dues in carrying out operations on behalf of the Russian state. So that, you know, the Russian state can stay one step away if it's identified as coming in and keep that level of separation. You see the same in China. You see the same in North Korea, although we know that in North Korea everything is state controlled, and we know in China everything is state controlled. Russia, there's that little bit more liberalism. It was interesting when the Ukraine War happened because a lot of the criminal cyber APTs that there are, especially Russian based: they'd run themselves like businesses and they'd have leave plans and they'd have people that specialize in particular areas. And they pay them quite well, and they’d have contracts and everything else.
And once Russia invaded Ukraine, there were quite a significant number of their subcontractors who were Ukrainians, and they didn't want to work for a company that was based in Russia anymore. So they lost a degree of their capability and have been having to try and regenerate that again. It’s a professional organization whenever it comes to their business approach and that is recognised by nation states and forms an integral element of what nation states do. Of course, nation states themselves have got their own integral cyber capability too. And that's not just Russia, China, and North Korea. It's also all other nation states. You know, the UK has got the National Cyber Force and that is an active cyber capability carrying out offensive cyber operations.

George: Absolutely. So when you said about paying dues as well, I think it might be good to make this explicit, or at least get your view on what I suspect is the case but don't often get the opportunity to talk to people about: which is, when there's a ransomware attack on, say, a transport company and the criminals are in the network for some time, they’ll be ‘paying their dues’ in terms of disturbance caused and nuisance caused and also the financial terms. But they'll also be looking to exfiltrate as much data as might be of use for that nation state to think about offensive cyber-attacks and crafting those in the future, as well as looking for backdoors and other places where they can set themselves up for future attacks in the network.

Philip: Of course they do. You've got a lot of people who think “Oh, I will never be subject to a cyber-attack, because who's going to be interested in little old me?” But then you sit down and start to ask them what contacts they've got on their mobile devices or on their computers and who those contacts work for, and you'll find that they've got, say, a local politician. I deal with journalists a lot. You know, the journalists have got Ministers’ private contact details on their phones and once you've got that, you may be attacked to get that data. So it can be exploited elsewhere, and every little bit of data helps. If they know who your friends are - and we've seen this with the phishing scam emails that come in - if you get one, you know, from your best mate John saying, “hey, this is John,” and they've got the style of how he writes because they picked that up from doing social media analysis and all the rest of it, and it comes in from an email that looks like his, you know, in a very busy work environment the chances are you're going to click and open the email. It's very difficult for people psychologically not to, and that's how they're getting into different networks.

But the paying their dues is that for the different APTs sitting in different countries, they will pay a financial tax to allow them to continue to operate there and they will also pay an operational tax. So they'll have to respond to tasks that are given to them by the nation state. So the nation state can remain sort of one step divorced from the actual attacks that happened. But it's all about data. A friend of mine is the leading King's Counsel when it comes to data protection and all things cyber and Internet and has written the international legal textbooks on it. And he describes data as the new gold, the new oil. It’s that valuable.

George: So I have two related questions: I guess the first is that you talk about the importance of critical national infrastructure - I'm particularly interested in transport. How much of a target are transport networks and above all critical [transport] infrastructure, and what do you think the relative priorities are for nation states in terms of seeking to gain a foothold?

Philip: Critical infrastructure across the board, and transport in particular, will be being targeted on a daily basis. You know, it is a very, very high priority for nation states, principally because of the amount of data that is processed. It'll link to so many other areas. So they want to do it for two things: to get access to the data that's linked to the critical national infrastructure so that they can begin to understand how it’s put together; who the key movers and shakers are in it, what the issues are that there are with it, so that they can influence that at some stage in the future and tune their attacks to carry out the effect that they want: something serious in the future. But they also know that anything around critical national infrastructure has got a political element to it. And therefore they'll try and exploit that. They'll exploit that from a wider information perspective and everything else.

George: The capabilities which have been developed for really impactful attacks on critical infrastructure are by their very nature held back and would only be used when it's needed to use them, because otherwise people expose their capability and then that capability is copied, inevitably copied and shared by others. And we saw this with the Stuxnet attack - which of course relates to the fact you mentioned that Western nations have a pretty sophisticated cyber-attack capability. Well, that was evidenced in the Stuxnet attack on the Iranian nuclear centrifuges. But when you look into that attack, which was actually undertaken for a pretty high profile political objective - a political and military objective - it led to that level of technology and level of attack being exposed for others to use. It was a hugely technologically advanced attack, and that was many, many years ago.

Philip: Yes.

George: So it makes me wonder what the capabilities are that aren't exposed but exist out there at the moment, and what we might expect to happen should the political and military situation escalate to such a stage that some of those techniques would be used?

Philip: Well, we're seeing so many developments and techniques. You know, I'm looking at stuff that’s out there before I hypothesize a little bit. So we know that for the ‘Pegasus’ software to infect a mobile device, all you have to do is receive a message. You don't have to open anything. You don't click anything. The device just has to receive a message and that gives control over everything that's in your device; even when your device is switched off, they can remotely switch the camera on, they can access all the data that's on it. They can switch the microphone on and everything else. The only way you’d know was your battery tends to run down slightly faster than you expect, but that seems to happen with every upgrade that you get in an iPhone anyway. And that's a bit of software that we know about. It’s been found on a lot of senior politicians’ devices, and it was used to track the Saudi journalist Khashoggi in Istanbul before he was murdered in the Saudi embassy. But nation states will have something that is equally powerful, if not more powerful. And this is where we have to look at where our potential vulnerabilities are. Our networks are fantastic. Our networks and network protection are pretty good across the board because we've got, in many cases, AI enabled capability looking for any unusual activity on a network and it can spot it instantly and alert it and everything else. But you have to ask yourself how much actual work is done on something that is permanently connected to a network, with mobile devices getting more and more powerful? The majority of work is actually being done on mobile devices, not permanently connected to the network. They just go to the network to access the data that you need. It draws that data down and saves it.
You know, you save what it is that you're doing back up onto the network again, but if I wanted to attack to get data in a particular network, I'm not going to attack an endpoint that is connected into a network where there is a very sophisticated array of different capabilities protecting that network. I’m going to attack an endpoint that doesn't, and that's a mobile device, and therefore mobile devices I think are one of the biggest threat landscapes that there is at the moment. Within mobile devices we look at where a threat vector is likely to come from. How do you get illicit coding onto a device, or get the user of a device to give permissions to access everything on there without them knowing it? You produce a viral app, and I give a lecture around the world looking at Pokémon Go. And you look at what Pokémon Go did and it encourages people to take pictures of different places. I was thinking with my old intelligence hat on: if I wanted to send a specialist team to get some photographs of a top-secret establishment in a harsh country, it would take me 9 to 12 months to plan the operation. The team would probably last on the ground for two weeks maximum if I'm lucky, and there'd be a major diplomatic incident. However, I get the 12 or 14 year old child of someone that I know that works in there to take pictures around it because they're driving past it on the way to school, because I put a high-priced monster outside, and the additional bonus is that I can access all the data that's on the device that's doing that. In those countries those devices are going to be, you know, the parents’ devices and potentially the work device because that's the only one that will be allowed to use these sorts of apps. Now I'm not saying Pokémon Go has been, you know, in any way used for that. But the potential's there.

But you look at the likes of TikTok and you have to ask yourself a question. You know, is TikTok a fantastic video sharing platform first and foremost, is that its primary role, or is it primarily a data harvesting device? And, you know, data harvesting: what else can it harvest on your phone whenever you've got it sitting there? And from the research that I've done, it can access literally everything.

So the threat landscape is changing. And we have to be very, very wary of it.

George: Going back to rail as critical infrastructure: I know you pay very close attention to the war in Ukraine, and that's been a real test bed for technology. And obviously it's also been an area where rail has shown its importance for evacuating refugees, for bringing in supplies (military or otherwise) and for troop movements. I just wondered if you had any insights into what we've learned about the importance of rail and its security in a war footing from the war in Ukraine.

Philip: Well, Ukraine is an interesting one. Because, you know, Russia is so vast and it relies heavily on the rail network for getting its troops, its equipment, but more importantly its combat supplies, its logistics, as close to the front line as possible. And they don't have huge numbers of trucks and everything else. So the rail network is absolutely critical to Russia's war effort. And you look at the size of Ukraine: Ukraine itself is the second largest country in Europe. It's really difficult to get your head around just how big it is. The frontline and fighting in the East is, you know, 400 plus kilometres long and, what's going on in military terms, trying to get trucks to move stuff around, especially whenever you've got drones and missiles and other things that can intercept them, is not good militarily. Getting vast quantities of military material to one place by rail is essential, and we've seen a number of cyber-attacks against Russia’s rail network. Now the Russian rail network is still very Heath Robinson, and it's still quite old, and therefore what we're seeing is Second World War type operations, destroying signal boxes and derailing trains and other things that are being used to disrupt what's going on.

And it's interesting to see the old techniques being applied with the new techniques as Ukraine tries to disrupt Russia's rail network and logistics supplies, and they’ve been doing it quite successfully. I personally believe that this winter we're going to see a marked increase in those sorts of attacks across Russia.

George: You talked about disruptive technology, I think, and from a sort of arm’s length perspective, one of the things I've been watching with interest is the extent to which drones have really become a disruptor in warfare and how Ukraine and Russia and seemingly every country is experimenting with drones. But I just wondered if you had any insights into where that's likely to go and what impact they've had on the battlefield.

Philip: Well, it's not just drones. It's commercial off-the-shelf drones that have had a massive impact because they've been able to get huge numbers of very cheap drones. $1000 gets you a very capable drone. Attach a cheap explosive device to it and fly it into the back of a multi-million dollar armoured personnel carrier and when it explodes it sets the ammunition off in the back of that and destroys the vehicle. It’s a very cost-effective way of destroying military material, and it's also being used effectively as a long-range sniper. So the FPV (first person view) drones in particular are being used to take individuals out. This is a sea change in conflict. Electronic warfare is then very important to jam the control mechanism for the drones and to try and protect against them. I do know that Ukraine is developing its own drone manufacturing capability at a huge rate of knots and a lot of that is designed to get round the electronic warfare jamming and other bits and pieces. Russia's taking a slightly different view on it, in that what they're doing is they're buying kamikaze drones and stuff from Iran and elsewhere, and we see that with the Shahed 136 and Shahed 131 kamikaze drones. But Russia is being squeezed by international sanctions and is having difficulty getting its hands on the electronics that it needs. Whereas Ukraine is getting as much help as the West can pour at it, and I think this is one of the big growth areas that we're seeing in warfare: the drone becoming the sniper rifle of the future.

George: And I guess we're seeing the effect of drones in the maritime war as well.

Philip: Oh hugely. Ukraine, a country without a Navy, has already sunk one of Russia's largest ships, some of its newest ships, destroyed the submarine, and all of this is using drone technology. You know, it's using Western missile technology, but it's phenomenal what's going on. And I know within the militaries of the West it’s really raised a lot of eyebrows and people are really having to think about things in much more detail. Then if we extrapolate that into potential future threats, we see these amazing displays at a lot of big sporting events where you get the drone displays going up at night and you get swarms of drones doing different patterns in the sky. And we saw it in London on New Year's Eve last year. We'll see swarm drones connected with AI enabled targeting: that's frightening. You could use that to swarm into a crowd and take out people that you specify in AI as to the targets that you're looking at and you're looking for. There's a lot more to come with this and this is where conflict tends to accelerate technological change.

One of the biggest areas of technological change that we're going to see is the use of drones from an aggressive and offensive perspective, but the use of technology to try and defend against drone threats is being developed almost as fast.

George: And just again going back to the sort of transportation side and critical infrastructure: if I look at rail, for example, and the cyber security threat, a saving grace really has always been that on rolling stock, for example, emergency brakes tend to be hard wired, relay driven or, you know, kept away from networks. But we're now moving - in the UK, Europe and the world - into digital signalling, which is integrating the traditionally slightly separate trackside signal interlockings and the trains into one sort of network enabled or Wi-Fi enabled set of functions. I mean, from what you said before, it's probably inevitable that foreign nation states who are potential adversaries are looking in detail at this and what they might be able to do with it?

Philip: 100%. They will be, and this is where I've got some real concern: you know, driverless cars or interconnected cars now: I've seen those being hacked live. They can't be protected. The Americans can't keep their list of all of those with the highest-level security clearances across the whole country secure without it being hacked and released. Sony Pictures can't keep its latest blockbusters secure without it being hacked. And we connect our critical national infrastructure and our railways and all the rest of it. I'm really concerned that it gives a huge amount of potential to cause a massive amount of disruption, and we only have to think back to the earliest movie that there was that showed a cyber-attack on a transport infrastructure network that caused complete chaos. It’s one that most people won't remember and won't think of. The cyber perpetrator in it, the actor that carried out the cyber-attack, was Benny Hill, and the movie was ‘The Italian Job’.

George: Yeah.

Philip: Where they [dramatized bringing] the whole city's traffic light system to a complete standstill by injecting the wrong code in through the computer controlled traffic light system. That was way back then. If we're bringing in network connected controls for our rail network and everything else, people will be working very, very hard trying to find vulnerabilities in it so that they can exploit that at some stage in the future with an exploit for political purposes. So, you know, Russia could cause disruption to a rail network in the run up to general elections, so that people go, “Oh, it's the government not investing,” and everything else. Whether it's to give advantage should they go into a conflict scenario or anything else in between. So it's extremely worrying. On the positive side, I think the UK's almost the envy of the world in that we've got this organisation called the National Cyber Security Centre that is sitting, looking at all of the threats that are coming in. They're harnessing the power of industry as well as what the government's got, as well as what we're getting from international partners. And from what I'm seeing, they’re very, very good at identifying threats and mitigating most of them before they get in. But again, at the end of the day, a cyber attacker only has to be successful once; the NCSC has to be successful all of the time.

George: I'm a risk management person, so I spend a lot of my time thinking about low frequency, high consequence events. It can get a little bit disheartening when you're always in that space. I guess the difficulty is to do objective risk assessment, because the likelihood [is difficult to estimate]. They're not random events, they're conscious events. And so it's a very difficult one to get a balanced picture of how credible the threats and the risks are.

Philip: Yeah, well, again we've got a dedicated organization that looks at that and puts that together. It's called the National Protective Security Authority, the NPSA, and the NPSA works very closely with NCSC from a cyber perspective. But it looks at things from a much more holistic side of things and into threats. It used to be called ‘the Centre of the Protection of National Infrastructure’. But the remit has grown because they took in a lot more responsibility just outside critical national infrastructure and it's bringing the physical side together with the cyber side. They're continuously assessing the threats that there are. They know what high value targets across the UK would be and then provide advice, and the lovely thing about the two organizations is not just that they work together. The level of advice that they provide is phenomenal and it's free, and the capabilities that you have on their Internet links are superb. It's the sort of thing where a lot of consultants will go out and charge a lot of money for saying exactly the same thing that's available for free on these government websites, and they are proactive.

George: Yeah, absolutely. So that's a good point to bring things to a close on, Philip. That it's not all doom and gloom and we do have a pretty good, world class capability in the UK certainly, and also with our partners in the Five Eyes and elsewhere across the world, in trying to deal with some of these risks. Any advice or pointers for people working in transport sectors about how to approach these risks in the coming years?

Philip: Well, I think there's a couple of bits of advice. One is to get the basics right, because if you get the basics right then it will protect against the vast majority of attack vectors that there are out there, and have a cyber mindset where you recognise that everyone is part of the wider cyber community, it doesn't matter who you are. It doesn't matter whether you're the person tightening the bolts on the new rail that goes in, you'll have to type something into an electronic device somewhere, or you'll have a fitness tracker on you, or you'll have your phone and you'll get work emails. Everyone is part of the wider piece. Everyone’s got a degree of responsibility. If something happens and something that's unusual goes on, you don't ignore it. Hopefully there's the culture within the different organisations, too, to enable people to go and report it to a professional. And, you know, ninety-nine times out of a hundred it's not going to cause any problems whatsoever. But there’s that one nugget where a threat can be mitigated before it promulgates across the network and causes huge amounts of disaster. So you recognize that everyone has got a responsibility in this. We’re an interconnected society and we're only going to become more interconnected, and therefore you've got as much responsibility for your security - your work security - as the organisations that own all of the networks and the infrastructure.

George: Absolutely, thanks ever so much, Philip. It’s been a pleasure talking to you.

Philip: George, my pleasure.

Tech Safe Transport Podcast
How transport tech can go wrong and how to make sure it doesn’t
Prof. George Bearfield