POLITICS-FIRST-SEPT-OCT-2016-FINAL
politics first | Special Section: Cyber Crime

ADVERTORIAL

Society must understand cyber crime to effectively tackle it

Dr. Adrian Davis, (ISC)2 Regional Managing Director – EMEA Region, explains to Marcus Papadopoulos the actions required to decisively meet the menace of cyber-crime

Cross-border cooperation is crucial to confronting cyber crime

Andrew Bingham, a member of the Culture, Media and Sport Select Committee and Conservative MP for High Peak

UK companies earn £1 of every £5 via the internet, and this is predicted to grow. However, the emergence of online crime raises the question of how to approach internet security and what the Government can do to protect UK citizens and businesses.

The internet has created new opportunities for business, education, communication and leisure. Some surveys attribute 21 per cent of the GDP growth between 2006 and 2011 in countries like the UK to internet use. If we are to keep using the internet, we must effectively approach the issue of internet security.

The very nature of the internet has led to a design which lacks borders and has no central control, leading to amorphous boundaries between countries – private companies are free to establish international links and route traffic in any way which is commercially viable.

That freedom has a number of benefits. So, for instance, from a business perspective, you can establish a presence online and market your services with little effort. People can share ideas and information freely - no matter their origin.

A key aspect of the internet is the state of the software industry and the very applications used across the internet. The industry itself creates a challenge: that of software errors. That is highlighted by the wide variety of applications in use, ranging from online banking to movie streaming and web browsing.

Unfortunately, each piece of software has potential errors or problems built in, known as “bugs”. Those are typically unintended defects in the software which were accidentally built in by the designer. Despite the massive investment and wealth generation that comes from building software, bugs still exist, partly because the authors rarely face the consequences or an economic loss for poor quality.

Unfortunately, bugs have a darker side beyond simply upsetting the end user. They often provide a mechanism which allows malicious people to hack or abuse the software. Hacking software can have serious consequences; a recent example was the breach of TalkTalk’s systems in 2015. Errors made in their software exposed 157,000 UK customers’ personal details.

The openness of the internet, and the prevalence of software bugs, has led to a rise in internet criminals seeking to exploit this environment. The Department of Culture, Media and Sport reported that online banking fraud had cost UK businesses £40 million in 2014 - and this is increasing.

It is now a fact that a billion-dollar bank heist is actually plausible and could be carried out without the criminals ever setting foot in the country where the crime took place. That creates a big problem for law enforcement: if perpetrators can cover their tracks and hide their identity, how do investigators even know which country they are in, let alone successfully prosecute them? The cross-border law enforcement issue is a key challenge facing governments around the world.

In November 2015, the then Chancellor George Osborne announced a £1.9 billion investment in cyber security, including the establishment of a National Cyber Security Centre. The principle behind a single central body for managing incidents is a sensible step, and ensuring that the new organisation has clear responsibilities is essential for it to be successful.

Unfortunately, the role of internet security is much harder than it sounds. As highlighted, if you have no borders, and if anyone in the UK can be directly attacked via the internet, then you cannot throw up border control. Instead, every company and person online needs good internet security in place to protect them.

What a central body can do, therefore, is encourage investment in and improvement of online security. In the United States, a standards body, the “National Institute for Standards and Technology”, provides useful information for government departments, businesses and users. Those standards help to encourage stronger security and information sharing across the country.

A national strategy can also help with awareness of the issue of internet security. Educating our children in schools is a valid approach and one that, in the long run, would ensure that we have internet-security-literate consumers and workers within our businesses.

Finally, the last key area is cross-border collaboration. As cyber crime continues to grow, the ability to track down the perpetrators and bring them to justice will become more important. Building strong links with other countries in the world to tackle such issues through cooperation will become another key task for Britain’s NCSC.

Q How serious a problem is cyber-crime in the UK?

Any crime is bad for society as a whole. However, cyber-crime has a different impact in comparison to physical crime. In the cyber world, assets are not necessarily stolen but value is. For example, a company is attacked, data on a product is copied and then sold to another company in the world which then produces the same product either cheaper or quicker or, indeed, both. Now, that damages the economy because it means that innovation is rapidly brought to market without the costs associated with research. So cyber-crime affects society far more as it can extensively harm trust in how business is carried out. Further to that, the other side of cyber-crime is that it is much more efficient than traditional fraudulent crime; for instance, at the touch of a button, a scam email can be sent out to tens of thousands of people, whereas before a scam letter would have to be typed out and then sent in the post.

Q What are the root causes of breaches in security?

Firstly, the software and systems themselves; for example, there are, approximately, between 15 and 50 defects per one thousand lines of code. With as many errors as that in a piece of software, criminal programmers can find them and use them for fraudulent purposes. So software vulnerabilities must come under the spotlight.

Secondly, products and systems are not tested sufficiently enough hence we do not discover the errors before a product is put out to be used by companies or individuals.

Thirdly, people make errors. Most people think that computers are infallible; however, if you press the wrong button, the computer will do as you tell it to. A classic example of that concerns people who send out emails without a thought for privacy and put everyone’s email addresses in the ‘To’ field, instead of the ‘Bcc’ field. It is very difficult to catch that kind of human error.

And fourthly, given how many applications there are in existence, I do not believe that most people who download them to their PC or phone have been trained in how to use them safely. So the skills gap is a major factor in accounting for the dramatic rise in cyber-crime.

Q Can you explain the strategy of (ISC)2 in approaching cyber-crime?

As an international professional body, we certify and assure recognition for the professionals with the skills and instincts needed to protect companies against cybercrime and other cyber threats. We are also working hard to fill the increasingly recognised skills shortage for those professionals. As a profession, we also talk about prevention or stemming vulnerability, which is all about educating innovators, systems and software designers and their business stakeholders to think about how the product is going to be used and to consider obvious problems within the requirements gathering, design and development process. So, for instance, regarding the TalkTalk case in 2015, it would appear that the initial problem here was caused by something called “SQL injection”. Now, an SQL injection is a very basic attack and has been known for at least 10-15 years and can be tested for and solved very easily. Yet in the case of TalkTalk, the problem was not found. So until we can stem the vulnerability, until companies recognise the prevalence of vulnerability, and the need to manage the risks they present, we are not going to have a firm foundation to work from.

We also share our knowledge to develop digital skills across society, which involves having as wide an awareness as possible of the internet and the digital world, coupled with the basic knowledge of things which should never be done when you are engaged in this world. An example of that is if you are working in an airport lounge, you do not write down your password and leave it around when you leave.

Q Is there anything else which you would like to add?

We are dealing with a fast moving, constantly changing world. Overall, we have found that people are becoming much more conscious of cyber security. However, the problem is that the IT industry is not yet expressing that awareness in terms which the average member of the public can really understand. Part of that problem is due to people still not equating cyber-crime with physical crime. The TalkTalk case, however, is one of a growing number of cases that has made people think that cyber-crime can hurt them, and this growing awareness will help organisations like (ISC)2 and its membership of certified professionals to talk about it more. In many ways stories like the TalkTalk case have been, ironically, a godsend as they opened the eyes of businesses and members of the public to the scourge of cyber-crime. It’s time now for society to heed the lessons learned.