What Are The New Rules Of Fighting Cyber Crime?
Philip Ellison 27 October, 2017 at 12:10
- We’re seeing blackmail and targeted campaigns on a global, state-organised scale; and unfortunately, a Geneva Convention-style agreement doesn’t necessarily extend to the actions of individual hackers acting on their own volition.
- Governments and private companies can both learn from hackers and innovators on the dark net when it comes to protecting security and privacy.
- Ultimately, the security of any organisation comes down to how confident each and every individual is in using the technology.
At an Intelligence Squared evening on “the new rules” of cyber warfare, the BBC’s Nick Robinson sat down with a panel of experts to discuss the political, social and commercial aspects of cyber crime and online security.
“It’s going to get worse before it gets better,” says Jeh Johnson, who held the position of Secretary of Homeland Security from 2013 to 2017 under President Obama. “In terms of investment in technology, and raising awareness, we have a long way to go.”
“We are moving into an era where censorship of the internet is impossible,” says Jamie Bartlett, Director of the Centre for the Analysis of Social Media and author of The Dark Net. “You don’t have to be a skilled programmer to be a cyber criminal; it’s very easy. Most experiences of cyber crime are low level stuff, such as fraud or harassment.”
What this means for governments
Johnson likens fighting cyber crime at a government level to constantly playing defence, while hackers outside those institutions are on the offensive. “Those playing offence are increasingly tenacious and creative,” he says. “On defence, it’s like trying to catch raindrops.”
Bartlett reasons that governments should be working with these hackers to craft more secure, decentralised solutions; he reminds us that exciting technologies like Bitcoin, and the blockchain on which it operates, were originally developed by radical libertarians. He believes that there is much we can learn from criminals on the dark net; in his book, the infamous Silk Road site reportedly offered a safer, more private customer experience than Amazon.
Johnson points out that cyber criminals are so adept at mining information, they can create a profile of how you think and send you a tailored political appeal — as was proven to be the case in the run-up to last year’s election. “It turns out, people who like to barbecue outdoors were more likely to vote Trump,” he says. “So it was possible to target people who bought outdoor grills.” Bartlett adds that this sort of behaviour is only going to become more sophisticated as we generate exponentially more data.
In the wake of revelations that Russia played a part in influencing the US presidential election through fake news, propaganda and targeted political ads, Robinson asks: would a cyber equivalent of the Geneva Convention ever be practical? Or should we always be assuming that other nations are using whatever technology is at their disposal to try to sway the outcome of our democratic processes to their advantage?
Speaking incredibly diplomatically, Johnson states his belief that as long as an actor, be that a nation state or a specific leader, makes their desires known, it is possible for hacker groups to take it from there, granting the actor plausible deniability — essentially, a state actor can allow these groups to operate at arm’s length, while turning a blind eye.
When asked whether artificial intelligence will support attackers or law enforcement, Bartlett states that he strongly believes it will be used by attackers. “Governments have to be leaders in AI, and it has to be highly regulated,” he says. “I fear that the greatest advances in AI will fall to private companies, leading to monopolies and inequality which will undermine democracy.”
What this means for businesses
“At the moment, there is no commercial incentive to think about security from the outset, only after the attack has happened,” says Angela Sasse, Professor of Human-Centred Technology at University College London. She believes this will remain the case, until companies can sufficiently position security as a USP.
Bartlett’s advice to businesses is to assume that you have already been attacked, and that your information is already at risk of being stolen — and have a good backup plan. “More CEOs are educating themselves about cyber security; it goes to the very survival of their business,” says Johnson, citing Equifax as a prominent example.
There has been much talk over the last twelve months of the UK government “banning” end-to-end encryption on services like WhatsApp, and of companies like Apple installing “backdoor” access on their devices for security agencies. So, is it incumbent upon businesses to cooperate with governments? “On a case-by-case basis, yes,” says Johnson. “But I’ve been disappointed so far in the level of cooperation from the private sector. Everyone in cyber security benefits from sharing information.”
And what about when it comes to companies granting government bodies backdoor access to smartphones? “Some people think the only thing that should be impenetrable is the human mind,” says Johnson. “By that logic, you could argue that if you can get a search warrant for someone’s home, to read their diary, then why not their phone?”
What this means for consumers
“Society and organisations are made up of individuals, and so it falls to our individual ability to manage this technology,” says Sasse. She reasons that the internet is as much a utility as electricity or water, and that because we don’t “test” our light switches or faucets every day to ensure they are safe, we can struggle to stick to the habit of doing so with regards to technology. If she could impress one tip upon everybody, it’s that it isn’t necessarily the strength of the password that matters; just don’t repeat the same password everywhere.
“We’re so far down the road of surrendering privacy, people might not even realise,” says Johnson. “Hackers can know everything about you, and exploit it.”
“If everybody used a Tor browser, we would enjoy a greater degree of personal privacy,” says Bartlett. Sasse counters that while individuals could start encrypting their emails and use a Tor browser, unless absolutely everybody they know did the same, it would actually make communication more difficult.
As Bartlett sees it, there is a silver lining to high profile cyber crimes such as the recent ransomware attack on the NHS — people are becoming increasingly cautious in their online behaviour. “We will respond as a society,” he says. “But governments will have to do more, and take more responsibility.”
Image credit: Intelligence Squared / Tim Bowditch