Industry experts – including a hacker – on the greatest challenge of our digital future.
Michiel Prins: ‘secrecy in security is wrong’
Former hacker and co-founder of HackerOne, coordinating ‘bug bounties’ – rewards offered by firms to the hacker community for finding flaws in cybersecurity systems.
“Over the past few years we have seen more and more mega-breaches. Spear phishing [targeting individuals with spam email and malware] and social engineering [targeting the human element in security systems] were usually to blame. However, the Equifax breach proved that mega breaches can result from security vulnerabilities in web applications that go unnoticed or unresolved.
“As traditionally non-digital industries become connected, it is no longer acceptable to work on security in secrecy. Organisations who do will continue to be breached and risk digital society at large.
“Organisations with a lot to protect, such as those in the financial services industry, will need to take a more pro-active approach to cyber security. Consumers, regulators and others will start to call out the lack of a visible, active security program.
94% of the world’s top 2,000 public companies don’t have a channel for hackers to report bugs in their cybersecurity systems
“White hat hackers [non-criminal hackers] are the defenders of the internet. They scour the web for vulnerabilities and surface them to help companies boost security and prioritise fixes faster. But we at HackerOne found that 94% of the Forbes 2000 [the top 2,000 public companies in the world] still don’t even have a channel for hackers like me to report bugs.
“Recently, I found a flaw by accident, reported it to the company to fix it, and the response was a request for a meeting with their lawyer. Tactics like these or even worse are far too common still and deter hackers from sharing their knowledge and expertise.”
Talal Rajab: ‘governments must take the lead’
Head of the cybersecurity programme at techUK, the UK’s technology trade association.
“The UK government, over the past couple of years, has reiterated how important cybersecurity is to the UK’s growing digital economy. From doubling its investment in cyber from £850m to £1.9bn to opening the National Cyber Security Centre, which provides crucial advice to businesses and consumers, the government has continually highlighted that cybersecurity should be a top priority for businesses.
“With the introduction of the General Data Protection Regulation and the Network and Information Systems Directive [Europe-wide measures to, respectively, increase individuals’ control over their data and boost the overall level of cybersecurity in the EU, both of which must become law in EU member states by May 2018] the regulatory framework for cybersecurity will change within the next year and businesses will need to consider how they can best protect their systems and their customers’ data.
“Cyber criminals are adapting, and that means that we must adapt too. Government must therefore be prepared to review the regulatory landscape, and the effort that has been made to secure UK plc from cyber threats, to ensure that we remain up to date in how we defend our economy.”
Katie Moussouris: ‘long-term strategies for finding bugs’
Founder and CEO, Luta Security, a cybersecurity training firm.
“Bug bounties [cash incentives offered to security consultants and white hat hackers, in return for locating flaws in a computer system] are all the rage for finding more vulnerabilities, but most organisations can’t fix the bugs they already know about. A premature bug bounty against an immature organisation can flood a response team with duplicate, low-complexity bugs it could have paid an intern to find more efficiently.
“Rather than follow the latest trend, businesses need to take a maturity model approach, build capability in finding and fixing bugs internally, then hire trusted professionals, before baiting a crowd of strangers on the internet with cash. After that, bug bounties can be an important incentive to help businesses catch the bugs they missed.
“The UK government understands and embraces this approach, and is working with my company Luta Security to build a roadmap for unified, government-wide vulnerability handling. This is not a ‘bug bounty’, nor will it become one. It’s about building sustainable streamlined processes for handling incoming vulnerability reports and resolving them as efficiently as possible.
“There will always be more bugs to fix, no matter how much effort organisations spend at any point in time. Building a resilient and efficient bug-handling process is the only way organisations and governments can hope to keep up.”
Emily Taylor: ‘more encryption, not less’
Associate fellow, international security at Chatham House, a think tank, and CEO at software firm Oxford Information Labs.
“It’s said that 80% of cyberattacks would be defeated if organisations and individuals took a few basic steps to improve their ‘cyber hygiene’. The establishment of the UK National Cyber Security Centre is an example of good policy. The aim is to improve the cyber resilience throughout the supply chain, a change from the previous policy of trying to defend only the largest targets. An area for improvement would be to make the NCSC independent from GCHQ.
“The UK government is wrong to argue that encryption is dangerous, that it’s turning the internet ‘dark’ to law enforcement and that mandatory back-doors should be introduced for government. The UK has experienced horrendous terror attacks over the past 12 months, and it’s natural for politicians to want to do something to make people feel safer. But undermining encryption would do more harm than good.
“Online banking, e-commerce, document storage, private conversations: all these rely on strong encryption. Introducing backdoors for governments simply introduces vulnerabilities which are bound to get into the hands of adversaries. The security of the entire network will be reduced, and meanwhile terrorists and criminals will find other ways to obscure their communications from prying eyes. People have been using cyphers and cryptography to communicate for hundreds of years.”
Brian Honan: ‘IT alone can’t protect you’
Founder, BH Consulting, a cybersecurity advisory firm.
“Those organisations who look upon cybersecurity as the sole responsibility of the CIO and the IT team are the ones who ultimately will be suffering more breaches and potentially heavier resulting losses. They need to realise cyber risk in today’s business environment is one of the most critical risks facing the business. If not managed properly, these risks will materialise and have a major impact on the business.
“With that in mind, organisations need to ensure they are well prepared to detect, respond, and deal with a cybersecurity incident. However, that focus should not be solely on how to deal with the breach itself, but look at ways to ensure there is resilience built into the infrastructure so that the business can continue to operate and function even when hit by a cyber-attack.
“Cybersecurity is no longer an IT issue, it is a critical business issue. One that needs to be dealt with at the most senior level in the organisation and provided with the appropriate resources to protect the organisation’s brand, reputation, data, and systems.”
Mike Janke: ‘start-ups should shore up the Internet of Things’
Co-founder of DataTribe, a fund for cybersecurity start-ups.
“Firmware vulnerabilities are an up-and-coming investment area in cybersecurity for both consumer and commercial companies. Firmware is software embedded in a piece of hardware and it exists in just about everything from connected kitchen appliances to smart TVs and printers, and connected sensors in automobiles and airplanes. Yet no practical and scalable solution exists to check it and secure it.
“Additionally, I believe that the next generation of cybersecurity start-ups will be those that can help an organisation remove products from their ‘stack’ instead of adding more. And homomorphic encryption will become more pervasive. This is a form of encryption that allows computations to be carried out on ciphertext [encrypted text], thus generating an encrypted result which, when decrypted, matches the result of operations performed on the plain text.”
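The homomorphic property Janke describes, as an added illustration that is not part of the original article and not code from DataTribe or any firm mentioned here: a textbook Paillier cryptosystem in Python. Paillier is additively homomorphic, so multiplying two ciphertexts yields a ciphertext of the sum of the two plaintexts, and raising a ciphertext to a power k yields a ciphertext of k times the plaintext, all without the private key. The primes P and Q are hypothetical 16-bit values chosen only to keep the numbers readable; a real deployment uses primes of 1024 bits or more.

```python
import math
import secrets

# Constructed toy parameters: two small primes chosen so the numbers stay readable.
# Real Paillier keys use primes of 1024 bits or more; these are NOT secure.
P = 65537
Q = 65521


def keygen(p=P, q=Q):
    """Return (public_key, private_key) for the Paillier scheme."""
    n = p * q
    n2 = n * n
    # lambda = lcm(p-1, q-1)
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    g = n + 1  # the standard simple choice of generator
    # mu = (L(g^lambda mod n^2))^-1 mod n, where L(x) = (x - 1) / n
    mu = pow((pow(g, lam, n2) - 1) // n, -1, n)
    return (n, g), (n, lam, mu)


def encrypt(pub, m):
    """Encrypt integer m (0 <= m < n). Fresh randomness r makes repeat encryptions differ."""
    n, g = pub
    if not 0 <= m < n:
        raise ValueError("message out of range")
    n2 = n * n
    while True:
        r = secrets.randbelow(n)
        if r > 0 and math.gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(priv, c):
    """Recover m from c = g^m * r^n mod n^2."""
    n, lam, mu = priv
    n2 = n * n
    return (((pow(c, lam, n2) - 1) // n) * mu) % n


def add_encrypted(pub, c1, c2):
    """Ciphertext of (m1 + m2) mod n, computed without the private key."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def scale_encrypted(pub, c, k):
    """Ciphertext of (k * m) mod n, computed without the private key."""
    n, _ = pub
    return pow(c, k, n * n)


def encrypted_total(pub, ciphertexts):
    """Sum a list of ciphertexts; the party holding only pub never sees a plaintext."""
    n, _ = pub
    total = 1  # 1 is the ciphertext of 0 with r = 1
    for c in ciphertexts:
        total = (total * c) % (n * n)
    return total


def aggregate_demo(values, weight=3):
    """Constructed scenario: a party holding only the public key computes
    sum(values) and weight * sum(values) over ciphertexts; the key holder
    decrypts both results. Returns (plain_sum, plain_weighted_sum)."""
    pub, priv = keygen()
    cts = [encrypt(pub, v) for v in values]
    c_sum = encrypted_total(pub, cts)
    c_scaled = scale_encrypted(pub, c_sum, weight)
    return decrypt(priv, c_sum), decrypt(priv, c_scaled)


if __name__ == "__main__":
    readings = [1234, 5678, 42]  # constructed sample inputs
    print(aggregate_demo(readings))  # (6954, 20862)
```

The decrypted results match what the same additions and multiplications would give on the plaintexts, which is exactly the property described in the quote. Note that arithmetic is modulo n, so sums larger than n wrap around, and Paillier supports only addition and scalar multiplication; schemes that also allow multiplication of two ciphertexts (fully homomorphic encryption) are considerably heavier.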
Matt Burgess is a staff writer at Wired and the author of Freedom of Information For Journalists (Routledge, 2015).