Cyber security: policy and protection
Evidence is showing that cybercrime is growing very rapidly and, in terms of scale, has overtaken traditional forms of crime and fraud. Ross Anderson is Professor of Security Engineering at Cambridge University; Chris Smith went to see him to hear how large this problem is, what policymakers need to do to stop it, and what other problems maybe laying in wait for us...
Ross - Most crime in Briain is now online. About 1 million British households this year will become victims of traditional property crime such as burglary and car theft. About 4 million households will be victims of fraud scams and abuses of various kinds, the great majority of which are online and electronic.
Chris - What is the relative value of those two crimes though?
Ross - The relative value is probably about the same, but online crime is increasing at a tremendous rate and it does have real psychological effects on people if they become victims of fraud and they’re not believed by their banks, and the police aren’t interested, and everybody just treats as if it was their fault.
Chris - If I come home and someone has broken into my house and ransacked the place, I know exactly what to do. I can phone up the police and they’ll probably send someone round. If I come home and find someone’s been in my bank account online, what do I do?
Ross - What the bank should do is make you good if you’re a victim of fraud; that’s the guidance from the Financial Conduct Authority. But very often banks don’t do that because they’ve got all sorts of small print in their terms and conditions and they’ll say then it’s not their fault, so it must be yours.
Chris - I can’t phone the police then?
Ross - You can phone the police if you like, but the problem is in 2005 and agreement was made between the banks and the police to the effect that fraud should be reported to the banks. As a result, the Home Office has been able to claim for the past dozen years that crime has been falling when, in fact, it’s just been moving on like everything else.
Chris - What can we do about this?
Ross - The police are going to have to put more effort in doing cybercrime enforcement because, at present, the online bad guys know that Britain is basically undefended. You can do cybercrime here, you won’t get pursued and you won’t get arrested except perhaps if the FBI get interested if you defraud Americans.
Chris - So America are much more hot on this than we are?
Ross - America’s much better at cybercrime enforcement than anywhere else. In fact, the American government spends as much on cybercrime enforcement as the next dozen governments put together.
Chris - Given the rate of growth of these sorts of technologies and the interconnectedness of the world we’ve got. The Internet of Things, we’ve got people buying mass produced gadgets from China for example, many of them with very poor security and admin passwords you can’t change, and the admin password is “admin,” for example. What does the government need to do urgently so we’re not continuing to sleepwalk into this nightmare?
Ross - The security problems of the Internet of Things will eventually, I believe, be fixed by players such as the European Union. Europe is already the world’s regulator for privacy, because Washington doesn’t care and nobody else is big enough to matter. I hope that it will become the world’s regulator for safety as well. So when you end up buying things like air conditioners from China or Korea, these will end up having to carry on them a CE mark which means that they comply with all applicable standards. We know have standards for vulnerability management and what that will mean is that you won’t be able to export your air conditioner to Europe unless you’ve got some way of patching vulnerabilities. Once Europe starts enforcing that standard vigorously, we should hopefully be beneficiaries of it even if we have left the EU by then.
Chris - What about transport Ross, because that’s one thing you haven’t mentioned yet? Transports massive - cars, planes and so on. What’s happening with them because they all have computer systems?
Ross - We’re beginning to see in the transport field firstly that some cars have been hacked and have even been driven off the road. What we’re also seeing is that some car makers, such as Tesla, are starting to patch their cars every month so that if vulnerabilities are found they can be fixed.
Chris - By “patch,” you mean the car has got to acquire a new piece of software code to address a problem that’s been identified?
Ross - Yes, that’s right. Your mobile phone and your laptop are typically patched every month. So a new software release come out from Microsoft, or Android, or Apple, or whoever and your laptop or your phone will install that automatically. In future, this is going to have to happen to cars too, and it also provides and opportunity for any safety flaws that arise in self-driving cars to be patched quickly and at skill without having to recall millions and millions of vehicles to the garage to have their software changed.
Chris - Well, that sounds good - what’s not to like?
Ross - The problem is when you start patching stuff every month, you need to maintain a software team which is offay with that particular product. My phone, for example, is a Google Nexus 5x which I bought last year and Google now tells me they’re going to stop security support in September next year, which I find very annoying. I don’t think it’s very good that I’ve only got two years secure life in that product.
If the same thing happens in a car that I buy in two years time, then I will be very annoyed indeed. Because if it becomes necessary to patch a car for it to remain safe, and if you’ve got a ten year old Mercedes and Mr Mercedes suddenly says sorry, it’s too expensive for us to patch cars that are more than ten years old because that would mean we’d have to keep test equipment and engineers current on dozens, and dozens, and dozens of all models, then that would mean that you car has to be taken away and scrapped. If suddenly cars are scrapped after ten years instead of twenty years, that’s going to double the CO2 emissions from the car industry and that’s surely not going to be acceptable.
Chris - What do the government need to do to address all of these very concerning points?
Ross - We did a big study last year for the European Commission because it’s not just cars; it’s medical devices; it’s electrical equipment; it’s all sorts of other things. And the European Union with 500 million people is a big enough market that if they say to Mr Ford, or Mr Samsung, or whoever sorry, unless you meet our standards your products can’t come into our market, then that actually matters. So that, I think, is the place where leverage is going to be applied and we’re going to end up having rules which will simply tell the car makers sorry, you’ve got to keep supplying security patches for 25 years on consumer protection grounds, and environmental grounds. If that’s going to be expensive, you’d better figure out how to do the engineering better, or you’d better have few models, or you’d better hire more engineers - your choice.