March 5, 2020
When Tim Berners-Lee implemented the first successful communication between a Hypertext Transfer Protocol (HTTP) client and server via the internet – creating the World Wide Web and revolutionising digital communications forever – he could never have predicted it would become the single most important piece of technology in the 21st Century.
The first two decades of this millennium have been defined by the internet and its myriad applications for individuals, businesses, governments and media.
It is difficult to imagine a technological development that has had a greater impact on human society in the modern era.
As of January 2020, it is estimated the global digital population of internet users stood at 4.54 billion, encompassing 59 per cent of the world’s population.
The explosion of digital connectivity cannot be overstated.
But as with any piece of technology that changes the way we live, there are challenges, as well as opportunities, that need to be addressed.
While the internet has democratised information and access to knowledge across the world – creating huge advances in productivity and innovation and facilitating rapid communication and transfer of data – it is also totally anarchic, unplanned and decentralised.
There is nobody responsible for the internet, nobody in charge of protecting its users from exploitation or criminality, nobody who can pull the plug. Security is not built into the system.
“The internet as you see it now is not properly planned, it just evolved,” says Dr Issac, senior lecturer and programme leader for computer networks, cybersecurity and digital forensics at Northumbria University.
“People never thought there was going to be something called the internet. Security was not considered; it was an afterthought.”
But as businesses become more and more reliant on the internet for their day-to-day operations, the need for security, or cybersecurity as it has come to be known, is greater than ever.
That’s why Biju and students at the university created the Cyber Clinic – a weekly club funded by the Institute of Coding – which runs ethical hacking and cybersecurity training sessions for students.
Identifying the huge demand for cybersecurity skills now and in the future, Northumbria University is keen to be a supplier.
Alongside the innovative Cyber Clinic, Northumbria has teamed up with Sheffield Hallam University and police forces across the North East, North West, Yorkshire and the Humber to create the North East Business Resilience Centre (NEBRC).
The NEBRC is a collaborative project between universities, who have the cybersecurity skills, and police, who have the reach and authority, whereby students go into local businesses to test their networks, identify weaknesses and try to secure them.
The race to secure businesses from cyber threats is one that is just beginning in earnest and, as Dr Biju tells me, it’s one we also face enormous obstacles in winning.
One of those obstacles is the growing speed of wireless communications technology. It’s now possible to connect almost any kind of device to a network in the blink of an eye.
“For 5G, the average speed will be five gigabits per second – that’s a lot of speed,” Dr Issac clarifies.
“The problem with these high-speed networks, even though it’s good for some activities, is that now on the network you have these Internet of Things (IoT) devices.
“Some of these devices are just sensors, some are CCTV cameras or smart TVs and security is not built into them, but they are connected to the network.
“If you position them properly, it is secure, but a lot of the time you could get into a network just by getting connected to a smart TV.”
Ryan Milner, one of Dr Issac’s students learning in the Cyber Clinic and working in the NEBRC, explains there is no provision in something like a smart TV to secure it.
“They’re built for simplicity from a consumer point of view, not for security,” he says.
“If it’s easy to use, the manufacturer just kind of throws security out of the window.”
It seems the presence of IoT devices on networks makes them much more difficult to secure, which is particularly concerning given that we’ve only scratched the surface of the capabilities of this technology.
One of the most progressive instances of IoT is the driverless car, which combines sensors and software to navigate roads autonomously. A brilliant example of human ingenuity but a huge concern from a cybersecurity point of view.
Dr Issac explains: “If I can drive close to the car, I can get the wireless packets surrounding that car because they’re in the air and once I capture them, I can do all kinds of attacks on the car.
“Autonomous car technology is not a problem. You have artificial intelligence, you have image processing and all of the things to do it. But to secure that car, I think it is almost impossible,” he adds.
We’ve all seen those movies where people go into banks with guns and masks and take huge amounts of money out of the safe.
It makes for great viewing, but the bank robbers of the future will be armed with a laptop and some specialist knowledge, not a shotgun and a bad attitude.
Dr Issac talks about some specialist software that would allow him to simply go into a bank with a packet-capturing programme running on his laptop, sit there for 30 minutes and then load what was captured into an analysis tool like Wireshark, whereupon he could find out the IP addresses, MAC addresses and port numbers of all the bank’s servers and devices.
“Next time I visit the bank, I’m visiting as a very informed person,” he reveals.
But a recent development in the world of data privacy has changed the incentives for the criminally inclined and made the idea of robbing a bank much less attractive.
That development is the General Data Protection Regulation (GDPR), brought into effect in May 2018.
“GDPR has changed the hacking scenario,” says Dr Issac. “Under the new guidelines, if a business gets hacked, that business has 72 hours to declare that it’s been hacked.
“If it doesn’t – and obviously, not many companies would want to declare that – if the company is later found out, it would have to pay a fine of €20 million or four per cent of its annual revenue, whichever is a greater amount.”
To be clear, because of GDPR, a hacker no longer has to hack into a network and extract money. All they have to do is be able to demonstrate they have gotten into the network in the first place. Once consumer data is compromised, GDPR comes into effect.
Dr Issac adds: “GDPR has incentivised hacking. You read about a lot of hacking incidents in the newspapers and on social media but what you’re reading is probably one per cent.”
Businesses who have been hacked essentially now have three options in respect of GDPR. They can declare that they’ve been hacked, do untold reputational damage and watch share prices plummet.
They can fail to declare and be fined €20 million or they can pay whatever the hacker’s ransom is for them to fix the problem and not say anything about it.
“On a daily basis,” says Dr Issac, “loads of companies are paying the hackers but you’d never know these stories. They happen behind closed doors.”
A large multi-national company might be able to sustain being hacked from a financial point of view. And, as student Iqra Haq, from Northumbria’s Cyber Clinic, adds, it is also much more likely to have an in-house team of cybersecurity experts.
“I worked at Nissan on a placement,” she says, “and it had dedicated cybersecurity and software teams with people who knew where the vulnerabilities were and were able to have resources in place.”
But for almost all of the North East’s 160,000 SMEs, many of which do not have any proper IT systems, let alone cybersecurity resources, the choice between a €20 million fine or a hacker’s ransom is an impossible one.
This is why it’s so important to have initiatives like the NEBRC in place. The NEBRC will be able to go into a business, conduct a security assessment of its network and do things like penetration testing or ethical hacking to try and identify weaknesses and put together a business vulnerabilities plan.
For SMEs, this support will become more and more invaluable as the internet becomes ever more pervasive in our lives.
The other crucial function of the NEBRC is simply to raise awareness of the importance of cybersecurity and get businesses to adopt better practices.
Dr Issac adds: “I think awareness is key. Once a person is aware, they want to do something about it.”
So far, we have been unable to keep up with the pace of technological advancements. Increasingly, it seems we’re also unable to keep up with the ever more sophisticated means being utilised to commit cybercrimes.
“It’s a work in progress,” concedes Dr Issac.