Cyber Security is one of a select few concerns that requires a combination of good practice, technological expertise and legislative support in order to be appropriately managed. To achieve the level of skill needed to maintain this balance requires collaboration between not just industry and government, but equally as important, academia. With several collaborative bodies set up to achieve exactly this, such as the Academic Centres of Excellence in Cyber Security Network and the Academic leg of the Security and Resilience Industry Suppliers Community (RISC), Academic RiSC, the work of these organisations remains of critical importance in defending not just organisations, but national security from would be cyber-attackers. Professor Chris Hankin combines his work as Director of the Institute of Security Science and Technology at Imperial College London (one of the Academic Centres of Excellence in Cyber Security), with a role as Chair of Academic RiSC – as such Chris is uniquely placed to give an insight into the work academic bodies are doing in the cyber security field.
Joining Imperial in 1994, Chris’ pre-existing work in Security made him an active member of the Institute of Security Science and Technology at Imperial upon its formation, and in 2010, he was given the opportunity to become its Director. The Institute aims to “provide a portal on science and technology in order to develop answers to security challenges”. Despite the transition from an independent researcher to the more ambassadorial and wider scoping role of Director, Chris was happy to embrace this change, expanding his field of work to include a broader range of issues, one of which being cyber security.
The Institute’s work was heavily influenced in 2009 by the UK’s first national cyber security strategy under the then Labour administration, revised under the coalition in 2010 and the accompanying Cyber Security Programme, brought into effect in 2012. The Programme offered a variety of opportunities for academia to get involved with government, and Chris has also been involved with the Research Institute of Science in Cyber Security, the first created under the Cyber Security Program and the leading Research Institute in Trustworthy Industrial Control Systems, as well as a host of other work with bodies conducting research in cyber security. Despite the Cyber Security Programme’s support of collaboration with academic bodies, Chris and his team observed that the role of academia in engaging with government was still being stifled, because Government tended to draw on a quite narrow pool of known academics – The problem was addressed through a workshop aimed at solving these issues, the Academic RiSC body being the outcome. Explaining his role as chair of Academic RiSC, Chris says that the governmental partner, be it the Home Office or another department, share an opportunity for academic contributions on a topic, which he then disseminates through the various networks involved in the program to solicit responses.
Collaboration of any form naturally brings with it a unique set of challenges in empowering all bodies to work effectively, in no field is this more the case than cyber security due to the oftentimes sensitive and private nature of the information involved: governmental data can often have implications as severe as national security, and industry must of course consider the commercial impacts of the information. While in Chris’ experience industry partners are able to limit the effects of information sharing concerns through non-disclosure agreements and similar mechanisms, this is far from a perfect solution – there has, according to Chris been a general issue within the cyber space of academic bodies gaining access to the real data needed to work on real, scalable solutions. Imperial, as well as several other academic bodies have attempted to mitigate the effects of lack of data availability by creating test beds, generating their own data sets in order to test the applicability of their solutions to cyber threats. In situations where industrial data is made available however, there is a tangible benefit to the industry partner, with academic insight into how to better defend from the threats their systems may face; Chris described this collaboration as a win-win situation, and hopes for even greater buy-in in the future.
With an eye firmly fixed on the future, Chris highlighted the potential impact of the upcoming EU Network and Information Security Directive on information sharing. The Directive, coming into force in May 2018 puts obligations on companies providing essential or digital services to report breaches within 72 hours and share information on their attacks. While warning that Brexit could curtail the volume of information shared across European borders, the future appears largely positive – the increasing volume of information soon to be available in turn increasing the scope for academic research and involvement in tackling cyber security challenges going forward. That said, the future is unlikely to be entirely positive – as much as the cyber security sector refuses to stand still, neither, unfortunately do those that find themselves on the wrong side of the law. In predicting some future trends in cybercrime, Chris first referred back to the dramatic increase in ransomware attacks over the past 12-18 months, in particular Wannacry exploiting legacy aspects in systems, and the vulnerabilities associated with unpatched software. Looking forward, with the ever-present nature of digital systems in the present day, such as IoT devices and other systems controlling our physical environment, Chris warns that, “in the fullness of time, there will be an increase in the volume of legacy in those systems” and as a result, an increasing level of vulnerability. While a computer desktop is changed on a semi-regular cycle, this may not be the case with these new systems, potentially creating a Pandora’s box of cybercrime opportunities.
With new issues come new solutions, and the cybercrime trends Chris mentioned are no different. In combatting the ever-changing cyber threat, the potential solutions offered by Chris can be divided into two categories, technical and cultural. With regards to technical solutions, Chris and his team are currently working on deep learning in order to develop resilient industry control systems, “spotting anomalous network traffic to try and detect when something is going wrong in a system”. Drawing also upon other studies, Chris mentioned work being done on quantum resistant cryptography to increase resilience in the face of quantum computing threats – a growing threat in the field of cyber security. Culturally, Chris was vocal on “putting the human at the centre of cyber security”, designing systems that the user can both understand and use effectively. Drawing attention to the NCSC’s updated approach towards password control, now focused around reducing cognitive load on users, Chris also advocated increasing education on cyber security in order to ensure cyber security is given the attention it requires going forward. A final, perhaps novel approach towards combatting cybercrime that Chris finds himself heavily involved in is game theory – viewing cybercrime as a game between attackers and a defending systems administrator. Using knowledge of common attack patterns, UK and US recommended security strategies and budgetary restrictions, this approach offers advice to partners on optimal defence strategies and attempts to give an insight into the mindset of an attacker to successfully thwart their efforts. Both Chris’ work and his personal thoughts on the future direction for cyber security strategy offer a consistent message – the key to long term cyber security is a successful rapprochement between human and cyber sciences to jointly address the problem.