On 21 September BCS, The Chartered Institute for IT, held a thought leadership debate about future security threats. Andy Clark, Head of Forensics at Detica, opened the evening.

The annual growth in deployment of IP-based devices is dramatic. In 2007 there were 200 million IP-based devices on the internet, in 2010 there are 35 billion, and by 2013 it is estimated that there will be one trillion (which works out at around 140 for each person).

These, said Clark, will increasingly be portable devices or embedded within appliances, and they won’t have the power to detect and resist cyber attacks on their own, so our existing protection models will need to be reviewed.

Clark posed a number of questions: do you really know what your information systems network looks like? Completely? And then more importantly, do you know who is using it, and what for - now?

He then introduced the first speaker, Paul Lewis, Lead Technologist - Economics and Risk at the Technology Strategy Board. Lewis said that there are two important strategic trends he feels warrant a debate. The first centred on the apparent lack of security in software development, and the second on the state of the UK and international legal framework for dealing with cyber and security issues.

He said that software engineering has been around for some time, but secure techniques aren’t always used even though a lot of security weaknesses could be stopped by secure development practices. He gave two possible reasons for this: that software has got so complex it isn’t possible for humans to spot every possible error, and that there is no motivation for it to be secure.

He then cited a hypothesis from Nobel prize-winning economist George Akerlof, applied to security by Professor Ross Anderson of Cambridge University, called the market information asymmetry problem, or the market for lemons. The problem can be characterised in one sentence: the sellers know more about the product than the buyers.

Lewis said that in Akerlof’s example someone buying a second-hand car has no way of knowing its quality, and the same is true of software. Industry is capable of creating secure software; however, the economics of the industry mean that there is little incentive to do so. Users want features and go for the first product to reach the market.

He added that Microsoft is starting to address these issues, but the rate at which vulnerabilities are discovered is accelerating. He then asked whether we can learn from the safety-critical world and whether we can educate our programmers.

He then moved on to talk about how the law affects cyberspace. He said that the main problem is that cyberspace is international. In the UK it is governed by the Computer Misuse Act of 1990, amended by the Police and Justice Act in 2006.

But the internet is temporal and ubiquitous, and it is critical. What would happen if it failed? The very nature of the internet means that actors can operate locally but hide globally. Following this he posed a few questions for the later debate. How do we differentiate between an exploitation and an attack? Under what circumstances does an exploitation become an attack? Can we apply law to cyberspace, and what is the best way to introduce secure practices into software development?

Who has our data?

The second speaker was Dr Adrian Baldwin, a researcher at HP’s Systems Security Lab, whose talk focused on who has our data.

He started off by saying there are two ends where data is stored: the client end, which is likely to be a smartphone or portable device, and the service end, which can be implemented in a variety of ways, including using cloud technologies.

He then went on to look at the immediate problems. The first is consumerisation, namely who owns the devices and where they are. These are different threats. Smartphones are powerful, connected and complex. They are going to get more complex and contain even more data. Current research into memristor (low-powered memory) technology suggests that in the future small devices may have as much data storage as current laptops.

These devices can do a lot, but how secure are they? How many minutes does it take someone to crack PIN-based access control? Not many, said Baldwin. There is an increasing threat from malware and, as the devices are highly connected, they are likely to be infiltrated. What is more worrying is that these devices also connect to our work networks, where the boundary between personal and corporate usage is blurred. He then asked how we know whether the data on them is safe. It comes back, he said, to where your data is.

After this Baldwin covered the service end and in particular the cloud. He said that accessing cloud services is now so simple that some people implement new systems that bypass conventional controls by buying cloud services on a credit card and then simply claiming the money back on expenses.

While this may be efficient and responsive, increasingly those who use these virtualised services don’t know what systems are being used to store critical information. When these services push data on to other companies, how do we know where our data is? We are losing control. Do we really know what we are using and where, he asked.

He noted that several people have lost control of their networks because staff connected unauthorised hardware to them. To combat this, he suggested that organisational security should acknowledge that there might be a business need for such things to happen, and that it should therefore find ways to do this safely and be the department that says yes rather than always saying no.

The scope of the threat

The final speaker was Dr Mike Westmacott. He opened by talking about the potential threats and the state of the security industry and what, in fact, is its scope.

He said the scope covers technical delivery to its stakeholders (including the provision of software and services), but it also includes training and links to the academic world. The security industry operates against the threats and the threat agents themselves, who try to gain advantage from information security systems, whether for monetary or political gain in varying degrees.

He then asked why the information security industry might itself represent a threat. Before answering this question he said that the number of people involved in cybercrime is increasing and they are getting more organised and skilful.

The threats are also changing, he said; they are becoming more sophisticated and criminals are adopting better engineering techniques. He said that we now have a part of society that provides crimeware as a service, meaning that individuals and organisations are setting up services where people can buy support for malware.

Westmacott then asked whether we as an industry are maturing at the same rate, particularly since there will be more advanced systems in the future to combat.

He noted that education in the UK is doing very well in producing computer science and security professionals and that there is a good number of professional bodies representing them. He did ask if they are working together, though, and said that they are struggling in some areas.

There is a problem for smaller firms, as they find it hard to employ graduates who don’t have the experience, even though security consultants, he said, are generally highly paid. He followed this up by saying that we, as an industry, need to create a talent pipeline that takes graduates to whatever level is most appropriate.

The debate

One of the main issues discussed by all the attendees was that of disclosure of security breaches. On one table they talked about the fact that security always used to be about perimeters and keeping people out, but the trend these days is more about openness and sharing.

Some people wondered whether there might be a backlash against this approach. Also, governments are never going to be keen to give out information they hold. But, as one person put it, there is a need to be agile, which means that more information needs to be shared, which in turn has its risks.

With the current younger generation more open to the notion of sharing information, one person noted that, in order for there to be any significant change to the way that countries, businesses and individuals operate, that generation will need to rise to the top, which will take time.

Another point where there was near universal agreement was on education. One group felt that there should be a ‘green cross code’ approach to the way children are taught, whilst others felt that education around the fact that people shouldn’t spread malware should also be included.

Role of the law

Of course, the biggest issue with security threats of all kinds is the law and how crimes should be dealt with. Some people said that there shouldn’t be tighter laws, simply a better framework. Others commented on the fact that even though as many as 50 per cent of the people on one of the tables that evening had suffered some form of cybercrime, police forces still don’t include such crimes in their figures.

One person commented that internet users don’t take threats seriously. They perceive the biggest threats to be to their finances, but they are covered by the banks and the banks are insured themselves. Another person added that there may come a change when underwriters refuse to take on the risks anymore.

Also, if there is a sustained attack on banking and shopping sites, people may lose confidence in them and stop using those kinds of services.

On top of this if, as Andy Clark said, we have many more IP-enabled devices such as fridges and cookers, then these too could be attacked.

What can be done?

It was widely suggested that software code needs to be more secure. However, one person noted that it can be as much as five times more expensive to write secure code than standard code. Also, the software market demands convenience, not security.

As to how to address the threats themselves, it was agreed that this will only get harder. On cyber warfare and espionage, it was stated that because it is easier for countries to buy malware, it is also easier for them to deny involvement. Someone also raised the point that undoubtedly more countries are looking into this approach.

It’s not just malware that can now be bought; you can also hire people with all manner of skills, such as those who can launder money, one person added. Then there is the issue that a lot of people enter into malware and bot use voluntarily, which makes it very hard to track and trace these sorts of activities.

The cloud itself

One group suggested that by using cloud technologies some attacks could potentially be avoided. As the cloud gives companies and organisations more bandwidth this should mean that DoS attacks are less of an issue. The flipside of using the cloud is that if someone does manage to get into the system, then there could be huge problems.

The problem with debates such as these, as someone pointed out at the very start, is that people don’t think very far ahead but only about issues regarding the next five years.

Having said that, a few participants did bring up more future-thinking ideas. One was the threat to the whole population from electromagnetic pulse bombs if the general populace is fitted with microchips.

These are nuclear bombs that are detonated in the atmosphere and can destroy electrical circuits rendering them useless. Others raised the possible security risks from wide adoption of augmented reality and also the threats from unmanned drones.

More Thought Leadership Debate reports are available at: www.bcs.org/thoughtleadership