Paul Vlissidis MBCS, Technical Director at NCC Group and author of How To Survive The Internet, tells Martin Cooper MBCS why the language cybersecurity uses might be hampering the industry’s attempts to keep people and organisations safe.
‘It was 2014 and a journalist called Claudia Joseph contacted me,’ Paul Vlissidis says. ‘She said: “I want you to hack me... I really want to explore what it feels like to have your life taken over by a hacker.” We drew up some rules of engagement so we could stay within the law... Lawyers told us to stay away from bank accounts.’
Vlissidis gained access to her online life: emails, photographs, shopping lists, PayPal, location. ‘It felt very prurient,’ he recalls. ‘You can see, if somebody did this with bad intentions - a stalker maybe - they would have an enormous amount of power. It was unpleasant.’
The investigative work itself might have been unlikeable but the finished Mail on Sunday article was well received. This led to a phone call from a TV production company called Shine TV: ‘They said “We’re thinking about doing a show about people going on the run,”’ he recalls.
‘“We think there’s a cyber component - an online component.” The show didn’t have a name at that point but we talked about what might be possible [technically]. They set me some challenges like gaining access to a laptop.’ The show became Hunted - a kind of modern-day Running Man where contestants need to stay hidden from a team of experts for 25 days.
‘As part of that process, I started hacking people,’ he says. ‘And it made me realise one thing: people aren’t really very good at this stuff. They don’t get fundamental cybersecurity and operational security behaviour. This started to bother me.’
Hunted, he says, taught him that people who were trying to hide - indeed highly motivated to hide - did a bad job. Despite trying hard to lock down their digital footprints, they were visible, traceable and findable.
Expanding the point, he says: ‘I think the security industry is pretty bad at communicating these things... Communicating with the end-user. We work in a huge echo chamber - we love to talk to each other about this stuff all day.’ This led Vlissidis to write a book: How to Survive the Internet - Protect your Family from Hackers and Cyber Stalkers.
Leveraging high impact language solutions
Vlissidis speculates that one reason why the cybersecurity industry’s wealth of knowledge isn’t always made easily accessible to the public is the language the sector uses.
“Though technically accurate, spy-craft terms like ‘threat actor’ and ‘on the wire’ don’t necessarily convey risk in an easily understandable and actionable way.”
“Generally, in the security industry, the language is quite male, it’s quite aggressive. This may be for historical reasons. It is militaristic and born from espionage and that makes it quite inaccessible.”
The security industry’s love of complex jargon and rhetoric might also be making the subject more difficult for organisational leaders to comprehend, too.
‘More of my professional life is spent with leadership teams and boards,’ Vlissidis explains. ‘We’ve finally managed to get the subject onto the agenda. Leaders are now asking some really hard questions, which is great. But they don’t like jargon-heavy answers. That technical and militaristic jargon doesn’t help.’
In summary, he says, ‘all businesses want to know - in plain terms - what is the risk to my business and how do I manage that? That’s it. They sound like simple questions but they get answered with all sorts of gobbledygook. I think we make a huge mistake. We need to de-gobbledygook - if that’s a word.’
For clarity’s sake
The counterargument to this is, of course, industry-specific jargon is often very precise in its meaning. Demilitarised zone, or a DMZ (the IT industry loves acronyms too), for example, means something very clear-cut. The language provides a useful shorthand when two professionals are discussing their work.
In defence of our industry’s language, it’s also worth considering that analogies might make concepts easier to understand. But, as Vlissidis points out, even the best metaphors, equivalencies and parallels always lack pure technical accuracy.
‘I’m all for accuracy,’ he says. ‘But [language] has its place and, when you’re trying to communicate with a non-technical audience, falling back into jargon - even if it is technically accurate - you’ve lost your audience.’ And consequently, you’ve missed your objective.
‘We’re already seeing this inaccessibility borne out in recruitment,’ Vlissidis says. ‘It’s difficult [to recruit people] but it is getting better. It’s difficult to persuade young women to come and join the cybersecurity industry because it’s perceived to be geeky, male dominated and there’s that aggressive male language.’
Is Hollywood getting cyber right?
From exploring the language cybersecurity uses to describe itself, we move on to look at cyber from the outside. Specifically - given Vlissidis’ work in television - we explore how our industry is represented in film.
‘If I were to write a film script - a cyber disaster movie - it’d be about a cyber kinetic attack - using the jargon I’ve just been decrying,’ he says. ‘It’s that idea of doing something in an online sense that has a physical outcome. Die Hard 4 talked about a “fire sale” - that’s the ultimate nightmare scenario.’
If you’ve not watched the 2007 Bruce Willis blockbuster, a fire sale is a three-stage attack on national infrastructure. The grizzled New York cop’s hacker sidekick explains: ‘Step one, you take out all the transportation. Step two, the financial base and telecoms. Step three, you get rid of all the utilities: gas, water, electric, nuclear... Pretty much anything run by computers which, today, is pretty much everything.’
‘Can it be done?’ Vlissidis asks. ‘Power and telecoms are the oxygen and nitrogen of modern life. Without power you don’t have telecoms and without telecoms you don’t have much. There are scenarios - I’m sure they’re being thought about in rooms in lots of countries - for most of us, it’s not something we need to lose sleep over.’ As we shall see though, Vlissidis has strong views about what we should be losing sleep over.
But he believes there is value in imagining scenarios. That’s because when you don’t imagine situations - and test your processes and systems against those scenarios - that’s when real-life disasters come knocking. ‘Imagining scenarios and ensuring you’re sufficiently resilient to prevent them from happening or to deal with them - that’s what disaster planning is all about,’ he says. ‘That’s what contingency planning is all about.’
Doom in the board room
Netflix producers might spin up blockbusters about kinetic attacks but, closer to home - or at least closer to the office - Vlissidis says leadership teams, in his experience, share one collective nightmare scenario: ransomware.
In 2020 alone, we saw some frighteningly effective ransomware campaigns rock big-name corporations and dominate headlines around the world: Garmin, Randstad, Foxconn, Barnes and Noble, Honda, Cognizant and Travelex - to name just a few.
Ransomware isn’t new. It predates 2017’s WannaCry attack, which seared the word ‘ransomware’ and the idea of a cryptography-based attack into minds and briefing documents.
The first true malware extortion attack happened way back in 1989 when the AIDS Trojan hid files on victims’ hard disks. It demanded users pay $189 for the release of their data.
In the intervening years, ransomware bubbled and fermented away. In 2013, however, it hit the big time with CryptoLocker. It was a trojan that attacked Windows machines and locked away files using RSA public-key encryption. CryptoLocker’s real innovation, though, was embracing Bitcoin.
Thanks to its near-anonymity, the cryptocurrency provided criminals with a safe and comparatively secure means of cashing out after their crimes. It’s reckoned CryptoLocker netted its operators around $3m.
‘Ransomware is a low-cost, high return venture. The one thing ransomware has done,’ Vlissidis says, ‘is it has moved cyber from a compliance issue to an operational issue. It can take you out as a business. It is much more significant. It’s not something the regulator will just slap you on the wrist for. That got everybody’s attention.’
As with all adversaries, ransomware is evolving. WannaCry and its kin were indiscriminate attacks - they slithered across the internet and infected any vulnerable machines they found. They were as indiscriminate as a flu or coronavirus.
‘What’s different is most ransomware attacks are now targeted,’ Vlissidis warns. ‘The near misses I’m seeing, they’re not opportunistic. They are sniper rifle type attacks targeting individuals in an organisation - often through their digital footprints. They do a well-crafted social engineering scenario with ransomware as the payoff at the end.’
Summing up the situation, he explains how ransomware is going to worry any organisation, ‘particularly if they have got the old M&M style security - the hard outer shell and the squishy middle. A lot of networks still exhibit those characteristics. Once you’re on the network, you can go anywhere. In a ransomware scenario, that is potentially devastating.
‘Lots of organisations are trying to fix this. They’re talking about micro-segmentation and zero trust networks. What they are really doing is dealing with that security legacy. The larger the organisation, the bigger the legacy problem - unless they were born on the internet.’
Cyber risk, of course, doesn’t stop when we leave the office and head home, nor when we close the door to our home office. Maintaining a good security posture at home is perhaps even more important than keeping our guard up at work.
Closer to home
Rather than worrying about Hollywood hackers - the hoodie-wearing social misfit with a huge IQ, a penchant for pizza and an allergy to sunlight - Vlissidis says, ‘I’m more worried about the ex-partner, or the colleague who is jealous of your promotion. Those are the people we need to be worried about. They may know your passwords, or you may have shared accounts on devices in the house. A lot of people just don’t see it.’
There are two sides to stories where people have been hacked, says Vlissidis. One is purely technical: it’s about passwords, routers, updating operating systems, firewalls and awareness. Cleansing your network and your devices after a cyber attack is merely a technical job.
“The problem is, you can’t reformat and reset people. Being hacked can be a terrifying and indelibly traumatic experience.”
‘It’s terrible,’ Vlissidis says. ‘I feel qualified to talk and help on the cybersecurity side, I’m a cybersecurity geek. But not the human side.
‘The point is, I’m sat here and I’m safe and warm. If I’m on the internet, on social media, it doesn’t feel like I’m unsafe,’ he says. ‘Of course, all my information is out there for the world to see. The problem is, the general public isn’t aware that these risks are out there.’
A route to getting a handle on this risk is understanding your digital footprint. ‘Never underestimate,’ he warns, ‘just how important email is to you. Because it is so old, people don’t pay much attention to it. But beefing up your email security - you’ve got to do that. It is at the heart of your digital life.’ From there, he says, ‘move on to multifactor authentication and password managers.’
Paul's cybersecurity career tips
How to start a career in cybersecurity
‘Even though AI and machine learning are coming in, the cybersecurity problem is growing - we’re not keeping pace with the scale of the problem and that’s down to a lack of subject matter experts. Initially, I’d say to go after your technical curiosity.
Get yourself a Raspberry Pi and tinker around. There are also lots of online environments where you can test out techniques and skills. You don’t have to get a degree these days - there are plenty of apprenticeships out there. There are lots of career pathways in.’
How to make your first cybersecurity CV stand out
‘Don’t over-specialise too soon. At the moment, everyone wants to become a penetration tester. That’s seen as the sexy part of cybersecurity. There are myriad other jobs, such as a risk analyst working in a security operations centre, keeping an eye on networks.
There are loads of really interesting roles. Just try to work out what interests you first and go after that. Also, try and stay technical and keep your hands on keyboards for as long as possible. It serves you well, it’s more fun and it keeps you in that important continuous learning mode.’
How to step into security leadership
‘I was asked a very interesting question which stuck with me: “How can you teach us the secret language that boards and management speak? What is this language that they all talk?”
That’s ironic because these people think we [technical people] speak a strange language, too. We talk about DMZs, threat actors; they don’t know what we’re talking about. They talk about risk and resilience. They talk about operational risk and compliance risks. So, we don’t know what they’re talking about either.
The key is gaining exposure to leadership’s language. And, as a technical person, act as a translator between technical people and leadership. Moving your career into the “strategic side” is about understanding the business context.’