So the BBC have finally told it as it is, through the latest Panorama episode, available on iPlayer. Better late than never, as they say! Highly recommended.
Allow me to introduce myself. My name is Richard Henson, and I’ve been lecturing at the University of Worcester for over 15 years. Whilst I am interested in technical matters, my passion is the interface between technology and society and the role of standards in maintaining a balance between the two. I was drawn to information security through engagement with the local community in connection with my work on e-commerce, and would promote the excellence of the public key infrastructure to any business in the region that would listen. And excellent the PKI indeed is… if implemented correctly.
I didn’t really get up close and personal with the politics and differences in organisational culture associated with information security until I began a knowledge transfer fellowship and started to talk seriously with small businesses about small-business security. A gulf had opened up between the larger businesses, who were really starting to understand the potential dangers, and the small businesses, who seemed blissfully unaware. Being quite a stubborn individual, I found this difficult to accept and spent an inordinate amount of time talking to SMEs and surveying whether their views had changed… each time with the same result. A colleague in another university put it very well: “There is a need but not a want”. And very few small businesses seemed to want information assurance in the only packages then realistically available, PCI DSS and ISO 27001.
After 26 million sets of personal details were not accounted for by a government department, and the then Chancellor of the Exchequer had to come clean about it in Parliament, I was sure that perceptions would change. To be fair, they did, a little, but not in any sustained way, and not as a result of any public concern. A year later it was as if the matter had never happened. I was hoping to see the government show leadership and tighten up Data Protection legislation… this happened very slowly, and I think no-one wanted to upset the small-business sector that was going to drive the country out of recession. The new coalition government brought some excitement with its new cybersecurity policy, but seemed to get bogged down when it came to implementation. The good things that did emerge were IASME and Cyber Essentials. And so to 2015.
The Panorama programme paints a bleak picture of organisational cyber security, cyber crime and personal cyber security, and doesn’t seem to offer much by way of optimism for its viewers. What is strange to me is that, although a number of the experts interviewed said the current crisis had been building for years, the programme makers didn’t stop to wonder why no leadership had been shown in countering it. Maybe that will be the subject of a future programme, once a new strategy has been agreed. Having studied previous revolutions driven by technological change, I was clear as far back as 2007 about what was needed… and that was legislation, with teeth. The prevailing view, however, was to sit back and let the emerging on-line industry put itself in order, and even the infosec community itself seemed split on the matter. But there is no doubt that cyber crime grew enormously in those intervening years, and national statistics weren’t even being recorded.
Many of us expected that the Ashley Madison breach would provide the long-awaited wake-up call, but the public has a short memory. It was the even more spectacular TalkTalk debacle on the back of that, followed by the first ever reporting of cyber crime statistics, that has brought the matter into the open in such a way that perceptions of the Information Society will never be quite the same again.
The good news is that new legislation IS coming… via the European Union. However, it will be enforced by the Information Commissioner and not the police, in line with current practice. The new law has been under-reported, but will finally bring Europe in line with the breach-notification legislation that has been successful in the US since it was first introduced in California in 2003. Meanwhile, it seems that the Computer Misuse Act (1990, revised 2006) will still be expected to fit the bill as regards bringing cyber criminals to justice. Interesting times. I’ll be devoting my next piece to the contents of the GDPR (General Data Protection Regulation), which many think will come into effect in January.
This month’s tip: passwords.
Whilst following the Cyber Streetwise guidelines on passwords is much better than nothing, it should be pointed out that a nine-character password can be cracked in a little over 20 minutes on a desktop PC by a brute-force attack. The guidelines should be tweaked so that a minimum of 11 characters is emphasised; that takes 37 years to crack on a desktop PC. One caveat: such figures depend on the character set the password is drawn from and on how fast the attacker can test guesses, which in turn depends on how the password was stored, so length on its own does not fix the time. The point to take away is that each extra character multiplies the attacker’s work by the size of the character set, which is why a couple of extra characters moves the cost from minutes to decades.
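The arithmetic behind that tip, as an added example that is not part of the original post: the number of candidates a blind brute-force search must cover is the character-set size raised to the password length, and the time is that count divided by the attacker’s guess rate. The guess rates in the block are assumptions chosen for illustration (they are not measurements of any real PC), so the absolute times are only as good as those assumptions; the multiplication per extra character is the part that holds regardless.

```python
"""Brute-force cost model for passwords.

Added example, not code from the original post. The guess rates used in
main() are ASSUMED illustrative figures, not measurements.
"""
import math

# Character-set sizes an attacker must cover for a blind search.
CHARSETS = {
    "digits only": 10,
    "lowercase letters": 26,
    "upper + lower": 52,
    "upper + lower + digits": 62,
    "printable ASCII": 95,
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int,
                       guesses_per_second: float) -> float:
    """Worst-case time to try every candidate of this length and alphabet.
    The average time to hit a random password is half of this."""
    return keyspace(alphabet_size, length) / guesses_per_second


def min_length_for(alphabet_size: int, guesses_per_second: float,
                   target_seconds: float) -> int:
    """Smallest length whose full search takes at least `target_seconds`."""
    length = 1
    while seconds_to_exhaust(alphabet_size, length,
                             guesses_per_second) < target_seconds:
        length += 1
    return length


def human(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    if seconds < 60:
        return f"{seconds:.1f} s"
    if seconds < 3600:
        return f"{seconds / 60:.1f} min"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} h"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:.1f} years"


def main() -> None:
    # ASSUMED guess rates: a fast unsalted hash versus a deliberately slow
    # password-hashing function. Real figures vary with hardware and hash.
    rates = {"fast hash (assumed 1e9/s)": 1e9,
             "slow hash (assumed 1e4/s)": 1e4}
    for rate_name, rate in rates.items():
        print(f"\n{rate_name}")
        print(f"{'charset':24}{'len':>4}{'bits':>7}{'exhaust':>14}")
        for cs_name, size in CHARSETS.items():
            for length in (8, 9, 11, 14):
                t = seconds_to_exhaust(size, length, rate)
                print(f"{cs_name:24}{length:>4}"
                      f"{entropy_bits(size, length):>7.1f}{human(t):>14}")
        # Length needed so exhaustive search takes at least 37 years.
        need = min_length_for(95, rate, 37 * SECONDS_PER_YEAR)
        print(f"printable ASCII needs {need} chars for >= 37 years")


if __name__ == "__main__":
    main()
```

Run it and compare rows: going from 9 to 11 printable-ASCII characters multiplies the search by 95 squared (about 9,000), and a slow password hash buys the same factor again without the user typing anything extra. That is why a practitioner cares about both length and the storage hash, not just one of them.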