Defending the digital frontier: insights into cyber security

13 May 2024

Reported by Valérie Nowak, CSaP Policy Intern (January – April 2024)

Drawing on his experience at the National Cyber Security Centre, Richard Crowther offered CSaP’s Policy Leaders Fellows an introduction to cyber security. In his talk, he debunked prevalent myths surrounding cyber security, emphasised the need for collective action and dispelled the notion that individual users alone should bear the burden of cyber-attack detection and mitigation.

Richard recommended the development of a holistic security-by-design strategy to help lessen cyber threats. He noted that phishing attacks and identity theft were common dangers, instigated by individuals and organised groups. He explained that cyber criminals typically target organisations to steal financial assets and vital data, using extortion and ransomware to exploit human and technological vulnerabilities. As Richard summarised, "It doesn't sit very comfortably with me that we put so much responsibility on individual users to spot threats."

Cyber security in government

Acknowledging that significant, valuable work is being undertaken to improve cyber security in government, Richard suggested that greater and sustained investment was required to protect the government’s critical services. He highlighted that preparedness was crucial, with both proactive and reactive responses playing a part in mitigating risks: "You assume the breach is going to happen and you get well-practiced in responding to and resisting it." Richard stressed the need for cyber incident preparation for senior leaders, recommending that they run exercises to rehearse the steps they would take in the event of a breach.

Debunking cyber security myths

Richard debunked prevailing cyber security myths, using the example of creating a secure password:

"It is a myth that you need to choose a unique complicated password, with special characters, numbers, and capital letters and you need to change it every three months for every service you use. Research has shown that that is impractical - even impossible - for people to remember them all."

Instead, he advocated pragmatic measures such as the use of password managers, coupled with multi-factor authentication and ensuring that regular system updates are applied automatically. He concluded that 100% security was not achievable and that, if it were the goal, the result would be a useless and overcomplicated system. Richard called for security-first software development and pointed out that software vendors currently face misaligned incentives when it comes to ensuring that the products they ship are secure from the outset. Shipping an insecure product puts the onus on the customer to apply security updates further down the line. This creates added burdens in terms of money, time and effort, and these costs are rarely taken into account by vendors.

Security-by-design

Richard advocated setting a high bar and demanding security-by-design technology from vendors. This proactive approach prioritises cyber security considerations throughout the development lifecycle of technological solutions, mitigating vulnerabilities and reducing the risk of exploitation by malicious actors. Additionally, there are calls for increased involvement of governments, including the UK Government, in establishing clearer and stronger security-by-design standards for technology.

He also encouraged the use of modern programming languages that have built-in security measures designed to address typical vulnerabilities. The introduction of cyber security certification schemes could play a critical role in verifying the security of products and technologies; however, Richard acknowledged that identifying security compliance criteria and thresholds is challenging when creating comprehensive certification frameworks.

Governments, industry and regulators must work together to address cyber security issues. Pointing to a recent whitepaper on memory safety published by Google, Richard explained that self-regulation by tech giants might usefully supplement government cyber security compliance and promote industry best practices.

Ransomware and policy considerations

The debate surrounding the legality and ethical implications of ransom payments remains contentious. It was noted that the insurance sector is increasingly having to facilitate ransom payments, as one attendee summarised: “There is an explosion of the insurance sector as the government will not pay ransom.” However, there are arguments that favour a complete ban on ransom payments to further deter cybercriminal activity. Another attendee cited the example of the recent cyber-attack against the British Library that shut down much of the library’s digital infrastructure for six months as, following UK Government policy, there was a refusal to pay the demanded ransom. There is growing consensus on the need for public discourse at the international level to develop standardised recommendations and policy frameworks to address ransomware threats effectively.

Raising public awareness

Richard drew the talk to a close by noting that it often takes a major attack for cyber security to be taken seriously by large organisations, and that this needs to be addressed. He encouraged greater public education, explaining that raising awareness is vital to combat cyber threats. He concluded that cyber security requires proactive measures, technological innovation, regulatory frameworks and collaborative effort. Prioritising security-by-design, investing in training and promoting cyber security awareness can help inoculate against growing cyber threats.


Image by FlyD on Unsplash.

Valérie Nowak

Centre for Science and Policy, University of Cambridge