Does teaching Computing make hacks like TalkTalk more or less likely? Tony Parkin visited Nesta
Hardly a day passes without another revelation of a digital security lapse, a website hacked, or personal data being exposed. The TalkTalk fiasco is dominating headlines not least because this is its third such incident, and so many could be affected – it has 4 million customers.
This was a cyber-security lapse on the part of a major digital provider, one that really should know better. But what about the cyber security at all those essentially 'non-digital' enterprises hooking up to the web to take our details? Companies that have far less internet experience?
And what about all those digital devices we are buying that are expanding the Internet of Things (IoT), and adding yet greater vulnerability to the cyberworld? These threats reach a whole new level when it’s a car (see "After jeep hack...") that has been hacked and taken over while being driven, or a home network penetrated via an intelligent light-bulb connected to the IoT.
When the state of the IoT resembles the wild west, are we wise to educate a new generation of pupils in the art of coding, and to help them join in life on this wild frontier? What is the role of education in helping to address this ever-growing cyber-security threat?
'Script-kiddies... attacking home and school networks via lightbulbs'
This was just one of the compelling questions raised at an early point in a fascinating evening that was "Sounding the cyber security alarm", held at Nesta’s HQ in central London. As ever, Nesta had assembled an impressive panel working in the relevant field. It was Chris Wallis, founder and CEO of Intruder, a new penetration testing company, who was first to raise the issue of the current cohort of school children becoming familiarised with coding, and the likely impact.
As he pointed out, the more familiarised people become, the more likely they are to explore what they can and can’t achieve in the murkier areas of coding. The internet’s script-kiddies could be joined by legions of children attacking their home and school networks via lightbulbs, or fridges, with pathetic levels of security in place. Are schools ready for this, and do they have in place the key components of the Computing curriculum that address the ethical issues, and steer children to use these capabilities for good, rather than evil?
Earlier Miranda Mowbray, a research engineer from HP Labs, had shown just how easy such devices are to challenge. HP Labs had undertaken a series of tests on various common items that were being connected to the IoT to check how secure they would be. Of devices from 30 market leaders, 90 per cent collected personal data, often for no obvious reason, and 70 per cent of them used unencrypted communications channels to gather it – an easy way in for any school hacker.
Especially since 80 per cent of the devices failed basic password security measures, allowing such things as unlimited password guesses; 60 per cent didn’t even bother to encrypt software updates, and HP found an average of 25 security vulnerabilities in the items tested. Teachers’ smartwatches would be particularly at risk: 90 per cent of the watches use communications that are trivial to intercept, and 70 per cent even allow firmware updating over unencrypted comms. Given that some teachers already access emails via their watches, enough said?
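Two of the basic controls whose absence HP counted above, bounded password guessing and authenticated firmware updates, are small enough to fit on a constrained device. The following is an added illustration, not code from the article, HP Labs or any vendor; the names, key and sample values are all constructed, and the HMAC tag stands in for the asymmetric signature a real update channel would use.

```python
"""Added example: bounded password guessing and an authenticated update
check, as a defender would put them on a small IoT device.  Constructed
sample values throughout; every name here is hypothetical."""
import hashlib
import hmac
import time

# --- Control 1: bounded password guessing ----------------------------------
MAX_ATTEMPTS = 5          # failures allowed before the lockout starts
BASE_LOCKOUT_SECS = 30    # lockout doubles with each further failure


class GuessLimiter:
    """Per-account failure counter with exponential lockout.

    Keeps only a failure count and a 'locked until' timestamp per account,
    so the state is tiny enough for a constrained device."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._state = {}   # account -> (failures, locked_until)

    def is_locked(self, account):
        _, locked_until = self._state.get(account, (0, 0.0))
        return self._clock() < locked_until

    def record(self, account, success):
        failures, locked_until = self._state.get(account, (0, 0.0))
        if success:
            self._state.pop(account, None)
            return
        failures += 1
        if failures >= MAX_ATTEMPTS:
            # 30s after the 5th failure, 60s after the 6th, 120s after the 7th ...
            backoff = BASE_LOCKOUT_SECS * 2 ** (failures - MAX_ATTEMPTS)
            locked_until = self._clock() + backoff
        self._state[account] = (failures, locked_until)


# Constructed credential store: salted PBKDF2 hashes, never plaintext.
_SALT = b"constructed-salt"


def _hash(pw):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), _SALT, 100_000)


_USERS = {"admin": _hash("correct horse battery staple")}


def login(limiter, account, password):
    """Returns 'locked', 'ok' or 'bad'.  A locked account is rejected before
    the password is even hashed, so the lockout also throttles CPU use."""
    if limiter.is_locked(account):
        return "locked"
    expected = _USERS.get(account)
    ok = expected is not None and hmac.compare_digest(expected, _hash(password))
    limiter.record(account, ok)
    return "ok" if ok else "bad"


# --- Control 2: authenticated firmware updates -----------------------------
# Stand-in for a real signature scheme: an HMAC tag under a key provisioned
# at manufacture.  Asymmetric signatures (e.g. Ed25519) are the norm in
# practice; the verify-before-flash structure is the same.
UPDATE_KEY = b"constructed-device-update-key"


def package_update(image: bytes, version: int) -> bytes:
    """Vendor side: version || image || tag."""
    body = version.to_bytes(4, "big") + image
    return body + hmac.new(UPDATE_KEY, body, "sha256").digest()


def verify_update(blob: bytes, installed_version: int):
    """Device side: returns (ok, reason).  Rejects truncated or tampered
    images and rollbacks to older versions before anything touches flash."""
    if len(blob) < 4 + 32:
        return False, "truncated"
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(UPDATE_KEY, body, "sha256").digest()):
        return False, "bad tag"
    version = int.from_bytes(body[:4], "big")
    if version <= installed_version:
        return False, "rollback"
    return True, "ok"
```

The limiter takes its clock as a parameter so the lockout can be exercised without sleeping, and the update verifier checks the tag before it reads the version field, so a forged header is never parsed.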
So why the epic fail in cyber security when it comes to the Internet of Things? Miranda Mowbray outlined at least four factors that have come into play. First, as with any area of new technology, the very novelty means that there are potential vulnerabilities that those developing it haven’t even thought of yet.
'Old school' devices lack the security necessary for networking
The second element, though, is that many of the devices that are now being internet-connected are 'old school', non-networking devices, which lack the security now being built into devices designed for networking. Many of the devices are also fairly basic and limited when it comes to digital resources, which limits their capacity to be sophisticated and secure.
The major contributing factors are probably the rush to market and the desire to be low cost. This means that business models frequently neglect the expensive aspects of large-scale testing and the security consciousness that is required.
Chris Wallis outlined a similar shortfall when it came to security testing. There is a shortage of appropriately qualified testers, who need both high mathematical and computational skills (another key role here for schools). Not enough tools have yet been developed, and those that have been are not 'context aware' enough to be reliable and effective. A further interesting complication is that many of those working in the field with suitable maths and computational skills often lack the human communication skills to convey the importance of their work to the colleagues, usually less technical, who would authorise purchase and funding. So communication skills are equally important – as ever, it’s education, education, education!
'If the hackers are really good, you won’t know they're already in!'
The third panel member, Dave Palmer, director of technology at Darktrace, does a lot of governmental-level security work. In fact, I suspect that if we knew all the organisations Darktrace works for, he’d have to kill us. He highlighted the main challenge for those seeking to manage the security of organisations: if the hackers are really good, you won’t even know they are already inside your system!
Darktrace and others are developing Enterprise Immune Systems that attack intruders already in the network, rather than trying to prevent intrusion, much as a body's immune system deals with bacteria and other invasive threats. The rapid developments in machine learning and artificial intelligence are making this more feasible, though the algorithms need to be sophisticated and beyond simple concepts of teaching and heuristics.
The new systems need to model everyone inside the organisation, since everyone is a potential threat, not just those outside. Then they need to become self-learning and adaptive in real time to the behaviours of employees. Which calls for some very advanced maths skills – another key role for education. Even the non-mathematicians involved in penetration testing need to be able to understand the outputs from such modelling, which means that 'computational thinking for all' again comes to the fore.
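The modelling described above can be made concrete with a very small version of the idea: each user gets a streaming baseline of one behaviour, an observation far from that baseline is flagged, and the baseline keeps learning as events arrive. This is an added illustration, not Darktrace's code or anything the panel showed; the log format, the users and the byte counts are constructed.

```python
"""Added example: per-user behavioural baselines that adapt as events
stream in.  One feature (bytes uploaded per session) per user, Welford's
online mean/variance, z-score alerting.  Log lines are constructed."""
import math
import re

# Hypothetical log format: "<timestamp> user=<name> bytes_out=<n>"
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\w+) bytes_out=(?P<bytes>\d+)$")


class Baseline:
    """Welford's online mean/variance: O(1) memory per user, updated per event."""

    def __init__(self):
        self.n, self.mean, self.m2 = 0, 0.0, 0.0

    def update(self, x):
        self.n += 1
        d = x - self.mean
        self.mean += d / self.n
        self.m2 += d * (x - self.mean)

    def zscore(self, x):
        if self.n < 2:
            return 0.0
        sd = math.sqrt(self.m2 / (self.n - 1))
        return 0.0 if sd == 0 else (x - self.mean) / sd


class BehaviourMonitor:
    """Models every user seen in the log; nobody is exempt from a baseline."""

    def __init__(self, warmup=5, threshold=3.0):
        self.warmup = warmup          # events observed before alerting starts
        self.threshold = threshold    # |z| above which an event is flagged
        self.models = {}

    def observe(self, line):
        """Returns an alert tuple (ts, user, value, z) or None."""
        m = LOG_RE.match(line)
        if not m:
            return None
        user, x = m["user"], float(m["bytes"])
        model = self.models.setdefault(user, Baseline())
        alert = None
        if model.n >= self.warmup:
            z = model.zscore(x)
            if abs(z) > self.threshold:
                alert = (m["ts"], user, x, round(z, 1))
        # Design choice: flagged events are not folded into the baseline, so
        # one burst cannot widen the variance and mask the next one.
        if alert is None:
            model.update(x)
        return alert


def scan(lines, monitor=None):
    """Run the monitor over a sequence of log lines; returns the alerts."""
    monitor = monitor or BehaviourMonitor()
    return [a for a in map(monitor.observe, lines) if a is not None]


# Constructed sample: alice's sessions sit around 1 kB, then one is 50 kB;
# bob is perfectly regular throughout.
SAMPLE_LOG = [
    "2015-10-26T08:00Z user=alice bytes_out=1000",
    "2015-10-26T08:05Z user=bob bytes_out=500",
    "2015-10-26T09:00Z user=alice bytes_out=1100",
    "2015-10-26T09:05Z user=bob bytes_out=500",
    "2015-10-26T10:00Z user=alice bytes_out=900",
    "2015-10-26T10:05Z user=bob bytes_out=500",
    "2015-10-26T11:00Z user=alice bytes_out=1050",
    "2015-10-26T11:05Z user=bob bytes_out=500",
    "2015-10-26T12:00Z user=alice bytes_out=950",
    "2015-10-26T12:05Z user=bob bytes_out=500",
    "2015-10-26T13:00Z user=alice bytes_out=1020",
    "2015-10-26T13:05Z user=bob bytes_out=500",
    "2015-10-26T23:40Z user=alice bytes_out=50000",
    "2015-10-26T23:45Z user=bob bytes_out=500",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print("ALERT", alert)
```

Only alice's 50 kB session is flagged; bob's constant behaviour gives a zero variance and never alerts. Holding flagged events out of the baseline is the kind of trade-off the panel's "self-learning" systems have to make: it stops an intruder from training the model to accept them, at the cost of a legitimate change in someone's habits being flagged until an analyst resets that user's baseline.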
Targets for education
Dave Palmer identified two major requirements that education needs to address. First, developing a generation of students with advanced maths skills, and computational thinking skills, to enter the cybersecurity industry and supply its growing staffing need. But, equally importantly, education needs to promote the development of understanding by those running the companies of the implications of this digital revolution, so they recognise the need for resourcing and hiring those capable of assisting companies to become more secure.
At a time when the annual losses by UK industry to cyber attacks have been put by Defence Secretary Michael Fallon at £20-30 billion, and when digital economy minister Ed Vaizey says that 90 per cent of big businesses and 74 per cent of SMEs have experienced cyber breaches, this certainly seems both crucial and urgent. It also backs up the arguments of those educators who stressed that coding was not the be-all and end-all when it came to implementing the new Computing curriculum.
During the lively debate that followed, the only disagreement among the panel members was whether the situation was more akin to the game-playing of Cold War spying – à la John le Carré – or an ongoing all-out war. Certainly the suggestion that the Internet of Things could be used to hack atomic power stations and send them into meltdown caused considerable unease in the room.
However, when it came to criminality and cyber security, Chris Wallis suggested there may be a certain amount of naivety in society. Cyber crime is here to stay. Just as no-one expects the law to totally eradicate muggers, maybe society has to accept that digital security will never be able to eradicate cyber criminals.
The real danger is the scam calls that follow the hack
Do we need to strengthen the forces that resist them, and educate children away from a life of cyber crime? As the BBC’s Rory Cellan-Jones has pointed out, what's clear from the TalkTalk victims who've rung the BBC to discuss their experiences is that the real danger is the scam calls which follow the hack, rather than the hack itself. So we need everyone to be better educated on both the practicalities and the ethics of this issue.
So, educators, to address the cyber security alarm sounded by Nesta, we need to increase the number of those with high-level mathematical skills, increase everyone’s capabilities in computational thinking, and help those with high mathematical and computational skills with their communication skills so that they can get their messages over more effectively. Plus a greater focus on the ‘implications’ aspect of computing, the important 'digital literacy' component.
That should keep us busy for a while, but would undoubtedly be made considerably easier if we could also address the challenge of getting more women engaged in the field of cyber security. This is yet another STEM area where we find they are incredibly poorly represented. Oh, and lest you think it’s not really an education problem, consider this: education is one of the top targets for cyber attacks, along with the energy and finance industries – way ahead of aerospace and defence that we may have suspected would be the prime targets. Does that focus your attention?
Many thanks to Nesta for organising a truly superb evening, with a stunning, well-chaired panel that engaged both those involved in the industry and those for whom it had been an interesting mystery – TP.
Nesta's "Sounding the cyber security alarm" report
"When Will We Truly Take Cyber Security Seriously?" (TechWeek)
"Global nuclear facilities 'at risk' of cyber attack" (BBC)
"Education, energy and finance top UK cyber attack targets" (Computer Weekly)
"Women an untapped cyber security resource, report reveals" (Computer Weekly)
"UK losing £20-30bn to 'information bomb', claims defence minister" (Computing)