Q and A: Cyber-crime expert talks Brexit, security... and attacks from fridges
The Director of Imperial's Institute for Security Science and Technology has long been at the forefront of combatting the threat of cyber-attacks.
Professor Chris Hankin has just returned from Japan, where he and his peers explored the idea of forming an international network of universities to help better protect the increasingly connected infrastructure that we all depend on from rogue attacks.
His work fits in neatly with the Government’s £1.9 billion cyber security strategy, announced on 1 November 2016. The strategy featured, among other initiatives, plans to recruit more cyber-security experts, the continuation of the existing academic activities, and the creation of a fourth Cyber Security Research Institute - "a virtual network of UK universities" to co-ordinate research into improving defences for smartphones, laptops and tablets.
Professor Hankin has also been lending his considerable cyber-expertise to an influential panel on the impact of Brexit on cyber security and the UK’s relationship with the EU. Colin Smith managed to grab a few moments with him to learn more about the current cyber-security landscape and the part the Institute is playing in combating these emerging threats.
Can you explain some cyber threats that global corporations are facing at the moment?
If you look at open source statistics, I don’t think that there has been a big increase in cyber-attacks. However, there have been some headline-hitting incidents that are worth talking about. For example, the company Dyn Inc. - which offers products to monitor, control, and optimize online infrastructure - had a massive “denial of service” attack.
A denial of service attack involves hackers creating computer programs that send bulk messages to a particular target. This generates huge volumes of traffic on a company’s network, which is so great that their systems can’t cope, preventing companies from providing their normal services. What made the denial of service attack on Dyn so unique was that the attack was launched from gadgets such as phones, smart fridges, smart lights and tablets that rely on the internet for some of their functions. In short, someone had hacked these gadgets and used them to send a torrent of messages to Dyn, which shut down their normal services.
There have been many denial of service attacks over the years, but this may have been the first attack launched from gadgets connected to the internet of things. It demonstrates how our own technology can be “weaponised” against us. It is an interesting development and shows us how the cyber landscape is evolving and how our own systems may be launched against us in the future.
How is the cyber threat changing on a nation-state level?
There are many benefits to digitising the services that we rely on, such as train networks and our energy generation and distribution systems. It makes them more flexible and responsive, and smarter. It also makes them vulnerable to cyber-attacks. Many countries are taking an interest in these systems and are developing tools to compromise them. They are seeing cyber as another weapon in their armoury.
For example, in December 2015 three regional power companies in the Ukraine were attacked to such an extent that 225,000 consumers lost their energy supply. Before that a German steel mill was attacked, compromising a blast furnace, which caused millions of Euros of damage. These attacks on physical infrastructure, mediated by cyber, are the kinds of attacks that we’ll see more and more of between nation states.
How will the Institute play a greater international role in helping to shape the global cyber security environment?
I am just back from a trip to Japan where I visited Keio University, which created one of Japan’s first cyber-security centres. I attended a conference at Keio called “borderless cyber”. The purpose of the meeting was to create an international network of excellence in cyber security involving universities like Imperial, Cambridge and many in Japan and the USA to combat the increasing cyber threat we are seeing.
Is London a special case in terms of its needs around cyber-security?
I think London is potentially a special case because it is one of the main financial capitals in the world. Cyber security and the financial sector is something we at the Institute are very keen to build some activity around. It is an area that is very attractive to serious organised crime, but one could also imagine that it could be a primary target of attack from nation states, if they wanted to undermine the UK economy.
You were recently asked to be on an advisory panel considering the implications of Brexit on the UK’s cyber infrastructure. What was your role?
I was on an advisory panel set up by London First that produced a report looking at the security implications in terms of Brexit on the UK’s cyber security landscape. In particular, I investigated new European Union legislation, which comes into force in 2018. It is aiming to make companies more open and accountable when data breaches occur. I also investigated the rules around the right for users to be forgotten. This is where users have a right to have their data removed from search engines if they can demonstrate that leaving the data there can cause them undue stress. The EU are also aiming to introduce legislation to more severely punish companies that breach data protection rules and I was also looking at the implications for the UK.
I also looked at the implications of Brexit on innovation in the UK’s higher education sector. In particular, we looked at the potential implications of the loss of Horizon 2020 funding on UK science.
The report has been well received and was recently mentioned in a debate in the House of Lords.
How will the new EU regulation affect the UK?
We will be absorbing these new EU regulations because the UK’s break from Europe won’t have come into effect by the time the legislation is introduced. Looking back in recent history the UK has generally been at the forefront of cyber security regulation. It seems that even if we are not part of the European Union, companies will want to abide by these new regulations because they will want to trade in that market in some form.