On the afternoon of October 26 last year the Metropolitan Police arrived at a house in County Antrim in Northern Ireland to arrest a 15-year-old boy for hacking into the TalkTalk computer network and stealing the personal details of 157,000 customers, including bank account and credit card details. In the days that followed, three more teenagers and a 20-year-old man were arrested in relation to the attack.
The idea that teenagers could overpower a major British corporation inflicting £60 million worth of damage came as a shock to members of the government, businesspeople and the public.
As part of the fall out, investment has poured into the fight against cyber crime. This week, the UK government announced plans to invest £1.9 billion in cyber security over the next five years, and the EU Commission separately says it will funnel €1.8 billion (£1.5 billion) into the industry by 2020. Last year businesses globally increased their security budgets by 24pc.
But law enforcement and corporations are still losing the fight against cyber criminals, the National Crime Agency admitted this week, reporting that the “accelerating pace” of criminal ability is outpacing the country’s defences.
“You’ve got the perfect storm of increasingly sophisticated cyber attacks and high adoption of cloud infrastructure,” says Alexis Scorer, a director at technology dealmakers GP Bullhound who specialises in technology.
“The ‘software as a service’ business model has been adopted by hackers, you can rent botnets by the hour. That’s how you’ve got 14-year-olds hacking into corporate networks.” Botnets are one of the weapons in a cyber criminal’s arsenal that can be used to send spam or take a company’s network offline with a Distributed-Denial-of-Service attack.
No amount of money will help overcome one of the greatest difficulties in the security industry though: the lack of skilled people. By 2019 there will be a global shortfall of 1.5 million security professionals, according to ISC Squared, a security certification and industry education body. And the numbers could in fact be significantly higher, given that there are already more than 1 million cybersecurity positions unfilled worldwide, according to a 2015 Cisco report.
Heading up the government’s move to train more cyber defenders is spook agency GCHQ, which sponsors academic bursaries, runs summer camps and training days, holds competitions and has created a cyber excellence accreditation for top universities and masters programmes. The intention is to spot talent in children and nurture them through their education, with the end goal being a career in the industry.
“It’s an interesting departure from our day to day work, but we have a role to play in this,” says Chris Ensor, a technical director for GCHQ’s information security arm.
This week the agency simultaneously set aside £12 million for training at its North Yorkshire base, with a focus on recruiting middle-aged and mid-career women, as it opened applications for the second round of its university bursaries for youngsters that show an aptitude for cyber-related subjects.
Ensor, who has worked for GCHQ for nearly three decades, is heading the secretive agency’s efforts to train young people. He has a broad Welsh accent, a shaved head with long silver side burns and wears a gold chain around his neck. During his time at GCHQ he has developed secure email networks for the British government and Nato, as well as helping secure its internet use.
For him, the reason the industry is short of people is that it’s still in its infancy. “Cybersecurity is a new subject, a new profession. We’re where medicine was a few hundred years ago,” he says. He believes that getting professionals in government and business to work with educational institutions is the best way to bridge the gap. “No one place can do everything. Academia can’t fix it, industry can’t fix it, government can’t fix it. But working together we have a really good chance,” he says. Although he admits, “There’s not necessarily a quick fix for the kind of numbers we’re after.”
Not everyone agrees that formal education is up to the task, particularly given the pace of technological change and the speed curriculums can adapt. Mikko Hypponen, the chief research officer at cybersecurity and privacy company F-Secure, says, “The niches in cybersecurity are so specific that universities don’t have the expertise themselves to run programmes for them all, or it’s not justifiable. So many of the courses are generic or very broad.”
There are just three universities in the world that offer courses relevant to F-Secure’s work, according to Hypponen. That means the best option for the company is to train staff itself and pick up talent from less traditional routes.
One of the ways Hypponen, who has been hunting cyber attackers for 25 years, thinks companies can connect with international experts is through bug bounty programmes, which allow ethical hackers who find holes in companies’ computer systems to report them and earn a reward.
The idea is that the rewards of disclosing flaws responsibly outweigh those for selling them to criminals online or using them maliciously. “When skillful people find vulnerabilities in your system you want them to tell you, you don’t want them to tell someone else,” says Hypponen.
“Every company should be running bounty programmes. And I don’t mean software companies, I mean every company. Because today every company is a software company.” He cites the example of Volkswagen, whose emissions scandal last year was the result of faulty software in its diesel cars. Looking around the hotel lobby we’re in, he says:“This hotel is a software company, a big part of their orders are coming in from the web.” Then he points at me and says, “You’re a software company”.
In the last two years alone, hackers have wreaked havoc on:
eBay asked 145m users to change their passwords after hackers stole customers’ names, addresses, numbers and dates of birth
A serious vulnerability was discovered in encryption technology used to protect many of the world’s major websites, leaving them vulnerable to data theft
A cyber attack on Sony Pictures Entertainment resulted in a huge data leak, including private details of 47,000 employees and famous actors
US Central Command (2015):
Hackers claiming links to Isil managed to take control of CentCom’s Twitter and YouTube accounts, changing the logo to an image of a hooded fighter
Ashley Madison (2015):
Hackers threatened to publish the names of up to 37m AshleyMadison.com customers – a dating website for adulterous affairs
Talk Talk (2015):
The website of phone and broadband company TalkTalk was hacked by cybercriminals. Names, addresses, email addresses, phone numbers and credit card/bank details could have been accessed in an unencrypted form
JD Wetherspoon (2015):
A database containing names, email addresses, birth dates and phone numbers of of 656,723 customers was hacked. The company insisted only an “extremely limited” number of credit card details were taken
Major technology companies have been using bug bounty programmes for a few years, including Google, Microsoft, Facebook and Tesla. “Bug bounties make it attractive for researchers to look at a piece of software and find issues,” says Adrian Ludwig, lead engineer for Android security at Google. “They also reach across borders and find talent where it happens to be. We have a lot of talented people in China finding security issues.”
But even with bounty programmes, and education schemes, we won’t be able to train the army of cyber defenders needed to tackle the snowballing problem of computer insecurity, according to experts. From resources moving to the cloud to employees logging on from an unknown number of personal devices, it’s nigh on impossible for businesses to keep a handle on their systems. The security department behind Android, for example, has billions of apps, devices and pieces of software that it needs to keep secure.
“The biggest challenge is to be conscious of what’s going on and make decisions that can be very short term: do I fix this bug or that? Do I spend the next six months fixing bugs or do I ignore those bugs and invest in other features that make them obsolete?” says Ludwig, admitting that for many companies,“most security at this point is random, completely random.”
To bring some order to the chaos, Google has built an artificial intelligence that works with its security team. Called Safety Net, the learning machine analyses almost a billion Android devices every day and checks for problems. If it detects any patterns, either in a certain location, type of device, or program, it alerts the security team so that they can look into it. “We’re looking at billions of pieces of data every day,” says Ludwig.
Security experts from the industry, government and national security think artificial intelligence will help develop the defences needed to secure against increasing attacks. Like Google, IBM has put its cognitive machine Watson, best known for beating two human competitors at the television game show Jeopardy! in 2011, to work in its cyber security department.
“Even if we really run hard we probably won’t get to 1.5 million,” says Nick Coleman, global head of IBM’s cybersecurity and intelligence division, and former National Reviewer of Security for the UK government. “We have some really skilled people, but there aren’t enough of us.”
Security professionals are drowning in data. From flaws in their own systems to potential threats, attempted attacks, and successful breaches, the information they need to sift through is endless. “With cognitive computing we’re moving to an era where information will be presented as what’s relevant,” says Coleman, helping save security analysts time.
The UK leads in machine cyber defenders thanks to startups such as Darktrace and Cyberlytic. Darktrace, which this week announced an extra $65 million in funding from New York private equity firm KKR, is already moving security artificial intelligence beyond a human help tool, with a program that can autonomously spot and fight attacks in real time, buying security teams time to figure out a response. When the system detects an infected machine, for example, it can isolate it or slow down its activity to minimise the damage.
“This puts a company back on the front foot against cyber attackers who gain the ability to neutralise fast-moving attacks, such as ransomware,” says Dave Palmer, the director of technology at Darktrace, which is run by ex-intelligence experts from GCHQ and MI5 and whose customers include BT, Drax Power Station and Virgin Trains. “Only machine learning can match the speed and intelligence of these novel attacks.”
As attackers take up more sophisticated, automated tools and attack with more frequency, the combination of skilled people and intelligent machines will become even more imperative if breaches such as that against TalkTalk are to be prevented.