In The Cuckoo’s Egg, author Clifford Stoll spent months tracking a Soviet Union-sponsored hacker based in Germany. The hacker managed to easily gain access to US military networks with default passwords – and in some cases, log in as “guest” with no password.
“Confidence in technology is now a public requirement,” said Ciaran Martin, Professor of Practice in the Management of Public Organisations, Blavatnik School of Government. “But no one designed the internet with security in mind.”
Martin was appointed the Head of Cybersecurity at the UK’s Government Communications Headquarters in 2013, before becoming the first CEO of the National Cybersecurity Centre. At GovInsider Live’s Festival of Innovation, he discussed security lapses on the Internet and how governments can move forward from here.
Security: nowhere to be found
When scientists were building the Internet in the 60s and 70s, few imagined how popular and essential it would become. Security was not a consideration. “We didn’t focus on how you could wreck this system intentionally,” said Vinton Cerf, an American internet pioneer.
But the internet grew “organically and incrementally” with the aim of “enhancing free connectivity”, said Martin. “A system evolved where people got onto the internet by giving away personal data for free.”
Using data as the “price of entry” has had drastic consequences. Hackers have used the very selling points of the internet – fast and open – to steal data from users, businesses, and governments.
This is a “terrible security model”, said Martin. Even if a more security-conscious consumer or organisation wanted to pay for security, “there’s no information out there, there’s no pricing.”
“And if consumers can’t change, then the industry has no incentive; security doesn’t pay,” he added.
Paying for security
So the solution is to “make security pay. Only then will secure by design follow,” said Martin. That means security is built into a product before it is taken home, instead of expecting users to take measures to make it safe to use.
Lessons can be learnt from how governments have made cars safer over the last 50 years, he added. “A bit like cars 50 years ago, there are too many defective products and services that we allow on the digital highway.”
Some of it involved education and laws. But “part of it is just making cars safer through engineering … in ways that people don’t see,” Martin said. “And there’s something around that for me in terms of what we do with the next few years of technology.”
In 2018, the UK was planning to put into law a “code of practice” for IoT security. “The aim is that you can tell whether the security updates will be done automatically, and if so until what year,” said Martin.
But in March, his team discovered “some flaws in a small number of web cameras,” he said. So we need to have “objective, measurable standards” for security.
“We don’t need to ban everything that isn’t as secure as it might be, but we need to give consumers … a choice to the information. Make security pay,” he added.
Collaborating for a competitive advantage
Today, the Internet has more borders than people realise, said Martin. “It would be great if there was a great digital treaty governing the whole of the world,” he added, but “the momentum isn’t there”.
Instead of giving up, countries can work together to build a “competitive advantage” in security, he said. The UK has worked with Estonia and Singapore to do so.
For instance, the UK signed a security pledge with Singapore last October to make IoT products secure by design. “If your digital infrastructure’s harder to target than neighboring countries, then hackers will go to the neighboring country,” said Martin.
Martin “longs for the day” when there will be greater international cooperation – but there isn’t, he said. “So we make the best of it.”
“Like-minded countries committed to a free and open internet, with good levels of skills and government and industry momentum, can work together to achieve some of the solutions,” he added.
Fostering transparency and resilience
“It will be a generational mistake that we mustn’t make, to get security wrong in the next phase of technology,” said Martin. In that mission, “hype is our enemy and transparency is our friend.”
There has been a lot of hype around 5G, that “everything is going to be dependent on it tomorrow,” he said. Take autonomous vehicles, for example. “We’re not going to have cars all over the road where the only thing between humans and a crash is the maintenance of a mobile phone connection. There’s going to be other things that need to be explained,” he added.
Governments also need to “assume cyberattacks all the time” and build that security into their systems, said Martin. “Unlike 25, 30 years ago, when the internet sprang up and some people saw it coming, but most people didn’t, the contours of the next generation of technology are reasonably clear.”
Whether it’s IoT, AI or 5G, the world knows what to expect. That is a golden opportunity to “get in now and make security part of the conversation,” he said. “So we’re not faced with what we’ve been faced with for the last 10, 20 years, which is retrofitting security onto a model that’s already there.”
By incorporating security into the next generation of technology, the world will stand a better chance of not repeating the mistakes made with today’s Internet.