Dark Reading is part of the Informa Tech Division of Informa PLC


Threat Intelligence

2/2/2017
12:00 PM
Mark Flegg
Commentary

A Hogwarts For Cyber Protection?

How the UK is minting a new generation of cybersecurity wizards.

Never let it be said that the British don't do things with style. In the years leading to World War II, they recognized the need to break enemy codes, and ran crossword puzzle contests to find recruits for their ultra-secret Government Code & Cipher School—also known as GC&CS, or Bletchley Park.

The resultant genius of codebreakers such as Alan Turing is believed to have shortened the war by two to four years, and to have assured its outcome. Surely the mystique of Bletchley Park led to the smooth, sophisticated 007 spy-hero archetype—as many of Bletchley Park’s cryptanalysts came from Oxford and Cambridge.

Now there is a new war underway, and the British have been among the first to recognize it: they’ve taken the threat of cybercrime and online infringements seriously, and began a government-supported campaign to protect online rights of normal citizens while America was still revelling in the unbridled, wild west freedom of the Internet. The British have a National Museum of Computing and, as a modern-day equivalent of the crossword puzzle contest, a set of competitions called Cyber Security Challenge UK that presumably function as high-level testing and recruitment tools.

Now they’ve established a new school of cybersecurity wizardry — the National College of Cybersecurity is slated to open its doors — where else? — at historic Bletchley Park. This investment in the UK’s defense against cyber risks is good news, and represents a collaborative effort between the industry and government in facing the challenge of skill shortages.

The National College of Cybersecurity also seems to be taking a smart approach to recruiting a student body by accepting the most gifted 16- to 19-year-olds, selected through aptitude testing or on the basis of their technology skills, rather than academic qualifications. Alastair MacWilson, chairman of the Institute of Information Security Professionals and also of the non-profit group Qufaro, which is setting up the new college at Bletchley Park, has said that this is a way to tap into critical talent that the UK otherwise risks losing. Smart.

Unfortunately, it’s not enough. For businesses in particular, the scale and immediacy of the cybercrime challenge is so great that not even a new generation of Bletchley code breakers can be expected to crack it alone.

And, as it so often goes with technology, the timing isn’t fast enough. The new college won’t see its first students until September 2018. By the previous May, the EU General Data Protection Regulation (GDPR) will almost certainly have come into force. By the time Bletchley can even open its doors, businesses will already face enormous fines for data protection failures—up to €20 million ($21.2 million) or 4 per cent of their global revenue, whichever is higher—in addition to new obligations to notify authorities and their customers of any breaches.

I alluded earlier to the skills shortage in this critical field. A recent study by the International Association of Privacy Professionals estimated that businesses worldwide will need to hire at least 75,000 data protection officers in the next two years to be in compliance with GDPR regulations. Surely the 500 students making their way to Bletchley in 2018, even added to the recruits garnered by the Cyber Security Challenge initiative, can’t begin to address the scale of the global skills shortage.

Nothing Is as It Once Was
Western culture has entered an astounding period of valuing people and attributes that would previously have been held criminal, or at best out of line by any standard of civility. In the case of training cybersecurity agents, the pool of tech-savvy young people attracted to Bletchley also represents a steady flow of cyber attackers, who may be motivated by money or simply boredom. Last year’s TalkTalk breach, which affected 156,000 of its customers, was pulled off by a 16-year-old who told officials he was "just showing off."

For many cyberattacks, no great expertise is actually required—hacking tools are widely available online, as are numerous offers of cybercrime-as-a-service. As a result, there’s an increasing number of unsophisticated attacks that can nevertheless cause widespread damage to the unprepared. In other cases, though, as the US presidential election campaign seems to have demonstrated, state powers actually put resources behind attacks that few businesses can hope to match.

It’s heavily ironic that savvy (if not particularly well trained) millennial-and-younger "digital natives" are pitted against business leaders who, in general, have much less technical knowledge. Around the world, C-level execs lack deep technical experience—for example, a recent review of 100 global banks found that only 6 per cent of their board members had professional backgrounds in technology.

Yet regulators, customers, and the media expect businesses to counter these threats, and it’s not going to get easier. If the breadth and sophistication of the technological landscape develops geometrically, the scope of attacks develops exponentially. Last October, in a watershed moment for distributed-denial-of-service (DDoS) attacks, the assault on Dyn took down Twitter, Netflix, PayPal, and Spotify. The Mirai botnet’s ability to harness a vast network of devices in the Internet of Things translates to massive IoT attacks that can now be launched easily and cheaply. This is a risk for nearly every business.

Between the ever-moving target of these disruptions and the growth in regulatory penalties, businesses need to look again at the costs and benefits of cybersecurity measures. They will need to take a layered approach, and understand that there will be no single or static answer. They’ll need to examine the capabilities and robustness of their third-party providers—for example, checking the bandwidth of DNS providers and the defenses they have in place. Of course, they also—always!—need more sophisticated, experienced people in-house. But they can begin by instilling a culture of good cyber hygiene among current staff, and educating them about the risks so they can avoid at least the most widespread, if unsophisticated, threats.

Let’s not underestimate the problem: cybersecurity is a brave new world, and we need well-trained wizards to proactively navigate it. The US could take a page from the Brits, not only in taking an active hand in training its own anti-cybercrime forces, but in acknowledging the breadth and seriousness of the problem.

Mark Flegg is global product director of domains and security at Corporation Service Company (CSC). His expertise is in cybersecurity technology, focusing on DNS, SSL, and DDoS protection. CSC is a legal services organization providing matter management, corporate compliance, ...
 
