the future of computer security and cybercrime
TRANSCRIPT
Franklin Heath Ltd
London Futurists: The Future of Computer Security and “Cybercrime” Craig Heath
@heathcr
09 January 2016
© Franklin Heath Ltd c b CC BY 3.0
lawyer lawyer ✗
mathematician mathematician ✗
computer scientist ✓
security engineer ✓
futurist ?
Craig Heath
09 January 2016 2
© Franklin Heath Ltd c b CC BY 3.0
“Cyber”
09 January 2016 3
Image Credit: “DarkAngelDTB” from DeviantArt Image Credit: Colin Foran (DeviantArt: “nathantwist”)
© Franklin Heath Ltd c b CC BY 3.0
How to Predict the Future (vaguely scientifically)
09 January 2016 4
Considering trends + thought experiments Where I’m looking for trends: my experience First job in software 1977 computer security specialist since 1988
history of information security Kerckhoffs 1883 Bletchley Park 1939-45
How far away is the horizon?
© Franklin Heath Ltd c b CC BY 3.0
Computer Security vs. Cybercrime
09 January 2016 5
Computers used to commit “traditional” crimes Roswell Steffen 1973 (embezzlement > $1.5M)
Unauthorised use of computers Stephen Gold, Robert Schiffreen 1985 Kevin Mitnick 1987
Breaching computer security has itself become defined as a new type of crime UK Computer Misuse Act 1990 US Digital Millennium Copyright Act 2000
© Franklin Heath Ltd c b CC BY 3.0
Trends: What Has Stayed the Same?
09 January 2016 6
Information theory & computer science Kerckhoffs 1883 Turing 1936 Shannon 1948 Saltzer & Schroeder 1975
Passwords easy to understand and implement
Social engineering attacks c.f. “rubber-hose cryptanalysis”
© Franklin Heath Ltd c b CC BY 3.0
Trends: What Has Changed?
09 January 2016 7
Number of devices, connectivity and bandwidth (109) billions, always-on with multiple Mbps
“Classic” crimes have moved online e.g. confidence tricks -> phishing
“Beta culture” continual enhancement and patching
Magnification of capabilities and consequences a fix can be rolled out to millions of users a single attacker can harm millions of users
The “attribution problem” nation state or a kid in a cyber café?
© Franklin Heath Ltd c b CC BY 3.0
Is Computer Security Getting Better or Worse?
09 January 2016 8
I don’t know any computer security professional who would argue it’s getting significantly better
I don’t know anyone who has stopped using the Internet because it’s getting significantly worse
Hypothesis: did we reach a sort of equilibrium in the 1990s that is acceptable to society, now maintained by governments and market forces?
© Franklin Heath Ltd c b CC BY 3.0
What Influences Might Tip the Balance? – 1. Downside
09 January 2016 9
Increasing complexity of computer systems if you don’t understand it, you can’t fix it
Increasing value available to attackers transaction limits increase ever more data goes online
Increasing ability to affect the real world “Cyber Physical Systems”
Better policing of non-computer crimes bad guys usually follow the path of least resistance
© Franklin Heath Ltd c b CC BY 3.0
What Influences Might Tip the Balance? – 2. Upside
09 January 2016 10
Market forces consumer awareness but see “The Market for Lemons” (Akerlof 1970)
risk of reputational damage cost of breaches and/or conditions of business insurance
Legal forces regulation (c.f. building regulations) licensing (c.f. chartered civil engineers) fines or compensation awards for affected consumers
© Franklin Heath Ltd c b CC BY 3.0
How Serious is Reputational Damage for a Company?
09 January 2016 11
The “Ratner Effect”
Ratner Group value:
1991 £680M
1992 £49M
...
2016 £7454M
Image Credit: “EG Focus” from Flickr
© Franklin Heath Ltd c b CC BY 3.0
Why I Don’t Believe Breach Cost Estimates
09 January 2016 12
2011 Detica report: “cost of cyber crime to the UK ... £27bn per annum” approx. £540 per year for each adult in the UK
Detailed response from Ross Anderson et al.: “Measuring the Cost of Cybercrime”, 2012 doesn’t venture a bottom line figure, but...
My experience: Costs of loss of IP are routinely vastly overstated Fraud losses are a normal cost of banks’ business
© Franklin Heath Ltd c b CC BY 3.0
Crystal Ball: Will the Equilibrium Hold?
09 January 2016 13
If security defenders just keep doing the same things, attackers will overtake us
Penetration testing and code inspection isn’t going to take us much further
Fundamentals need to be, and can be, improved better product development process better platforms better tools better developers