
Q&A: Professor Frank Stajano on the rise of cyber-attacks
Cambridge Professor for Security and Privacy divulges how security has evolved over time and the biggest threats to the business sector today


Despite the recent news of the NHS’s WannaCry data breach, and the leak of extremely compromising information by the Swedish Government, cyber-security experts are swiftly assuring the wider business community it’s not all terrifying news.
Last month, key security stakeholders gathered at Cambridge University with the unified mission of building a stalwart army of future “ethical hackers”. The key message to come out of the inter-university C2C cyber-security challenge was to spread awareness of potential threats and involve everybody.
Large-scale cyber-threats, particularly targeting IP-heavy businesses, are becoming increasingly prevalent and much more advanced. But beneath the surface, the avoidable issues are much the same.
Professor for Security and Privacy at Cambridge University, Frank Stajano, divulges what he thinks have been the biggest shifts in cyber-security in the 20 years he’s been studying the topic, and how firms can avoid falling victim to prevalent threats.
EGR Technology: Can you give us an insight into the C2C cyber-security challenge and how you are involved in it?
This is an initiative towards the students. Cambridge to Cambridge is an international competition for students of this Cambridge and MIT, one of the most prestigious technical universities in the world. We set this up last year as a way to build bridges between the academic cyber-security communities of the two countries. We started this with 15 MIT students and 10 Cambridge students in a competition of similar format to this one over 24 hours. Of course the scope was much smaller. Given the tremendous interest this raised we decided to carry it on. I ran another initiative at a national level called Inter ACE, standing for Academic Centre of Excellency. I’m the Head of ACE in cyber-security research for Cambridge and there are 13 of them in the country. We’ve invited them all to participate again for the second time this year in March.
I really have an aim to reach further across the talent pool to those at home who haven’t decided what to do at university yet. I want them to understand the very smart kids here are not much different or much older than them.
I especially want to inspire girls. I want to show them it is much more interesting than it is made out to be in the media.
Computer security is a very rewarding discipline to get into because what you do is at the foundation of the society of tomorrow, which is all digital.
The other long-term goal is really building the next generation of cyber defenders for the future of society.
EGR Technology: In a broader sense, how has the approach to cyber-security changed over time?
When I started doing academic research into cyber-security over 20 years ago my boss told me it was a waste of time and only for geeks. And now we’re very much in demand for academic work and also business consultancy.
Modern society depends so much on computers that if there is a security problem it affects everybody very directly.
We need to develop a new mind-set about developing software where security is not an option but is something designed within it from the start. The difficulty is that it is hard for the common user to see the difference between a secure and insecure product. To someone who does not have extensive security knowledge it all looks the same. On that basis there is not much incentive for the manufacturers of the systems to be very secure because they know nobody will pay extra, because they don’t know the difference. The setting is one where security is not very valued on the developers’ side. This is the main flaw we need to counteract.
From my viewpoint as a professional educator I do that by addressing the people who are going to become the software engineers of tomorrow. These defenders need to be more competent than the bad guys, to be able to find the flaws.
EGR Technology: Why have cyber-threats become more prevalent recently?
Cyber-attacks take quite a lot of ingenuity to find the vulnerability and crack the system. However, once the first person has done that it’s very easy to distribute that and anyone who is completely unskilled can replicate that. There are very many people involved in this just because it is so easy to apply something that has already been developed.
In the last decade we have seen what used to be just vandalism turn into criminal activity because they have now started to find ways to monetise the attacks. Phishing, which used to be just nuisance emails, has become a business where maybe a fraction of 1% respond, but when they do you can swindle them and otherwise it’s free and only time is wasted. Traceability being difficult, there’s a feeling that you can do it with impunity. As a society we want to make sure that we can trace where the attacks come from, and promise retribution to deter the attackers from engaging in this activity.
EGR Technology: What’s the main message in your cyber-security course?
My main message is that security can only be meaningful as a system; it’s not just the technology. I can teach the cryptography and operating system security access and all that, but it is not the technology that is the security infuser. My PhD supervisor once said that if you think cryptography can solve your problems then you don’t understand cryptography and you don’t understand your problem.
Security is about systems; only the whole system can be secure or not secure. Individual pieces of technology are neither here nor there. To summarise the whole course into one sentence, security only makes sense at a system level. If you’re drawing too narrow a view of what you need to secure then you’re most likely going to have problems. You have to consider all the outer layers of the onion, including people and organisations, if you want to make your system secure.
EGR Technology: What can businesses do to protect themselves from potential cyber threats?
You do need experts. This is why we’re doing things like C2C, so as to help close this gap. There are many more people that are needed in government and the industry that are competent in cyber-security than are available on the jobs market, so as an educator I provide courses, but the competition is a much broader outreach program.
EGR Technology: What do you believe to be the future of security?
Everything that is new will have some aspects that can be exploited if it hasn’t been carefully designed. You just have to make yourself a little bit more protected and make sure that when they go around rattling all the doors in the neighbourhood yours doesn’t open.