Cybercrime, cyberterrorism, cybersubversion and so forth are all serious issues. Defending critical infrastructure from attackers ranging from Eastern European gangsters to agents of foreign powers and from management consultants to the HR department is obviously crucial to organisations that want to prosper in the digital economy. But we need new tools to help.
The nice people at the Fraud Advisory Panel invited me along to their expert stakeholder roundtable on “Protecting Consumers and Reducing Opportunities for Cybercrime”. The roundtable was held under the Chatham House Cyber-Rule, so I won’t be forever excluded from polite society by tweeting, blogging or whispering who said what, although I will say that the stakeholders represented included government and law enforcement. Here I only want to highlight a few key points from the discussion.
Naturally the conversation began with tales of the Dark Net, pedophile exchanges and assassination marketplaces but it quickly turned into a discussion about Bitcoin. My suggestion that we persuade all criminals to start using Bitcoin right away so that we could at least monitor and measure criminal activity didn’t gain much traction, and neither did my plan to prosecute the Bank of England for conspiracy to defraud Her Majesty’s Revenue and Customs by printing £50 notes. But I digress.
One aspect of the issue that I hadn’t considered before the meeting was the issue of consumer education. As was pointed out by some of the law enforcement people present, there are plenty of criminals out there right now using things like Western Union and people seemed to fall for the cons all too easily. Even those of a more libertarian bent (e.g., me) must be forced to think about how to protect people from themselves. This (to my mind) makes the appeal of sort-of-anonymous and non-reversible transactions even less appealing. Given that some of the projects we are working on for clients in the financial services sector are providing more input to thinking around this topic, I think I’ll put it to one side for the moment and return to this important topic into a future blog.
Anyway, to be completely honest I’m not sure that we got any closer to understanding what emerging cybercrime threats we should be factoring in to our risk analysis nor which technological vulnerabilities we needed to assess further. This reminded me that I had similar thoughts last year, when the organisers of the University of Cambrige’s Rustat conference on “The Cyber Revolution in Global Finance” were kind enough to invite me along to their event and take part in a panel discussion about Bitcoin and the future of money. The event had three main themes:
[From Rustat Conferences]
- The future of UK financial regulation and British competitiveness post-FSA.
- Cyber Innovation: for example, behavioural analytics; the rise of private cyber cash, new payment platforms, mobile banking, privacy and consent, economics of cyber security.
- Threats to national economic security from cyber crime and attack, and to the City of London from new financial capitals such as Shanghai and Dubai.
- How to optimise Cyber Finance collaboration between Silicon Fen and Silicon Valley, research, entrepreneurs, VCs, the City, government and security services.
The discussions were again conducted according the Chatham House Cyber-Rule, which meant that blogging and tweeting were allowed but no comments were to be attributed to any individual speaker, so I won’t mention anything that was said there except to note that I wasn’t at all convinced by the government and industry participants that they had any real mental model of the problem nor any narrative around workable solutions. I, naturally, tend to see the whole problem as being identity-related but of course that is also too narrow a prism.
To be fair, it’s quite difficult to create and maintain risk analysis on this kind of scale and I don’t think that we (i.e., society) are anywhere nearing understanding or dealing with the risk associated with cybercrime, cyberterrorism and cybersubversion. I did read a good paper about one useful approach recently — Paul and Vignon-Davillier’s “Unifying traditional risk assessment approaches with attack trees” in Information Security and Applications, 19(3) (2014) — so I’m not saying that we aren’t making process, but I can’t help but feel that the kind of risk analysis that we have used for years (in defence, finance, manufacturing and so on) must change.
Anyway, to the point. At the Fraud Advisory Panel, I mentioned a 1998 prediction by Paul Kocher, (then President of Cryptography Research), who said that breaking a crypto system is far more difficult than robbing a physical bank but potentially far more profitable. Hence, I was very interested to sit through the sessions that were about systemic attacks on the financial system, which gave me the idea for a challenge that I will share…
Thinking about systemic problems, I was trying to imagine scenarios where well-funded, motivated and expert attackers could do more damage to a bank than its own management could, but I do not know enough about the international financial system to be able to put forward a plausible candidate attack. Perhaps a correspondent might help?