After attending multiple smart city-type events, it is interesting to sit back and take stock of the common themes but also what’s missing. And in many ways the topic that receives scant attention when everyone is thinking about innovations is the thorny one of security.
Almost daily mainstream media headlines about attacks don’t seem to bring the subject into sufficient focus for many people. Eyes glaze over until the moment it’s your business or device that’s hit, then it’s a crisis.
A key issue is the fact that the more interconnected we are, the more entry points for the bad guys, whether individuals, groups or nations. In a world where every streetlight will have 5G-enabled sensors, how many entry points is that? Or – as the financial services sector showed in spectacular fashion – if decisions and processes reside within black boxes, who really understands what’s going on? And if these are hacked, how would you spot it?
Of course, it is human nature to want to concentrate on the exciting new ideas, without people pouring cold water on them, but there has to be a robust discussion, and robust risk management, of the vulnerabilities these ideas introduce.
Open up – it’s good for everyone
When security is discussed, a lot of talk is now about better sharing of information as a means of prevention. A typical sentiment came from UBS Group CEO, Sergio Ermotti, a couple of years back: ‘Don’t create a stigma or taboo that you have been attacked.’ However, there is clearly some way to go.
Here is a sector, like many others, that tries to keep its bad news under wraps. How much sharing of information really happened after, for instance, the February 2016 attack that saw hackers steal $81 million from Bangladesh Bank’s account at the Federal Reserve Bank of New York via fraudulent messages over the Swift interbank network? The attackers set up four accounts at Rizal Commercial Banking Corporation in the Philippines in May 2015 and left these dormant until, using malware linked to Swift’s Alliance Access device, by which banks access the network, they transferred the funds from the Fed over a long weekend. The attackers deleted the confirmation messages that would have tipped off back office staff.
In the months after the breach at the Bangladesh central bank, the investigators, security firm FireEye, were examining possible breaches within at least twelve other banks linked to the Swift network that appeared to show similar irregularities.
Some cooperation but not enough
Professor Marco Gercke, director of Cologne-based Cybercrime Research Institute, is one of those who has called for much better cooperation. The same offenders will use the same tactics elsewhere, he has pointed out. So defenders need to share tools and tactics, just as the attackers do.
There are sectors that have been badly hit, such as US retailers, that have subsequently put in place agreements for the exchange of information. It is starting to happen in other sectors but not quickly enough. In financial services, there is now some cooperation between banks on a national basis or cross-border, such as within the Cyber Defence Alliance, but there is still a long way to go.
A key reason why it is so important to openly share information is the fact that, as observed by Bruce Schneier, a US cryptographer, computer security and privacy specialist, and writer: ‘Attackers have a first-mover advantage. We tend not to secure things until the attack has happened.’ And, of course, the attackers only need to find one vulnerability, whereas the defenders need to secure ever more complex and – crucially – interconnected systems.
Interconnectivity – the down-side
That interconnectivity and the fact that more or less everything is now a computer means we’re moving to a world where computer security becomes the security of everything. ‘It is no longer a web you connect to, it becomes a world you live in,’ said Schneier. In the first, data is lost, maybe also money and face; in the other, people die. The biggest concern is the ‘Six Sigma hacker’ – i.e. the expert who doesn’t make one car crash, he makes every car crash, who doesn’t make one ATM spew out money, he makes every one do so at once.
Rob Wainwright, director at Europol, the EU’s law enforcement agency, has warned of the ‘relatively low levels of digital hygiene,’ with recycling of ‘pretty old cyber tools’. There is a need for better staff awareness and for security to be a mainstream issue, not compartmentalised, he added.
The defences that have been built are often a patchwork of sticking plaster, applied over time. Some organisations might have 100+ security products, which is like putting a different alarm on every window and door in your house.
What can be done? Gercke has argued forcefully for real-life preparation, simulating and planning for events such as the moment the message arrives that the hospital’s data is corrupted and will be lost unless a ransom is paid within 15 minutes, to use a recent real-life example. The response, communications and recovery need to be put in place and tested, with involvement from all relevant teams, including senior management, HR, legal and communications.
Smart or stupid intervention?
There is also a human aspect in that the hardest resources to hire are typically cyber people – anyone advising a tech-oriented youngster on a sound career move might point them in this direction.
More government involvement in cyber security is inevitable. When it was ‘just data’, said Bruce Schneier, governments kept away but when people start dying and property is destroyed, that will change. ‘It will need much heavier regulation, I might not like it but I think there is no alternative… the choice will be smart government intervention or stupid government intervention.’
There is then the problem that regulation tends to be industry-specific, which doesn’t work in an interconnected world. This might mean, he felt, that devices will start to be disconnected if they cannot be secured: ‘We will make more conscious decisions’. In terms of the dangers of interconnectivity, he cited the ability to take down a city’s power grid by hacking an individual air conditioner.
Security isn’t a topic just for the IT, data protection or security specialists within an organisation; it is essential for senior decision-makers as well, so that it directs strategy and planning from the outset. At the least, the fact that regulations are increasingly making those senior managers accountable in the event of breaches should focus their minds. On the one hand, event organisers could come up with security streams for their smart city agendas; on the other, there’s still no guarantee that anyone would turn up, despite plenty of wake-up calls and warnings.