The concerns posed by cyber security go far deeper than whether the password on your Twitter account has been hacked. Mike Hughes talks to Rob Carolina, executive director of The Institute for Cyber Security Innovation at Royal Holloway University in Surrey.
Look around you. Pretty much every aspect of our lives revolves around the Internet, with more and more devices connected and performing functions. Global connectivity has been demanded by businesses and governments for years – and now it is here, and we still don’t know how to manage it. A briefing last year for MPs warned them: “The perils of connectivity seem only to be growing as the Internet of Things brings more devices online.
Already, it has been shown that hackers can assume control of car steering wheels, insulin pumps, baby monitors, toilets and central heating systems, raising the prospect of all sorts of cyber malfeasance.
“The Cyber Security Strategy acknowledges that it is not possible to eliminate cyber crime. But just as car thefts have been dramatically cut by preventative technologies such as immobilisers and alarms, cyber crime may be reduced by eliminating some of the opportunities available to prospective cyber criminals.”
Which means that cyber security has become a critical component of the web and new and radical approaches are needed to mend it, which is the point where Rob Carolina and The Institute for Cyber Security Innovation start their work, as a trusted, persistent presence that can bring together government, academia, industry, business, trade bodies and users, on an international scale.
The Institute needed to have a very different strategy if it was to be substantially more effective than what had gone before, so it turned the traditional model of research on its head, by listening first to end users and policy makers to develop projects that meet their short and medium term needs.
“The institute is here to help address the unmet cyber security needs faced by government and industry in the ‘here and now’,” explained Rob. “Our brief focuses on security in whatever form it might take and means we may be doing research and delivering solutions by working with sociology and psychology experts as well as business organisations. We are project driven, so whatever work we engage in has a specific beginning, middle and end, with a client, timetable and deliverables for which we can assemble the right team.
“That delivery team might come from any of our academic departments, but if we need to supplement that with different skillsets we will look off campus and into our network of trusted advisers and experts, or perhaps academics in other institutions.
“And the solutions we come up with may not be tangible like a piece of code or a product, it may rather be a cutting-edge report that assists an organisation to make a decision or some targeted research to assist the market generally.”
Rob and his team have built a formidable and global organisation, helped by the university’s own reputation as a centre of excellence. Royal Holloway is also home to the Information Security Group, a pioneering interdisciplinary group founded in 1990 to pioneer cyber security education, research and industry engagement. ISG is recognised by GCHQ as an Academic Centre of Excellence and Royal Holloway has been awarded a Cyber Security Centre for Doctoral Training (CDT) - one of only two in the UK. So the setting was perfect for the cyber security mould to be broken and for the Institute to commission and disseminate white papers, facilitate technical and policy briefings, organise workshops and networking and briefing events, and carry out product reviews and assessments.
Crucially in this highly entrepreneurial part of the UK, the Institute also plans to provide a fund and facilities for incubating promising start-up companies and tenant facilities for cyber security initiatives.
“One of the advantages the Institute brings is this idea of pushing engagement across
multiple departments. Where members of an academic department at any university are focused on their need to pursue and deliver research, the Institute is not focused on that,
but on engagement with industry and government to try to assess needs in the short and medium term.
“Royal Holloway is very privileged to be in the position of having a significant profile working in information security, and there is also a lot of internalised expertise on campus. Put that together with a large alumni base and it all informs our ability to do what we do.
“The university is acknowledging that delivering cyber security is a strategically important priority, so it would be harder to do this somewhere random and just putting a sign on a door.”
Like any high-tech sector cyber security is changing all the time, but the difference here is the pace of change, with challenges just a click away from threatening companies and destabilising economies.
“The puzzle certainly has a lot of moving pieces,” says Rob. “I have been working with people in this space for nearly 25 years now and I have seen this paradox where never before in human history have we had more expertise and knowledge, products and services. At the same time we have never had more complaints about the lack of cyber security, which is in part just a function of the pace of innovation in technology and the uptake of engagement.
“When I started the Internet was only just starting to be a phenomenon, but now it has been rolled out to pretty much any part of society you can imagine. So having become ubiquitous, we are now seeing an increase in connecting devices and people are talking about everything you own being connected in some fashion.
“This produces a whole set of challenges, and some of them are to with old technology as well, because some of the things being remotely addressed have been around for decades when it was assumed that there would just be a single operator on a local network. Now we live in a world where anything on a local network can now be connected to the Internet and guess what – these gizmos were not built with security in mind. That was nowhere in the design brief for these ICSs, or Industrial Control Systems.
“So there are some serious challenges ahead.”
This pace of change is frightening and leads to many short-sighted businesses accepting they will always be at risk, and losing interest in the steps they can take. It’s a scenario Rob is familiar with. “The simplest response is that safety is not a binary, in that you can’t just say’ I am safe or I am not safe’, that’s not how life works. I challenge you to find any other area of life where that is true, because when we talk about safety in cars, we know they are more safe than they used to be, but driving one is not risk-free.
“To businesses who say you can’t secure a device so why even try I would ask if they have locks on their front doors. If they have, then why – if it is possible for a clever burglar to pick the lock?
“We don’t expect a standard of perfection from safety devices, we expect them to deter the casual character or slow down the professional. How much effort you put into them depends entirely on the risks you are facing.”
For businesses in the South East those risks can be fatal. There needs to be awareness of the problem first, and Rob says the best way to tackle that is good old-fashioned face-to-face networking, and the South East is a vibrant and connected place to find those contacts and share best practice.
“It is an exciting part of the world to be in at the moment and I have seen a lot of exciting developments. It is a large region with a lot of room so that whatever kind of experience you want, you can find it here – urban, suburban or rural.
“And the closely aligned presence of so many technology businesses creates a great pool of talent for people with business goals. The confluence of expertise in mobile, computing, software, cyber security and gaming is remarkable and as long as product and service people are innovating on connected devices, there will always need to be innovation on cyber security.”
In that way, another cluster of ground-breaking sectors is created. The Enterprise M3 strategy of tailored support for the right businesses is attracting some of the UK’s most valuable innovators and its expertise in collaboration and teamwork is producing a feeling of shared responsibility that is one of the region’s hallmarks.