Could a change in the way we look at ethical hacking be the catalyst for a more comprehensive attitude to cybersecurity? Would this secure our nation’s assets? Recently, I took a look at the Worldwide Threat Assessment of the United States for 2017[i]. This is an annually published document that details the high-level unclassified assessments of the US Intelligence Community for the year. It is released by the Director of National Intelligence (Dan Coats for 2017) and as such is an important barometer of global threats. This report regularly includes threats such as terrorism and weapons of mass destruction.
At the very top of this year’s report it reads:
Our adversaries are becoming more adept at using cyberspace to threaten our interests and advance their own, and despite improving cyber defenses, nearly all information, communication networks, and systems will be at risk for years.
Cyber threats have been on this list every year since 2011. In pointing to cyberattacks and data breaches as a global threat, the assessment is in accord with a World Economic Forum survey of global threats for 2017[ii] and a similar report by the Pew Research Center[iii].
If we overlook the small to medium scale cyberattacks on a global level, this year has still seen the WannaCry ransomware attack that hit the NHS[iv], the Petya ransomware attack[v] that hit firms and infrastructure across Europe, as well as the Equifax[vi] and Uber[vii] data breaches. In the UK we have been hit with a significant number of cyberattacks[viii] over the past year alone. Could we be due a far more crippling, larger scale attack, such as the attack on Ukraine[ix] that disrupted the country’s power supply? If so, how should we as individuals and as a nation defend ourselves?
In response to the growing threat, the UK government announced a National Cyber Security Strategy[x] in 2016 to make Britain “secure and resilient in cyberspace”. The vision for 2021 is that “the UK is secure and resilient to cyber threats, prosperous and confident in the digital world”.
The difficulty in producing such a strategy is that the digital landscape will be dramatically different in 2021. The strategy document acknowledges that the expansion of the Internet into ‘smart’ systems extends the threat of remote exploitation to a host of new technologies. As the systems that underpin our daily lives – power grids, air traffic control systems, satellites, medical technologies, industrial plants and traffic lights – are connected to the Internet, they become potentially vulnerable to interference. It is nigh on impossible to know what the technological infrastructure of the country will look like in five years’ time. Given that IoT, blockchain, connected cars, AI and so on are due to make an appearance over this period, could we be underestimating our potential vulnerabilities? It is genuinely difficult for those who work in IT to keep up to date with all of the developments that affect our own areas of specialism. How then would it be possible to mitigate threats so as to ensure that ‘the UK is secure to cyber threats in 2021?’
Prevention, as they say, is better than cure. So, could a general culture where we are more aware of cybersecurity be better for our national infrastructure?
Ethical hacking might hold the key to this. It is a non-destructive, “white hat” form of hacking, where all means at one’s disposal are used to gain access to a system. So, for example, social engineering techniques and phishing might be used to gain access to credentials. It also includes standard penetration testing techniques, such as port scanning and checking for known operating system vulnerabilities. Penetration testing is generally a more formal test cycle, where the organisation is aware that testing is taking place[xi]. This can form part of the development life cycle. It was recently reported that the NHS is planning to use ethical hacking[xii] to shore up its own defences.
This can only be a good thing. I would personally go one step further and recommend that ethical hacking be introduced into computer science qualifications from GCSE to degree level, and that it should also be discussed in schools. Anything that allows a greater focus on cybersecurity to reach a wider audience should be welcomed.
I would also say that hackers who exploit systems ethically, causing no damage (for example, physical damage or damage to reputation, such as the destruction or publication of data), and who seek to inform the owner of the system about the vulnerability and how to resolve it, should not be criminalised. The exploitation of computer systems in this way is currently a breach of the Computer Misuse Act[xiii] (unauthorised access to computer material). Instead, (possibly under GDPR legislation) any organisation that receives information on vulnerabilities should be held accountable for their remediation. In this way, we can aspire to a more open and collaborative approach to cybersecurity, involving those who know the most about the topic.
In conclusion, we are becoming a more connected world and this is set to increase dramatically over the coming years. Our dependency on technology is at an all-time high, and the disruption to our society caused by cybersecurity breaches can now have catastrophic consequences.
I feel that ethical hacking can begin to give organisations the ability to turn the corner on cybersecurity. It can help ensure that systems are resilient to the same types of attack that they might face in the real world. It may be argued that the higher the standard of ethical hacker, the greater the likelihood of Britain ‘becoming secure and resilient to cyber threats.’
[viii] UK hit by 590 ‘significant’ cyber attacks in the last year (source: Computing)