
Beyond the phone scam: how the threat is evolving

Are antivirus developers winning the battle against today’s cyber criminals? Microsoft’s chief security adviser, Stuart Aston, talks to Will Dunn

Cyber threats have been a reality almost since computers were invented, but they’re evolving. People carry their data with them in their pocket. The “Internet of Things” means that apparently inanimate objects can connect and communicate, and some companies are allowing their employees to use their own devices.

You might imagine this would cause the nature of threats to change dramatically. In fact, according to Stuart Aston, Microsoft’s chief security adviser, a lot of the dangers are well established. The good news is that a lot of the techniques for fighting back are well established, too; the bad news is that not everyone is adopting them.

First, the new stuff. The Internet of Things isn’t actually all that big a deal, believes Aston. “Any time we provide a device with some sort of connectivity, we should think about the security of that device – what it can do, what it’s connected to, what it knows and what it doesn’t know,” he says. “Then we should think about how it’s appropriate to secure that in a risk-management way.”

In other words, as other contributors have said in this supplement, it’s worth assessing what the risk actually is and how dangerous the information a device might hold can become. Smart light bulbs that allow themselves to be turned on and off remotely are undoubtedly connected, Aston points out, but if they’re hacked then the consequences are hardly disastrous. “Then the bad guy knows whether my lights are on or not. Is that a big threat? Do I care?”

The answer may well be yes, if the light bulb’s connection can be piggybacked to gain access to banking or other confidential details, but it might be completely harmless. The key is applying security technology intelligently, as distinct from the mainstream idea of aiming simply for ubiquitous cover. In business, in particular, it has to be a cold, detached decision.

“If I had a diamond in my house and I didn’t have locks on the doors, the bad guys could help themselves,” says Aston. “But if the cost of the locks and all the other security was more than the value of the diamond, I have to start asking how badly I want the diamond.”

Up in the cloud

The other idea that could provoke some disquiet is that of putting everything into the cloud. This is actually a strength, Aston believes. “We spend something like a billion dollars per year on cyber security at Microsoft, which is a big investment,” he says. “I doubt many commercial organisations can afford to spend that much resource on making their own services as secure.”

There are follow-on benefits from taking this approach, he believes. You start off with one customer whose installation of, say, Microsoft Office 365 is under attack in the cloud. Microsoft works out what’s going on and how to prevent it, and protects not only that customer but all those that use Office 365. “We use highly trained people to look at security events and react to them accordingly,” Aston says.

Cloud, when it’s done right, also helps companies in sensitive environments. “People know where the information is stored, how it is stored, and then you as the consumer of that cloud service can make a judgement about your risk – it does become a choice, because cloud is about choice. Many consumers are observing that and saying they’ll put a portion of their data into the cloud for a well-evidenced resource.”

The main documented threats still come from the traditional avenues, Aston explains: disguised malware, which might look like an email attachment, a video codec or something else that the end user will, the criminal hopes, install on their system believing it to be innocent. Once installed, it starts doing something else entirely: “It could install software designed to steal banking information. It could be a Trojan designed to download other malicious programs. It could be a root kit on a PC. It could be there for ransomware. It could be there to spy.”

Ransomware is a relatively new development. Frequently delivered by a Trojan, which is only the delivery mechanism, it establishes itself on a system and cuts off access to data unless a ransom is paid. Trojans have declined as a menace over the past year: Microsoft research shows that around 3.5 per cent of computers with reported malware have Trojans, as distinct from 5 per cent a year ago, but longer-term data suggest this risk is fluctuating rather than dying down.

Browser modification is another recent development. Here, a web browser is changed to make it show an unwanted advertisement (which sounds harmless, if annoying); to record keystrokes (less harmless if you’re typing in sensitive passwords); or to do any number of other things. At the same time, criminals are moving towards “social engineering”, observing how someone behaves on social media and when emailing – their signature, their general manner and so forth. They can mimic this behaviour, so that recipients of any messages become convinced they’re communicating with a friend or colleague. This friend or colleague then turns out to be stranded at an airport and needs a money transfer, or something similar.
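The impersonation pattern described above leaves traces in the message headers even when the writing style is a convincing copy: a familiar display name on an unfamiliar address, or a Reply-To that steers answers somewhere other than the apparent sender. The screen below is an added example written for this page, not code from Microsoft or the article; the address book, the sample messages and the payment-request keywords are all constructed for illustration.

```python
"""Added example: a header-based screen for the "stranded colleague" impersonation
pattern described in the text. Contacts and messages below are constructed samples."""
from email import message_from_string
from email.utils import parseaddr

# Hypothetical address book: display name -> the address that person is expected to send from.
KNOWN_CONTACTS = {
    "Alice Example": "alice@example.com",
}

# Phrases typical of the money-transfer pretext the article describes (constructed list).
PAYMENT_PHRASES = ("money transfer", "wire", "stranded", "gift card")


def screen_message(raw: str, contacts: dict = KNOWN_CONTACTS) -> list[str]:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_addr, reply_addr = from_addr.lower(), reply_addr.lower()

    # Signal 1: the display name belongs to a known contact but the address does not match.
    expected = contacts.get(from_name)
    if expected and from_addr != expected.lower():
        findings.append(
            f"display name {from_name!r} is a known contact but address is {from_addr}, expected {expected}"
        )

    # Signal 2: replies are redirected to a different domain than the visible sender.
    if reply_addr and reply_addr.rsplit("@", 1)[-1] != from_addr.rsplit("@", 1)[-1]:
        findings.append(f"Reply-To {reply_addr} points to a different domain than From {from_addr}")

    # Signal 3: the body asks for money in the way the pretext usually does.
    body = "" if msg.is_multipart() else (msg.get_payload() or "")
    if any(phrase in body.lower() for phrase in PAYMENT_PHRASES):
        findings.append("body contains payment-request language")

    return findings


# Constructed sample messages.
LEGIT = """From: Alice Example <alice@example.com>
To: bob@example.com
Subject: Lunch

Want to grab lunch tomorrow?
"""

LOOKALIKE = """From: Alice Example <alice.example@mail-example.net>
To: bob@example.com
Subject: Urgent

I'm stranded at the airport and need a money transfer today.
"""

REPLY_TO_REDIRECT = """From: Alice Example <alice@example.com>
Reply-To: alice.example@mail-example.net
To: bob@example.com
Subject: Quick favour

Can you arrange a wire before close of business? I'll explain later.
"""

if __name__ == "__main__":
    for label, sample in (("legit", LEGIT), ("lookalike", LOOKALIKE), ("reply-to", REPLY_TO_REDIRECT)):
        print(label, screen_message(sample) or "clean")
```

None of these signals is proof on its own; the point is that a mimicked signature cannot mimic the mail headers, so a check that combines them flags exactly the messages the article warns about without relying on the recipient noticing a change in tone.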

Rise of the robots

The social engineering phenomenon points towards humans being part of the problem. This is true to some extent. Easy-to-guess passwords and default security settings left on phones and other devices are a widespread security risk. (Remember the phone hacking scandal a few years ago – in which phones weren’t actually hacked. The criminals simply guessed that the owners wouldn’t have changed their voicemail passwords.) Today, people are talking about security more than they used to and are increasingly in the habit of reporting incidents, says Aston, which has to be a positive thing.

“In the Seventies and Eighties there was a spate of [fraudulent] double-glazing sales that were made over the phone,” he adds. “The callers asked for credit card details, and people were giving their details over the phone. So the person is also part of the attack.” Such scams are less common today, but can still occur.

However, automation is a major part of the equation. “The reality is that you’re looking at millions and billions of security events every day,” Aston says. “You can’t have someone going through all the code by hand and saying, ‘That looks a bit fishy.’ You have to generate machine-based algorithms to work out what’s out there. It turns out those algorithms are about 100 times more efficient than the humans, anyway.” There is a great deal of machine-to-machine learning happening, which helps sharpen the systems’ responses. So, logically, does this mean that the criminals can also use machine-to-machine learning? Aston suggests that the cost would be prohibitive, although the theoretical possibility exists. And with state-sponsored cyber crime now well established, it might be asked just how finite hackers’ financial resources could actually be in some cases.

But fighting the malware remains relatively straightforward, Aston says. Leaving the actual cure for the viruses and other malware to the giants such as Microsoft, there are simple practical steps that individuals can take, and that companies can train their employees to implement. “It’s quite common for identity to be used as part of an attack, and it’s a simple thing to protect against, or at least be aware of,” Aston says. “You can do a number of things. You can use multiple factors of authentication; you can use an authenticator; you can use smartcards or other mechanisms.”

Staying up to date

The other thing to do is to ensure that all software is up to date. “Many customers don’t have up-to-date software on their PCs, so the bad guy gets a free pass,” says Aston. “That’s not just from Microsoft’s point of view – every piece of software needs to be kept up to date.” This is normally achieved through automatic patching, although many customers find the update prompts annoying and switch them off. That magnifies the problem: not only does the security hole stay open, but the published patch itself advertises which specific vulnerability it fixes. The cyber criminal knows there will be systems in the field that still have that problem, so they know exactly where to look for the weakness.

“It’s like hygiene,” Aston says. “We go to the toilet; we wash our hands. We go to a hospital ward; we wash our hands or give them a spray. The chances of our getting sick are much reduced. It’s the same with updates and generic software.

“What we see for the UK is something like one in eight computers report an encounter with malware over a six-month period. Also in the last quarter, 3.5 per cent had Trojans, down from 4 per cent last year. Browser hijackers were at about 5 per cent for the fourth quarter of 2015.”

The figures might sound low but, given the sheer number of computers in the wild, they’re not. It’s arguably reassuring that the emergence of cloud, the Internet of Things and other innovations is unlikely to damage security, but it remains the case that the basics around identity are often ignored. Overcome this and, while it’s unrealistic to expect the threat to go away, it will at least be mitigated.

Will Dunn is the New Statesman's Special Projects Editor. 


China’s strategy to become the world’s strongest cyber power

Nigel Inkster, former operations and intelligence director of MI6, analyses China’s efforts to impose order on its vast online community.

When just over two years ago I began researching a book on China’s cyber power, mainstream western media were full of stories about China’s alleged programme of state-sponsored cyber industrial espionage directed against US and other western corporations. Following an agreement between Presidents Xi Jinping and Barack Obama in September 2015 that “neither the US nor the Chinese government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information for commercial advantage”, that story dropped out of the headlines. But the importance of China as a cyber power has not diminished, and understanding China’s capabilities and objectives in the cyber domain has become a key element in understanding its global strategic objectives. It is also an important prism through which to understand China’s long struggle to achieve modernisation whilst retaining its cultural and political self-esteem.

China came out of the Cultural Revolution in a state of economic and technological backwardness that demanded urgent attention. Its new leadership quickly grasped the important role modern ICT would play. Although the internet did not become accessible to ordinary Chinese citizens until 1996, the subsequent take-up has been dramatic. China has over 700 million “netizens”, the majority of whom access online services through smartphones. In 2015, the total value of online sales was $581bn, making China the world’s largest digital marketplace. The Chinese government has ambitious plans to switch from an export-dominated economic model to one based on domestic consumption, and to move up the value chain to break free of a middle-income trap. A key enabler will be an Internet Plus strategy that aims to integrate the real-world and digital economies.

In pursuing this, China’s government had to confront two vulnerabilities. The first is the potential of the internet to serve as a vector for subversive influences that challenge the Communist Party’s legitimacy. The second is a high level of dependence on western – largely US – technologies and software, seen as a security threat. From the outset China’s authorities sought to control online content through a combination of firewalls to filter externally generated content, regulation of service providers and censorship; the latter has become ever more technologically enabled but still relies on large numbers of censors and pro-government activists who promote and defend official views on social media sites such as Weibo.

The result has been a cat-and-mouse game in which China’s netizens have sought to bypass censorship by relying on the infinite capacity of the Chinese language to generate homonyms for terms which are banned, giving rise to a rich lexicography of online dissidence. But it is a game the authorities are winning thanks to technology dominance and the huge manpower resources devoted to an issue seen by the leadership as existential. This is not to say that the Chinese internet is characterised by an atmosphere of sterile ideological conformity; in many respects it is more vibrant and anarchic than its western equivalent and has been used to good effect by its citizenry to hold officialdom to account. But first under Hu Jintao and ever more under Xi Jinping, a climate of greater political and cultural conformity has led to popular bloggers – so-called Big Vs – being shut down. And China is unapologetic about asserting an approach to the internet based on the concept of cyber sovereignty, in effect its right to determine what its citizenry can access.

Meanwhile, China is pursuing a policy of indigenous innovation to reduce dependence on western technologies. Dependence on western ICT is such that when in 2014 Microsoft announced that it would cease supporting Windows XP, it subsequently had to make an exception for China, such was the country’s reliance on that system. That dependence will take time to erode. But there is a growing number of indigenous Chinese software companies; Chinese smartphones and other devices are increasingly competitive with western equivalents; and Chinese entrepreneurs have shown considerable ingenuity in developing and marketing a range of online services. As the Chinese state seeks to impose greater order on what to date has been an anarchic and insecure Chinese cyber environment, new laws have imposed greater demands on western companies, such as the provision of source code. China is seeking to leapfrog the west in key areas of ICT including artificial intelligence (AI), quantum encryption and quantum computing. And the Chinese government is facilitating the purchase by Chinese companies of western technology start-ups. By 2014, $22bn had been spent on such deals, which have significant medium-term implications for the competitiveness of advanced industrial economies including the UK, France and Germany.

The global outlook of China’s leadership is dominated by the so-called Century of Humiliation covering the period from the mid-19th century up to the founding of the People’s Republic in 1949 during which China was virtually colonised by the west. The determination not to repeat this experience has translated into a transformation of China’s defence posture from a land-based, low-tech, mass-mobilisation force to one that is increasingly based on a capacity for naval force projection with a view to securing China’s supply lines and protecting its growing range of overseas interests. Digitisation is seen as critical for China’s efforts to develop armed forces on a par with its only real comparator, the United States. This is exemplified by an ambitious reorganisation at the end of 2015 which led to the creation of a new Strategic Support Force that combines signals intelligence, electronic warfare and information warfare capabilities within a single organisation that also has responsibilities for space-based activities. After a long period of coyness PLA officers now talk openly of China developing offensive cyber capabilities albeit at a “moderate rate” and in response to the activities of states such as the US.

This posture also translates into a more assertive foreign policy, no longer merely concerned, as until recently, with ensuring peace and stability to permit economic development. China probably does not aspire to replace the US as, in their words, “global hegemony”. But it does wish to move from a global governance system dominated by the US and its allies to a world that is multi-polar and which respects different political and cultural systems, and to transition to a “new security concept” which, while broadly respectful of international institutions like the United Nations, also subordinates customary international law to the interests of major powers. Here too the cyber domain plays a major role, with China championing its vision of a global cyber governance and security order in which the USA is no longer predominant. This vision enjoys some support in the developing world, not least due to the activities of national champions such as Huawei and ZTE, which are building and operating core backbone IT infrastructure in countries that would otherwise remain on the wrong side of the digital divide.

To revert to cyber espionage, it is now clear that US threats of financial sanctions against Chinese companies deemed to have benefited from the theft of US intellectual property (IP) persuaded China’s leaders that this particular game was no longer worth the candle. The “noisy”, repetitive exploits that characterised so many cyber-attacks emanating from China are now much less in evidence. But cyber capabilities have become a major enabler of Chinese statecraft and are, inter alia, reducing the space within which overseas-based opponents of the regime can operate. For better or worse, China is transitioning from being a large cyber power to being a strong cyber power, and can be expected to play an increasingly prominent role in this space.

The west will have to get used to living in a world in which it no longer enjoys the unquestioned technology dominance to which it has long been accustomed.