Nations can no longer afford to go it alone on cyber-security

Cyber-crime knows know borders, so nor should our defences.

Senior representatives from more than 90 governments met in Seoul recently to discuss cyber-space, including cyber-security and cyber-crime. It was the third in a series of international conferences that has followed a push from the UK government to bring a more international perspective to discussions about how to keep cyber-space open while addressing threats.

Cyber-crime does not operate in a world confined by national borders so an international response is our only option. We need to cooperate to protect devices and information infrastructures from malicious entities seeking to steal secrets, deny access to critical services and exploit our identities to commit crimes.

Vulnerable businesses
There is much work to be done. Weaknesses in infrastructures, policy and operations leave us vulnerable and threats to businesses and individuals are frequent and damaging. For example, a sophisticated malicious software recently infected a PC at a small British bakery, then managed to bypass all of the business’s online banking security software and steal £20,000. There is no end to the news of malware, viruses and spam that affect online accounts and home computers.

Recent research indicates that four in five of the UK’s largest quoted companies are unprepared for cyber attacks. The widely reported threats to systems within finance and banking are an uneasy reminder of our vulnerability – and a key priority of the Bank of England and other financial regulators. Even those companies that you might expect to see outsmarting cyber-criminals are not immune. Just a few weeks ago software company Adobe admitted that its system had been hacked and that data from nearly 3 million customers had been stolen. Now there are reports of ransomware attacks across companies in East London’s hi-tech cluster of businesses.

Currently, too many decisions relating to cyber-security rely on inadequate evidence, inconsistent data, deficient reporting and varying rules across networks and systems. This inconsistency on data is apparent in UK government. Two years ago the UK Cabinet Office published a study by Detica, which estimated that cyber-crime costs the UK economy £27bn per year. It gave a breakdown by business sector and type of crime. This type of data is critical for governments, businesses and technology companies to plan appropriate security responses. However, a 2012 study undertaken by Professor Ross Anderson and colleagues for the Ministry of Defence calculated that a more realistic estimate would be closer to £12bn, distributed in significantly different ways to the Detica claims. This would suggest a different pattern of appropriate responses.

Defence beyond borders
A report to which I contributed, Now for the Long Term calls for the creation of an information exchange - CyberEx - to start tackling these issues. It could be funded by governments and businesses with an interest in collecting and analysing data on cyber-attacks to inform their own decisions about cyber-security. Each could share their own information and coordinate with others on responses to international threats. CyberEx could identify weaknesses in the global system, flag up suspicious Internet traffic and malicious software and help countries and businesses develop technical standards for their cyber-security efforts.

It could seek to minimise common vulnerabilities that enable the theft of sensitive information and the distribution of spam through systems, and work closely with international and domestic agencies to prevent common system attacks. The platform could also provide a useful mechanism for stakeholders to work together on responses to collective concerns, such as privacy protection. By providing an accessible, open platform for information exchange, CyberEx could help governments, businesses and individuals to better understand common threat patterns, identify preventative measures and minimise future attacks.

But you are only as strong as your weakest link, so CyberEx would also need to help developing countries improve their cyber infrastructure. For example, Professor Anderson’s MoD study concluded that significant numbers of “stranded traveller” scams and Advance Fee Frauds originate in West Africa, particularly Nigeria.

We are at the start of conversations with interested parties on the potential for CyberEx, so the details of how and where the exchange would be hosted are still to be worked out. The report’s recommendation is a starting point but it is an important one. It could move us closer to using an exchange platform to counter common but high-risk cyber threats. It is a conversation that must continue if we are to meet the challenges posed by increased societal dependence on information infrastructures.

Ian Brown receives funding from the UK Research Councils (currently EPSRC), the European Commission, and BT. He is on the advisory councils of the Open Rights Group, Privacy International and the Foundation for Information Policy Research.

This article was originally published at The Conversation. Read the original article.

The Conversation

We can't fight cyber-crime by ourselves. (Photo: Getty)
Getty
Show Hide image

Don’t shoot the messenger: are social media giants really “consciously failing” to tackle extremism?

MPs today accused social media companies of failing to combat terrorism, but just how accurate is this claim? 

Today’s home affairs committee report, which said that internet giants such as Twitter, Facebook, and YouTube are “consciously failing” to combat extremism, was criticised by terrorism experts almost immediately.

“Blaming Facebook, Google or Twitter for this phenomenon is quite simplistic, and I'd even say misleading,” Professor Peter Neumann, an expert on radicalisation from Kings College London, told the BBC.

“Social media companies are doing a lot more now than they used to - no doubt because of public pressure,” he went on. The report, however, labels the 14 million videos Google have removed in the last two years, and the 125,000 accounts Twitter has suspended in the last one, a “drop in the ocean”.

It didn’t take long for the sites involved to refute the claims, which follow a 12-month inquiry on radicalisation. A Facebook spokesperson said they deal “swiftly and robustly with reports of terrorism-related content”, whilst YouTube said they take their role in combating the spread of extremism “very seriously”. This time last week, Twitter announced that they’d suspended 235,000 accounts for promoting terrorism in the last six months, which is incidentally after the committee stopped counting in February.

When it comes to numbers, it’s difficult to determine what is and isn’t enough. There is no magical number of Terrorists On The Internet that experts can compare the number of deletions to. But it’s also important to judge the companies’ efforts within the realm of what is actually possible.

“The argument is that because Facebook and Twitter are very good at taking down copyright claims they should be better at tackling extremism,” says Jamie Bartlett, Director of the Centre for the Analysis of Social Media at Demos.

“But in those cases you are given a hashed file by the copyright holder and they say: ‘Find this file on your database and remove it please’. This is very different from extremism. You’re talking about complicated nuanced linguistic patterns each of which are usually unique, and are very hard for an algorithm to determine.”

Bartlett explains that a large team of people would have to work on building this algorithm by trawling through cases of extremist language, which, as Thangam Debonnaire learned this month, even humans can struggle to identify.  

“The problem is when you’re dealing with linguistic patterns even the best algorithms work at 70 per cent accuracy. You’d have so many false positives, and you’d end up needing to have another huge team of people that would be checking all of it. It’s such a much harder task than people think.”

Finding and deleting terrorist content is also only half of the battle. When it comes to videos and images, thousands of people could have downloaded them before they were deleted. During his research, Bartlett has also discovered that when one extremist account is deleted, another inevitably pops up in its place.

“Censorship is close to impossible,” he wrote in a Medium post in February. “I’ve been taking a look at how ISIL are using Twitter. I found one user name, @xcxcx162, who had no less than twenty-one versions of his name, all lined up and ready to use (@xcxcx1627; @xcxcx1628, @xcxcx1629, and so on).”

Beneath all this, there might be another, fundamental flaw in the report’s assumptions. Demos argue that there is no firm evidence that online material actually radicalises people, and that much of the material extremists view and share is often from mainstream news outlets.

But even if total censorship was possible, that doesn’t necessarily make it desirable. Bartlett argues that deleting extreme content would diminish our critical faculties, and that exposing people to it allows them to see for themselves that terrorists are “narcissistic, murderous, thuggish, irreligious brutes.” Complete censorship would also ruin social media for innocent people.

“All the big social media platforms operate on a very important principal, which is that they are not responsible for the content that is placed on their platforms,” he says. “It rests with the user because if they were legally responsible for everything that’s on their platform – and this is a legal ruling in the US – they would have to check every single thing before it was posted. Given that Facebook deals with billions of posts a day that would be the end of the entire social media infrastructure.

“That’s the kind of trade off we’d be talking about here. The benefits of those platforms are considerable and you’d be punishing a lot of innocent people.”

No one is denying that social media companies should do as much as they can to tackle terrorism. Bartlett thinks that platforms can do more to remove information under warrant or hand over data when the police require it, and making online policing 24/7 is an important development “because terrorists do not work 9 to 5”. At the end of the day, however, it’s important for the government to accept technological limitations.

“Censorship of the internet is only going to get harder and harder,” he says. “Our best hope is that people are critical and discerning and that is where I would like the effort to be.” 

Amelia Tait is a technology and digital culture writer at the New Statesman.