Cyber security is a moving target. The threats faced by individuals, organisations and infrastructures are constantly changing. Criminals regularly adapt their tactics as security measures are put in place to thwart known threats.
Computer viruses offer an example that reflects this constantly evolving landscape. Initially, computer viruses were mainly a nuisance that exhausted limited resources on a machine. They then evolved to harvest valuable data and information remotely. The most recent incarnations go beyond simple data harvesting and can actually perform complex financial transactions, for example, Zeus V3, or manipulate industrial control systems, for example, Stuxnet.
This trend is reflected in most other types of cyber threats, which is why predicting what types of threats we may face in the future requires a crystal ball. What we can be sure of is that we will continue to see some old foes, others will evolve to circumvent security measures and, inevitably, new types of threats, hitherto unforeseen, will emerge.
While we may not be able to accurately predict the exact types of threats, we can certainly look at the very nature of cyber space and understand from where these threats may emerge. We need to start by recognising we are getting better at dealing with the purely technical threats. These will continue in the foreseeable future, but there are already very good and sophisticated mechanisms available to ensure the resilience of networked information infrastructures while on-going research will continue to improve practices in this area. As such, new future threats are likely to mainly arise from three other directions:
The first is the intersection of humans and technology. The internet is becoming increasingly ubiquitous in our lives through an array of smart devices, social media platforms and e-services. Humans, however, intersect with these technologies in complex ways and it is at this intersection where new types of cyber threats are likely to emerge. In fact, often, human behaviour is shaped by the technology in question and, equally, technology is made vulnerable and is exploited by humans. We are already seeing a rising trajectory of so-called social engineering attacks, such as phishing and tailgating, that aim to exploit the vulnerabilities arising at the intersection of humans and technology. There is also an increasing exploitation of the fluid nature of identity afforded by these technologies, whereby digital personas on online social networks are used to establish trust with victims or wield influence among online groups. Note that too often there is a tendency to focus on humans as the weak point in cyber security. This mindset must change. It is the intersection of humans and technologies that leads to vulnerability – be it use of technology in unanticipated ways (and without malice) by humans that may lead to a threat or intentional exploitation by an insider agent to cause harm. This shift in perspective is crucial to understanding future cyber threats originating at this intersection.
The second is the convergence of cyber space and the physical world. In many ways the term “cyber security” is a misnomer. We live in a digital world where the notions of cyber space and the digital world fuse together. The internet is now embedded in a lot of physical infrastructure and is an integral part of daily lives. This convergence of the cyber and the physical is another potential pathway for future threats. Already, viruses such as Stuxnet exploit this convergence as do websites such as pleaserobme.com, which utilises publicly posted information on social media to predict when a property may be unoccupied.
The effects of the Arab Spring and the London Riots and the role the convergence of the cyber and physical world played in both sets of events are obvious to everyone. In fact, children and young people today are growing up with this convergence as the norm rather than an exception. As such it is critical to treat cyber security as integral to security in the modern digital world rather than developing isolated approaches for protecting cyber space. Otherwise threats arising at the convergence of the two will remain unchecked.
The final direction from which threats are likely to come is that of the partially-trusted online ecosystem. Modern organisations operate as part of a complex, partially-trusted eco-system comprising other organisations, a diverse range of third-party technologies, and end users operating in a variety of organisational cultures. This eco-system manifests itself in various forms: an organisation may be part of a supply chain, either at its head or as a participant, often transitively, or both; an organisation may procure specific technologies, software systems or services from other organisations; and end users may utilise new personal technologies or software services (from partially-trusted third parties) in their day-to-day working practices. Such partially-trusted settings are not an exception but a norm in modern business settings. Worryingly, however, a recent survey of cyber security practices in small- and medium-sized enterprises conducted by Lancaster University revealed there is little scrutiny of cyber threats arising from external out-sourcing. Understanding how cyber risk is constructed in such complex organisational eco-systems is critical if we are to build resilience to future threats.
In fact, we can invest in cyber security technologies, infrastructures, training and best practices all we like but that can only be effective if such capacity building happens on a global scale. In other words, an organisation or a nation is only as strong as the weakest link in the chain. This is reflected in the recent government announcement that a new UK centre is to lead efforts on global cyber security capacity building.
We must be proactive and not just reactive. The cost of cyber crime is monumental with estimates ranging from a global cost of between $250bn and $1tn per year. This is, of course, the financial cost. The emotional and physical harm that is often a direct consequence of cyber security breaches is immeasurable. And, of course, there is the indirect impact on the economy through lack of consumer and business confidence arising from a perceived lack of cyber security. In the face of such substantial costs, it is clear we cannot remain still. With criminals continuously adapting their tactics or identifying new pathways for cyber attacks, we must learn to anticipate from where future threats will emerge, something that can help us improve resilience in people, processes, technologies and infrastructures and put countermeasures in place rather than responding once the breach has taken place and the damage done.
[Image caption: The Arab Spring: when the physical and cyber worlds collided]
There should also be recognition of the role the global inter-connected nature of the internet plays in exposing individuals, businesses and public sector organisations to cyber threats. For too long the focus has been on protecting a single entity – an individual, organisation or a nation – against cyber threats. Not enough attention has been paid to the complex ways in which various entities interact online and are not only globally connected but also accessible. Lock-down approaches can cause more harm than good in terms of compromising social and economic benefits.
The internet is a global phenomenon and our response to future threats must be global. This must be rooted in embracing the openness of the internet to continue to foster creativity and social benefit. The future of cyber security is as much about approaches that can help preserve these opportunities for openness and innovation as it is about anticipating and counteracting the threats posed by criminals.
Professor Awais Rashid is director of Security Lancaster, an EPSRC-GCHQ Academic Centre of Excellence in Cyber Security Research.