Day two’s keynote speaker Misha Glenny provided a different angle for everyone to think about – the human aspect of cyber security.
As a journalist, Misha admitted he didn’t know much about the technicalities behind cyber security, but set out that it is now about all sorts of things, not just technology. He opined that tech is just a small component of cyber security and that to understand the threat we also need to look at politics, psychology, military doctrine, and even anthropology. “It’s about risk management and above all it’s about people,” he said. “We have to know how these things all inter-link and why the human aspects are as important as tech.”
Misha went on to explain that essentially the threats we face now are the same as 15 years ago: social engineering, malware deployment, and hacking. The proliferation of devices and the desire for more data mean the problem we have today is one of scale.
“We have two big battles on our hands that will decide whether the internet either liberates or enslaves us,” he warned. “Those battles are what we can and can’t do with other people’s data and the competition between states. The internet is morally neutral – we will decide what it does and how.”
Misha divided his presentation into three areas: Communication, Threat Awareness, and Strategic Security Thinking.
“The greatest failure of the cyber security industry is communication,” he explained. “What we have to do is make computers and security interesting. We haven’t yet developed convincing narratives around why cyber is critical to people’s lives and they are still bored by it. On the other side, the bad guys have proved at a very early stage that they are very good at penetrating our psychology, and coming up with great stories and narrative to hook people in.”
He pointed to the rise of social engineering in Spear Phishing and CEO Fraud to highlight why users need to learn to read everything coming into their inboxes and to develop a different language awareness.
“It doesn’t matter what defences are in place around networks if humans aren’t able to read emails properly,” he explained. “We need counter narratives so people know their responsibilities when it comes to security. The old house metaphor rings true – you can have dogs, lights, fences, or patrols around your house, but if you open the front door and let people in they are all useless.”
He went on to say that TV and film dramas can really help change people’s understanding and get their attention – Mr. Robot for instance has the ability to be a hugely important and game-changing narrative, striking the right balance of geekiness with political idealism.
“Having talked to many people involved in the fight against cyber crime, barely five minutes goes by without them mentioning Sun Tzu’s The Art of War,” Misha said. “So what is so special about this?”
It boils down to one thing: Study your opponents and learn about them. How much do we know about our enemies? What sort of people are they?
“As part of my research, I spoke to as many criminal hackers as possible,” said Misha. “They come from all races, classes, and religions. There is only one demographic that is consistent – 96% of hackers are men*. They all begin hacking around the age of 12-16* when they haven’t yet developed a moral compass. They are trying to get away from their parents and the internet anonymity empowers them to be who they want to be.
“There are people out there who scour social channels looking out for kids with skills, and then recruit them in at a young age. Once they are involved in a crime syndicate it’s very hard for them to get out. We see this pattern repeated over and over again. We’re not engaging with them through schools and the police have a purely punitive approach, so presenting an alternative is a big challenge.”
Aside from communication, another area where cyber fails, Misha believes, is that there are not enough women in the industry. “The industry is a sea of men,” he said. “But when it comes to understanding the human element, which is a crucial part of our battle against cyber crime, women can offer these skills as well.”
He also believes that hacking has changed the face of traditional crime groups. “The nature of crime is changing in a very basic way,” he explained. “In the old days, you needed one thing in traditional crime gangs – the capacity to threaten with violence. Cyber doesn’t need violence, so the whole nature of crime is reorganising as we speak. Traditional crime groups have woken up to this and are employing the digitally literate.”
We need to understand this as well as what is going on politically and technically if we are to combat cyber crime strategically.
Unless we can reach agreement about basic cyber rules then we are all on our own. “This means companies of all sizes need to take responsibility for their own security. Everyone has to look after themselves and adhere to what Sun Tzu tells us – know your enemy,” he concluded.
You can get Misha’s book Dark Market – How Hackers Became the New Mafia on Amazon®
*Misha Glenny cited the above statistics as coming from the Hacker Profiling Project run by the United Nations Interregional Crime and Justice Research Institute.
© 2017 SolarWinds MSP UK Ltd. All rights reserved.