CW@50: Fertile British breeding grounds for information security innovation

Computer Weekly is marking its 50th anniversary this year with a series of articles celebrating 50 years of British technology innovation. In this article, we look at the evolution of information security threats and some of the British innovation to counter those threats.

Britain has a proud tradition of innovation, but in the field of information security, much of this innovation has been performed under a cloak of secrecy. So, while some past innovations are only now coming to light, others may remain hidden.

Information security – once the concern of relatively few people in political, military or diplomatic roles – is now part of the everyday lives of the billions of people using computers, tablets and smartphones around the world.

However, back in September 1966 when Computer Weekly was born, few computer users would have had even the slightest concern about information security. They were more concerned about matters such as storage and retrieval of data, training for computer operators and analysts, and the potential export market for business-related UK computer technology.

Modern computing can trace some of its roots back to wartime innovation at Bletchley Park, which includes the development of mechanical computers known as bombes that helped decipher the Enigma code, and the Colossus computer that helped break the Lorenz code used to encrypt secret messages between Hitler and his generals.

It also turns out that information security, as we now know it, owes much to the efforts of those same pioneers because, at the end of the war, the Bletchley Park expertise in cryptography was rolled into the UK’s Government Communications Headquarters (GCHQ).

The invention of public-key cryptography is probably the single most important development in the history of electronic information security, according to Fred Piper, emeritus professor and former head of the information security group at Royal Holloway, University of London, but for years that innovation was claimed by the US alone, thanks to the secrecy of the work done at GCHQ.

Missed opportunity

The invention of public-key cryptography has long been attributed to US cryptographers Whitfield Diffie, Martin Hellman and Ralph Merkle, whose work was refined and implemented by Ronald Rivest, Adi Shamir and Len Adleman (RSA), but it was revealed in December 1997 that GCHQ cryptographers James Ellis, Clifford Cocks and Malcolm Williamson had beaten them to it.

However, GCHQ had failed to patent and commercialise their discovery because the work was classified as top secret. For the same reason, other British innovations in the field of information security may still be unknown.

“After almost three decades of secrecy, Ellis, Cocks and Williamson received the acknowledgement they deserved,” writes Simon Singh in his book The Code Book, noting that James Ellis sadly never lived to see the day, having died one month earlier on 25 November 1997.

Not bound by any secrecy classification, the RSA asymmetric cypher for public-key cryptography went public in 1977, four years after the GCHQ cryptographers had made the same breakthrough, enabling non-government computer users to protect data from unauthorised access, which is the core of information security.

But almost from the beginning, the US government sought to exert influence over cryptography standards and how cryptography was used, with the NSA starting to lobby to get a law that would regard all cryptographic information as classified at birth, recalls Whitfield Diffie.

Malware is born

Although information security has been a concern since ancient times, it only became an issue in the world of computing once formerly standalone computers were connected – about three years after Computer Weekly’s debut.

The first-ever connection between remote computers was established on the Advanced Research Projects Agency Network (Arpanet) on 29 October 1969, which was mainly enabled by the concept of packet switching developed by British computer scientist Donald Davies.

It could be argued that ever since the advent of Arpanet, information security in the modern sense has become increasingly important, particularly as Arpanet led to the connection of multiple networks and eventually the rise of the internet.

It was not long before the first piece of malicious software or malware made an appearance, with the detection in 1971 on the Arpanet of the Creeper worm, an experimental and relatively harmless self-replicating piece of software that used the Arpanet to infect the PDP-10 mainframes.

Before that, there had been several pieces of malware, but they relied on the sharing of floppy disks for distribution. In 1982, the Elk Cloner written for Apple II systems is considered by some to have been responsible for the first large-scale computer virus outbreak in history, and was followed by the first virus for MS-DOS machines in 1986 – the Brain virus – but these and others still relied on floppy disks.

The power of the internet was still to be harnessed as an efficient mass distribution tool.

It was at that time that one of the oldest British cyber security firms, Sophos, was founded by Jan Hruska and Peter Lammer to produce antivirus and encryption tools. Today, the company proudly claims a 30-year history of innovation.

Malware expands rapidly

As the popularity of email and bulletin boards increased, the first internet-borne malware began to emerge, with the Morris worm that infected internet-connected machines running Unix becoming the first widespread worm in November 1988.

In 1991, the internet went public with two million users of email and bulletin boards, and rapidly increased in size and popularity mainly because of the invention of the web browser by British scientist Tim Berners-Lee while working for Cern in Switzerland.

Web traffic increased exponentially in 1993 as internet users moved from email and bulletin boards to web-based services, with businesses soon seeing the value and potential of linking local operations to international transactional and storage systems.

But this revolutionary means of exchanging information came at a price, rapidly becoming a target for attackers typically in search of intellectual property data and personal data with the aim of making money through fraud and extortion, in addition to the activities of attackers pursuing the goals of state-supported cyber espionage.

By the mid-1990s, once-impregnable organisations were highly connected and highly vulnerable to attack, ushering in the first large-scale use of public-key encryption in the form of the secure sockets layer (SSL) computer protocol. This combines public-key and symmetric-key encryption to secure a connection between two machines, typically a web or mail server and a client machine, communicating over the internet or an internal network.

“Public-key cryptography was the technology that enabled e-commerce, e-government and all other online transactions,” says Royal Holloway’s Piper.

Information security industry expands with threats

In the 1990s, cryptographers recognised that the internet could only function if there were commercial private-sector solutions and if security could evolve to meet the challenges, according to US cryptographer Bruce Schneier, former chief technical officer of BT Counterpane. This essentially led to the rapid growth and expansion of the information security industry.

But not everyone immediately understood the need for information security or the future it would have, so when Royal Holloway introduced its first qualification in information security in 1992, not everyone was convinced.

“It is probably fair to say people thought we were nuts,” says Piper. “It turned out to be quite a good move, but nobody at the time – including us – foresaw just how important it was going to become.”

Another area where the UK has led innovation, he says, is in certification for penetration testing through the Crest not-for-profit organisation led by its president, Ian Glover.

“I am impressed by people who do things like Ian Glover,” says Piper. “As a result of his efforts, we have UK-based world standards for penetration testing, putting it way ahead of any other branch of cyber security.”

Although demand for information security products and services grew throughout the 1990s, it really accelerated through the first decade of the new millennium as cyber threats proliferated. By 2003, the amount of information on the internet had surpassed all other information in human history.

“IT security was being asked to defend more ground than any other interest in the history of our species,” says Schneier.

The Melissa virus was perhaps the most notable piece of malware in the 1990s, preceding a string of infamous worms in the early 2000s that included the LoveBug, Nimda, SQL Slammer, Blaster, Sobig, MyDoom, Netsky, Sasser, Koobface and Conficker.

However, the most famous worms were undoubtedly Stuxnet, Flame and Duqu, which introduced the concept of cyber weapons.

The decade also saw the rise of Trojans such as Zlob, Zeus, Torpig (Sinowal), SpyEye, GameOver Zeus and Regin, and remote access tools (Rats) such as Beast, Nuclear Rat and Bandook.

Since the 1990s, each information technology advance has created new vulnerabilities, in turn creating opportunities for information security innovation.

British innovation, GCHQ influence and legacy

In the UK, government in general and GCHQ in particular have been the natural breeding grounds for information security innovators, and since the Second World War, some of that expertise has gradually found its way into the private sector.

Many UK information security companies employ former government experts, while some government departments have been privatised and some products and services developed for government have been made available to businesses through government commercial organisations.

One of the most recent and high-profile examples of government expertise moving into the private sector is Iain Lobban, who retired as director of GCHQ in October 2014, and within a year was reportedly advising oil and gas multinational Shell and corporate intelligence firm Hakluyt & Company, itself set up by former members of secret intelligence service MI6.

As far as cyber security companies are concerned, one of the best but perhaps most unlikely examples is BT, which after the privatisation of British Telecommunications in 1991, became one of the UK’s leading suppliers of information security services, including distributed denial of service (DDoS) mitigation, managed firewalling, and threat monitoring.

British multinational defence technology company QinetiQ is another example of a UK company that emerged out of a former government department, owing its existence to the privatisation of part of the government’s former Defence Evaluation and Research Agency (DERA) in June 2001.

These and other British cyber security firms count former GCHQ and other intelligence agency members among their founders, leaders and advisers, but a fair amount of innovation has come out of the private sector too, although many of these firms have been founded by those with experience working with or for the UK government and military.

Innovative British cyber security companies that have arisen from the private sector include nCipher – acquired by Thales in 2008 – which was founded in Cambridge in 1996 to develop internet security products using advanced cryptography; Becrypt, formed in response to demand for mobile security in 1994; Digital Shadows, founded in 2011 to provide a cyber threat monitoring service; and, more recently, Glasswall Solutions, which innovates to tackle all document-based attacks with patented technology that breaks down every file to byte level, searching only for “known good” and matching the files against manufacturers’ standards to pass only clean, regenerated files on to end-users.

“We wanted to create a technology that gives organisations complete governance and control of every file that enters and leaves an organisation,” says Greg Sim, chief executive of Glasswall.

The military-grade cyber defence capability assessment tool (CDCAT) is an example of a tool that was originally developed for the military to help deal with the Conficker worm and is now being made available to commercial business.

The CDCAT cyber security management and maturity assessment tool was developed for the ministry of defence (MoD) by the UK Defence Science and Technology Laboratory (DSTL), but accreditation organisation APMG has since been charged with taking the risk management tool to market by Ploughshare Innovations, which manages the commercial licensing of defence technology developed by the DSTL.

The UK government appears to be recognising the contribution that can be made, rather than continuing the former practice of using secrecy as the reason for ensuring British information security innovation never found its way into commercial applications.

The year 2013 was a watershed, not for innovation, but for the revelations by whistleblower Edward Snowden about the mass internet surveillance programmes being run by the US National Security Agency (NSA) and allied countries, including the UK.

These revelations have since stirred much debate, particularly around the use and control of encryption, harkening back to similar debates in the 1970s, when public-key encryption was introduced.

How this debate will influence innovation, particularly within Europe in the years to come, is not yet clear. Another major influence on information security innovation and business models could be the final text of the UK’s draft Investigatory Powers Bill, which is inching its way to becoming law.

A short-term effect of the Snowden revelations, however, was to push the government into at least appearing to be more transparent. In June 2014, GCHQ announced plans to help critical national infrastructure firms defend against cyber attack in a pilot for sharing threat intelligence and to share declassified intellectual property to support new business ventures.

Under the government’s National Cyber Security Plan, there has also been investment in UK cyber security startups, with more planned for the future.

In September 2014, the government announced £4m funding for a competition to help small and medium enterprises (SMEs) develop ideas for countering cyber threats, and in January 2016, the government announced a £250,000 cyber security startup support programme that will offer help and advice to develop products and services and bring them to market.

British security startups

Existing UK cyber security startups with links to GCHQ and other intelligence agencies include the Falanx Group, which was founded by a former British Army officer and employs former members of the security and intelligence communities, and Darktrace, arguably one of the UK’s most successful cyber security startups.

Although Darktrace’s founders include senior members of the UK government’s cyber community from MI5 and GCHQ, it also has close links to Cambridge University, pointing to UK universities as another important breeding ground for British innovation in information security.

Darktrace, founded in 2013, has developed an innovative cyber attack detection system that is modelled on the human immune system and based on cutting-edge machine learning and mathematics developed at Cambridge.

“Darktrace is designed to be self-learning, to understand the behaviour of the enterprise and every person and device in it, to adapt by calculating probability based on evidence, and to do all this in real time as things are happening,” says John Dyer, account director at Darktrace.

Other notable British cyber security startups include real-time risk assessment firm CyberLytic, secure data transmission firm SQR Systems, which was the result of a research programme at the University of Bristol, password protection firm Silicon Safe, mobile security firm Wandera, data loss prevention company GeoLang, and high-end security services firm Corvid.

“A purely product-based approach to security is doomed to failure,” says Andrew Nanson, chief technology officer at Corvid. “Instead, you need a continually evolving platform of capability and to be as agile as the attackers.”

This is by no means an exhaustive list of innovative British information security companies, but illustrates that there is an abundance of such innovation and that it is finally moving out of the shadows of government and military secrecy into commercial products and services.

But the government continues to be pivotal and could play an extremely positive role. While recent announcements around cyber security funding and support for cyber security companies are encouraging, it remains to be seen if the various government initiatives truly deliver the help that UK cyber security firms need.

According to some of those companies, there is still much work to be done.
