Businesses, government departments and academics are to collaborate to find solutions to some of the most pressing cyber security problems facing the private and public sector.
An initiative from Royal Holloway, University of London aims to bring together experts from across multiple disciplines including cryptography, psychology and criminology to find rapid solutions to escalating cyber crime.
The Institute for Cyber Security Innovation has been set up by the university at a time when organisations are facing unprecedented threats from organised crime, state-sponsored hackers and malware.
Authoritative research by PwC showed the number of data breaches increased by 14% in Europe in 2014, with each incident costing industry an average of more than $2m.
Technology director and executive director of the institute Robert Carolina said security technology is now the best ever seen by industry.
"Research is deep and focused," he said. "We have never had more experience in cyber security, but we have never had more complaints.”
More on cyber security
- Banks play down cyber attack levels
- East Midlands gets cyber threat sharing node
- How to source cyber threat intelligence
- Nato and business join forces to tackle cyber security threats
- Ransomware on the rise, warns cyber threat report
- UK cyber threat sharing ahead of target, says Cert-UK
- Many firms still unprepared for cyber attack, EY survey shows
- Government mandates Cyber Essentials for public-sector supply chain
- Cyber Essentials ensures SMEs protected, says Databarracks
- European online transactions under cyber attack, says payment council
- UK is prime target for cyber attacks, says FireEye
- Why are UK micro businesses unprepared for cyber attack?
The project is part of a wider initiative by the university to develop a cyber security hub that will help to incubate security startup companies and potentially develop investment funds to promote security.
Security experts need to work in a more co-ordinated way if they are to keep pace with cyber criminals, said Carolina.
He argued the security industry has become too fractured with cryptographers, mathematicians, forensic specialists and business specialists working on the problem in silos, rather than pooling their resources.
“The pace of innovation is very fast. The bad guys are hacking on an agile basis and are out innovating the good guys,” he said. “We need to work together to become as agile and as fast as them.”
The institute has begun its first project with pharmaceuticals company GlaxoSmithKline (GSK) – a major research programme looking into ways of preventing employees inadvertently clicking on links that lead to malicious websites.
The project will bring together technology experts with psychologists and will use eye-tracking technology to work out how normally vigilant people can be duped into clicking on malware.
GSK chief information security officer Robert Coles said one of the ways attackers get into an organisation is by tricking people into clicking on links or attachments in emails and exploiting vulnerabilities in software running on PCs.
“If we could persuade people to be more vigilant and not to click on links and attachments it would eliminate this attack method,” he said.
The institute is also in discussions with a communications manufacturer on a research project into advanced areas of encryption, with more projects expected to follow.
Identifying the problem
Experts from the institute aim to work with governments and industry to help them identify the most critical security problems.
We don’t want to be seen as a government, industry or politically led organisation
Robert Carolina, The Institute for Cyber Security Innovation
The group will aim to deliver usable results within six months or a year, depending on the project, rather than follow three-year academic research cycles.
“If we come to industry with a defined project, with a defined outcome in six months, it won’t lead to a product, but it will produce a framework or a standard that will improve the state of cyber security and will attract funding,” said Carolina.
The university plans to build on the work by creating a security hub that could attract established security firms and help develop startup businesses over the next one to three years.
“We need to develop a centre of innovation, to become a destination where people want to be and want to be seen to be,” said Carolina.
He added that the work will require the development of venture capital funds that are ready for the security industry. “It's very difficult to plot a path to success in this space. It’s a much more troubled path for business growth.”
The institute also aims to build bridges between politicians and computer security experts to improve regulation and legislation that impacts their work.
Because it is based in academia, the institute will have the advantage of being seen as politically neutral, said Carolina: “We don’t want to be seen as a government, industry or politically led organisation.”
Recruiting security experts
The institute is now looking for security specialists, including chief information security officers, business leaders and policy advisers to join the organisation's advisory board.
“Basically I am looking for people who want to come along and complain about what is wrong in security and the problems they face,” said Carolina.
Reformed computer hacker Gary Mckinnon, who fought a 10-year battle against extradition after being accused of hacking into the Pentagon, said the initiative was a good idea. But he warned the weakest link in any computer security system was not technology, but human error.
Read the latest research on security
“Weak passwords, leaving machines turned on when no-one is using them, clicking on email attachments with embedded malware, not applying the latest security patches and so on are the biggest risks facing businesses,” he said.
Each year the US has published the same, long list of security vulnerabilities which are simply the result of human action or inaction, as well as insecure programming methodologies, he said.