Avoid infosec mistakes of the past, urges Robert Hannigan

Cyber security should not be an end in itself, but be about enabling exciting things for the future, according to Robert Hannigan, chair of Lorca Industry Advisory Board and former GCHQ director.

“The possibilities offered by new uses of data are fantastic, especially in areas such as healthcare, so it is absolutely critical that we get it right,” he told attendees of the Lorca Live event at London’s government-backed Lorca cyber security innovation hub.

However, Hannigan said people need to trust new technologies, and trust depends on the right combination of technology and human behaviour.

“That is the challenge and the opportunity for emerging and existing cyber security innovation companies that are enabling a future based on an appropriate level of security and trust, and an appropriate level of risk,” he said.

Hannigan observed that public debate has finally woken up to the fact that the global economy, every company and individual is sitting on an IT infrastructure and an internet that is “fundamentally insecure or has some insecurities built into it” and is reliant on a supply chain that is “getting ever more difficult to understand, let alone trust or secure”.

This has led, he said, to a complete change in thinking by governments about trust. “Cyber security has always been about trust. Essentially, all cyber attacks are an abuse of trust, either by persuading a person to trust something they shouldn’t or by getting a machine to trust another machine when it shouldn’t by exploiting vulnerabilities.”

Old challenges around identification and authentication remain, but what it changing, said Hannigan, is that the stakes are continually rising.

“The reason people are getting so excited about things like 5G is not because the technology is so different, but because the critical dependencies are much greater than ever before,” he said, adding that things like healthcare, which will be transformed by 5G and artificial intelligence (AI) depend on getting trust right so that people will use those services.

“The stakes suddenly just got higher, which is why governments are really worrying about it, but on the positive side, what they really want to build in trust and security early.”

To address this, Hannigan said there are three key things to do. First, understand the risks better such as the complex and deep interdependencies in modern supply chains. “Many companies do not really understand the vulnerabilities in their supply chains and the risks they are exposed to as a result.”

Second, he said, security needs to be retro-fitted to infrastructure that was not designed with security in mind. “An obvious example is the trusted platform module, where industry worked together to show that it can be done.

“And the third thing we need to do is to ensure that everything we build is secure by design and by default, and every government is worrying about this,” said Hannigan. “Building in security and trust when you design something is absolutely critical, and every government is looking at regulation on this.”

As the attack surface expands with things like internet-connected devices, as the data that flows exponentially out of those devices, and as we have ever more genius ways of it through the use of AI, Hannigan said it is crucial to ensure that integrity and trust are built in so that all new products and services can be used with confidence.  

“So it is about understanding the problems and the risks, it is retrofitting where we have to, and its building for the future by design and default so that we don’t repeat the mistakes of the past, and that we don’t wake up in ten years’ time with a massive flow of data, a massively expanded attack surface and realise that we haven’t built in the security we should have,” he said.