Professor Sadie Creese, Co-Director of the Institute for the Future of Computing at the Oxford Martin School, started by emphasizing that the internet can be a force for good by increasing our ability to share and build relationships across the globe. The abundance of data and advances in information technology are seen by leaders as crucial to tackling diverse future challenges, but they also leave us vulnerable. We don’t have to look to the future to see that we have a responsibility and a vested interest in protecting privacy online. Today, it would be difficult for most of us to remove our online presence if we wanted to, and Creese noted that we have probably agreed to standards of privacy and security that we would not find acceptable offline. To design policies and legislation to protect data, we must first decide what we consider to be acceptable for security online.
The second speaker was Richard Thompson, Former Chief Constable of the Civil Nuclear Constabulary. He said that although espionage, fraud and information theft are not new, there are new challenges online. First, the majority of our ‘wealth’ now exists as data in an extremely complex digital world. Second, the barriers to entry for criminals are extremely low; hacking does not need to be funded by a state or an organised crime network to be effective. Third, for law enforcement, there is often no geographical link between the victim and the criminal and multi-jurisdictional investigations are fraught with difficulties, particularly where laws and resources differ. A market already exists on the darknet for commerical espionage and hacking tools, and the origins of such attacks are almost impossible to trace. However, it is not just criminals taking advantage of this; several countries admit to or have been caught (remember Stuxnet?) hacking too.
The final panellist was Peter Jopling, Business Unit Executive at IBM Security Solutions, who brought a more technical perspective to bear. He talked about IBM’s research in identifying vulnerabilities across networks. The volume of data here can aid the development of solutions, but the first challenge is analysing it to identify meaningful events. Jopling also mentioned the need to act in real time in the arms race between security experts and hackers, as attack vectors change quickly.
With all these issues brought to the table, the Chair kicked off the question session by asking whether we have to accept the erosion of privacy to remain secure online. To my relief, the answer seemed to be a resounding no, but there were no easy answers to how we might go about preserving it. It was agreed that we have a responsibility to protect ourselves—with well-chosen passwords or two-factor authentication—but these measures are not always sufficient. Although much of the discussion focussed on privacy, cyber security must also defend against malicious activities such as attacks on infrastructure by terrorist groups. One questioner asked what academic research has to offer here. Professor Creese said that in the field of cyber security, investment has been generous, but tends to be narrowly focussed and prescriptive, leaving no space for radical ideas. This battle for academic freedom might be a familiar story to some of our Fellows.
The event touched on a broad range of cyber security issues, and the speakers seemed to agree that addressing these threats requires the development of a policy and legal framework, in which international cooperation and discussion will be crucial. As shown by reactions to the publication of the Draft Communications Data Bill in the UK in 2012—which aimed to give the police and security services more power to monitor internet activity—policy in this area can be contentious. The difficult challenge for governments then, is to balance liberty and security in a changing landscape.