The end of passwords?
Let's face it, passwords are a huge pain in the backside. Making them strong, making them unique, changing them regularly - this is all a big inconvenience we could simply do without. And on top of that they're also relatively easy to steal.
But what's the alternative? What's an effective solution to the simple sounding problem of how to prove that you are who you say you are? Finding something that's reliable, cheap, easy to implement, and that is relevant in all situations, is not easy. And don't forget it must be simple for the user too. Got any ideas? You could become a millionaire several times over if you crack this one!
One technology that we're seeing more of - especially in mobile phones - is that of 'biometrics'. This is where you prove who you are because of, well, you! This could be your fingerprints, your face, or even your walking or typing style. There are many other biometric technologies too - spy movies often show eye scanners or voice analysers, whilst in the offline world your signature is still used to prove your identity to this day. One UK bank has even previously experimented with using your heartbeat as an identifier.
Away from biometric methods, other proposed alternatives to passwords have included asking users to pick out familiar pictures from a series of random images, or implanting chips in your body.
Finding a good alternative to the humble password is an area which is attracting a lot of research & development money. Many different imaginative methods have been proposed and tried out over the years, yet the classic password still remains. Will it ever be replaced?
Artificial intelligence is in the news a lot right now, especially following the release of ChatGPT in late 2022. Whilst the term "artificial intelligence" is often misused, it essentially refers to a machine or computer that can think for itself to solve problems. Rather than having to be given a set of specific well-structured instructions ("if this do that"), as is the case in traditional computing, AI systems are instead able to work out for themselves how to solve a problem and to adapt as they go.
Thankfully the technology isn't yet at the level where AI can recreate itself and pose an existential threat like the robots in the movie Terminator (although some experts are warning that this is a potential - if small - risk), however the technology is already at a level where it can do incredibly impressive things. As an example, it can summarise the plot of any novel in any number of words that you want (even with every word beginning with a different letter of the alphabet!), or understand the request to create a photo of the Pope in a puffer jacket and then to go ahead and create this realistic image.
What this all means for security is both ominous and exciting:
- Ominous, because it may allow hackers to pretend to be someone they're not (some AI tools are already able to generate lifelike "deepfake" videos or voice recordings of actual people). Fraudsters could for example exploit this to phone victims while pretending to be a family member in distress, or to phone the bank and successfully pass its voice authentication tests while posing as someone else.
- Exciting, because it could lead to a whole new class of security defences being developed that can detect and automatically respond to security attacks with much better accuracy than today's technology.
The technology of AI is developing at such a pace that even these last few paragraphs will likely be out of date in the next few months. The threats and opportunities it poses, not just to the world of cyber security but to society as a whole, will no doubt be the subject of much debate, and become much clearer, in the months and years ahead.
Preventing credit card theft
Whenever there's a large data breach at a company it's often credit card details that are stolen, with them then being used to buy goods illegally. But what if stored credit card details could be made to be useless, thus making it pointless to steal them?
One method of doing this is known as "tokenisation", whereby a random looking number (a "token") is stored instead of your actual credit card number. This token - calculated from your credit card number using a secret value - is useless to anyone but the retailer & the bank, making it worthless to hackers.
Tokenisation is a concept that has been around for many years and is starting to gain momentum, with many large banks now working on it. It's also how many mobile phone payment systems work, avoiding the need to store your credit card details on your phone.
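To make the idea concrete, here is a small sketch of keyed tokenisation. It is an added example, not code from any bank or payment scheme: the use of HMAC-SHA256, the choice to keep the last four digits, and the function names are all assumptions made for illustration, and the card number is the widely published test number, not a real card.

```python
import hashlib
import hmac


def luhn_valid(pan: str) -> bool:
    """Standard Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def tokenise(pan: str, secret: bytes) -> str:
    """Derive a card-shaped token from a card number and a secret key.

    Assumption for this sketch: the token is an HMAC-SHA256 of the number,
    reduced to digits, with the real last four digits kept so that a
    receipt can still show "card ending 1111".
    """
    pan = pan.replace(" ", "")
    if not (pan.isascii() and pan.isdigit() and 13 <= len(pan) <= 19):
        raise ValueError("card number must be 13-19 digits")
    if not luhn_valid(pan):
        raise ValueError("card number fails the Luhn check")
    mac = hmac.new(secret, pan.encode(), hashlib.sha256).digest()
    body_len = len(pan) - 4
    body = str(int.from_bytes(mac, "big") % 10 ** body_len).zfill(body_len)
    return body + pan[-4:]


def matches(token: str, pan: str, secret: bytes) -> bool:
    """Only a holder of the secret can link a stored token to a card."""
    return hmac.compare_digest(token, tokenise(pan, secret))


if __name__ == "__main__":
    test_pan = "4111 1111 1111 1111"          # published test number
    retailer_key = b"constructed-demo-key-A"  # constructed sample secrets
    other_key = b"constructed-demo-key-B"
    token = tokenise(test_pan, retailer_key)
    print("stored token:       ", token)
    print("retailer can match: ", matches(token, test_pan, retailer_key))
    print("other key can match:", matches(token, test_pan, other_key))
```

The secret matters because card numbers are short and structured: a plain unkeyed hash of a card number could be reversed by trying every candidate, whereas a stolen database of keyed tokens is of no use without the key.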
Alternatively, another approach to securing credit cards is to develop cards with an ever-changing security code (the 3 or 4 digit number that you're asked for in online payments). Your credit card number would then be useless to any hacker - they'd need to have your actual card in order to find out the current security code.
Either of these technologies will hopefully mean that theft of credit card numbers will eventually become a thing of the past - although fraudsters will no doubt then find other ways to steal money! Security is a constant arms race between defenders and criminals.
The Internet of Things (IoT)
The "Internet of Things" (IoT) is a term used to describe the dizzying array of everyday items that can now be connected to the internet, many of which are part of a smart home. Control your central heating from your smartphone? See who's ringing your doorbell when you're not at home? View your home CCTV whilst on holiday? Your fridge might even be joining the party too, detecting when you've run out of milk and ordering it for you.
And the IoT isn't just about home-based gadgets - traffic sensors in the road, water level meters that send flood alerts, and fire-detecting sensors in the forest. The range of devices that are part of the 'Internet of Things' is vast.
All these gadgets may be useful, but they also have the potential to create whole new classes of attacks. Could a hacker thousands of miles away be spying on you using your CCTV cameras? Might hi-tech burglars identify who's on holiday by monitoring electricity usage to spot dips in consumption? Skilled hackers may also start selling their services to remotely disable burglar alarms too.
Poorly developed devices can also give hackers a backdoor into your wifi network - researchers have already demonstrated attacks against some smart lightbulbs, extracting the wifi password that can then be used in further attacks.
The Internet of Things, especially in the area of Smart Homes, is a topic that's attracting many entrepreneurs at the moment, with those who build their market share the quickest looking at potentially huge financial rewards. This rush to market though will inevitably lead to some firms prioritising the development of new features over spending on security - we're in for an interesting few years whilst hackers look for attacks and the market shakes itself out.
The visions of old movies about the future are finally becoming a reality! Spurred on by the US-government backed DARPA challenges between 2004 & 2007, several major companies have been developing driverless cars for well over a decade now, becoming big news in recent years.
When the technology finally arrives the benefits to individuals - and society as a whole - will be immense. Far fewer crashes, less congestion, no stress over finding a car parking space (hop out at your destination and let the car find its own space!), the ability to do productive work whilst commuting, and the ability for many current non-drivers to gain their freedom and mobility back too.
The security of these cars is paramount though. Lots of research, both by manufacturers and independent researchers, is ongoing in this area. Cars will be able to talk to each other to warn of accidents or congestion, but this ability to communicate also gives a possible avenue of attack for criminals. No one would want any malicious 3rd party to take control of their car, or to cause chaos by overriding any inbuilt crash avoidance features.
Fortunately we're at a point in history where we're more aware than ever of the need for inbuilt security in systems, and as a society we have the required knowledge and skills to achieve this. Car manufacturers also have sufficient resources - and the motivation to prevent bad publicity - to invest in security. Even so there will be both hackers & researchers trying to break these systems for years to come, with some proof of concept hacks already having been demonstrated.
Attitudes to the sharing of personal data have radically changed over the last few years. Whilst once we wouldn't dream of sharing our political views or detailing our relationship woes for the world to see, the rise of social media platforms such as Facebook, TikTok and Snapchat has gradually been chipping away at this.
The sharing of personal data, and whether it really matters, is an ongoing debate. The 2018 Facebook data sharing scandal, when it was revealed that Facebook allowed companies access to much of our data, caused shock across the world. But whilst many people felt betrayed by Facebook freely sharing our data, many others simply said 'so what?'.
There are times when certain personal data being leaked can have very serious real consequences, such as the data breach from the Ashley Madison dating website, or the possibility of ID theft, but other times it may cause nothing more than mild embarrassment or even have no consequence whatsoever. The effects too may not just be directly on an individual, but on society as a whole - the aggregated data that Facebook gave away may (according to some) have helped to influence the results of the 2016 US presidential election.
There has certainly been a generational shift in attitude to online privacy over the last decade. Will this continue? Will we continue to willingly give away details about ourselves to companies or on social media, or have we reached a critical point where we're now waking up to the damage that oversharing can do? The European GDPR regulation (introduced in 2018) has been one of the more significant responses by lawmakers to the issues of privacy in the modern world.
TikTok, owned by the Chinese company ByteDance, is viewed with great suspicion by many in the West. Government departments in several countries have banned their staff from installing the app for fear that the Chinese government could exploit the app to access your phone (not just the data within TikTok, but everything else on your phone too), whilst the US state of Montana banned it completely in April 2023.
Attitudes to privacy, and how personal details are protected, are likely to continue to see large changes over the next few years. Will someone someday come up with a way to completely prevent ID theft regardless of how much data is leaked on someone? Or are there more Facebook-like scandals to come?
Even though aircraft and intercontinental ballistic missiles have changed the nature of warfare over the last century, war is still - fundamentally - about soldiers facing each other on the battlefield. This is now changing.
We now live in an interconnected world, where nation states are able to cause huge damage to others with just a few commands from a computer thousands of miles away. Think it hasn't happened already? Think again.
The Russian invasion of Ukraine in 2022 is regarded by many as being the first major "hybrid" war, where battles are happening not just on the ground but in cyberspace too. Countless cyber attacks have been recorded throughout the whole duration of the war, from the taking down of several government and banking websites, to efforts to cripple the Ukrainian railways. Russian hackers are even reported to be hacking into the CCTV cameras of Ukrainian coffee shops in order to collect intelligence on passing aid convoys.
Russia was also blamed for the 2017 NotPetya attack that paralysed companies around the world, including Maersk shipping, FedEx's European subsidiary, and pharmaceutical giant Merck, whilst in 2007 Estonia suffered what is thought to be the world's first cyber attack against a nation. Whilst never admitted, it is widely thought that Russia was behind the attack which crippled banks, media outlets, and various government bodies for weeks.
The 2010 'Stuxnet' virus was (reputedly) developed by the US & Israeli security services to destroy Iranian nuclear facilities, whilst North Korea are thought by many to be behind a 2014 attack on Sony Pictures in retaliation for their comedy movie 'The Interview'. The 2016 US presidential election has also been dogged by accusations of tampering by the Russian government, including extensive fake news operations.
As the world becomes more connected the opportunities for destructive cyber war become real. Power stations or other critical national infrastructure could be severely damaged (or even made to explode), health services could be disrupted (the 2017 WannaCry ransomware had a severe effect on the UK's National Health Service), and government services could be destroyed. These all have the potential to be as devastating as any bomb ever could be.
Governments across the world are becoming wise to the threat of cyber attacks and have started building their defenses up accordingly. War is a horrible and often pointless act, regardless of whether the attacks are physical or electronic - the use of a cyber attack is simply just another type of strike that can be used.