How is cybersecurity evolving in times that more organizations digitally transform and myriad technologies such as the Internet of Things (IoT) are emerging and converging? What about security and IoT? Cloud security? The role of artificial intelligence in tackling cyber threats? The main challenges? The changing cyber threat landscape? The future of security?
We have to change the way we think about security. A lot of the disruption and cost is due to a focus on prevention as opposed to detection
A load of questions and a specialist that answers them indeed. We’ve asked Dr. Ben Azvine, Global Head of Security Research and Innovation at BT, to share his views on these and other topics.
Ben Azvine is, among others, responsible for BT’s security innovation strategy. He says his role essentially is to look two to five years into the future and prepare for the upcoming security challenges and cyber threats. For him, it is the best time in the history of technology to be involved in security because it is such a dynamic area.
Security is not just a technology issue as Ben reminds; it is also a business and board-level issue. In fact, according to Ben, cybersecurity is currently one of the top three priorities for business today.
The cost and evolutions of cybercrime and cyber threats
Ben, can you start by telling us a bit more about your background?
Ben Azvine: Sure. My background is in artificial intelligence (AI). I used to be a full-time academic in the field and, even today, maintain active contact with academia through several visiting professorships, which allows me to talk about some of the challenges ahead and perhaps inspire bright people to work in the security field.
I joined BT about 20 years ago and have spent most of my time leading R&D programs in intelligent systems. We strive to build intelligent networks and intelligent assistants that help people do their job better.
Crime that can cause disruption to critical infrastructure is probably the most significant threat we should worry about
Basically I like inventing things. I have approximately fifty patents and patent applications in my name. I really enjoy coming up with new things, and in that task, I’m supported by a fantastic team of people all over the world.
How has the cyber threat landscape evolved in your opinion? Are the types of threats changing, and is there any change in how these threats impact our personal and professional lives?
Ben Azvine: You only have to turn on your TV to learn about the latest cyber-attacks on individuals, companies, and governments. The reality is that criminals are continually coming up with new ways of attack, creating approximately $400 billion in annual losses.
Nobody is immune. Ninety percent of companies have reported a security breach. Every second, approximately 18 people are victims of cybercrime. Both the frequency and the importance of the attacks are increasing.
The numbers are pretty worrying, but on a positive note, this is also a significant opportunity for companies to invest in new security capabilities. This is a really vibrant technology right now, and there are plenty of financial incentives to increase R&D investment.
The different types of hackers and evolving cyber threat landscape
What cyber threats should worry us most now?
Ben Azvine: I have seen figures that about 80% of financial crime on the internet is done by coordinated groups, but I don’t think all crime is performed by financially motivated people.
There are lone hackers who are in it simply to impress their friends or make a name for themselves. But worst of all are the ideologically and politically motivated hackers.
Financially motivated hackers tend to go after the easiest targets, so if you can deter them by having good defenses, they often choose the easiest targets. But ideologically motivated hackers go after specific targets, and they don’t give up. This creates a more persistent threat. We don’t always hear about the damage they do, but it is very significant.
We have to be aware that the threat environment is evolving rapidly. Crime that can cause disruption to critical infrastructure is probably the most significant threat we should worry about.
Artificial Intelligence: predictive analytics and data at the service of cybersecurity
How is predictive analytics helping us protect ourselves against cyber threats? At BT you developed the SATURN project that uses predictive technologies, big data and AI. Can you tell us about it?
Ben Azvine: SATURN is a technology we developed here at BT labs. Like many innovations, the initial area of our focus led to the creation of something far more valuable than we originally thought.
Ideologically motivated hackers go after specific targets, and they don’t give up. This creates a more persistent threat.
Initially, we were interested in creating a model that would help us understand the impact of breaches on critical national infrastructure. For example, what would the impact be on telecommunications or the road infrastructure if the electricity network was attacked? Important questions now that everything is being digitized with smart grids and the Industrial Internet of Things whereby everything also gets more connected.
We commenced research on this about 5-6 years ago. There are basically two ways to approach this. One way is to develop mathematical models of each national infrastructure and then model how they would impact on each other.
The problem with this approach is that it is complicated to link together the existing models of such infrastructure. Also, once you build such a model it would be out of date almost immediately because of the dynamic nature of the world. So, due to the rapid pace of change we decided to abandon the top-down approach and use a more data-driven approach instead that looks at actual incidents in the past, collects vast amounts of data from various sources about such incidents and then link them together with the help of human experts.
The challenge here is how to combine and organize such vast amounts of data. The SATURN acronym (Self-organizing Adaptive Technology Underlying Resilient Networks) refers to the principle that the data needs to self-organize so that it can be interacted with by human beings and used to spot anomalies. One of the first applications of SATURN was to investigate cable theft crime on our networks.
What makes SATURN so powerful is that it can handle any type of data. It is not limited to structured data. It handles data from social media, news feeds, and internal log systems. The data self-organizes and humans subsequently interact with the data through visualization tools, providing a holistic view of data sets and their interrelationships. People can also spot anomalies not seen before that a computer would not be able to detect.
There are three key elements to a security strategy: prevention, detection and response. With SATURN we address detection. Here the aim is to detect an attack while it is happening, ideally within seconds of it starting. But we also want to predict the next stages of the attack. Essentially we have developed software that is trained to look for specific phases of an attack. We look for low-level signs of an attack that we can extract from our network logs.
However, the data is so noisy that we cannot monitor everything. Hence we rely on the knowledge of our experts, the knowledge we have of the different types and stages of an attack, and we train our software robots to keep an eye out for these stages. This gives us time to react. By predicting the next stages of an attack, and the timings of such next phases, you will know whether you have time to respond.
Addressing the concerns about the future impact of AI
What role do you think Artificial Intelligence will play in our personal security and the way we keep our organizations safe? A lot of people seem concerned about the future impact of AI.
Ben Azvine: I think there are two future scenarios of AI: there is the scary scenario of robot domination. But there is another more positive scenario where AI is used to make our lives easier and more secure, where we ‘augment’ humans.
I’m a big fan of human-centered AI where people are in control but where lots of the laborious processing and preparation are done by computer
For example, an immediate benefit of AI would be in the area of authentication. AI could be used to free people from the passwords shackle. People have difficulty remembering all their passwords, which creates a great deal of frustrations as they struggle to log into their laptop or phone.
There has been a lot of research on biometrics and tokens, but none of these solutions are very user friendly. With AI, we can look at the way people speak, or even the way they log into their machine as a means to automate authentication.
Machine learning systems could also be used to learn from people by observing them with a view to automating the more routine elements of their tasks. One big prize in that regard would be to automate the response to security breaches, although I would caution that we should never relinquish control entirely to robots in security. I’m a big fan of human-centered AI where people are in control but where lots of the laborious processing and preparation are done by computers.
Cyber threats and security in the Internet of (Every)Thing(s)
Let’s talk about the Internet of Things (IoT). Around five billion devices are already connected to the Internet of Things. How will this be secured? Will we need to accept more vulnerability?
Ben Azvine: I think IoT will make our lives easier and boost business. And the more data we collect the more it will help us make smarter decisions.
The traditional security model is the coconut, a hard shell that keeps you safe inside. But that model has holes in the shell; it is outdated
However, from a security perspective, every device could potentially be a vulnerability. I think there are three key security challenges we need to deal with.
- Most security measures today are designed for high power, high-cost devices; with IoT, we need to develop cost-effective encryption and monitoring for low power, low-cost sensors and devices. Essentially this is a scale issue; we will need to sell enough of such solutions so that costs decline. That will happen.
- The second challenge is concerned with trust and data integrity. For example, how do we protect our networks from spoofing attacks? How do we prevent people from intercepting messages from the electricity meter in your smart home, or even worse, your pacemaker? Antivirus and encryption technology are needed so that criminals cannot break into IoT communications.
- The third challenge is privacy and personal data protection. I think this will make or break IoT. There are so many potential points of data collection, and when you put all of that together, it becomes easy to identify people. I think we have the necessary techniques available to address this issue, but we need to use them correctly from the start.
It reminds me of the early days of cloud computing. Back then, we also worried about security. I am sure we will solve these issues, but it will require more awareness and cooperation among device manufacturers, network operators, and consumers. We need to establish best practices and promote vendors that comply with best practices. Today many vendors are still making rooky mistakes such as storing passwords in firmware as plain text. Those are not severe problems to overcome; it just requires rigor in following basic principles and best practice.
The misperceptions and reality of cloud security
Security and the cloud: what do you see as the major risks, and how can they be avoided?
Ben Azvine: There is still a huge gap between perception and reality. Cloud security is much better than people believe it to be.
Cyber defense will become more analytical and predictive. Within a few years, we will have real-time response to cyber-attacks
Some people express concern about having their emails in the cloud, but they’re perfectly comfortable having them on their phone or laptop, which isn’t password protected and can be left on a train. Cloud providers are in the business of securing their data and apps, so I would have more faith in a cloud provider than placing my data on a USB stick.
However, there are challenges for cloud computing security:
- Firstly, we need to be able to manage the security of virtual applications and machines in the same way as we secure our physical machines. When I buy a laptop in a store, I immediately install security software. I should be doing the same in the virtual domain. As providers, our task is to make it easy to do so. Ideally, we should be securing applications as they are being created. At BT, we have created technology that scans virtual environments and creates intelligent security.
- Secondly, as people store more data, they become more vulnerable as targets for hackers. We need a simple way to add more security measures to data access. Even cloud providers should not have access to the data of their customers. Fortunately, there is good technology available to govern access to data.
- Finally, there is the issue of compliance. With data moving freely to the best available resource, there is potential to create compliance issues around the geographic location of where data is stored. We need to improve trust in the cloud by giving people more control and visibility over where their data is stored.
Looking ahead: thinking differently about security and cyber threats
What do you see as the biggest headaches for the CISO and CIO today and in the future? Can they be expected to do a decent job when the CFO is cutting costs?
Ben Azvine: We have to change the way we think about security. A lot of the disruption and cost is due to a focus on prevention as opposed to detection.
More human-centered security measures will emerge, that will help people make decisions, both personally but also around corporate and national security
We cannot stop everything. Instead, we should promote a more risk-aware culture. The traditional security model is the coconut, a hard shell that keeps you safe inside. But that model has holes in the shell; it is outdated.
We should focus on the avocado model: protect the crown jewels, the stone in the middle. Spend most of your resources on protecting the crown jewels and, for the rest, focus on detection, monitoring, and responding. That is the only way to meet the competing objectives of costs versus security.
Towards real-time response to cyber-attacks
Let’s look a little further in the future. What will next-generation information security look like in your opinion?
Ben Azvine: That’s my playground! I think cyber defense will become more analytical and predictive. Within a few years, we will have real-time response to cyber-attacks.
The time it takes to respond to cyber-attacks will reduce dramatically. I think more human-centered security measures will emerge, that will help people make decisions, both personally but also around corporate and national security. I also see a world without passwords. I have a vision of AI that authenticates you in the same way your friend authenticates you.
Quantum computing is a huge opportunity, given the processing speed it promises. Still, it is also a massive threat from a security perspective since ultra-fast computing power could theoretically be used to crack current encryption techniques.
So how will we provide encryption-based protection in a quantum world? There are promising developments in the areas of Quantum Key Distribution and post Quantum Cryptography, which will help meet these challenges.
To conclude, are you optimistic? Is the future bright?
Ben Azvine: Yes, absolutely. There are big challenges ahead, but this is the best time to get into the field.
I’m very optimistic that we will have the people to meet the challenges in the future. There is a lot of interest in the field, but we need to keep up our investment, because the bad guys are investing in their capabilities all the time too.