A recent Financial Times summit reveals what the industry is worried about.
Amid the leaking of pictures showing the likes of Jennifer Lawrence, Kate Upton and Rihanna in states of undress, cyber security has come in for some serious scrutiny. While the Anglophone media raked over the story, computer experts descended on a Financial Times (FT) cyber security summit to discuss some of the key issues facing the industry. Here’s what they are asking.
1) Who is responsible when a breach occurs?
On finding out her private photos had been leaked to the internet, actress Kirsten Dunst took to Twitter to vent her colourful feelings about Apple’s iCloud through the medium of emoticons. Her view that the company was to blame was widely mirrored in the press, to the chagrin of several delegates CBR spoke to at the FT event.
A financial expert even suggested that the liability for breaches should be shifted to the consumer when they are to blame for an online banking intrusion. Morally companies may have a point, but it seems an unlikely policy to win political parties an election, unless it can be shown such a burden is having an impact on economic growth.
2) Do we need international security standards?
Earlier this year the government developed a certification framework called CBEST intended to improve cyber security standards in the financial sector. Led by the Bank of England, the scheme particularly targets advanced persistent threats (APTs) that plague critical industries and infrastructure.
While this is a good example of progress, many would like to see more work done on international security standards. The move would certainly increase confidence in trade, and diminish the "ungoverned spaces" on the internet that many view with hostility. The slow progress is one of the reasons that the UK felt it had to take individual action, but it remains open to the idea.
3) What are the security implications of outsourcing?
Raj Samani, EMEA chief technology officer at McAfee, told CBR in a separate interview this week that cloud could really do with being rebranded "someone else’s PC", his tongue only somewhat in cheek. His view reflects widespread scepticism about cloud services and the wisdom of leaving your important data in the hands of others.
Many breaches earlier this year have highlighted that large companies can make themselves vulnerable through unwise partnerships with smaller firms. All connections to external systems are potentially weak links in the chain, and it only takes one of them to crack for the entire system to be put at risk.
4) Is it a good idea to have mandatory breach notification?
Almost every state in the US has enacted legislation which obliges companies to inform those whose personal information has been taken in IT security breaches, the exceptions being Alabama, New Mexico and South Dakota. Yet so far the UK has resisted similar calls, notification to the Information Commissioner’s Office (ICO) only being mandatory in cases involving telecoms firms.
Companies have an interest in limiting risks to their reputation when breaches take place, but there is also an issue of customer trust that increases with transparency, as well as the danger of punitive fines should the ICO find out about a breach through another route. Yet former information commissioner Richard Thomas has said that in North America the public has become almost "bored" with notifications, and that he feels they are more relevant to regulators.
5) Do we have enough skilled workers to defend ourselves?
It’s a great time to be working in the UK if you like your computers. For everyone else the lack of skilled workers is proving to be a real problem, with many trade groups lobbying government to loosen migration laws to entice people from abroad.
For the public sector the problem is even more acute, as state jobs lack both the money and the prestige of companies like Google or Apple. This has prompted the creation of groups like the Cyber Security Challenge UK, which hopes to get more kids interested in pursuing a career in the industry – a vital endeavour given that the defence sector is reluctant to hire hackers from the dark side.