Oxford researchers are trying to make the threat of online crime more tangible to all of us.
By Judith Keeling
We’re careful to lock our front doors and paranoid about protecting pin numbers — but most of us are still at sea when it comes to protecting ourselves from cyber crime. For Oxford’s Professor of Cybersecurity, Sadie Creese, that’s particularly worrying.
Online security is a very real problem. A report last year by the non-profit organisation Get Safe Online found more than half of us have been victims of cybercrime – with one in five losing money to an online fraud. Many such crimes often go unreported, too, with up to one in five people saying nothing, believing it is somehow their fault. It’s a huge issue for individuals, businesses and governments alikel cybercrime cost the UK £35 billion last year, according to one estimate.
The problem is that cyber crime takes many forms. It may be similar to old-fashioned crimes that are now committed online — such as online fraud instead of a conman on your doorstep. “Or they can be crimes that could only be committed via cyberspace,” explains Creese, director of the Global Cyber Security Capacity Centre at Oxford University’s Oxford Martin School. “Such as digital identity theft.”
Fortunately, researchers at the University are doing something about it. The research centre opened at the end of last year with a mandate to explore how to deliver cyber security to people, companies and countries, and Creese and her team have already launched several substantial projects.
The work of the centre is focused on understanding what works, what doesn’t — and why — across all areas of cyber security, to enable all of us to learn how to protect ourselves effectively against online crime. Creese believes that the sheer scale of the data we’re creating and the complexity of our online systems is presenting a vast number of unrecognised risks to our safety.
“Can you get your smart car hacked? What about banking, social networking, watching TV…,” asks Creese. “How safe are you? This is what we’re working to understand.” Perhaps the biggest difference between online crime and old fashioned theft is that the Internet provides fraudsters the chance to up-scale the volume of crimes they can commit at once, while also offering the possibility of anonymity.
For example, while a thief posing as the gas man to steal a pensioner’s savings from the biscuit tin would personally have to visit a number of houses to steal money, a cyber criminal could send out tens of thousands of phishing emails with the press of a button. And while the gas man might be recognised or captured on CCTV, online identity is much harder to trace.
That’s why one of the main topics Creese is looking to understand is how cyberspace is patrolled. “To an extent, individual countries can control access on their sovereign soil but everyone has their own different privacy laws,” says Creese, who started her career as a computer scientist, then worked for the Ministry of Defence and security company QinetiQ, before returning to academia in 2007. “But it would be incredibly difficult to draw up an international agreement about how the Internet is policed.”
Creese’s Oxford team at the Capacity Centre — of mathematicians, computer scientists, psychologists, criminologists and economists — is certainly trying to work out how it can be done. The first major project they’ve started on is how to protect against insider online fraud. “A lot of current security tools are designed to control entry,” says Professor Creese. “But that’s no use against insiders,”
There’s certainly no shortage of companies interested in the results. BAE Systems, Lakeland and Morrisons are just a few of the UK household names to have reported cyber attacks recently – but many more suffer in silence. “This kind of crime is grossly under-reported,” explains Creese. “It’s very difficult for businesses or government departments to admit to being attacked by someone they trusted. They think that this damages their credibility – so it’s hard for them to admit that it’s happened.”
If companies in the banking or energy sector were to be targeted for instance, the consequences for the wider economy – and all of us – could be catastrophic. Creese and her team are considering ways of encouraging more people to train as security professionals to provide advice to enterprises and organisations, then, as well as exploring ways in which businesses can successfully recover from insider cyber attacks and prioritise their attentions to threats.
Indeed, that’s where Creese’s new initiative, called Cyber Viz comes in, which is working to help companies visualise their incoming cyber-security alerts and decide which are most urgent. “Companies and government departments get cyber alerts all the time but if they can visualise the effect that these might have on their organisation they can effectively prioritise what action to take to protect the elements that are most important to them.” Next, Professor Creese wants to produce a tool to enable all of us to visualise cyber space, so that we can analyse risks as they occur. “Ultimately, we’re trying to make the threat of cyber security more tangible for everyone.”