University of London


How to stay secure in cyberspace

Cyberspace, as Royal Holloway academic Professor Keith Martin puts it, is where life happens, which is why an introductory MOOC on information security should be of interest to all.

Written by Peter Quinn


In collaboration with the University of London International Programmes and online education partner Coursera, Royal Holloway, University of London has launched its ‘Information Security: Context and Introduction’ MOOC. The course instructors are Professor Peter Komisarczuk, Professor Keith Martin, and Dr Jorge Blasco Alis, three academics from Royal Holloway's renowned Information Security Group.

The course enables learners to begin the journey into the study of information security and develop their appreciation of some key information security concepts. It also explores skills, knowledge and roles so that learners can evaluate potential career opportunities in this developing profession and consider how they may need to develop personally to attain their career goals. 

Currently teaching on Royal Holloway's campus and distance learning MSc in Information Security, and the author of Everyday Cryptography (Oxford University Press), Professor Keith Martin talks to London Connection about the militarisation of cyberspace and why understanding the principles of cyber security should be on everyone’s to-do list.

'The CIA Triad', a featured video in the week 1 'Introduction to Information Security' module, sounds rather interesting. What does this cover?
It's a rather simplistic way of capturing three of the main security services that you would want in cyberspace. The 'C' stands for confidentiality, which is secrecy. The 'I' stands for integrity, which means that things are correct and as you expect them to be. And the 'A' stands for availability, which means the services you want are up and running.

These are the three things which often go most wrong in cyberspace in terms of security: information gets revealed to people who shouldn't have access to it, things get altered so they're not as they seem, and things are not made available by, for example, people attacking servers to deny access. There are lots of other aspects to security, but on a MOOC when you're trying to attract people's attention, it's eye-catching.

Could you tell us a little bit about the 'Cryptography Wars', one of the readings in the week 2 'Introduction to cryptography' module?
Cryptography is really a nuts and bolts part of cyber security in terms of the technical solutions – it's right in the heart of everything. You don't always see it being used, but you're using it all the time. There are some political aspects to securing something, and security is a very political topic. In some sense, encryption is one of the areas that can become very political because it's right there in the middle of things that we build. 

If you're going to shut data away, apply encryption and deny access to data, that's fine in terms of your own secrets. But, of course, everybody wants to know everybody else's secrets. That hits politics when you're shutting information away that powerful organisations such as GCHQ or law enforcement authorities may want access to. You end up with a real tension, because you've got a very good tool which allows you to lock data away, but it's a subjective political issue sometimes as to whether some people shouldn't perhaps be allowed access to the information.

The Crypto Wars has been the political struggle, within political debate, and the arguments over when encryption can be applied and when there should be some way of undoing encryption.


That brings us on to the so-called weaponising of information, as we've seen, for example, in the apparent Russian interference in the recent US presidential campaign. Is this a new phenomenon?
That's not necessarily about encryption, it could just be about attacking servers. I suppose what you're really asking is how long has cyberspace been a militarised zone? And the answer is it depends on how long you decide we've had cyberspace. If cyberspace relates to the existence of computers then I suppose the answer is we've had weaponisation of cyberspace pretty much from the outset.

When computers were first built they were used in very controlled environments. One of the first major users of computers, of course, is the military and defence, so you could argue that in some sense that sector has almost driven the development of computing. So, to a certain extent, you could argue for however long we've had cyberspace. 

But I think what you're seeing that's different now is that, prior to the 1970s, you really only saw computers in cyberspace. Up to the 1970s this really is a government/defence environment. And then in the 1970s and 1980s computers start becoming increasingly available in the commercial sector and begin to edge into people's homes. Then in the 1990s we see a massive revolution where computers became the norm, largely through the spreading of the internet and particularly the development of the World Wide Web, which allowed cyberspace to come very much within the public realm.

In that sense, the public cyberspace only dates back to the 1990s. The utility of cyberspace has gone up for everybody over time, and therefore the utility of weaponising it goes up over time. They're almost hand in hand.


Does 'Network and Computer Security' touch on some of the high profile cases of hacking such as the US Department of Justice and the IRS?
Yes, to an extent. Security has two components to it: one is the technology, which is really what that part of the MOOC is all about. We can't, in a MOOC, talk about absolutely everything, so the focus here is on the technical defence.

Cryptography provides the nuts and bolts, if you like, of the security solution. ‘Network and Computer Security’ is very much about what you'd then assemble, using cryptography and other things. That is related to hacking, I suppose, because hackers will exploit flaws, errors, weaknesses in network defences and in computer defences.

These modules talk about the principles of doing these things properly. But if there are cracks in the machines that are built, then obviously they provide potential avenues in for hackers. 

A much more powerful way for hackers to get into systems, even secure systems, is to exploit the people that are using the systems. You could have an excellently defined system with superb encryption and superb network protection, but if one of the users of that system gets threatened with a lead piping then you may lose all your security.

These weeks are about technically defending networks and computers. We just have to keep in mind that there are other routes in and that there's a human side of things.


Is the seeming ability of hackers to steal and sell a company's data becoming an increasingly worrying trend?  
Yes, it is a worrying trend, but we do all our business in cyberspace now. That's where life happens, and so that's where crime happens, so we shouldn't really be too surprised. Criminality and people attempting to exploit systems are really just going where the action is, and we've moved it there by doing everything in cyberspace.

What's weird about cyberspace is you can conduct bad activities remotely, you can sit in London and attack a server in New York or Bangladesh. And the other thing is that it's relatively low cost.

But there's a whole layer above this, which I think is fascinating, which is that what we probably have not yet fully understood is, let's say, the psychological changes: cyber bullying, for example. There's a habit of putting 'cyber' in front of traditional crimes, 'cyber theft', 'cyber fraud', and so on. But it's not that straightforward, because these are in some sense similar to things we've understood before, but in some sense they're new and people will conduct crimes and attacks for different kinds of reasons. And possibly people who, for example, would never conduct a fraud or robbery in the physical world might be willing to attempt one in the cyber world because they almost psychologically don't accept it as theft or robbery. You can see highly intelligent and honest citizens around the world who would never walk into a Virgin Megastore and steal a CD, but are quite content and even proud of their ability to rip music off the internet.

The week 4 'Security Management' module includes videos on 'Security Controls', 'Security Policies' and 'Risk Assessment'. Are there international laws and standards relating to Security Management?
Yes, absolutely. Best practice guidelines, international standards, all sorts of regulations – just as there are for financial audit and control requirements. There are some very well-respected standards that large organisations really should follow, and most of the good ones do.

The UK government has had a very big cyber security strategy over the last five years, and one of the things they did as part of that was try to bring out a 'lite' security management guidance for smaller organisations. They realised that a lot of the stuff that was around was targeting the big corporates who can afford to build a huge management system for their security. So there's a focus now to help smaller organisations. A big focus of attacks now is on SMEs because they tend not to be well defended at all, so they're now quite a big target for cyber crime.


What happens in the final week of the MOOC?
It was decided that the MOOC wouldn't just be an introduction to the subject, but that there’d be an attempt to indicate where people could go with a career in information security.

Depending on people's skills, there's a whole range of things they can do. Almost any organisation now deals with cyberspace, so needs to be aware of cyber security. We're seeing students on the MSc course going into almost every sector: telecommunications, the NHS, medical, government, almost any corporate environment you can think of.

And then, on the other side, you've now got an enormous cyber security service sector, serving that need - organisations building and selling cyber security technology and services - and a vast and increasingly expanding cyber consultancy sector. Almost all of the big accountancy firms such as KPMG and PwC have huge cyber security teams and are actually doing a lot of security advice, audits, testing and forensics.

In some sense, everybody needs security expertise, and large organisations will want to employ people who have such expertise, but you've also got this huge sector providing cyber security services to meet that demand.

I suppose you could argue a third layer is government: the national policy makers provide a third big tier, people who are involved in defending nation states or in setting policy. Quite a lot of our students, who come from around the world, are working for their governments or their military. That's a third swathe of activity.

In terms of the overview that the MOOC provides, do you hope to attract learners on to the MSc?
We'd be absolutely delighted if people who were not considering following the MSc still got something from this MOOC. The world generally lacks understanding about these issues, and everybody needs to know a little about information security. They maybe don't all need to know about encryption or what a firewall is, but everybody on the planet needs to know a little bit about cyber security, and everybody would benefit from understanding the principles being talked about here. It would help keep them secure in cyberspace and they will get something useful for their daily lives.