Surrey Computing

By Alan Woodward

Recently an old colleague, Dr Andrew Rogoyski, came to lecture to our MSc students on how government deals with cyber security. Dr Rogoyski has studied the interactions between government and industry and his talk led to a key question for which there was a surprising range of views. The question? When and how should government get involved in cyber security?

The UK has the most Internet-centric economy in the G20 group of industrialised nations, according to research by the Boston Consulting Group released in March 2012. It estimates that the UK’s internet economy was worth £121bn in 2010, more than £2,000 per person. Couple this with the knowledge that approximately 20 threats per second are discovered on the Internet, and it’s not surprising that the UK government lists cyber security as a “Tier 1 Threat”, alongside terrorism. However, recognising the threat is slightly different from actually doing something about it.

Governments now recognise that there is a strong economic advantage in having a secure digital infrastructure. To attract businesses to your economy, you increasingly need to demonstrate that your country is a safe place to conduct Internet-based business. Booz Allen reports on this aspect of a country with its cyber hub index.

Interestingly, the UK and the US are seen as the safest places for Internet-based business. This has resulted in several large corporations quietly reversing the recent trend to relocate business to the developing world to reduce costs. Ensuring security has become as important, if not more important, a business driver for governments as cost. When a country loses its AAA credit score from a ratings agency, it makes headlines. I predict it will not be long before similar importance is attached to measures such as the Booz Allen cyber hub index.

But in order to ensure a safe environment, where does government responsibility end and business responsibility begin? In November 2011, the UK government hosted the first intra-governmental conference on the cyber threat, at which time they issued a revised cyber-security strategy. As well as discussing the usual topics of the threat from cybercrime, espionage and warfare, the conference saw the debate begin at governmental level as to where responsibility lies for protecting key assets on the Internet. When the national interest is threatened, responsibility for protection lies primarily with the state, but many governments are powerless in the case of the cyber threat, for a variety of reasons.

 

A significant difficulty in protecting critical national assets is that the Internet is primarily run by private companies or non-governmental organisations. That’s true even in the case of critical national infrastructure such as utilities, which are vulnerable to attack via the Internet. Most of the infrastructure and services that underpin national digital infrastructures are run by private companies such as HP, Fujitsu, IBM, Verizon, BT and others. Even the key technologies that sit on top of the infrastructure are developed by private companies ranging from Google, to Microsoft, to Apple, plus a raft of much smaller start-ups, some of which you will never have heard of. The level of investment made by these companies dwarfs that made by governments.

For example, the UK’s National Cyber Security Programme is making available a total of GBP650 million (USD1.01 billion) over four years. This money is intended to be part of a programme whereby government works with businesses, as well as protecting governmental assets. But this sum looks small when you consider, for example, that cyber security company Symantec spent USD862 million in 2011 alone on research and development. Similarly, Microsoft spent USD8.7 billion in 2010 and Google USD3.7 billion. This disparity in spend, together with the fact that governments are used to procuring systems over many years rather than at the speed at which Internet technologies change, means that governments find it very difficult to engage with private businesses.

So what have governments done in response to this situation? Well, they have acted in remarkably different ways.

For example, you might imagine the all-out attack on Estonia in 2007 would have led to an aggressive response. Instead it led to the formation of the Co-operative Cyber Defence Centre of Excellence (CCD COE). The purpose of CCD COE is to understand the cyber threat as it develops and thence to prevent those attacks. This is an approach which has received the full backing of NATO. Meanwhile, the EU has created the European Network and Information Security Agency (ENISA) to act as a hub for the exchange of information, best practices and knowledge in the field of information security.

Other governments have adopted a more militaristic approach. In May 2010, the United States Cyber Command, part of the US Strategic Command, became operational. Cyber Command is not just there for the operations and defence of specified Department of Defense information networks but also to carry out “full spectrum military cyberspace operations”. Similarly, Israeli Prime Minister Binyamin Netanyahu announced in May 2011 that the country would set up a cyber-defence task force to defend Israel’s vital infrastructure from cyber-attacks.

Regardless of the style of approach, one common theme has emerged: the key to effective defence against the rapidly evolving threat is shared intelligence. The studies conducted by Dr Rogoyski showed that what business wants most from government is Information Sharing and Awareness Raising. And intelligence is one thing that governments do have.

Governments are now looking for ways of sharing sensitive information, which they might otherwise be unhappy to share because it might reveal its source, with those who are directly affected by it. In the US in 2011, the Department of Defense launched a new pilot programme, the Defense Industrial Base Cyber-Pilot, in which it shares classified threat intelligence with around 20 defence contractors or their commercial internet service providers. Although the initial scope of the Defense Industrial Base Cyber-Pilot was to help protect government networks, it doesn’t take a great leap of imagination to see how this can become a two-way process, especially in areas such as power, transportation and energy. The success of this scheme resulted in it being extended in September 2011 to include more private organisations. It has, however, highlighted in the public consciousness that the military are involved in protecting the Internet, and the debate continues as to whether it should be the Department for Homeland Security or the DoD that has such a responsibility. Either way, the positive aspect is that it is happening.

 

In the UK, the private sector is not necessarily waiting for government direction. For example, a financial services virtual task force has been formed by several large banks. This task force co-operates with the Metropolitan Police and exchanges information on threats and attacks as rapidly as possible. This has proved to be a very effective approach and has led to a number of successful prosecutions. Another information exchange is being set up by Intellect and ADS, UK hi-tech trade associations.

The emergence in 2011 of the infamous Stuxnet virus has highlighted how vulnerable critical national infrastructure is, and this has given a jolt to all those thinking about Internet security from a governmental perspective. Even if it were just a commercial issue, cyber security (and certainly the perception of it) can dramatically affect a nation’s fortune in the modern world. The fact that someone can potentially turn off the water and the lights and stop the trains makes people think quite differently about what is a “stable” country, and will certainly influence anyone trying to decide whether to base their business in a country.

However, it is clear that unlike many historical threats to national wellbeing, this threat can only be checked by the closest collaboration possible between government and business. Business must be focussed on ensuring that this happens, and government must be more willing to share what it knows than it has been previously.

With news only this week that the Duqu virus (evil son of Stuxnet) has been found in the wild in a new variant, we can see that the threats are becoming more advanced and more persistent, and perhaps most worrying of all, more targeted. Governments and business have a relatively small window in time to put in place the necessary mechanisms to share information such that it can be acted upon quickly enough to prevent damage. Those countries that don’t do this will rapidly realise that whilst in the past people “voted with their feet”, these days people “vote with their mouse”, and it takes a lot less time to lose trust in the Internet age than ever it did before.

Every year in the month of March, the Computing Department puts together a PhD Conference in which the works of its PhD students are celebrated through presentations and posters. The event acts as a training ground where the Department’s Postgraduate Research Students (PGRs) can test drive presenting their contributions to computer science, giving participating students a feel for external conferences. This year’s event, the 9th Conference, was littered with outstanding moments, the most prominent one being the overwhelming support and attendance by the Computing Department staff and PGRs: a fact that was noted and appreciated by the Vice Chancellor, Professor Sir Christopher Snowden, who gave the opening address. His address was followed by an amazing motivational speech by Dr Alastair MacWilson, Global Managing Director of Accenture Technology Consulting, who emphasised the importance of seizing every opportunity available and encouraged all attendees to be more than the sum of their skill set; to be flexible, responsible and trustworthy, and always to be willing to take up opportunities as a progression of their dreams.

9th Annual Computing Department PhD Conference, University of Surrey

A second motivational speech was given by Professor Dave Robertson, the Head of School of Informatics at the University of Edinburgh, who enthused the crowd by offering a highly captivating overview of current research trends in computer science and concluded his talk by encouraging our research community not to shy away from the option of being self-employed, as a vehicle for trailblazing new trends and schools of thought with regard to computing. This philosophy seemed to complement Professor Chris France’s foreword for the Conference’s programme.

The 9th Annual Computing Department PhD Conference culminated with the giving of prizes and below is the list of categories and winners.

Best Paper

Mr Panagiotis Ioannou, for his paper ‘Effect of Spiking Network Parameters on Polychronization’. He received an Amazon gift voucher for £60, sponsored by BCS and awarded by Dr Roger Peel.

Best Paper Presentation (1)

Mr Wissam Albukhanajer, for his presentation of the paper ‘Image Identification Using Evolutionary Trace Transform for Copyright Protection’. He received an Amazon gift voucher for £40, sponsored by the Computing Department.

Best Paper Presentation (2)

Miss Kendi Muchungi, for her presentation of the paper ‘Computation Simulation of Light Adaptation Incorporating Rod-Cone Coupling’. She received a Kindle, provided by IBM UK’s Mr Steve Legg.

Best Paper Review

Mr Matthew Karlsen, who received a £20 Amazon gift voucher sponsored by the Computing Department.

Best Poster

Mrs Areej Alfraih, for her poster entitled ‘Chromatic Aberration Estimation for Image Splicing Detection’.  She received an Amazon gift voucher for £40, sponsored by BCS and awarded by Dr Roger Peel.

Best Research Potential

Mr Brian Gardner, for his poster entitled ‘Neurocomputational Model of Foraging Behaviour based on Reinforcement Learning’.  He received an Amazon gift voucher for £20, sponsored by the Computing Department.

As is the case with any event, its realisation is only as good as its facilitation and for this event, a debt of gratitude is owed to Mr Nick Ryman-Tubb, who ensured proceedings ran smoothly and on time. A natural outcome was therefore that the event was a resounding success, not least because of the overwhelming show of support from both industry and academia.

Sponsors: Intellas UK, BCS, IBM, Detica, Memset, Thoughtified

Organising Committee: Dr Lilian Tang, Mrs Maggie Burton, Miss Anna Vartapetiance (PhD Rep), Mr Kostas Eftaxias (PhD Rep), Miss Tameera Rahman (PhD Rep), Mr Aasis Vinayak (PhD Rep), Miss Kendi Muchungi (PhD Rep), Mr Christopher Smith, Mr Spencer Thomas

Academic Reviewers: Dr Matthew Casey, Dr Andre Gruning, Prof Yaochu Jin, Dr Shujun Li, Dr Mark Manulis, Dr Sotiris Moschoyannis, Dr Lilian Tang, Dr Helen Treharne (all University of Surrey)

Judges: Prof Steve Schneider (University of Surrey), Prof Dave Robertson (University of Edinburgh), Mr Steve Legg (IBM UK), Dr John Baxter (University of Surrey), Dr Dawn Duke (University of Surrey)

Photographer/Videographer: Mr Ghulam Qadir

Attendance and Encouragement: Prof Sir Christopher Snowden (Vice Chancellor, University of Surrey), Prof Chris France (Associate Dean of Postgraduate Research Students, Faculty of Engineering and Physical Sciences), Prof Jonathan Seville (Dean, Faculty of Engineering and Physical Sciences), Computing Department Staff and PGRs