Kids will always play pranks. In previous years the worst it might be was wrapping toilet roll around the teacher’s house on Halloween. Now kids have the means to play pranks on a massive level.
So a 16-year-old kid somewhere around the world can find out the flight that the CEO of Sony Video Games is on and have that flight grounded because they make a bomb threat.
This might be good fun for them, but we can’t live in a world where flights are arbitrarily grounded because kids think it’s funny.
We can’t really live in a world where Xbox Live or Playstation gets bombarded into not working on Christmas Day because some kid finds it humorous.
Eventually someone is going to think it’s funny to turn off the electricity in a hospital. While these systems have some resilence, the more connected, the more complex they get, eventually somebody’s idea of a joke is not going to be funny in a very tragic way.
We are getting to the point that we have an unsustainable situation in terms of internet security.
We are addicted to the shiny things that technology allows us to do, things that were not possible before, things that are very alluring, but the risks are less transparent and they are often hidden.
So you can get a pacemaker, which you can control with software and that’s great, and it can adapt to the patient’s heart rate. But now somebody can turn it off. If they just take the time to read it and understand it and because somebody didn’t appreciate that you have to put in difficult, strong, robust security measures, somebody’s life has been put in the hands of one of these 15-year-old kids.
The more that technology infiltrates our world, the more this will go on. We have the Internet of Things where your toaster has a webserver on it. Your fridge will keep stock for you and order more beer when you need it. But the people who make fridges don’t know how to make secure software, and the people who make toasters aren’t paid to understand that attackers can turn that toaster into a spy that listens to your conversations and then informs your wife that you’re having an affair, or records that racist conversation and plays it to your boss. So there are risks emerging at a fast rate.
Some of these things are not possible yet, but give it a couple of years, and they will be. There are people already being spied on by their baby monitors. Somebody can get your WiFi password from your doorbell because someone decided your doorbell needs to be on the internet.
There is a twitter account which is full of examples of manufacturers taking an ordinary gadget that does a regular task and putting a computer in it, but not realising it now does a whole lot of other things that people might not want it to.
People are not always rational actors. Once something has been proven and there’s a big media storm over it, they will react and stop buying it. But the media can’t keep up with the number of insecure things that are happening. So there will be people in the street I live on now who will be using insecure software, but who just haven’t got the memo that it is insecure – that’s because the people who are actually interested in this stuff can’t convey the message to the entire world.
Some people I chat to on the internet have released advisories in the past year for products of several well-known brands, running on software that could enable people to take over your computer if the vendors made a mistake. But you probably won’t have heard about it unless you read the tech blogs – and again not everyone has the time to do that.
If a product has a major car crash then people will be hesitant to buy it (as with the cheating software in Volkswagen’s cars) but for every product failure you hear about, there’s nine or 10 you don’t.
The concept of the hacker has attracted a lot of different connotations in recent years. It tends to bring up a lot of different associations in people’s minds. In the culture I’m in, it tends to be somebody who understands technology, likes technology and makes it do new things. Tim Berners Lee, who created the World Wide Web, was a hacker. But more recently, it also means a person who commits computer crime, which has more negative connotations.
I am a hacker. I like technology and I would like to use it to make the world a better place. I also believe there’s a lot to be done that could help bring many of our brightest and best kids back into society.
The first thing is for people in the Government to realise that you can’t prosecute your way out of this problem. Just like with the drugs problem, people thought ‘If you arrest enough people then they would stop using drugs’ and that didn’t work, although it has taken about 60 years for people to start realising this. Locking people up is not going to help them.
So we must change the attitudes of people who are drawn towards experimentation because of their curiosity. Most of what might be considered ‘illegal hacking’ is conducted without any criminal motive, any attempt to cheat or make malicious gain, but rather, it’s the natural human desire and drive to understand the world in which we find ourselves.
These people could be drawn together in a way that gives them an environment to develop these skills so that they can be productively harnessed. (That’s not to say we should be drafting teenage hackers to work in GCHQ to keep us safe from the terrorists).
Obviously school provision is not sufficient and we could have more ‘hacker spaces’. I’d define these as a self-organised space, where people come together to work on different projects. It’s generally a space where the rent is paid for by the people who use it, or they will have some whip round.
The Government might even want to consider sponsoring these places, seeing them as an investment in talent. This means not just bringing up people who could go on to work in cyber security – but also in the sense that if you have a youth club you provide a place for children to congregate. If you close that youth club because of budget cuts, children are still going to congregate, but they’ll congregate in the park and they’ll drink cheap cider and they’ll have teen pregnancies and get into drug abuse.
So what you can do is facilitate a culture that drives people towards a certain relationship between their technological interest and their abilities and proficiencies. Some people are doing this a lot better than us, especially in the Nordic and Baltic States.
At the moment the Government is right to take an interest in culture and we have a Culture Secretary for that. But online culture has developed faster than the Government can react, because it is a large institution that takes time to understand technology.
Individuals are simply a lot faster to respond to technological developments than any large monolithic entity – so the Government struggles, and I don’t know if they will get better at it.
Large corporations and private industry accept that people will mess around with their websites and find ways of hacking them. So they’ve come to the conclusion that if it is inevitable – they’ll pay the same people to protect them, which is easier them doing it than being hacked by some Eastern European cyber criminals.
So they come almost universally to a consensus behind models called ‘bug bounties.’ Right now, today, you can go and hack American Airlines for free Airmiles, or you can get several thousand dollars in hard cash from Facebook, or Google, or Yahoo for pointing out exactly, and clearly, where they screwed up.
“I am a hacker. I do like technology and I would like to use it to make the world a better place”
Certainly we need to think about the next generation. This is something I’m exploring now. I’m working with a start-up called My Hacker House – the idea is to build a space for people that might be apprehensive or have difficulties getting employment or cyber security training in the formal sense because they might be too young, or have had run-ins with the law.
The idea is to give them a space to have their talents nurtured in a less judgemental environment but also with a bit of mentorship. On the other side of the equation it means working with corporations and government to say what can you bring to the table in terms of these young talented people, and what can they provide the Government in terms of security services.
There’s certainly a desperate need for help. Pretty much any large corporation realises it needs to spend money making things more secure, and it’s that bit between spending money and making things more secure that is difficult at the moment.
It requires some of this talent – and there’s a lot of talent out there – so we need to build bridges. We need to create that space where people can come together and overcome some of the mutual distrust and find a constructive way to move forward – this is how I aim to nurture future talent.
Without doubt we have great, great minds in the UK. They are at risk of not being harnessed because the traditional system by which people end up in particular roles in society hasn’t quite caught up with this change in society.
With luck we can harness these people because we need them – and we are facing great challenges. The internet itself is creaking and groaning and it needs to be almost redesigned from the ground up. The best analogy is that it’s quite easy to build a ship. But once you’re in a ship it is quite hard to redesign it when you’re in the ocean. It is the same with shoring up the internet so it can cope with the ever increasing burden that is going to be put on it by society.
We need these people and we need a system where they can reach their potential and avoid any friction in the process. We also need people not to be drawn into either serious financial crime or anti-social activities because they are the only people that take their gift seriously.
It’s a win-win situation if we build this better approach.