Cracking cybercrime
As one of the few GCHQ-accredited Academic Centres of Excellence for Cyber Security in the UK, the University of Southampton has a leading role in research and education to tackle cybercrime.
Most of us depend on the internet for our day-to-day activities – from buying shopping and booking train tickets to keeping in touch with friends and contacting our local council. Yet the world’s digital economy is being undermined by the activities of cybercriminals; the Office for National Statistics estimated that there were 2.46 million cyber incidents in the UK in 2015, making up more than a third of all crime. Southampton researchers are addressing this issue and training the cyber security experts of the future.
As one of the few GCHQ-accredited Academic Centres of Excellence for Cyber Security in the UK, the University of Southampton has a leading role in research and education to tackle cybercrime, both today and in the future. The Southampton Cyber Security Academy is a partnership between the University of Southampton and world-leading industry and government partners to provide a focal point for cyber security research, education and outreach. Industrial partners of the Academy are the Defence Science and Technology Laboratory (Dstl), Northrop Grumman and Roke Manor Research, with further partners across a range of industries set to join as the Academy grows into a vibrant community of businesses, centred in the South of England but with global influence.
Professor Vladimiro Sassone, Director of the Academy at Southampton and Head of ECS' Cyber Security research group, says: “The increasingly alarming statistics on cyberattacks and crime on a variety of targets make the Academy a timely initiative fully aligned with the UK’s national cyber security strategy. The span of problems is huge, including the protection of critical infrastructures, of industrial and economic processes, of government, businesses and users’ data, privacy and interests. There is a pressing demand for cyber security, and in the next 20 years cyber research will have the same kind of momentous social and economic impact as medical research had in the 20th century.”
The increasingly alarming statistics on cyberattacks and crime on a variety of targets, make the Academy a timely initiative fully aligned with the UK’s national cyber security strategy.
Helping companies beat cybercriminals
Companies are going out of business all over the world because of cybercrime. UK government statistics published in 2015 showed that 90 per cent of large organisations and 74 per cent of small- to medium-sized enterprises (SMEs) in the UK reported a cyber security breach in 2015. For the most severe breaches, the costs can exceed £3m for large companies and £300,000 for SMEs.
Dr Gary Wills, Associate Professor in Computer Science, leads a team of researchers who work in the field of secure systems engineering – looking at the way secure systems such as cloud-based systems, the ‘internet of things’ and cost-effective protection for SMEs are designed, implemented and used.
The team use computer simulations and mathematical models to develop tools to help organisations test how secure their systems are. As well as looking at the systems themselves, they work with owners and employees of SMEs using surveys to glean the latest information on current cyber security in SMEs. Using these methods, they are helping organisations protect their data, deal with a cyber security breach and find out how the breach occurred so they can improve their systems to prevent similar attacks in the future.
“A fundamental problem is that the internet was built on a non-secure platform, with an ethos of openness – but now that we rely on it to store so much confidential data, it is vulnerable to cyberattack,” says Gary. “Our research focuses on helping SMEs, as they often don’t have a sophisticated IT department with the expertise to protect their online assets.”
Building secure systems that aren’t easily hacked is vital for the future of the global digital economy. “Laws are changing and a serious breach in privacy can result in a company being fined a 10th of their turnover.” And, without sophisticated systems, many small businesses don’t detect a cyber fraud for around 18 months, during which a lot of damage can be done.
“Imagine if you were to leave your house with all the windows open and you put the front door key under the mat on your front step. You shouldn’t be too surprised if your valuables go missing. However, often people – and companies – don’t change the default passwords (‘door key’) or close the unused ports on their server (‘windows’),” says Gary. “Through our research, as well as improving the systems, we are informing companies of the importance of carrying out these fundamental security checks.”
Training tomorrow’s leaders in cyber security
As an Academic Centre of Excellence for Cyber Cecurity, the University is a hub of research, education and innovation on the topic. Around 45 postgraduate students are currently specialising in cyber security though their MScs and PhDs at Southampton. “We provide a stimulating environment for our students, including opportunities to work with companies such as IBM and Microsoft, which set real-world problems for our talented students to solve,” says Gary.
PhD student Zeyad Aaber’s research involves testing the performance of the government’s Cyber Essentials scheme that was set up to protect SMEs from threats online.
“In two years, we have devised a new approach to model threats facing SMEs and developed a new threat analysis method to evaluate an SME’s readiness to control current threats,” says Zeyad. “Many system designers try to apply human understanding in what a secure system can do, but computers are not as good at making decisions as we would like to think, so they often miss subtle things that we, as humans, easily spot. Through our research, we are ensuring that the rules we use to implement the secure systems behave the way we want them to.
“It has been a privilege to study here in Electronics and Computer Science at Southampton, working with world-class professors on national projects. This research environment has kept me challenged and has brought out the best in me,” Zeyad adds.
Small companies are increasingly using cloud-based systems, which are also vulnerable to security and privacy issues. PhD student Fatmah Akeel’s research focuses on devising a set of guidelines for building secure data integration systems that combine data from multiple data sources to resolve users’ queries. Organisations use data integration systems as a cloud service to provide better results for applications such as data analysis, visualisation, scientific research and national security. “In my opinion, it is essential to guarantee that data integration services continue to provide the needed functionality in a reliable and secure fashion. The current technologies on the web, including cloud services, require improved security and privacy, especially when handling sensitive and personal data, which are always at risk,” says Fatmah.
Working with colleagues in social science, business and engineering, the team also looks at how people make decisions on taking risks, how to keep documents secure when they leave an organisation, and cyber-to-physical attacks that could come from smart cars, smart meters, the ‘internet of things’ and security in manufacture. PhD student Nawfal Fadhel is working with Lloyd’s Register on a project to help manufacturing companies can protect their brands from cybercrime. “I would encourage young people to apply for cyber security degree as there is a huge technological gap that the UK government needs to fill to enable businesses to protect their intellectual property,” Nawfal says.
Multidisciplinarity is a great strength of our research here at Southampton. From producing our own software and hardware, through to improving the understanding of how people make decisions about risks, to the legal aspects of cyberattacks, our research is beginning to influence policy on cyber security nationally.
Changing the rules of the game
Computer scientist Dr Toby Wilkinson’s research involves assessing the risk posed by cyberattacks. “There are two components to this – the probability of an attack happening and the impact that the attack could have – in terms of the damage it could cause,” says Toby. "This is where safety differs from security. In a safety-critical system, say an aircraft, faults tend to be random and hopefully of low probability, but attacks by humans on systems are much more targeted and intelligent: someone is actively looking for defects and how to exploit them."
This becomes a ‘game’ between the defenders and attackers of a system. “But it’s an asymmetric game: the attacker only needs to find one defect for them to get in, but the defenders need to identify all the defects to keep them out, so you need to change the rules,” says Toby. "My research involves developing ways to design the bugs out and using mathematical proofs to show that the software is correct – rather than relying on a human to do this, as the systems we are building now are too complex and people can make mistakes."
Funded by Dstl, Toby is working on a project with a manufacturer of unmanned aerial vehicles (UAVs) to validate UAV routes and prevent collisions.
"With UAVs becoming ever more widely used, it's vital that we ensure they are safe and not open to cyberattack,” says Toby. “We are developing software to monitor the decisions made by artificial intelligence to identify unsafe decisions and block them. This monitoring software will come with a mathematical proof that it is correct, giving greater confidence that the system is safe. This approach of monitoring system behaviour and blocking bad actions has an obvious application to security too."
Multidisciplinary ethos
Cyber security is a multidisciplinary issue, which requires expertise from law, psychology, education and business risk management, as well as mathematics and technology. Southampton is one of the few multidisciplinary Academic Centres of Excellence in Cyber Security Research in the country, sponsored by the UK government, and we have experts in all of these areas.
“Multidicisplinarity is a great strength of our research here at Southampton,” says Gary. “From producing our own software and hardware, through to improving the understanding of how people make decisions about risks, to the legal aspects of cyberattacks, our research is beginning to influence policy on cyber security nationally. It is my hope that through this research, we can start to regain people’s trust in the digital economy so that individuals and companies can be confident of making transactions online that are safe from cyberattack.”