Co-author of a new doctrine for cybersecurity, along with another Cornell University researcher, Mulligan explained the key points of this theoretical framework at the XX International Conference on Information Security of ISMS Forum held in Madrid. Educate about the risks and consequences of cyber and raise awareness among States to develop a joint strategy to detect in time threats are the main lines of the doctrine, which delands some strategies raised to Now as putting the focus on the identification of the CYBERCRIMINALSS and then judging them.
question. Given the scope of the latest cyber [this interview was conducted before the alert launched last Monday by the FBI for a hacker attack to hijack domestic routers], do you think governments are sufficiently overturned in the Finding solutions?
answer. Governments, businesses, and individuals are increasingly concerned. The Ciberespionaje related to classified documents, the attack to webs and the theft of passwords and personal data is growing. So far the focus has been on developing new technologies to curb this breakthrough, but the solution requires public policy. We have to make an intervention in decisions that have so far been relapsed in individuals, for example, the installation of updates on their mobile devices. Ignoring or putting it off is irresponsible. These upgrades make sense from a technical point of view: they are security patches to solve system vulnerabilities.
All countries have security regulations, but the problem is that there is no coordination. Even if we are not going to act the same way, sharing information and anticipating threats together would be a breakthrough.
Q. do you think that part of the solution is to educate citizens so that they are aware of these dangers and do their best to remedy it?
A. we're never going to have perfect systems. People are not going to behave in an exemplary way, there are people who are continually trying to attack systems, some for economic or political reasons and others just to show that they can do it. We can educate, teach that if you have many electronic devices that you no longer use, you have to shut them down or they could be communicating with external and unknown networks. The first step in managing insecurity is to take responsibility and not look the other way when you get to your computer an update of the operating system, whose mission is to put a security patch to the code of your computer to make it safer.
"Maybe we shouldn't give them a chance to decide, but directly update their equipment automatically"
Q. What can be the consequences of not installing these upgrades?
A. if I ask how much battery your phone has or what power the WiFi is easy to answer. Just look at the bars at the top of the device. But what security does it have? How many times have you tried to damage it or access it throughout the day? We have no idea of the safety of our mobile. When there is an attack on a government or corporate website, the culprit is not an individual from a computer, but the so-called botnets, the use of millions of computers of different users to direct traffic to sites Concrete and knock them down, disable them.
As a citizen, you do not want your device to be used for that purpose, but you do not have any tools to measure the health of the device. To that it adds that many people are afraid to update their mobile if it hangs, in case they delete messages or if it starts to work slower. Other times they are traveling and do not have enough broadband and they put it off. At that point, your phone is vulnerable and someone may be trying to get data from it or want to use it for an attack. Irrationally and for their own interest they do not, and they are allowing third people to be attacked en masse. The more people update, the better the security system for everyone.
Q. The reason why many relax is precisely that they are not afraid to be attacked because they are not famous people with material that is susceptible to theft.
A. If your computer is hacked, you can extract information, detect what you are typing or access the microphone. The consequences can fall directly on your privacy. Certain passwords lead to information about your financial situation, credit card details, phone numbers, email addresses... That data from hundreds of people can be very useful for credit card fraud or phishing operations, which is one of the most growing crimes in the world. A criminal who gets your data can open new accounts with your name, or sell that personal information in the darknet (Dark Network).
Q. What kind of legislative changes do you propose?
A . today, people can decide whether to update their phone. The question is should we adopt other policies? Taking into account that their security decisions affect third parties, we should not give them the opportunity to decide, but directly update their equipment automatically. If we consider that there is a real public risk and that they make the whole ecosystem weaker. There are many differences between the individual interest and the public and we have to reflect on that. It's like the car: in some countries the safety belt is automatic. It is not the case of the United States because we value freedom there.
Q. in that case, governments would have to rely on the criteria of technology when launching operational system updates. Blindly trust that they will arrive on time.
A. companies are interested in addressing these vulnerabilities; For them it is a matter of time and money. They also face the challenge of ensuring that these security patches will be compatible with other services. For example, in the case of Microsoft, make sure that they won't hinder the latest version of Microsoft Office. Also that the devices will support the upgrade. In the case of Apple, it is easier because there are not many users with old operating systems. They have been forced to change the terminal in order to be up to date. home computers work differently; They are usually maintained for longer and the applications that are downloaded are not as constrained by the operating system as the mobile ones. It's another rhythm.
"Our doctrine proposes to get people to install security patches, to understand when their machines are infected."
Q. with the Internet of things many gadgets are connected to each other. Are such open systems more vulnerable to attacks?
A. They are intelligent devices that are connected to the Internet and can be hacked. There is now a shift in the approach of these products to prioritize security from the time of design and manufacturing. The big problem is that many of those devices do not allow upgrades. Touch screens from which the thermostat is controlled, the door closing or the house lights. They are easy to install and comfortable, but we know they are vulnerable from a security standpoint and can be used jointly to create an infrastructure that supports different types of attacks.
In the United States they look like use and pull products and have not been manufactured to deal with vulnerabilities. They don't have the ability to support security patches. I'm not talking about Alexa, but about gadgets that have normally been released to the market by small companies.
Q. is the problem small companies?
A. they try to get products to market quickly that are attractive and innovative. Security costs money and consumers are not willing to pay more for a camera to control their baby that is safe from the point of view of the cyber. They think, who's going to want to see my baby? In terms of product development is more expensive and also the safer a device is less likely to connect with others. People want to remove the device from the packaging, plug it in and be able to do it all at once. The security market is not profitable.
Q. What is new in your doctrine for cybersecurity with respect to the previous three?
A. they focused on two aspects that are inefficient. They left the weight on the advancement of Technology and the development of stronger security systems. It's impossible. Let's think about a house. To make it safe, we'll build it in metal, with a single window, small, with a fingerprint access door. Very safe but very unattractive to live without light. We can build very secure systems, but people want to download applications, that is compatible with other devices, use WiFi. Building a system that is safe in all those environments is a major engineering problem. Another added problem is that there are those who want to attack and access those systems; They continually look for the windows, the vulnerability gaps to be strained.
Another flaw is to focus on the punishment of the cybercriminals. Finding the original machine and the person behind it is very complicated. Then there is the question of whether the country will extradite him to be judged. That's another doctrine that doesn't work. Our doctrine proposes getting people to install the security patches, make them understand when their machines are infected, and ensure that they keep them as safe as they can. Similar to the health scenario: your health contributes to general health.