
Cybersecurity strategy, dog's breakfasts and ex-Ministers

I had the pleasure of attending a “Horizon Brief” organised by the Centre for the Study of Financial Innovation (CSFI) for Dentons. The well-informed speakers, ably chaired by Andrew Hilton (Director of the CSFI), were lawyer Dominic Grieve (the day after he ceased to be an MP), lawyer Anton Moiseienko from Royal United Services Institute Centre for Financial Crime and Security, lawyer Richard Parlour (Chairman of the EU Task Force on Cybersecurity Policy for the Financial Sector at the Centre for European Policy Studies) and lawyer Antonis Patrikos from Dentons’ Privacy and Cybersecurity Practice.

There was a deal of discussion about Russia and China, cyberattacks and critical national infrastructure, and also the nature of serious crime as it shifts towards online. Much of the discussion was illuminating, and I won’t repeat it all here, but I particularly enjoyed the points made about cryptocurrency as a facilitator for cybercrime. 

(I can't resist quoting Marshall McLuhan at this point. Way back in 1970 he said that "World War III is a guerrilla information war with no division between military and civilian participation". We are already in that war, and we don't seem to have a strategy for winning it.)

I asked the former Minister about the comments of one of his former colleagues, Margot James, the Minister for Digital Thingies. She was quoted in The Daily Telegraph as saying that the UK must "get over" privacy and cyber security fears and adopt technology such as online identities. I was surprised by this statement because I assumed that the Minister for Digital Thingies would be campaigning non-stop for our privacy, doing everything she can to provide for our cybersecurity and working around the clock to develop a digital identity infrastructure that simultaneously delivers both of these. We don't need to "get over" them, we need to get something done about them.

None of us should have to "get over" privacy or cybersecurity fears to use digital identity because digital identity should deliver both of them. If you understand computer security, cryptography and communications then you know that we already have the tools to do precisely this: cryptographic blinding, zero-knowledge proofs, verifiable credentials and so forth. Given that the panel was made up entirely of lawyers and the government is made up of lawyers and PPEs, perhaps it is not surprising that there was little to no mention of the technologies needed to create robust cyberwar defences.

While the Minister was advocating online identities, another Minister was ending government funding for the government’s own Verify digital identity service. And more recently another Minister has scrapped the online age verification plan that would have at least bootstrapped digital identity into the mass market, even if it was to be provided by Pornhub rather than the Department for Culture, Media and Sport. To a casual observer, it might seem that the government has no actual strategy.

I wondered afterwards if there isn't something else going on here. A couple of years ago, there was an opinion piece in The New York Times acknowledging that while there are technological issues that contribute to poor cybersecurity throughout society, the underlying reason is political. This is because corporations "have poured large amounts of money into our political system, helping to create a regulatory environment in which consumers shoulder more and more of the risk, and companies less and less".

Perhaps the way to get the right technology in place is then regulatory. Look at banking: it wasn't technology that brought us open banking, for example. Or payments. In the UK, there is a new code of conduct in place for Authorised Push Payment (APP) fraud which means that, essentially, if you are tricked into sending money to a crook then the bank (not the crook) has to give you your money back. I can't see a new code of conduct that means if your computer is hacked then Apple or Microsoft is responsible (for selling you a hackable computer), but I can see a way to make intermediaries work harder on behalf of consumers.

I’ll give you a simple example of an absolutely typical fraud that we see in the UK on a daily basis. A Mr Pibworth instructed a firm of solicitors to pay money out of his client account at midday on January 25th of this year. It was a Friday (as is typical for these frauds). He asked for the money to be paid into a joint account that he and his brother have. However, a few hours later the solicitors received an email purporting to be from Mr Pibworth (but which was actually from a fraudster) with new instructions saying the money should be paid into a different account. Which they then did.

And £60,000 was sent off to the fraudsters.

(The same firm of solicitors, incidentally, lost £100K to a similar fraud in 2016.)

I imagine that the solicitors didn't bother checking that they were sending to the correct account any more because the banks have to pay up if they transfer cash to fraudsters. According to the code, these solicitors would only have to demonstrate that they had taken "the requisite level of care" and then bank customers would have to cough up and compensate them. But what is a "requisite level of care"? It's certainly not taking the contents of an e-mail for granted! Perhaps they should have phoned Mr. Pibworth to check that he had sent the e-mail? But then the Wall Street Journal reports that criminals used artificial intelligence-based software to impersonate a CEO's boss and instruct him to transfer money! The CEO of a U.K.-based firm thought he was speaking on the phone with his boss, the CEO of the German parent company, who asked him to send the funds to a Hungarian supplier.

(I think that the requisite level of care should be linked to using digital identities with credentials provided by someone that you can sue - such as a bank - if the identity turns out to be fraudulent, but that’s a topic for another day.)

If you ask me, however, Mr. Pibworth was negligent for sending sensitive financial details by unencrypted e-mail, since everyone knows that e-mail has absolutely no security associated with it at all and you should generally assume that any unencrypted e-mail containing financial details that lacks a digital signature is fraudulent. Solicitors should have a code of conduct that ignores any financial instructions in an e-mail. WhatsApp, Signal, Messenger and perhaps even Instagram* yes, but e-mail no.
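To show what "ignore any financial instruction that is not digitally signed" looks like as an actual control, here is an added example in Go (not code from the original post or from any firm mentioned in it). It assumes the client has registered an Ed25519 public key with the solicitors in advance; the client reference, payee, sort code, account numbers and amount are constructed. The signed instruction is accepted, and the fraudster's follow-up "please use this other account instead" is rejected whether it arrives unsigned or with the original signature copied across.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// PaymentInstruction is the constructed message a client sends to the firm.
// The signature covers the JSON encoding of every field, so a change to
// the destination account invalidates it.
type PaymentInstruction struct {
	ClientRef string `json:"client_ref"`
	Payee     string `json:"payee"`
	SortCode  string `json:"sort_code"`
	Account   string `json:"account"`
	AmountGBP int    `json:"amount_gbp"`
}

// SignInstruction is what the client's side does: sign the encoded instruction.
func SignInstruction(priv ed25519.PrivateKey, p PaymentInstruction) ([]byte, error) {
	msg, err := json.Marshal(p)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, msg), nil
}

// AcceptInstruction is the firm's check: act on an instruction only if it
// verifies under the client's registered public key. A missing, wrong-length
// or copied-over signature all fail here, so the instruction is treated as
// fraudulent rather than paid.
func AcceptInstruction(pub ed25519.PublicKey, p PaymentInstruction, sig []byte) bool {
	msg, err := json.Marshal(p)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, msg, sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed client key pair
	original := PaymentInstruction{"PIB-001", "J & A Pibworth", "00-00-00", "12345678", 60000}
	sig, _ := SignInstruction(priv, original)
	fmt.Println("signed original accepted:", AcceptInstruction(pub, original, sig))
	diverted := original // the fraudster's e-mail: same instruction, new account
	diverted.Account = "87654321"
	fmt.Println("diverted, unsigned:", AcceptInstruction(pub, diverted, nil))
	fmt.Println("diverted, old signature reused:", AcceptInstruction(pub, diverted, sig))
}
```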
