Gresham College Lectures

Defeating Digital Viruses: Lessons From the Pandemic

March 31, 2023 Gresham College

This talk will explore the potential for harnessing the public health framework for addressing online safety and security.

Throughout the COVID pandemic, citizens have washed their hands, covered their faces, and maintained a physical distance. If members of the public can protect themselves and others from offline viruses, why not digital ones?


A lecture by Victoria Baines recorded on 21 March 2023 at Barnard's Inn Hall, London.

The transcript and downloadable versions of the lecture are available from the Gresham College website: https://www.gresham.ac.uk/watch-now/digital-pandemic

Gresham College has offered free public lectures for over 400 years, thanks to the generosity of our supporters. There are currently over 2,500 lectures free to access. We believe that everyone should have the opportunity to learn from some of the greatest minds. To support Gresham's mission, please consider making a donation: https://gresham.ac.uk/support/


Speaker 1 (00:06):
Ladies and gentlemen, given that my previous lecture in this series was on encrypted messaging, it's half tempting to start this one, on lessons from the pandemic, with an assessment of the former health minister's now very public WhatsApp messages. But this isn't a politics lecture, neither is it a political one, I promise. Um, COVID-19 is still in our communities and many of us are still coming to terms with its impact. So I have no intention of conducting an assessment of the effectiveness of the UK's or any other country's operational response. I am, you will be very pleased to hear, in no way qualified to do that. Rather, I'm gonna focus on what the pandemic teaches us about how to communicate with the public on safety issues and how considering our safety online also as a public health concern might make us all safer and more secure.

(01:22):
During the pandemic, public health messaging like this was an essential component of governments' responses, and research has already been published that seeks to analyze this messaging, for example from the perspective of communication science, in terms of self-reported levels of compliance, and with a particular interest in the use of social media. Now, systematic reviews are still ongoing, but we as individuals can testify that when asked to cover their faces, wash their hands and keep a distance from each other to protect themselves, their loved ones and their communities, many people did this, and indeed some still do. People all over the world proved that they were capable of taking preventative measures to control the spread of infection. And in the UK, public health messaging was reinforced with memorable slogans exhorting the public to action, including this one, "Stay Home, Protect the NHS, Save Lives", and the rather catchy "Hands, Face, Space".

(02:42):
In lockdown in 2020, I wrote a book, as you do, on security rhetoric: the techniques used by governments, the media and others to communicate safety and security to the public. And I was reminded of the similarity of the language and imagery of pandemics and that of cyber threats, more precisely how the cybersecurity world routinely borrows from virology, immunology, and epidemiology to represent cyber threats as viruses and infections that spread. It set me thinking about why we had come to do that, what challenges that comparison might present and whether there were opportunities to put it to better use. And I analyzed three different types of communications: government statements, such as those made by politicians and law enforcement agencies; the marketing materials of companies selling cybersecurity products, popularly known of course as antivirus software; and lastly, text written by cyber criminals themselves, such as phishing emails, scam messages and pop-up ads.

(04:09):
And what I found really surprised me. Governments, salespeople and criminals all used similar techniques to catastrophize cyber threats, to make being a victim of cybercrime look and feel like the worst possible thing in the world. They did it for different reasons: governments to justify what they were doing and, bizarrely, in some cases were not doing to tackle the problem, companies to persuade people to buy their products, and criminals to entice or coerce people to comply with their demands. But they all portrayed digital technology as dark and anonymous and cyber threats as colossal, deadly crises. And they all used mystifying technical jargon to do so.

(05:16):
So I put myself in the shoes of someone looking for basic cyber crime prevention advice and unlike many people would, I did a Google search and because I was interested in all types of content, I searched for both text and images. And this is a screenshot of my search results in January 2020 for the search string "cyber crime prevention". And you'll see that perhaps with the exception of the advice sheet from the Philippines National Police towards the bottom left there of the screen, there seems to be something of a pattern. So let's take a closer look at this together. First of all, what color is cybercrime prevention, would you say? Blue. Blue, yep. Absolutely. It appears to be either dark blue or in fact no color at all. Pitch black. Preventing cyber crime also appears to involve treating your computer like it's a crime scene, or at least putting a padlock on it. Um, it requires an ability to code, use of some kind of futuristic projected touch technology, and pirates and insects crawling out of your computer screen. Faceless hooded figures seem to be prominent as well, don't they? So before we go any further, let me ask you, how confident do you feel right now about your ability to protect yourself online? Because I will wager that unless you already work for law enforcement, for a cybersecurity company, or you are a cyber criminal, these images shout that cybersecurity is not for you.

(07:17):
They say a picture paints a thousand words, and this image sums up for me what the dominant rhetoric of cybersecurity has looked like for the last 30 years. It brings together several of the elements returned in my Google search: the blue light, the circuitry background, the cascading binary. They all speak of technical sophistication that is beyond the grasp of the average citizen. In fact, the central figure seems to be a sort of magician conjuring up numbers from an ethereal keyboard, the like of which I've certainly never seen in real life. We're encouraged to assume, I think, that this is a male figure. He's wearing the stereotypical uniform of a hacker, the hoodie, and he's strangely faceless. His hands are accentuated. They're the only part of his body that are visible. They're grasping, rapacious even. They encourage us to think of him as a violent criminal, a mugger or worse.

(08:30):
But unlike the average mugger, the map behind him suggests that he is capable of reaching right around the world. Now newsflash, in real life, not all cyber criminals wear hoodies. Some of them don't identify as male and all of them certainly have faces, but somehow we've ended up in a place where this is the accepted, even the default way of representing them, and in which the overwhelming impression is one of our own powerlessness, helplessness and hopelessness. And when we look for precedents for this kind of image in popular culture, that sense of powerlessness is heightened because I suspect that when many people think of a hooded figure with grasping hands, they first think of this. And what we know about this chap, what we know about the Grim Reaper, is that barring a very few exceptions in European folk tales, when he comes for you, there's no escape. There is absolutely nothing you can do.

(09:53):
So imagery that depicts cybercrime like this is hugely disempowering. It does nothing to make people safer beyond pushing them to buy a product. It has more to do with fiction and fantasy than with the reality of cybercrime. And yet, for several years, this very image was at the top of the welcome page on the FBI's website when ordinary people were searching for advice on cyber crime prevention. How on earth did we get here? The reasons were, I think, well intentioned, but it got out of hand. Like many others working in cybersecurity, I have struggled to explain what on earth it is without reverting to metaphor, language and imagery that make zeros, ones and invisible data seem more immediate and more tangible. The persuasive impact of metaphors is in their ability to make someone feel as they might feel about the image invoked. So for example, some parts of the web are represented as dark simply because they are not indexed by mainstream search engines and they're therefore less visible on the surface. Malicious software is described as infecting a computer because it enters the machine, it spreads and it impairs its functioning. It behaves like a virus because it self-replicates, but it doesn't attack human bodies, or at least not yet. That's for another lecture. Even the word cybersecurity sounds remote from ordinary people's experience, like it's a made-up word from the pages of science fiction. And in fact, that's exactly what it is.

(12:07):
Fantasy and science fiction are key features of what historians would perhaps call cybersecurity's foundation myth. The term cyberspace, which is now regularly used in international negotiations, was in fact coined by science fiction author William Gibson and popularized in his 1984 novel Neuromancer, and the sub-genre in which Gibson was writing, cyberpunk, subsequently escaped the page to become a real-world aesthetic. All of these compound words with that cyber prefix, they trace their origins to cybernetics, the study of animal and mechanical regulatory systems expounded by Norbert Wiener in the 1940s. Now, Wiener's term itself borrowed from the ancient Greek kybernetes, meaning the helmsman or a steersman of a boat. Meanwhile, in the second half of the 20th century, popular science fiction abounded with cybernetic organisms, cyborgs. Darth Vader, Star Trek's Borg, Doctor Who's Cybermen, the Terminator, and my favorite, Battlestar Galactica's Cylons, all introduced cyborgs to the public well before something like cybersecurity gained currency as a popular concept.

(13:44):
So all of these modern cyber words, of which the Oxford English Dictionary currently has 49, are confections. They're neologisms in which a prefix with its origins in ancient sailing is applied to digital technology. In contrast to the less exciting but probably more accurate alternative, network and information security, cybersecurity is difficult to grasp without an understanding of this somewhat obscure heritage. But in this respect, etymology reinforces the dominant rhetoric, which is that cybersecurity is exclusive, inaccessible and dystopian. Cybersecurity's association with epidemiology also has its own history. It is commonly traced back to Gregory Benford's 1970 short story, The Scarred Man, in which malicious software had the name VIRUS and the program engineered to remove it VACCINE. Benford had worked on the precursor to the internet, the US Department of Defense ARPANET project, in the 1960s. So yet another intersection between life and art, between science fact and science fiction. But it's researcher Fred Cohen who is credited with introducing the term computer viruses to the academic world. And Cohen's definition was the blueprint not only for usage of that term virus, but also of a wider transferred lexicon.

(15:37):
In a 1987 article in the journal Computers and Security, he writes: "We define a computer virus as a program that can infect other programs by modifying them to include a possibly evolved copy of itself. With the infection property, a virus can spread throughout a computer system or network using the authorizations of every user to infect their programs. Every program that gets infected may also act as a virus and thus the infection grows." The hyperbolic potential of that metaphor is exploited from the outset. So Cohen expands: "As an analogy to a computer virus, consider a biological disease that is 100% infectious, spreads whenever animals communicate, kills all infected animals instantly at a given moment and has no detectable side effects until that moment. If a delay of even one week were between the introduction of the disease and its effect, it would be very likely to leave only a few remote villages alive and would certainly wipe out the vast majority of modern society. If a computer virus of this type could spread throughout the computers of the world, it would likely stop most computer use for a significant period of time and wreak havoc on modern government, financial, business and academic institutions." That was back when academic institutions were important.

(17:26):
Now this language taps into our deep-seated fear of death and basic physiological needs, and its transferral to cybersecurity imbues computer problems with a sense of mortal danger. And one may think that engaging in that kind of alarmist rhetoric would've been something of a gamble. During the Covid pandemic, target audiences may legitimately have felt that they had bigger, more immediate threats to worry about. At the same time, you may remember something that I was struck by, that during the pandemic, many companies of all types sought to persuade us that we needed their products, quote unquote, "more than ever". In late 2021, a cybersecurity vendor displayed this text on their website, and I really hope that I have sanitized this page as much as I need to because, as I often say when I show this slide, I really don't want to get sued.

(18:36):
"Preparing for the next global crisis: a cyber pandemic. People and organizations have suffered greatly from the coronavirus pandemic." That's true. "Many critical lessons are being learned, but none more important than that another devastating crisis could be brewing. A catastrophic cyber event has long been envisioned. And with today's digitally connected world, a global cyber pandemic is now a reality." And a banner at the top of this page urged visitors to "prepare for a cyber pandemic: secure your everything now." Now there are a number of possible reactions to this content. It could indeed trigger the alarm at which it is evidently aimed. It could also be rejected as a cynical attempt to exploit an already heightened state of alert. It could likewise be seen as crass and insensitive by people who have been directly affected by Covid at the time. We can perhaps be more definite about what this messaging is not, and that is empowering for the citizen. In their communications on Covid, governments were keen to emphasize the active role of ordinary people in controlling the spread of the virus, in protecting themselves and others. In stark contrast, here the only solution is to purchase the product offered by the vendor. No further protective advice is given.

(20:23):
On the same theme, companies started to promise cyber immunity while the world was in the throes of the first wave of coronavirus infections. This period also saw the launch of a product that claimed to be the world's first computer vaccine. Now we don't have access to the sales figures of these companies before and after these campaigns, so it's not possible to gauge how successful these attempts to capitalize on the pandemic have been. But what is clear is that COVID-19 was used by some in the cybersecurity industry as a business opportunity and as a device to persuade potential customers of the urgency and severity of cyber threats. It's a clear example of a tactic that is known as FUD, F-U-D: fear, uncertainty and doubt.

(21:29):
Now none of this critique should be taken as an attempt to dismiss cyber threats. Cyber attacks can be serious and damaging to reputations, finances, national security and personal wellbeing. But there is no empirical evidence that scaring the hell out of people while making them feel powerless makes them any safer. If we think about it logically, there's no reason why it should. Highlighting the way in which certain types of imagery are consciously chosen and considering the potential impact of those on different audiences, particularly on a non-specialist, non-technical public, can help us to identify instead, alternative framings that resonate with citizens, but also empower them to protect themselves and others.

(22:32):
One proposed approach seeks to harness lessons learned from public health rather than simply exploiting its language and imagery. A social ecological model recognizes that an individual's history and circumstances, their relationships, their community and society at large all interact and all influence the occurrence of a problem and levels of protection from it. And there are precedents for applying this public health approach to safety and security issues. For instance, the World Health Organization includes violence prevention in its work as one of the social determinants, social, physical and economic conditions that impact on health. In my research a few years ago on online child abuse, which I've included in the transcript for this lecture, considering risk and protective factors in this way helped me to appreciate the full range of interventions and stakeholders needed. And as you can see, there are quite a lot, which makes this, this map and the previous one rather complex to read at a distance. So I'm going to zoom out to the top level.

(24:01):
Crucially, it demands that we give equal consideration to all types of intervention regardless of our personal preferences and aversions. It tests our assumptions, it challenges our biases. For example, in order for children to be protected from sexual abuse online, it isn't simply enough to lock up offenders and make children and caregivers aware of the dangers. There also need to be services such as the Stop It Now helpline, which helps people who are concerned about their own thoughts or behavior towards children, people who are worried about the behavior of others, and friends and relatives of people who are arrested for child abuse. So a public health approach to the problem demands that we identify and provide also for underserved and hard-to-reach groups. This model is also eminently applicable to common cyber threats. And in the last decade or so, a number of researchers have proposed that we tackle communicable cyber threats as we do communicable diseases and non-communicable cyber threats as we do non-communicable diseases. So let's consider for a few moments how that might work in practice. Botnets are networks of infected devices that are then used to conduct attacks on other devices, on systems and on networks. And if you use social media, you'll also be familiar with the fact that people's accounts can be hacked or cloned in order to dupe or scam one's friend networks. Equally, fake news spreads via sharing on social media. In fact, we often say that it goes viral. So all of these behave in a way that is similar to communicable diseases.

(26:15):
Cyber threats that aren't directly spread to others behave like non-communicable diseases. And in this category we might include attacks on websites that disrupt delivery of a service, denial of service attacks, scams designed to take your money and ransomware attacks that lock devices until a ransom is paid.

(26:40):
A public health approach also seeks to address individuals' risk behaviors and environmental exposures. And for our purposes, these could include sharing account passwords with other people (that's something you really shouldn't do), not installing antivirus software, and clicking on unchecked links, all of which can be reduced through behavioral change and awareness. And finally, there are risks that simply come with the environment. For example, using public wifi, having to share devices with other people, being exposed to information online that may or may not be true and entrusting personal data to retailers and other online service providers, all of which can be mitigated to some degree. So breaking it down in this way helps us to identify opportunities for prevention and intervention.

(27:45):
Communicable cyber threats such as unwittingly being the intermediary for an attack as part of a botnet, can be met with system level interventions, including quarantine of infected devices, mandatory reporting of new cases, educational information and guidelines for early detection. But it also means that we can prioritize various forms of prevention, primary prevention to minimize the threat by addressing risk behaviors and promoting generalized protections, secondary prevention to reduce the impact of a disease or incident through targeted intervention and tertiary prevention to manage long-term effects and reduce the risk of recurrence. And we can also promote cyber hygiene at an individual level. So let's take a practical example. A device can become part of a botnet when the user clicks on malicious software. And this could have arrived in an attachment or an email or a web link of some description that malware infects the device, in this case hijacking the processing power to disable websites by flooding them with traffic.

(29:15):
We see similar process flows in other types of cybercrime as well, like someone compromising your email or social media account and using it to send scam messages to your contacts. Now naturally the first hope is that we can prevent this entirely. Not downloading the software in the first place is the surest way to prevent the device being infected and used in attacks. But if we're not able to do that, there are other points at which we can intervene to reduce the impact. For instance, if your device has antivirus protection, even if you click on a suspicious link or an attachment, it can be detected and removed before it can do any further damage. And even if you have failed in your duty to protect yourself and others, we can still help those others with their defenses.

(30:21):
Considering cybersecurity as a public health issue also helps us to identify what needs to improve at a societal level. And this public health approach typically comprises four main steps. Firstly, we define and monitor the problem, then we identify those risk and protective factors. Next, we develop and test prevention strategies. And finally, we assure that there is widespread adoption. As the first step suggests, reliable data on the scale and nature of a problem is essential to determining the correct responses and it ensures that there is an evidence base for any measures that are developed and adopted. Just as Covid cases, hospitalization rates and excess deaths were continuously reported at the height of the pandemic, so too we need to know how big, how prevalent a particular cyber problem is. But this is easier said than done because the data on cyber threats is so disparate. Law enforcement has data on reported crimes.

(31:44):
Technology providers have access to reports from their users. Organizations of all sorts have logs of suspicious activity on their networks. Antivirus companies have data from scans of their customers' devices, and so on and so forth. European legislation in the form of GDPR mandates reporting of data breaches to national authorities, but governments very often find that they have to rely on estimates based on surveys with some fairly small sample sizes. For instance, the Crime Survey for England and Wales estimates 1.6 million incidents of computer misuse, as defined in national legislation, in the year to March 2022. But this was based on a sample of just 13 and a half thousand households, and the UK government's Cyber Security Breaches Survey estimates that 39% of businesses identified that they had suffered a cyber attack in 2022, based on a sample of just 1,244 businesses. Now there's nothing wrong with these numbers. They are definitely very helpful indicators, but they are incomplete data on which to base national responses and to spend national resources. We need the data on cyber threats to be much more systematic and comprehensive in order for us to be able to decide whether we really do have a cyber pandemic or whether that is just marketing hype. So we could do with a public health approach to data collection, perhaps even, dare I say, a world cyber health organization to do this.

(33:46):
A public health approach to cybersecurity could also legitimately adopt the language and imagery of community disease control while at the same time giving agency to citizens. Public health communications need to be easily understood. So the fear, the uncertainty, and the doubt of cybersecurity must go, as must the overuse of technical jargon, which we will unpack further in the next lecture. If we want target populations to take some kind of action and even change their behavior, we need to communicate clearly what they should do and ensure that these actions are convenient and attractive. Incidentally, these are the results Google returned when I searched for images of public health last week. And I think it's fair to say that they are a lot more inclusive and accessible than those for cybercrime prevention. We have rainbow colors, we have non-threatening representations of people with faces.

(35:05):
At the height of the Covid pandemic, members of the public were not expected to have an advanced understanding of virology, of immunology or of epidemiology, but we were expected to understand that hygiene and distancing measures help to control the spread of infection. In the US, the UK and in Commonwealth countries, generations of people became familiar with this concept through the slogan "Coughs and sneezes spread diseases". And while for some the encouragement to use a handkerchief may smack of the nanny state, this phrase is so memorable that the World Health Organization still uses it in its video content. A lighthearted approach to disease control is perfectly acceptable, but humor is very rarely deployed in public information on cyber threats. One notable exception is Disney's Ralph Breaks the Internet. It's an animated comedy from 2018 that firmly targets a family audience. I've deliberately left this slide blank so that it will be all the easier for you to imagine as I describe the scene, but also because Disney has a fairly robust and formidable process for requesting use of its content for educational purposes.

(36:33):
The main characters are two friends, Wreck-It Ralph and Vanellope von Schweetz. And they are characters in video games in an amusement arcade and they physically enter the internet via a wifi router or router, if you're listening outside the UK. Online platforms in the internet are depicted as physical locations and algorithms are physical creatures. And that overall presentation is very accessible and very non-threatening. One of the characters is a pop-up advertiser and his name is J.P. Spamley. And he guides Ralph into the dark net to source a virus that will slow down a racing game with which Vanellope has become absolutely obsessed. The aim is to make the game so boring that she will want to leave and go home. So Ralph and Spamley, they descend in a lift to the dark net, which is of course a kind of underworld. It's a dank, dimly lit, green-tinged rather than blue-tinged street which houses the premises of Double Dan. Dan is a man-sized slug with more than a passing resemblance to Star Wars' Jabba the Hutt and the voice of a cockney gangster or rather Russell Brown's version of a cockney gangster. It's a scene that's reminiscent of Monty Python's Dead Parrot sketch or the purchase of the mogwai in Gremlins. The dark net is essentially transformed into an exotic pet shop. The virus for sale bursts out of its cage and he is a mechanical serpent-like monster, twisting and turning, and his name is Arthur.

(38:36):
Now Arthur is by no means a cute pet and his sudden explosion from his confines is surely intended to make a younger audience jump out of their seats. He's clearly quite dangerous. But that comic setting, the informal dialogue and the cartoonish rendering recast cyber threats as intelligible to mass audiences, and as portrayals of my subject go, this is one of the most inclusive and engaging. Now its impact on the next generation of the world's adults remains to be seen. But it nevertheless illustrates that a more lighthearted approach to cyber threats is possible. And in fact, there is research to suggest that images with positive emotional impact are more likely to be remembered, especially by older adults. So a cyber positive approach could actually be more effective. Now it's all very well my standing here and diagnosing the problem. That is what I most like to do in this world. But what we really need now are solutions. And here too, public health can serve as our guide. And here is my personal inspiration for what I think we need to produce.

Speaker 2 (40:17):
You may have met a few people who like doing this sort of thing. They're a nuisance, I agree, but pretty harmless. You have certainly seen problems like this. They're not a nuisance. They are a real danger.

Speaker 3 (40:30):
Woo.

Speaker 2 (40:31):
Hi. Stop it. You woo. Stop it. Stop it. Come here. What do you think you're up to? You've probably infected thousands of people already. What do you think this is for? Yes, that's all right. But yes, another way of using your handkerchief. Now sneeze, come on. All right, never mind. Close your eyes.

Speaker 3 (41:02):
<laugh>

Speaker 2 (41:06):
Now. Handkerchief, sneeze. Sneeze, handkerchief. Got it.

Speaker 3 (41:13):
Hi,

Speaker 2 (41:17):
Handkerchief, sneeze. See what I mean? That's the idea. Now you can carry on.

Speaker 1 (41:40):
It gets me every time though. Sorry. I've seen it hundreds and hundreds of times. Um, the infectiously, pardon the pun, joyful genius of Richard Massingham at work there with his 1945 public information film entitled Coughs and Sneezes. And I am beyond excited to share with you that at Gresham we have set ourselves the task of producing public information films on online safety that hit that spot. They're not quite ready yet, in case you were as excited as I am. Um, but they will be in the next few weeks and we will be sharing them far and wide on our websites, on our social channels, and they will feature in my next lecture, Cybersecurity for Humans, on the 9th of May.

(42:37):
So that is my call to action for people like me and institutions like this one: to do a better job of showing you what you can do, not just what you mustn't, to promote cyber hygiene, to perhaps encourage people to practice safe cyber, perhaps even keep our communities cyber clean and tidy. It certainly sounds more achievable and empowering than messaging in which cybercrime is catastrophic, demonic, inescapable and unintelligible. The COVID-19 pandemic showed that many people are capable of taking measures to protect themselves and their communities. So why don't we entrust them to do the same with cybersecurity? We've tried fear, uncertainty, and doubt for the last three decades, and it doesn't seem to have worked. We stand a better chance of defeating digital viruses if we act as a community. So let's harness the lessons of the last few years to improve our cyber health. In fact, it's not even cyber, is it? It's just health. It's just safety. And we, you know how to do that. So I expect to see you all back here, and you at home, on the 9th of May so that you can receive your orders. Thank you very much.

Speaker 4 (44:32):
Thank you so much Professor Baines for the fascinating lecture. I've got some questions from online and then I hope, hopefully some in the room as well. Um, first one from online, is it possible to design an operating system that protects against viruses?

Speaker 1 (44:46):
Oh goodness. Um, so, um, speaking from past experience where I work for a large technology company, one of whose motivational motivational slogans used to be move fast and break things, uh, but he's now just moved fast. Um, one of the challenges we have in technology is that we want to ship stuff out really, really quickly. So apologies to the, to the person at home. I'm not gonna talk exclusively about operating systems, but certainly in the world of software, we want to get it out quickly, um, so that it can hit the market as soon as possible because it needs to make money. Um, over the last 10 years, I would say there's been more of a focus on security by design. And one of my jobs in big tech actually from a a safety perspective was every time a new product was being developed to come in and say, actually, have you thought about the safety of young people?

(45:43):
Have you thought about X, Y, and Z? And, and to actually spend that time tweaking products before they hit the market. Now that's a great way of doing it. Um, another way of doing it is to make sure that there are security patches available for software. And I would say that reducing risk behaviors that we had on the, on the table there. Another one is making sure that your software is up to date. So Microsoft is famous for this. They have patches coming out every week updating their software to minimize security vulnerabilities. If you have a smartphone, you will see that Apple and Samsung or Apple and um, Google, sorry, Android, um, will be constantly pushing you to up, uh, install security updates. Please do that because they're finding the bugs. They've also got kind of people out in the wider world finding the bugs, reporting them to them through bug bounty programs. So every time you update your software, you are safer. So is it possible, I I've not seen a hundred percent secure operating system. I doubt that that exists, but the more that we can build security by design into any tech that we develop, then the lower the risk at the start.

Speaker 4 (47:08):
Um, I've got another one from online before going to the room, if that's alright. Um, is there anyone in cybersecurity who does public information well?

Speaker 1 (47:17):
Yes, I think so. So yes, I gave you a very negative picture of the cybersecurity industry. Um, obviously I'm not going to do product placement or endorsement, so I'm not going to name this company. Um, but um, if you are in the UK at home and certainly people in the room, if you watch TV, you might have seen some TV adverts for an antivirus software company. And what they do is they stage cybersecurity problems, almost like a mental health intervention. Um, so they have a room of people challenging the, um, the the technology and saying, I, I received a, an image and I didn't wanna receive that. And it's actually an older lady, which is why it's meant to be funny. Sorry, older ladies. As an older lady myself, I I don't think it's that funny that people get intimate images, but there you go. Um, but yes, that's one example.

(48:11):
Another one, um, you know, is a, a victim of ransomware and says, somebody's just asked me for Bitcoin and somebody else says Bitcoin, what is Bitcoin? So it's demystifying all of that. It's not making it blue lights, it's not making it cascading zeros and ones. It's not, um, faceless muggers in hoodies. It's taking it down to how would we actually approach this if this was a problematic person? Well, we'd take them to one side and we'd say, Hey, your behavior's really out of order. We need to make you safer and more secure. So anything like that that makes it more immediate without just piling on the fear.

Speaker 5 (48:51):
One of the things strikes me is there's no national approaches and old enough to remember the, the company, every trick felt things. So where's the don't click every link one or something like that. I mean, is there anything that you are aware of that's coming through like that?

Speaker 1 (49:06):
Yes, we're making it now. I, what I think is really challenging because I've had to get my head around this is, um, slogans. Yeah, it's, it's really, really challenging because you know, the minute you talk about, um, the language of cybersecurity, you may have noticed when I put botnets up on the screen, I was very careful every time I mentioned botnets to explain exactly what that was because I recognize that that's a made up word as well. Cyber, cyber security and cyber crime is full of these portmanteau words where you get one word, you squash it onto another word, acronyms. So you know, every time we think about Trojans you say, oh, well that's rats. Trojans are full of rats. And you think, what, what language are you talking? Well, you know, Trojans are programs that get into your system and then like a Trojan horse sit there for a while and then do what they need to do.

(50:08):
And a rat is a remote access Trojan. And the reason I mentioned that, pat, is that every time you think of, well what are we asking people to do here? Can we put it into three words? It's really, really difficult with cybersecurity to put it into three words because the vocabulary is so technical. So you will see in the coming weeks that what we've done is we've taken a slightly different approach, which is really looking at it from the kind of cyber coughs and sneezes perspective, keeping it clean and safe and secure rather than putting the focus on cyber. Um, and just as an aside, if I may, um, some of the really good educational programs that I've seen, or some of the best ones that I've seen have not been about treating cybersecurity as a separate thing. So, uh, in case you're interested, Age Concern do a fantastic program called Get Comfortable Online, which is exactly what you want people to be. You don't want people to be terrified, particularly older members of the community that might not be digital natives as we call them. Um, and um, the Women's Institute is fantastic. The Women's Institute trains ambassadors in the Women's Institute to train other members of the Women's Institute. So they're getting IT upskilling and online safety and online security information from peers that they trust rather than people who are out to not intentionally bamboozle them, but whose default is to use technical jargon, the fantasy language of cyber. Um, I think there's one at the back. Yes.

Speaker 6 (51:55):
Yeah, good evening. Uh, thank you very much for the insights and encouragement and the achievements you have done so far. Um, my colleague there, my senior colleague mentioned about standard, um, they are pushing everybody into the IT knowledge based things, but they're not, um, as much as you are working for the service security, they are not copping they're increasing people. They're doing things to be online. Online, online. Yeah. But the more you are, we are online, the more the fraud is increasing.

Speaker 1 (52:41):
Okay.

Speaker 6 (52:42):
So what are you doing to reduce it or avert it? Thank you. Yeah.

Speaker 1 (52:48):
So, um, if you don't mind, can I go, am I all right to go back? That's right. So this is on online child abuse and online child safety. Um, but what you see with anything like fraud, with anything that happens online and, and as I discussed to a certain extent in my first lecture on who owns the internet at the, at the back end of last year, is really that you need a whole society response. So you are absolutely right if companies are developing software, if they're developing products that are digital, they absolutely have a responsibility to make sure that those products are as safe and secure as they possibly can be. But they're not the only people to combat fraud in society. So you absolutely still need well-resourced law enforcement. You need enough police officers, um, you need police officers who understand FinTech, for instance, you know, and all the products that are coming out.

(53:47):
Um, you need everybody to understand that environment. You need legislation to be up to speed with how crimes are being committed in the real world. You need policy makers, you need politicians who understand the technology as well. Um, you need the media to be reporting on it responsibly. So again, I didn't mention the media very much in this talk, but the media are very fond of scaring the hell out of people when it comes to cyber crime. You'll be unsurprised to hear, um, you need academics, you need people like me to actually be researching and using the data, collecting the data, you know, tracking, changing trends on how crimes are being committed. And importantly, you need that human awareness. You need that education for society at large. So while this map isn't specifically about fraud as you asked, I think every single issue that relates to online safety and security has to be a whole society response. And that's one of the reasons why I think this public health framework could be a real winner.

Speaker 4 (54:51):
Could I take one more question for you? Um, from the online audience? Mm-hmm. <affirmative>. Um, so, uh, the question is, are there any public health campaigns that have not worked so well?

Speaker 1 (55:01):
Ah, yes. So I painted a very rosy picture of public health campaigns, and I think that's because to a certain extent the UK government and other countries around the world, the World Health Organization, they've had time to get this right and they've had time to make mistakes. Um, I was a child in 1987 when the AIDS Don't Die of Ignorance Campaign came out in the UK and I understand that in lots of other countries there were very hard-hitting campaigns. So for those of you who might not remember that, um, that involved, um, I think it was, I think it was, it wasn't Ridley Scott, but it was Nic Roeg, the famous film director directing an ad in which, uh, John Hurt did the voiceover. And it was all very sinister. It was all very dark, and there was a huge tombstone that had AIDS and then some lilies.

(56:00):
Now, as a child, I thought that was absolutely terrifying. And the, I I, I think that was deliberate by the Thatcher Governments and the Minister in Charge saw it as a success and still sees it as a success. However, there has been research since, and I can see exactly where this research is coming from, um, suggesting that if you already had HIV or AIDS, that campaign was hugely demonizing and exclusionary. So thinking about public health as that whole society approach, but also serving everybody in society, not just, you know, the, the bulk of people through a TV campaign. But I believe that lessons have been learned since then. So that would be my, that would be my negative exemp that is still seen as hugely positive in some circles. So,

Speaker 4 (56:54):
Um, we only have about one minute to go, so, um, I'm very cheekily going to offer you this question from online as well. Okay. Um, cuz it's short. Do you, do you foresee any difficulties about a world's cyber health organization collecting data?

Speaker 1 (57:09):
Yes. <laugh>, even though I suggested it, the thing about public health, the thing about Covid numbers is that by and large countries weren't infecting each other with covid. Now you can argue the toss of that as to who let it spread, et cetera, et cetera. Um, the trouble with cyber crime is that we have nation state activity and state sponsored activity. So at the moment, you know, the UN is trying to come to an international cyber crime convention, and this is one of the sticking points is that countries do cybercrime to each other. So collecting data is more problematic when it becomes an issue of national security like that, it doesn't mean we shouldn't try it, it just means it's not quite as, I wouldn't say, simple a, a coalition of the willing as it might be on public health.

Speaker 4 (58:08):
Um, thank you so much Professor Baines, and uh, thank you to our audience in the room and our audience online. And please come back for Professor Baines' next lecture on Tuesday, the 9th of May. Thank you so much.

Speaker 1 (58:19):
Thank you.