Faceless hackers in hoodies, intergalactic warriors, and technology out of human control: are these representations of cyber threats accurate? And what might be their impact on levels of personal safety and security for organisations?
This talk presents ideas for how we might empower people to protect themselves and help address human issues in the IT sector by thinking differently about how we portray security threats and operations.
A lecture by Victoria Baines recorded on 9 May 2023 at Barnard's Inn Hall, London.
The transcript and downloadable versions of the lecture are available from the Gresham College website: https://www.gresham.ac.uk/watch-now/cybersecurity-humans
Be afraid, <laugh> be very afraid. Be more afraid than you ever thought you needed to be because cyber threats are coming for you and there's absolutely nothing you can do to stop them. Now, in my last lecture, Defeating Digital Viruses, I shared with you that I have a bit of a problem with this. I have a problem with the myth that we have constructed around cybercrime: what it is, who is responsible, and what we can all do about it. In this lecture, we're going to strip away the layers of that myth. We're going to bust jargon and we're going to examine exactly how cybercrime really works.

Cybersecurity is nothing more than protecting networks and information, and in fact, network and information security is precisely what we used to call it before we got all caught up in science fiction hype. When we want to protect networks and information effectively, it helps to know what we're defending against. The trouble is that in order to understand those cyber threats, we have to learn what looks very much like a foreign language. On screen here is a synthesis of terms from three glossaries compiled respectively by the US National Institute for Standards and Technology, the UK National Cyber Security Centre and cybersecurity company CrowdStrike, and a number of patterns emerge.

There are firstly a lot of acronyms, so let's liberate some of those. BEC: that stands for business email compromise, and that's when someone is tricked into transferring funds or sharing valuable information by what looks like an official email from a colleague or a business partner. APT is advanced persistent threat, and that's something of a, a catch-all term for criminal groups who are able to conduct sophisticated attacks because they really do their research on high-value targets. Now they're quite often funded by or otherwise affiliated to national governments. Then we have DDoS, which is distributed denial of service. As the full name suggests, that's when an online resource, like a website, simply
stops working because it's flooded with traffic from different directions.

You'll see there that there's a rat. Let's let it out of its cage. Let's liberate it. Let's set it free. RAT, R-A-T, stands for Remote Access Trojan. And this highlights another trend of the language that I think we're going to call this evening ces, and that's a penchant for fantasy, myth and macho military imagery. The remote access part is quite straightforward. If you've ever worked in an organization with an IT support team, you will be aware that they can access your computer desktop when you have a problem so that they can fix it themselves. But that kind of tool is also, as you can imagine, of great interest to cyber criminals. Trojan meanwhile suggests something rather epic, doesn't it? But also underhand and unseen: Odysseus and the other Greek warriors sneaking in through the walls of Troy in the belly of a wooden horse. And that's precisely what a Trojan does in this context, albeit metaphorically. It's a program that seems legitimate but actually contains malicious code and that hides in plain sight until it is activated.

You might also be able to see that there are several words here that end in "ware", W-A-R-E. Now, computing relies on hardware, that's the equipment, and software, which is the programs, the applications that run on the equipment. By extension, there's also firmware, which is somewhere between the two. It's software that makes hardware work properly. All of the wares you might encounter in cybersecurity are just portmanteau words. They blend software with other characteristics. So malware is any malicious software. Ransomware is software that attempts to blackmail the user. Adware describes those nasty pop-up advertisements and, using logic that's similar but using it slightly differently, some people prefer to call that malvertising. There's also spyware, which gathers sensitive information without your knowledge, stalkerware, which can track someone's online and offline activity, and scareware,
which is malicious software that pretends to be legitimate antivirus software.

You may also have noticed that cybersecurity is keen on fish-based terms. What on earth is all that about? Well, in the 1960s and seventies, hackers who tinkered with phone networks, including Apple founders Steve Jobs and Steve Wozniak, were known as phone phreaks or phreakers. And over time, this "ph" spelling was transferred to other words beginning with F, including pharming. That's when people trying to reach a legitimate website are redirected to another, not so legitimate one. And of course, phishing, which describes a number of different ways of luring someone into sharing sensitive information or taking a particular action. Phishing relies on social engineering: manipulating us into unwittingly facilitating cybercrime against ourselves or another target. And this is where it gets really interesting because then we see smishing, which is when phishing communication is sent by SMS, by text message, and vishing, which is phishing by voice message. And because phishing involves metaphorically catching people on a hook, on them taking the bait, we also start to play on an association with angling. So we have spear phishing, which is targeted at a particular individual, designed to look like it's from someone we know and trust. And then whaling, which is aimed at senior executives, so-called big fish.

Now in the previous lecture, Defeating Digital Viruses, we encountered botnets, and that's another of those portmanteau words. It's a network of bots, a network of infected devices that are used to conduct attacks on other devices, other systems, other networks. And we discovered how our devices can become part of a botnet when we click on malicious software, which often arrives as a web link or in an attachment. When the malware infects the device, it hijacks the processing power to conduct denial of service attacks, DDoS, on websites. Not downloading the malware in the first place is the surest way to prevent the device
being infected. And for all that cybercrime exploits technology, most of the time it doesn't succeed, and crucially doesn't pay, if we don't play along.

When criminals send a phishing email offering us money or a prize, they use the same tactics as legitimate advertisers. They play on our desire to acquire, to be that little bit better off. Their offers are very often urgent and time-bound, very much like the proverbial furniture discount sale that must end Sunday, but never ever seems to. In the 20th century, we became wise to those hard-sell tactics of the vacuum cleaner salesperson who dumped a pile of dirt on the carpet, creating a problem so that we were reliant on their product to solve it. Also, the various cold callers who kept us talking on our doorsteps until we complied with their wishes. Well, we can apply precisely the same defensive measures against anyone who asks us to click on a web link, open an attachment, disclose our passwords, or make an online payment. If someone you didn't know rang your doorbell and asked you if you would like a free iPad or a million pounds or to have sex with them, you would probably have your suspicions about their motives and the legitimacy of their request. But for some reason, we find it harder to trust that healthy suspicion when we receive an email or a chat message, when we see a flashing advert or hear a stilted voicemail. Why is that?

We have had thousands of years of practice defending our homes. They are our fortresses. They protect us from the dangers of the outside world. Many of us perceive home to be a safe space where we can let our guards down. Communications technology, however, is now already behind the lines. It's in that safe space. Earlier in my career, I investigated crimes against children online and I was struck by the number of parents who told police and the media that they had thought their child was safe precisely because they were in their bedroom. That's not to say that children are always unsafe when they use it,
far from it, but it does suggest that we may have something of a blind spot. And when we're away from home, technology is our assistant. It helps us navigate. It keeps us informed and entertained, connected and enabled. It's become an essential service. It's in our personal trust bubble, and that's why I think people follow sat navs to the edge of the cliff and why people in some countries call the emergency services when Facebook goes down. It has already become an extension of us: our capability, our intellectual capacity, our bodies even. Along with our five senses, it's in each of our toolkits for tackling daily life and the world around us. It amplifies, enhances, even compensates for those senses and faculties. I used to have to remember phone numbers and I did, but now my phone does that for me. Computer vision allows those of us with impaired eyesight to appreciate images through audio description. Automated closed captioning of TV shows and transcription of meetings supports those of us who are hard of hearing. So many of us no longer consider technology to be something apart from us. It's already in our personal space, which could make it harder to question.

Prevention is naturally better than a cure, and I remain optimistic that we can use our critical thinking to spot when someone is trying to scam us. If someone came to your door claiming to be a police officer or another official, you would like to see their ID, I would imagine. Likewise, checking just two things in any message can prevent you falling victim to a large number of cyber crimes. It's simply a question of developing a habit of looking at who the message is really from and where they really want to send you. In an email, the account sending the message may be different from the display name you see, and depending on the device, depending on the app, depending on the provider that you use, you can reveal the real address by hovering over the display name, by right-clicking on it or by pressing and holding
on it.

So we have a selection of emails I received last week. Um, last week I received this email claiming to be from the dating app Tinder, but when I looked more closely at the sender's address, it was for a named person at a totally different company. Most likely their accounts had been hacked in order to scam others. But also if a message directs us to click on a link like this big pink button here, we can check the real link behind the display text using similar methods, which again vary based on the device and the apps that you use. In this case, the link would've taken me to a site that has nothing to do with Tinder. And if some of you out there are thinking she's a good-looking woman for her age, I wonder whether she is on the market. Um, I'm sorry to disappoint because I'm not actually on Tinder. Uh, so for me that would be something of a red flag as the recipient.

Here's another one that I received last week, which contains some suspect items. Congratulations, dear customer, Tesco <laugh>. Now I don't know about you, but this rather suggests to me that whoever sent this doesn't really know who I am, and the use of English does leave something to be desired. And I know that some of us feel that standards of written English have dropped, but I think even the real Tesco would probably do a better job than this. Now, one of my emails is accurately reproduced, which is why I've obscured it under that black box. That may give a superficial air of legitimacy, but it's worth noting that our email addresses are often widely available to criminals, especially if they've been involved in a data breach. So to me, information like this is itself suspicious. Someone is trying way too hard to convince me that I already trust them. But also the claim that a British supermarket runs its marketing from Omaha, Nebraska also doesn't smell quite right. Now, this address does exist. I googled it. It houses a mailbox rental service, a post office box service. So it is possibly a leftover from a
criminal campaign targeting people in the US.

And I really must share with you my favorite recent example of language as a red flag. This is delightful. It's from someone called Gong Wang and Gong writes: "Hello. Hello Gong Wang. I am writing to you with a 100% legitimate business preposition that is worth your time and consideration. This preposition could be of immense value to you and I would like to discuss it with you in detail." Now, leaving aside the fact that Gong also seems to be protesting a little too much about the legitimacy of this offer, I'm not going to do business with anyone who doesn't know their propositions from their prepositions.

So if any of those things don't look quite right, please do not click. Take a minute, go and make yourself a cup of tea. Do some more research. For example, one of the things I do is if the body text of a message like that email looks a bit fishy, I copy and paste it into Google to see whether other people have identified it as a scam. And I would say, although this isn't statistical, probably nine times out of 10 somebody has, and they've already reported it and they've already shared it in a forum.

But on the basis that some of us will fall for scams some of the time, technology comes to our aid. Large email providers such as Microsoft and Google have spam filters that identify and quarantine potentially suspicious messages. They use a combination of filters to flag something as junk. They use content filters for formulaic features of scams such as urgency and unsolicited sexual content. They use block lists of known bad senders and bad IP addresses, and they use Bayesian filters that learn, for instance, when you consistently mark something as spam. Routing a message to the junk folder is the provider's way of telling you there's something about it that may not be entirely legitimate. They may also prevent certain content from loading in messages marked as junk so that you don't inadvertently click on it. And this creates a very
useful distance between us and the criminals.

In the last few years, government services, banks and delivery companies have taken to sending us short updates by SMS, by text message, and we've naturally seen an increase in criminals imper-, impersonating those services. Now, cyber criminals will exploit whatever is topical, hence all those Covid-related scam texts that we've seen. Another one that has increased in frequency recently pretends to be the child of the recipient, sometimes in distress and sometimes asking for money. There is an easy way to confirm whether these are genuine and that is to contact the real source. Um, again, this was one I received. I wasn't particularly convinced because I don't have kids <laugh>, and if they, if I did have kids, I would not allow them to use such poor pr-, uh, punctuation as that <laugh>. Um, so there is always something we can do to double check. We just need to resist the temptation in the moment to be convinced that we need to comply immediately.

But for some of us, conversely, it may be the unfamiliarity of technology that makes us less comfortable in acting on our suspicions. Novelty can be as scary as it is exciting. And that's particularly important to recognize given that scaring us is a key tactic of cyber criminals and it's a common feature of their business model. I received this email last week. I received quite a few of these last week, um, purporting to be from Microsoft and informing me that someone in Moscow had logged into my account. Now, of course, this conforms to our expectation of who cyber criminals are. It conforms to our expectation that a lot of cyber crime comes from Russia. But as soon as we look more closely at the sender's email address and the link behind the big blue button, we find that these are not official Microsoft addresses. Also, just for fun, that IP address in the red box is in India, not Russia. But cyber criminals play on our fears for our safety and our fear of loss and also of being found in
the wrong.

Ransomware is profitable because it threatens people with the loss of all their data. Businesses understandably perceive this as catastrophic. If they don't have a backup, the threat of that loss may be sufficient for them to pay the ransom, even though it doesn't guarantee that access to the data will be returned. In 2010, I was working for Europol, the European Police Agency, and we started to see something like this: police-themed ransomware. It locked computers and it demanded a fine as penalty for illegal activity, typically for serious crimes such as child abuse and terrorism. The popup lock screen always included a deadline for payment, use of legitimate branding and logos to lend an air of authenticity. And it quoted criminal laws, often incorrectly. The threat to victims was not just that they would lose their data, but they would be arrested if they didn't comply. So this approach relies on the threat and the sense of urgency outweighing our suspicions. It makes us suspend our disbelief. It makes us forget to question what we normally would, such as why is the police asking me to pay a relatively small fine, 200 pounds, for some very serious crimes? But once we know how the scam works, it immediately becomes easier to spot.

And this is my very favorite example of this, and apologies for the poor quality of the image. But back in 2013 when this variant was at large, it wasn't possible to take high resolution screenshots. So it just goes to show how much consumer IT has progressed in the last 10 years. This lock screen boasts an abundance of official imagery. We have multiple logos, some of which are even real, photos of what will happen to you if you don't comply, the former commissioner of the London Metropolitan Police, Sir Paul Stephenson, and even Her late Majesty is watching you. The fact that the IP address of your device appears to have been captured and used to locate you adds to the impression that you are under official surveillance. But as we've just seen, it doesn't have
to be accurate to be persuasive. And it also doesn't matter that this is very easy for anyone to capture. It's all laid on so thickly that you may even overlook the fact that my former employer, the Serious, or "Sirios", Organized Crime Agency, doesn't seem to be able to spell its own name <laugh>.

But even if only a few of us pay the ransom, the criminal makes a profit. In the last decade, the tactic has evolved so that small and medium-sized businesses are issued ransom demands of thousands of US dollars, while large corporations may be targeted for millions. And insurance companies now include ransom payments in their cyber risk policies for businesses. This is highly controversial because paying the ransom directly funds organized crime and rogue states with oppressive regimes. Law enforcement agencies naturally don't want criminal groups to make any more money. And the US government has even suggested that victims who pay the ransom may be liable to prosecution. It's my personal opinion that it's part of our civic duty not to pay the ransom. But I do completely understand why people and organizations of all sizes ultimately choose to pay.

Luckily, there are alternatives. If a message has made it through your junk folders and you have already downloaded something nasty, that's where antivirus software springs into action. Even if you click on a suspicious link or attachment, the malicious program can be detected and removed before it can do any damage. And a good antivirus tool will scan files as they enter your device and scan those already on your device. It then compares both to signatures for known malware, malicious software, and it quarantines or removes any for which it gets a hit. Some good free options are widely available, but increasingly this kind of protection is also incorporated into the operating systems for our devices. Now, new malware is constantly appearing and new vulnerabilities are being discovered. This means antivirus libraries have to be updated, security
issues fixed and new versions of software released. And that's why it's so important for our devices to run the latest versions of their software.

There's a striking illustration of what can happen when they don't. And that is the WannaCry ransomware attack of 2017. It's since been attributed to affiliates of the North Korean government and it infected computers in more than 150 countries. It led to the declaration of a major incident in the UK's National Health Service. Some NHS trusts had to cancel medical appointments and procedures as a result because effectively their non-human workforce was incapacitated. But the health service wasn't the target. It was impacted purely because some trusts had not kept the software on their computers up to date. And already there are millions of us who have pacemakers, continuous glucose monitors, insulin pumps and prosthetics that are connected via Bluetooth and Wi-Fi. Millions more of us now use mobile apps for our mental health and wellbeing. And it seems to me that if our health relies on our connection to the internet now, and if a criminal could either interrupt that service or exploit our sensitive medical information, we should all be stepping up to do whatever is necessary to secure those connections.

However, even if a scary screen like this does pop up and lock your computer, help is still at hand and there are still places you can go. One of these is No More Ransom, and that is a partnership of leading antivirus companies and law enforcement around the world. This website contains decryption tools, which are free to download so that you can unlock your files without having to pay the bad guys. And you'll be pleased to hear that I have included the link, um, for this in the further reading for this lecture.

Other scams are designed to trick you into sharing your login credentials with criminals, and any cyber criminal worth their salt will reuse those credentials to try to gain access to other services. So fair warning, if you have
the same password for all of your accounts, one leaked password could give you, uh, could give a criminal, rather, access to everything else, including your finances, your social networks, and your work environment. It's akin to using the same key to open your house, your office, your car, and your bike lock. Actually, it's worse than that, isn't it? Because if someone gets into your primary email accounts, they can see who you bank with, which apps you use, which retailers you buy from. So having the same password for all of these services is more like giving a criminal a set of your keys and then telling them where to find your house, your office, your car, and your bike.

There is ongoing debate, I'm afraid, about the rules we should be using for choosing our passwords. Many websites and apps force you to use a combination of letters, numbers, and symbols, but government agencies and cybersecurity specialists recommend three random words. Now, in case you were wondering, the ones on screen are negative examples. Please don't use these, although you may later on recognize this last one. But regardless of the format, you need to make sure that it's not something that somebody else can guess, like the name of your pet plus the year of your birth, because criminals trawl social media for that kind of information and, spookily, it's also the kind of information that millions of us give away when we take part in those quizzes on social media.

Your passwords should be something that only you know. But we can also make use of things we have, such as our phones, hardware security keys, smartwatches, mobile authentication apps, and things we are: our fingerprints, facial recognition, and other biometrics. And this is known as multifactor authentication. By combining more than one type of authentication, the risk of unauthorized access is reduced. So the facial and fingerprint recognition features on mobile devices use something the owner is, biometrically, to unlock a store of passwords for
online services, and it's become routine for banks and other services to send an additional one-time password or verification code by SMS whenever a customer logs in with their own password. So the minor inconvenience of an extra step makes it that much harder for a criminal to get into an account.

If you do think that someone may have gained access to your financial data, for example, bank account or credit card details, you should always contact your providers so that they can be aware of any suspicious transactions. And I'd recommend that even if you haven't seen any money leave your accounts. And any time you suspect that one of your accounts has been compromised, you should immediately change the password. Again, if you use the same password for multiple accounts, you'll need to change them all, which is a pain. Did I mention that you should use different passwords? I did. I did. Good.

But I hear you ask, how do I know whether an account has been compromised? Well, fortunately there is a website, a legitimate website called Have I Been Pwned, where you can find out whether any of your login credentials have been involved in a data breach. And I'm not going to lie, it can be quite a sobering experience to input one's email addresses and phone numbers into that search bar and see the results. You should always change your passwords regularly in any case, but knowing exactly which accounts require urgent attention can be very helpful. So I have also included this link in the further reading for the lecture.

There is no denying, however, that regularly changing different passwords presents something of a practical challenge given the sheer number of social, financial, medical, government, retail and other accounts many of us have. But here too, there are technical solutions. Dedicated password manager apps are widely available, and increasingly, web browsers and device operating systems offer to store passwords for us so that we don't have to remember them all
individually.

Throughout this lecture series on humanizing cyberspace, we have seen how the benefits of information technology, along with its problems and their solutions, all entail a dynamic relationship between people, process, and technology. And this applies as much to cybersecurity as it does to how we govern the internet, how we tackle fake news and how we behave towards each other in connected spaces. Because so much of the cyber crime to which most of us are exposed in our daily lives relies on our being manipulated, on social engineering, there are concrete steps that we can all take to significantly reduce the risk of falling victim. We can get into that habit of checking where a message really comes from and where web links really go to. In doing so, we address the human vulnerabilities, the people parts, and we put to good use that healthy suspicion that has served us so well for millennia. We can ensure that when it comes to passwords, we have a digital housekeeping process that prevents criminals guessing our credentials and reusing them to cause us further damage. And finally, by installing antivirus and keeping other software updated, we can make use of technology that is designed to defend us against attack.

There is, I'm afraid, no such thing as absolute cybersecurity, but with these three things, we really can arm ourselves against the vast majority of cyber crimes that we encounter as citizens. With these three things, we really can stop criminals hijacking our devices, stealing from us, holding us to ransom, and just as importantly, we can protect our family and our friends. To do cybersecurity and to do it well, you don't have to be a hacker in a hoodie, and you certainly don't have to have a computer science degree. Don't tell anyone, but I don't. All you need is to be invested in protecting yourself and others. And as we have found time and again in this year's lecture series, we humans consistently demonstrate that we are. We also really shouldn't panic
about cybersecurity because panicking is possibly the worst thing we can do. It's precisely what criminals want. We are more likely to fall victim to cyber crime if we panic. Conversely, the better informed we are, the more capable we feel to resist manipulation, the better defended we are technically and the less likely we are to facilitate that panic being passed on. But rather like The Hitchhiker's Guide to the Galaxy, we need straightforward descriptions of unfamiliar concepts. And in my wildest, most fanciful dreams this week, um, I hoped that this lecture might be something approaching a Hitchhiker's Guide to Cybersecurity. And in hindsight, I rather wish I'd called it that. Curses.

But above all, I believe that basic cyber hygiene is our global civic duty because, with another nod to Douglas Adams, everyone is interconnected now. Action you take to prevent your accounts and devices being misused by criminals can protect people all over the world from harm, from your loved ones to people you will never meet. And so this is a call to action: once we've done those three things for ourselves, let's go out there and show everyone else how to do them too. Thank you very much.

And thank, thank you very much, Professor Baines. I've got a couple of questions from online and then perhaps, fantastic, we can go to questions in the room. Um, so the first question I've got, um, is about, um, connected healthcare. Mm-hmm <affirmative>. So when did you first start to think about, um, connected healthcare?

Yes. Goodness. Um, so I have quite a personal story about this, and it goes back about 10 years. Um, again, when I was working at Europol, at the European Police Agency, um, and it was part of my job to look at crime futures. So at the time I was working on a project called Project 2020, thinking about, I mean, that's, 2020 is old news now. And we didn't predict the pandemic, I'm afraid to say. Um, but, um, we were looking at how people might use or misuse technology. Um, and I was quite interested in
some of the connected medical devices that people were starting to get. And completely coincidentally, my dad was fitted with an implantable cardioverter defibrillator, so a pacemaker, and it sat underneath his collarbone, so actually inside his body. And I went back to the UK to visit him, and we were having a cup of tea, um, and he said, look at this amazing thing. It reports to a base station. The base station uses my home internet connection. So it to my cardiologist. I said, that's great. And in the space of that same cup of tea, which as we know is an official unit of measurement of time in the UK, um, he said, you are good with computers, aren't you? And I, and, and if anybody works in IT, you know that feeling at parties when someone says to you, you're good with computers, aren't you? And I, my, I just, my heart sank. And I said, why? He said, oh, the computer's been running a bit slow recently, ever since someone downloaded some games. And I thought, goodness, this man has just told me that his heart is effectively connected to his home internet and that he's dependent on that to report back to his cardiologist, but he doesn't realize that he needs to keep his antivirus software up to date at home. And I said to him, so you've got, Dad, you've got antivirus software, haven't you? And he said, um, oh, that's that box that keeps popping up saying that I need to renew it. I don't really know what it does. So I didn't think it was worth the 25 pounds.

And don't worry, nothing terrible happened. We sorted it out. But it made me realize that when we were thinking about people, process, and technology, there was something in the process here: that we already had, at the time, hundreds of thousands of people walking around with internet-connected devices inside them. But no one had said to them, what's your cyber hygiene like at home? Now a lot of those devices now run through your phone. Um, so you might have a, you know, using Bluetooth, your phone and then an app on your phone that
reports to your healthcare provider. Um, but to me, that sense of potential interruption, I think, is as problematic as whether someone can get in and steal your data.

Thank you very much. Um, can we go to the room now? Are there any questions from the room? Um,

Thanks. Um, so any of us who've, you know, obviously the, the theme of the talk is a responsibility is on us to, to make these things happen, but if things do go wrong, uh, any of us who have been hacked or whatever, uh, know that the police just aren't interested in individuals or possibly even businesses. Do you think, first of all, are there any countries where the police do actually get involved or is, you know, our experience in the UK the same as everybody else's? And do you think there ever will be a day when the police are interested in individuals?

Gosh, that's a very good question. So I think, uh, one of the things that I have noticed with any online crime, whether it's the cyber crime that we've talked about this evening or whether it is, um, child abuse, is that, um, what we're seeing with technology is an increase in the volume that local police forces can't cope with. Um, at the same time, and this is something that I've seen for many years, even as an intelligence analyst in law enforcement, there is quite rightly an expectation that if somebody steals money from you online, you perceive that as being burgled. You perceive that as a robbery and you want the same kind of response. Um, at the same time, we also have a complicating factor, and this is not to excuse the, the police as a kind of ex-police person, um, but one of the things about cyber crime that is perhaps more complicated than being burgled, um, is that, um, very often the suspect will be in a different country. So that becomes really challenging if the suspect is in Russia or if the suspect is, um, in South America, getting the evidence to prosecute somebody. Unfortunately, the systems that we have for that, um, are very antiquated. They're not
quick enough for cyber crime. That's why I think to a certain extent over the last 20 years, the tech companies themselves have stepped in. That's why antivirus has become so important, is because we've realized that preventing and disrupting cyber crime might be one of the best ways to, to really tackle it. Um, I would always say if you are a victim of cyber crime, do still report it to the police. You might not get the same response that you, you know, that you would expect if you report a burglary or if you report an assault. But what you don't necessarily see is that behind the scenes, there are people like the job that I used to do, where they're piecing together all of that information from all of the UK victims, and then that will give them the opportunity to share information internationally. And there might be, say, a joint European operation, as there often is, hosted by my former agency, um, where a bunch of countries will share information and they'll go and arrest the people down on the ground. But what you certainly don't get is that full chain of criminal justice. Also, of course, with cyber crime, particularly the fraud side of things, that's where the banks have stepped in as well because they've realized that so often people will authorize payments that are actually scam payments. That the more and more now banks are just saying, do you know what, if you tell us that's fraud, we're gonna give you the money back. So it's, it ends up being a different kind of response to the traditional law enforcement response.

Um, Sophie, could I ask the lady just behind the gentleman here, if, um, we could take, thank you very much. Questions, please.

I just watched last week on, um, Sky News, um, Ian King's program that he was talking about, um, a Norwegian company Promon who is in, who is the only cybersecurity for all the apps that we use, that existing apps that we use at the moment. That's the first question. And the second question is, is there legislation coming on the way
the banks have frequently failed in their, uh, to provide their best cybersecurity to protect their clients, yet they want us to do everything online at the moment, but then do not compensate people. Thousands of people have never been compensated for large amounts of money they lost due to lack of the bank cybersecurity. Is there legislation coming on the way to provide for that? Please.

Could I just ask you, could you keep the mic for a second? Could I just ask you to repeat part of the first question?

So the first question was that Ian King said on the BBC on Sky News that there was just one company, a Norwegian company called Promon, P R O M O N, and that was, that company's only cybersecurity of all the apps that we use, all existing apps,

But that's not something I'm aware of. That sounds unlikely. Okay. Um, but not least because, um, I used to work for Facebook and, and I saw everything that they had in place. Yeah. And you know, not only did they develop a lot of in-house security capability, but they had lots of different providers. So, okay. I that I, I, I think we'd, I'd need to check that out a little bit more to, to see exactly what that coverage said. Um, the second question about the banks, so I think it was definitely before Covid because I did a, an interview on the Today program about it. So let's go for 2019 or possibly early 2020, I think it was. TSB was the first bank in the UK that said regardless of whether the victim had authorized the payment or not, they would refund the money when they were contacted. Um, and then other banks have followed suit after that because then it became, you know, a kind of a, a, a selling point really for, you know, good responsible corporate behavior. Um, so I think we're in a place now where, um, the banks certainly, um, are more and more routinely refunding the money. That doesn't help the people who might have been affected by it earlier. Um, but I think certainly in the financial institutions, I would say also in some of, some of
the big tech companies in some respects, um, there is a recognition that they need to step up precisely because of, you know, the, the previous question, that the response from law enforcement is more challenging, but there's definitely more to do. I would agree with you. Um, could we also take, um, the question from the lady down here?

Hi. Um, my question is about, uh, electronic IDs. So I know that that is, um, something that the government is debating and they have them in Estonia. Um, a lot of people that I've talked to about it were quite concerned from a cybersecurity point of view that that would be easily hackable and that all their information could be taken as it's in a centralized place. What do you think about that?

Gosh, that's a brilliant question. So I think there are pros and cons. Now, Estonia has seen some real pros, but then Estonia are real pros at cybersecurity because they had that terrible, um, cyber attack. Um, and, and so since then, um, I would say Estonia is some of the best in the business at, at computer emergency response and also at cybersecurity. Um, partly because where they are geographically, um, they have some real positives of using that, that eID system. Um, one of which is that if you do anything bad online, law enforcement know who you are <laugh>, so that they can kind of metaphorically knock on your door and say, oi, stop cyber bullying that person, you know, that's, there's, there's, there's an advantage if you're law enforcement because you've got that central electronic ID. On the other side of it, there are very, very legitimate privacy and surveillance concerns. So that's a, that's another part, which is if all of those different IDs get joined up, um, how do we keep those nominally separate, even if they're all linked to the same overarching eID? And then equally the hackable side of it, you've just got to make sure that you've got, you know, um, silos really, that if one part is hacked, that you're in a position to shut off all
the others. And that's complex. So I think there's, I, I completely see all the different perspectives on an eID. Fantastically useful, um, fantastically convenient for us to not have to remember all of those different passwords for all of those different services and all of those different credentials. Um, but we need to be assured, don't we, that it's going to be as secure as it can be. Again, recognizing there's no such thing as, as absolute security.

Um, I'm sorry not to take questions on the front row. We are actually outta time. Can I, before we, um, show, uh, can, can I very quickly flag up, uh, a future lecture by our business professor, which is going to be AI Business on the 22nd of May at 6:00 PM, which is quite related to this series, but obviously is a different professor. That's, uh, Raghu Rau, our business professor. Um, and I wanted to say thank you very much to Professor Victoria Baines. Thank you so much, Professor.