Bad Education: How The Security Community Has Failed

Education, Education, Education. Those were the priorities laid down by Tony Blair when he came to power in 1997. Whether he and his educational tsar Andrew Adonis actually achieved much is up for debate.

They certainly cranked up spending. Between 1997 and 2007, when Blair finally stepped down as prime minister, per pupil funding rose 48 percent, whilst teacher numbers were up 35,000. There was a massive increase in teaching assistants too – up 172,000.

Yet a recent Organisation for Economic Co-operation and Development (OECD) report claimed despite all the extra government money, there was “no improvement in student learning outcomes”. Pupil performance has been flat since the mid-1990s, the OECD said.

What has this got to do with tech? Well, it looks very much as if the IT security community has also failed in the education sphere – and for similar reasons. At the heart of the matter is spending: how much should the state splash on cyber education and where should it go?

Fail, Fail, Fail

The majority of people in the UK rely on safe Internet services everyday, but understanding of the real issues remains low. It’s evident in the poor password practices of today. Every time some fresh breach emerges and passwords are leaked, as in recent cases with LinkedIn and Yahoo, we find people still punting for easy-to-crack classics like ‘123456’ and ‘password’. Most still use the same login details across different sites too.

This lack of awareness is also evident in the security of web applications today. A report on Android apps and SSL discovered over 1,000 applications on Google Play were guilty of weak SSL implementations – where connections made over HTTPS designed to encrypt communications weren’t as secure as they should have been.

If that’s not concerning enough, just look at major vendors like Oracle, who still don’t follow the Microsoft model and implement monthly patch cycles, even when faced with concerted efforts by legitimate researchers and criminals to reveal and exploit application flaws.

“The bottom line is that the experts are well aware of the problem, but those who wield a lot of power most commonly don’t have the same deep understanding,” says Ivan Ristic, director of engineering at web application security company Qualys.

It’s not surprising that four in 10 UK citizens admit they need to know more about staying safe on the Internet, according to a Get Safe Online poll. That survey also showed 40 percent of those who had been hit by a cyber attack had to change all of their passwords, whilst 19 percent lost money. Lack of understanding, it seems, is hitting people’s coffers as well as costing them valuable time.

This all indicates that the educators, from non-profits to private bodies with vested interests, are failing. As is the media. But most importantly, government is failing too.

Measuring success

This is all despite a massive push to educate users over the last decade. Today marks the beginning of Get Safe Online Week, which has been attempting to get people interested over the last seven years.

Get Safe Online is an admirable non-profit, which works with partners across the public and private sectors in a bid to inform the general public on issues from password protection and social networking, to phishing and more direct attacks. Has it had much of an impact, though?

Tony Neate, CEO of Get Safe Online, says it is hard to quantify the success. “It is difficult to get measurements on what we’re seeing,” he tells TechWeekEurope.

Neate could not offer much in the way of data to back up his claims that his organisation was changing the habits of UK web users. “We like to think we’re changing people’s attitudes,” is as far as he is willing to go. It’s not exactly heartening to see a lack of solid stats from, as Neate put it, the “de facto place for impartial advice” on security.

The spike in the number of people running security software on their PCs, now well over 80 percent in the UK, offers proof of a shift in attitude, he claims. But Get Safe Online can hardly claim to have been the main driving force behind that change. And such figures do not prove the body is attracting those without a predisposed interest in security.

On two fronts groups like Get Safe Online therefore have to improve. First, they need to find better metrics than uptake in security software and the number of unique website visits to prove they are gaining the interest of the public. If they can, they should come up with data to show how they are really enforcing change. If they can’t, they will either be forced to change or be killed off.

That builds into the second point – educators need greater ambition. One week a year of solid campaigning, along with intermittent periods of activity, is not enough. The Citizens Advice Bureau showed earlier this year it was capable of working with possibly the biggest Internet company of all – Google – in delivering an attractive marketing push for better security practices.

The ads (one promoting two-factor authentication is shown to the right) offered guidance on security issues, and were splattered all over the Underground and across London. They were smart, attention-grabbing adverts too. Much more of that is needed from all parties.

Dodgy figures

Those selling security software also need to change. Over the past two years, umpteen studies on the cost of cyber crime have emerged. One of the more contentious ones from Detica, part of BAE and one of the biggest cyber security government contractors in the country, claimed Internet-based crimes were costing the UK £27 billion a year.

Rightly sceptical onlookers lambasted the report, saying it was full of “fake precision” and BAE was only putting out the figures as a “sales promotion exercise”. Yet the government, and even Neate, still chuck that £27 billion figure around as if it were gospel.

Other studies have put the cost as low as £2 billion, so who should people trust? There are similar data crises in other areas. Today we see “sources from the intelligence community” claiming the UK is hit by 1,000 cyber attacks every hour, with no official word on where that figure came from. It seems like an arbitrary number, one that is most likely too low.

A recent report from the HP and Ponemon Institute’s ‘2012 Cost of Cyber Crime Study’ looked at 38 companies in the UK, who admitted they were pierced by 41 attacks a week. Consider that those were just successful attacks, not including the masses of failed daily attempts, and that only 38 of the UK’s thousands of companies were surveyed, and it seems likely that the 1,000 per hour figure is far too small. That’s not even taking into account the porkies some of those firms would have told.

Such mixed messages from a purportedly cohesive industry – another dubious claim in itself – and from government do nothing to help the wider public. The industry has to be honest and clear, if it wants individuals and business to understand the risk. Vendors should not be scaremongering, they should be setting out rules on how to measure cyber crime.

Putting out wildly different, histrionic messages with questionable statistics only confuses people. When users understand the true nature of the problem, they will be more willing to address it.

Jargon and journos

Those influencing the cyber security debate could do with making themselves clearer too. Jargon remains a big barrier to entry for many, putting up a barrier and creating the ‘us and them’ mentality that has hindered IT in general for so long.

Journalists, including your occasionally-humble reporter, do not always convey messages with the average Joe in mind. We sometimes fail to appreciate that not everyone in IT takes a serious interest in security. As Neate says, “We are all guilty of it.”

This was indicated in a recent poll on TechWeekEurope, which asked what readers thought of zero-day exploit sellers. Despite a significant piece of work on the market put out by this publication this summer, over half of the 400 respondents said they failed to understand the question. Perhaps we should have been clearer about what we were asking [Maybe the security industry should say “fresh unpatched security flaws” instead of “zero day exploits” – Editor].

Language should be inspirational, aspirational, not full of terms no one understands, nor wants to understand. If we can shift the diction to a more accessible level, for both those in IT and out of it, we can make security far more interesting for younger and older communities, and hopefully inspire those to look at a potential career in the industry.

“My belief is that people now see computing as a mundane, utilitarian subject. We need to do more to show that they are missing something much more exciting than they might imagine,” says Alan Woodward, from the Department of Computing at the University of Surrey.

“Perhaps what we need is something akin to a public health campaign with broader advertising. It is like practicing safe sex, and, regardless of how amazing one might find it, we know that such behaviour increases only when people have the risks and simple precautions they can take to avoid those risks.”

Such innovative approaches, borrowing language and ideas from more successful campaigns elsewhere, could help a great deal. Everyone in the community, including journalists, has to let their haughtiness slide and use more natural terminology. Too often in the IT world, it is forgotten that language really is at the core of everything we do.

Securing the future

But, as Keynesians might argue, government can be the biggest force for change. The toffs at the top are the ones who can provide impetus by investing efficiently.

Blair may have been able to quote big figures on teacher numbers and investment, but he could not make similarly big claims on quality, of both teacher and pupil. Hence why the OECD report was so damning. Blair was right to invest in education, but wrong in how he did it.

Coalition spending has already been dubious. It currently gives £300,000 to Get Safe Online every year. But the Cyber Security Challenge, which is attempting to inspire youngsters and fill the growing security skills gap, only gets £180,000 and will be getting that until 2015. That’s out of a pot of £650 million, a large chunk of which is thought to be going straight to GCHQ, leading one to wonder how serious David Cameron and his cohorts are on the cyber education issue. That doesn’t seem smart to me.

Yet it’s in school and university education where the government can and should inspire real, long-term change. The Coalition is already drawing together a fresh ICT curriculum, but it’s far from clear how keen it is to embed security in it. Many want it to be a major part of children’s studies in the future.

“This [problem] does have lot to do with how computing is taught. Encouragingly, the UK government is trying to engage on this problem. In doing so, I really would encourage them to include a good grounding in security as that will bring more into that niche,” Woodward says.

As with stimulating the economy in general, smarter spending on education from the state can cut inequality. Various studies have indicated that the better education is in a country, the less inequality there is. A notable 1999 paper from Claudia Goldin and Lawrence Katz, two economists at Harvard, showed how in the middle of the 20th century there was a decrease in inequality in America.

One of the major reasons for that shift was the massive increase in government investment in public high schools. The “high school movement” of the early 1900s and a rise in funding after the Second World War, leading to “labour market entry of the baby boom cohorts”, both brought about “substantial reductions in educational and skill wage differentials”, Goldin and Katz argued.

In much the same way, better government spending in schools, universities and elsewhere can help cut inequalities between experts and amateurs, all of whom are similarly impacted when attacked by criminals. In turn, that will boost people’s own bank accounts and therefore the UK economy.

The government needs to stop simply chucking money at the problem. It needs to chuck it at the right places.

How well do you know Internet security? Try our quiz and find out!