How can we protect against cyber attacks?

From the state level, down to the individual
05 March 2024

Interview with Ross Anderson, University of Cambridge


So, in a world almost totally reliant on technology to communicate and do business, what measures can be put in place to protect institutions and individuals? The University of Cambridge's consultant in security engineering, Ross Anderson.

Ross - If you're a business that is a real target of capable state actors. If you're someone like Google or Facebook or Microsoft or Infosys or Tata or firms that the Russians and Chinese will have dedicated teams trying hard to hack, you end up having several hundred people in your security team, perhaps even more. You have more than one security team. You've got a network control centre where you're monitoring all the traffic coming into and out of the devices on your network. You're looking constantly for signals, indicators of compromise, which suggests that there may be a compromised PC on your network, which you might spot because it's phoning home to a known command and control server that somebody else has pointed out is under the control of a foreign intelligence agency. You have got various kinds of malware detection, what used to be called antivirus. You have got rigorous controls to ensure that your software is patched all up to date. You then have a fair amount of staff training. Now, most of the initial compromises of people in companies are due to phishing. Somebody sends you an email that purports to come from somebody inside the company, but is actually from outside. And this tricks people into entering their credentials. And so companies who take defence seriously very often have regular drills where they send phishing emails to their own staff and staff who keep on repeatedly clicking on phishing links may actually be fired. But that's only part of what you do. Another part of what you do is to see to it that phishing won't work. You see to it that you get two factor authentication and everything, and at the same time you assume that some attackers will always get in because attackers will always be able to subvert somebody who works for you. They can just get some of their intelligence agencies to apply for jobs.

Will - And all of this we've spoken about to this point, has been focused on large scale companies, but for the individual who is worried about fraud, who is worried about getting scammed, are there any lessons we can take? Obviously the, it feels like the obvious ones are to be vigilant and enable two factor authentication, but is there anything else you would recommend?

Ross - From the individual's point of view, it's difficult because the tech industry has devoted an awful lot of time and energy and attention over the past 30 years to training people to click on links and working out all sorts of ways to grab your attention and to persuade you to pay with money you don't have for junk that you don't need. And so scams are just more of the same in many cases. Just as you have got people who will try and sell you diamonds on the internet, there's other people who will try and sell you cubic zirconia pretending that it's diamonds. And when that happens, it's a scam. So we live in a world of wall to wall scams and one of the things that a prudent citizen will do is to start understanding this. So understanding where the hustle is, where the squeeze is, because if you've got a general understanding of how people get persuaded and how people get ripped off, then that sixth sense will stand you in good stead. As for specific scams, the problem is that these scammers are very often following the scripts that are developed by exploitative companies. We've all experienced that you may be just driving along one day and somebody phones up and says, "Hello, this is Lloyd's Bank. What's your mother's maiden name?" If you say "take a hike" and put the phone down, then you may suddenly find that your bank cards don't work. But if you give the time of day to these callers, you may find that this isn't in fact the bank that's calling you, but somebody who's pretending to be the bank. So it's extraordinarily difficult and you just have to keep your wits around you in the online world, just as you have in the offline world.

Will - What do you anticipate for the future? We've got so much AI stuff coming in, we've got a shift in increasing ransomware perhaps. What do you anticipate for the future in terms of cyber attacks?

Ross - In terms of the common or garden cyber attacks where you, um, have people being scammed by people overseas for smallish amounts of money, for rentals and things like that, that's going to continue I think because it's a fairly stable ecosystem and we've tried on numerous occasions to try and get the politicians to change the rules a bit so that for example, there's some enforcement against cyber criminals. And I can see no real way to get traction on that. I'm afraid ransomware is going to continue to grow because there are large numbers of medium sized companies which are absolutely inviting bait for the ransomware gangs. And the ransomware gangs will now share their profits with a disloyal employee at a company. If you can give the ransomware people your company logons, so they can go in and hold up the company to ransom, you can get a share. So it's very, very difficult to deal with that given that these gangs have got sanctuary in Russia and Russia is not going to extradite them. So ransomware is going to continue, it's going to continue to be a bonanza for lawyers, insurers and others. It will eventually train owners of medium sized companies, government departments, hospitals, schools, et cetera, to be a little bit more careful about how they organise stuff. As far as individuals are concerned, the majority of the cyber crimes to which we're exposed, they're actually hustles by companies, by perfectly respectable companies whose shares are quoted on the stock exchange. And we have seen one scandal after another where things like payment protection insurance and so on ends up being declared by the Financial Conduct Authority to be a scam. And so the banks end up having to pay billions back. We see the American government cracking down on junk fees on airline tickets, for example.
So there's going to be continued pressure from companies to rip us off using all sorts of mechanisms and growing pressure on politicians to start doing regulation properly and push back on that. And that's going to be a big political thing I would expect over the next 10 years. As far as the high-end stuff, states going after other states. The fact that the Russians are doing more and more attacks on our infrastructure as are the Chinese may with luck result in our having more resilient infrastructure because people like power companies and telcos and so on are being pressured by governments to get their act together to replace old weak cryptography with modern more resilient stuff and to patch stuff faster. But it all depends on the trajectory. You see if you suddenly get a rapid escalation in global tension, say for example if China invades Taiwan, then you would expect to see the Chinese breaking as much infrastructure as they can as quickly as possible, particularly in America, in order to blunt any possible military response and to run the Americans off engaging in a protracted conventional war in the Western Pacific. So in that case we might see a whole lot of damage being done to infrastructure before we've had time to harden it, but that work of hardening is ongoing. So it's difficult and it's complex, but you know, there's an awful lot of interesting stuff here to study.
