With the recent passing of the Investigatory Powers Act, internet civil liberties are being scrutinised more than ever. F-Secure security advisor Sean Sullivan talks to Jonathan Easton about the law and our relationship with the internet.
The Investigatory Powers Act recently passed into law with little fanfare. What are your thoughts on what the new law means for cybersecurity?
My colleague, Erka Koivunen, took part in a panel to a joint committee of parliament in December 2015. One of the questions that was asked at the time was, is this bill “future proof”?
What does the new law mean? What will be the actions and reactions to its passing? The government’s new powers will spur new innovations and, before long, the government’s investigative powers will be out-of-date.
For example, based on my reading of the bill some months ago, I don’t think citizen-powered mesh networks are covered. If a few thousand people decide to set up a private Wi-Fi mesh network in central London… what’s the government going to do?
Such private networks are not “communication service providers”. Wi-Fi networks already exist in several cities in Europe, mainly because of cost. But now in the UK, one may emerge as a reaction to the IPBill.
What are the positives – if any – of the Investigatory Powers Act from a security perspective?
At this point in time, I don’t know. It very much depends on how it is implemented. Will the government insist that VPN service providers are “CSP”s and force backdoors? If yes, I don’t think the security benefits will outweigh the negatives caused by bad engineering.
There is also a significant danger of gathering too much information – too much hay in the haystack. But if the government can remain focused, the IPBill could make it easier for the big Internet giants to work with the government.
With the new law, what can disgruntled users do to retain privacy?
I long ago made moves to reduce my usage of multiple online services and user accounts. I rarely log in to Facebook and I don’t have a Google account. If I had an Android phone I’d create a new “admin” account just for that device – as I do for my existing hardware. I don’t mix “communication accounts” with “admin accounts”.
So, in short, if you want to retain your privacy first, get organised. Then investigate various sorts of technology to enhance that privacy.
One of the biggest areas of focus for F-Secure is VPN, an area that is generally the realm of the more tech savvy consumer. What are you doing to make it more friendly for average users?
As a paying customer of Freedome, I don’t think it could be much easier. My father uses it on his phone just fine. The hard part isn’t using the software – it’s making people aware of what it’s for.
Are people growing more aware of the potential threats facing them on mobile devices, or do you believe that most consumers think that their devices are 100 per cent secure?
Mobile devices are generally secure from commoditised crimeware threats. And because they are, people generally assume that mobile devices are far safer than they really are. Nothing is 100 per cent secure.
What are the biggest security problems associated with the cloud?
Too many passwords. In many ways, the cloud is more secure. But the problem is often securing the access to that secure cloud. Multifactor authentication is very important for primary accounts.
What can users do to ensure that their data – on their computers or in the cloud – is secure?
Uninstall software that you don’t use. Make sure that the software that you use is up to date. Use a password manager and maintain unique password for your various accounts. Use security software to defend your devices.
Ransomware is the big topic of discussion in the cybersecurity community right now, but what threats are on the horizon?
Extortion via targeted hacking. The bulk of crypto-ransomware is currently pushed via spam.
Hospitals and schools are being targeted via vulnerable servers. San Francisco’s public transit system was recently affected by an extortionist. Systems such as that could be targeted next, and the trend will be for hackers to push further downstream to smaller organisations, and perhaps even individuals.