App-based freedoms and the relentless battle for cybersecurity
As our movements increasingly depend on using our smartphones to demonstrate status, we need to ensure technology is secure, according to Dr Sarah Morris, of Cranfield University.
Where we can go – both travel and entry – now depends on a smartphone. Freedom of movement is app-based.
It’s a change in the mechanics of everyday life that was already underway, but then drastically accelerated by Covid-19 and the need for touch-free access, to prove vaccination and health status.
Apps can make access to events, venues, buildings and transport quicker and easier to manage, and cheaper to run for public sector operations. Or, they can bring problems, a breakdown in trust and weaken the resilience of systems and national infrastructure.
First and foremost, relying on apps opens up a much wider front across society in the battle with cybercriminals. The fundamental issue is that the more widely used an app is, the more ‘normal’, the bigger and more attractive the target.
Reportedly, hackers had ‘defeated’ Microsoft’s recent attempts to make a new hardware component compulsory for Windows 11 within the space of 30 minutes. The NHS Test and Trace app was immediately ripped apart to explore the data waiting there. It can be done for the fun of it, to purposely cause damage to organisations, as the basis of extorting money, or for committing fraud.
An app-based life encourages a mix of criminal activity with gaming.
Whatever the motivation, the frailties of digital systems will undermine public confidence in the security of the information they provide. Try telling the football fans who struggled to get into the ‘once-in-a-lifetime’ Euro 2020 final at Wembley because of a software breakdown that app-access is safer to use than paper tickets. The nature of IT means there will always be technical problems caused by internet connections, the need for resetting, or unstoppable automatic updates.
Digital will not be any kind of greener option for public sector organisations if users end up having to print – easily faked – paper copies of information as a back-up.
Chaos and suspicion
The bigger problem is the potential for nationwide systems plagued by chaos and suspicion: a snowballing of minor issues with entry and disrupted plans; lack of public trust in digital proof of Covid-19 evidence leading to an ongoing sense of insecurity when travelling or entering public places, undermining the progress being made towards rebuilding ‘normal’ activity post-pandemic.
And what about when there are the inevitable data hacks: who can see where we are and what we are doing?
In practice, the use of app-based access is so fundamental, to both commercial and public sector activities, that cybersecurity will be ramped up and stay top of priority lists. When there are problems there will be patches. But that does not mean there are any solutions. For the foreseeable future the reputation of digital access is going to be involved in a constant battle, another crisis just around the corner.
So, the world needs IT talent, and lots of it.
Because the flaw at the heart of app design is human. We might have skilled staff, but do we have skilled, creative, highly motivated people willing to keep up the relentless fight?
App security is only as strong as the human team involved and experience shows that, over time, people become predictable. They have their favourite ways of putting code together, meaning patterns of code, data structures and file locations that can be more easily anticipated and taken apart. Solid-looking walls to public sector organisations that are riddled with entry points. We need freewheeling creativity to stay ahead. Rather than working in silos, software engineers should be embedded alongside security experts. Start with the security element.
We are going to be using our smartphones as a kind of passport for free movement, locally and internationally. Which means this is not going to be just a techie issue. It is one for whole societies to think about. We are all going to have to start thinking about the part we play in the battle, how to add to the pipeline of cybersecurity talent, and what is needed to keep us all moving.