Professor Carsten Maple, an international expert on cyber security will be speaking on emerging threats at Digital Health’s new Public Cyber Security conference, 7 December. In the first of our profiles of speakers at the event, Maple speaks to Vivienne Raper about the cyber security threats facing public services, and suggests how the NHS could better have handled WannaCry.

According to Professor Carsten Maple, a key problem facing public sector organisations on cyber threats is how to respond and stay up-to-date when with the sheer proliferation of attack tools, both new and existing ones that are constantly being modified.

Maple has worked as a cyber security researcher for about 15 years. Today he’s the lead researcher at the University of Warwick’s WMG Cyber Security Centre, one of 14 Academic Centres of Excellence in Cyber Security Research at universities across the UK.

He’s worked with various public bodies on cybersecurity. Among his other credits, he co-authored a 2010 report, supported by the Serious Organised Crime Agency, analysing data security breach cases across the UK.

Looking ahead: the cyber arms race continues

Maple’s PCS talk will be about emerging threats.  Asked which cyber threats should worry public sector IT professionals over the next 12 months, he said: “One problem is the proliferation and modifications of attack tools.”

He added: “So WannaCry and the various incarnations of that. Attack tools are shared freely, customised and improved, so it’s something of an arms race to protect systems a lot of the time.”

Intersection of physical and virtual

Maple said his talk will give PCS attendees an “accessible route” to thinking about the role of both physical assets, such as people and devices, and virtual assets in security breaches.

“Many people just focus on just the physical or just the cyber, but it’s at the nexus of both physical and virtual where we will see future threats and the future impact of such attacks.”

He said a big threat for the next five years is ransomware attacks on physical devices and Internet of Things, such as insulin pumps and pacemakers, which can be used to remotely monitor a patient. He gave the example of a ransomware attack on a da Vinci surgical robot, which would stop patients being treated.

Resilience and recovery

Asked what public services, such as the NHS, should do to respond to emerging cyber threats, Maple said they should design their processes to be resilient in case of attack, including building in redundancy.

As an example of poor fall-back planning, he mentioned recent newspaper reports of the development of navigation systems with roots in Second World War radio technology. These are designed to function after a cyber attack on ship GPS.

“They should have thought about this at the start. This is how we can make big strides and nullify the impact of some attacks.”

In the case of the WannaCry attack on the NHS: “If 10 computers in the office were affected, pull out a dumb terminal with read-only access to a copy of the data. One terminal can book in patients and check whether they have an appointment.”

Staff key to effective cyber security strategy

He argued staff are key to a good business continuity plan. “You have to communicate to people what they need to do.” In the case of WannaCry: “Staff felt stressed, they felt they couldn’t have done much, whereas they should have been involved in the plan.” 

Responsibility, ethics and professionalism

Maple said he became motivated to work on cyber security during his first research project after his PhD. He was analysing structures, such as bridges and buildings, across distributed systems, and realised the importance of keeping these data secure.

When he started his academic career, he joined BCS, The Chartered Institute for IT, which he said: “was the most natural for what I did.” Today he is a BCS Fellow and has sat on their Security Community of Expertise.

Asked why IT professionals should consider joining the BCS, he said: “It’s vital we have the recognition and skills to act professionally. Joining a professional organisation like BCS is one of the only ways to do this.”

Maple will be speaking 12.15 – 13.00 on Future Threats at Public Cyber Security, 7 December, ICC, Birmingham.

PCS is the new free to attend show focused on protecting citizen-facing public services and is free to attend for public sector information security, IT and IG professionals