Spy stories, data encryption and how well companies are protecting your data were just a few of the topics discussed at this year’s Faculty of Science York Forum: Cybersecurity in the Age of Espionage at the Toronto Reference Library.
Eric O’Neill, a cybersecurity expert and former undercover FBI operative, took the audience inside one of the most notorious security breaches in United States history, and how the FBI eventually caught the spy or mole, Robert Hanssen.
The faculty’s current Science Communicator in Residence Dan Falk, an award-winning freelance science journalist, author and broadcaster, moderated the event. It included panellists Patrick Ingram, a mathematics professor in the Faculty of Science who teaches courses in cryptology, and Kristin Ali, a lawyer in the Privacy & Data Management group at Osler, Hoskin & Harcourt LLP and an adjunct Professor at York’s Osgoode Hall Law School.
O’Neill was instrumental in gathering information and evidence needed to capture Hanssen one winter evening after he left a package of secrets for the Russians under a footbridge in a local park near his home.
“He gave up secrets regarding the nuclear arsenal for the United States. What we would do if the Russians fired. Where we would send the government, the president, vice-president, the congress, the cabinet ... if there was an attack or a catastrophic event. He also gave up undercover operations and undercover operatives.” said O’Neill. “He even gave up people who could have potentially pointed the FBI at him from Russia. Spies that were working for us. He gave them up knowing they would be flown back to Moscow and killed.”
What did this have to do with the topic of the evening, cybersecurity? Everything. “He was our first cyber spy,” said O’Neill, the national security strategist for Carbon Black and author of a new book about the case, Gray Day: My Undercover Mission to Expose America’s First Cyber Spy. “He was able to do what he did because he exploited computer systems inside the FBI.”
Although, this particular arrest happened in 2001, today’s cyber criminals or hackers have evolved. According to a threat report conducted by Carbon Black, O’Neill said some 83 per cent of Canadian businesses surveyed reported they had suffered a cyber-attack in the last 12 months.
“You are definitely under siege,” he said. It is no longer good enough to respond to these attacks, the best way to catch these cyber-attackers is to hunt them before they do damage.
“Data is one of the biggest commodities you can have,” said Ali. “Organizations, whether they’re in the private sector or the public sector, have become more and more aware of the obligations they have to safeguard your data. A big change to the data privacy landscape has been that there is now mandatory data breach reporting in Canada that came into force on Nov. 1. That’s had a huge impact.”
More organizations “are taking reasonable steps to safeguard the data that they collect to protect users and minimize the extent that they have to report that they’ve had a data breach,” she said.
Many cyber-attacks also happen to individuals through spear phishing attempts targeting email accounts with the intent to trick people into clicking on a malicious link. The message here was to be extremely careful what you click on, what websites you visit and remember nothing is free. Simple measures can go a long way to help keep your data secure. Create complex passwords, use a different one for each thing, and change it often. Avoid using some of the most popular passwords, such as 123456 or password1.
“One mathematical measure you can have of the complexity of passwords is entropy, which is essentially, how hard is it to guess the next character based on the previous characters,” said Ingram, who spoke about the importance and evolution of encryption.
“We’ve been encrypting things for thousands of years in various ways.”
One of the flaws, however, was if you know how the message was encrypted you could figure how to break the encryption. “In World War II the Germans had these enigma machines that you dialed in the settings. If you knew the settings on the enigma machine, if you knew every detail of how it was encrypted, you could reverse those steps and decrypt the message.”
In the 1970s, a paper by mathematicians Whitfield Diffie and Martin Hellman proposed a new approach to cryptology that involved easy mathematical operations that were impossible to reverse. “Probably the best example of this right now is the RSA public-key cryptosystem. This came out a couple of years after the original paper,” said Ingram. It involves multiplying two 300-digit prime numbers. “Someone can try and reverse the process…but the inverse operation turns out to be much, much more difficult.”