Cybersecurity between Brno and Cambridge

Read the interview with Ross J. Anderson who received an honorary doctorate from Masaryk University.

Ross J. Anderson at Masaryk University.

Ross J. Anderson is active in the fields of security engineering, security economics, cryptography and technology policy. He has worked in computer labs at the University of Cambridge and the University of Edinburgh and is a Churchill College Fellow. In April he received an honorary doctorate from Masaryk University.

The honorary doctorate degree is conferred not only in recognition of his professionalism and scientific achievements, but also for his contribution to the collaboration with Masaryk University, especially with the Faculty of Informatics.

You have received many awards and honours during your career. What makes the honorary doctorate from Masaryk University special for you?

It was completely unexpected. I learnt about it three years ago, shortly before the Czech Republic and then the UK went into lockdown due to the pandemic, so I will also remember it because of the long wait.

You have collaborated with the Faculty of Informatics since 1996. How has your cooperation evolved over the years?

I first met Vašek [Václav Matyáš, head of FI MU Centre for Research on Cryptography and Security], who spent a year working with us on an HTML document security project. Security protocols have, in fact, been the basis of our collaboration all this time. My thesis supervisor, Professor Roger Needham, started organising workshops on this topic in Cambridge in 1992, and they have been attended by people from Masaryk University since the mid-1990s. They were held abroad on three occasions, two of which were in Brno.

What was the greatest success resulting from this cooperation?

In recent times definitely the projects related to the testing of payment protocols. When you are developing a payment protocol, you have to test if it works correctly on all devices and check for vulnerabilities. In doing so, we discovered the “no-PIN” attack, which can let the attacker use a payment card by convincing the payment terminal to accept the PIN and the card that a signature was used to authorise the transaction. Today, “overlay SIM cards” just a few microns thin can be programmed with Java Card and used quietly inside the payment terminal for these kinds of attacks. This is how fraudsters like to steal from tourists, for example, who are then shocked to find their accounts emptied. The story begins with a Romanian PhD student who created a prototype device to demonstrate how to program these attacks. Then a Czech researcher, Dan Cvrček, who was introduced to us by Václav, stepped in and turned the prototype into a real product, i.e. an actual integrated circuit. He made a manufacturing deal with a company in Cambridge and sold about two thousand of them, mainly to bank security engineers. So this is one of the indisputable successes that our cooperation has brought about, as it has ultimately resulted not only in a new product but also in a new company.

What do you think about the work and projects carried out at the Faculty of Informatics and Brno in general in the field of computer science and technology?

Brno’s reputation in cybersecurity and cryptography is well established. There are more specific projects that are being implemented between Cambridge and Brno, but I can’t speak about all of them. For instance, there is a company developing equipment for intercepting various types of communication, where people from Cambridge and MU have collaborated.

Your Wikipedia entry states that you have always campaigned for computer security to be studied in a wider social context. Have you seen some progress in this area in recent years?

Many people in the field still view this only through the prism of technology, but that is becoming less and less relevant. Today we have fairly good access control and cryptographic mechanisms, but we have to deal first with the fact that they are often difficult for ordinary programmers to grasp, and second that all possible risks have to be understood in the right context. It is no longer just cybercriminals who use manipulative techniques to get us to click on something or subscribe. These days, even legitimate companies do so. Just look at how the European Commission is wrestling with Google, Facebook, Amazon and others over their deceptive business practices, ranging from harassment of ordinary users with cookies to predatory behaviour. One has to consider what poses the greater risk: some Russian guy sitting in front of a screen with a slice of pizza in hand, trying to figure out how to hack into your computer and steal your bitcoins, or predatory companies that use similar psychological tricks to abuse the data of their users and customers.

Technology is moving forward by leaps and bounds. Can we even keep up with technological progress?

The most pressing research topics are changing, but others stay the same. Sometime in 2010 and 2011, we did a survey on the costs of cybercrime, looking at how much money was being lost due to various types of online fraud. We repeated the same survey in 2017 and 2018 and found that the amount had hardly changed. It is fascinating to realise that while the way we use technology has completely changed in those seven years, the patterns and general typology of cybercriminals have stayed more or less the same. This suggests that what determines the prevalence of these scams is not the technology itself, but the socio-legal framework in which it operates. In most countries, for example, the police do not care about petty fraud perpetrated by foreigners. So if someone engages in cybercrime, they can do so with virtual impunity as long as they don’t steal from people in their own country.

You have talked about cybercrime, manipulation, misuse of data and how the world of technology is evolving rapidly. Personally, doesn’t all of that scare you sometimes?

The subject of cybercrime doesn’t scare me. When I think of my grandchildren, I’m much more concerned about things like environmental degradation, global warming, damage to oceans due to overfishing and biodiversity loss. And now, of course, also the risk of a major European war, although I am a bit reassured that if the Russians seem unable to conquer Ukraine, they would certainly be unable to conquer Poland, whose skies are also patrolled by American fighter jets. In the medium term, the prospect of China’s technological competition is quite worrying, given all that is produced there. If a stand-off similar to the one we are now having with Russia over Ukraine ever happens with China over Taiwan, it could pose a far more serious problem. I am equally concerned about the growth of monopolies, particularly those in the technology sector. While we understand why this happens – due to compatibility issues, connectivity and so on – we are slowly starting to notice that the number of virtually monopolised sectors is increasing. This is eroding competitiveness and stifling innovation, and we are seeing that it also leads to a polarised society. This is a fundamental problem concerning large tech companies that we need to resolve somehow in the next 20 years or so.