Top 5 Cybersecurity Threats to Businesses in 2023

We have recently seen significant growth in cybersecurity threats and malicious cyber activities due to the increased use of remote working. This has expanded the remote attack surface and companies have been forced to invest enormous resources in cybersecurity to quickly identify and neutralise threats before they cause financial or reputational loss.

In this blog series, we’ll identify the most common cybersecurity threats, what tools exist for threat detection and the best practices for threat management.

1. Business Email Compromise (BEC)

BEC is an email attack designed to trick victims into transferring a considerable amount of funds or revealing sensitive information. The target usually receives convincing-looking emails that request abnormal payments or contain links or attachments that harm their company’s systems.

In 2021, BEC scammers made nearly £1.9 billion ($2.4 Billion) in the US alone, far more than via other types of cybercrime. The tactics and techniques are evolving – scammers will capitalise not just on the opportunities created by current social issues but also the latest news about a company.

During the COVID-19 pandemic, scammers targeted large organisations and local government. Victims were asked to transfer enormous sums of money to secure limited medical items such as ventilators and PPE. Also, there was a case where a company that announced it was exhibiting at an Expo on social media was targeted. Scammers claimed they had all the Expo visitors’ contact information and persuaded the company to pay for a list that promised to help generate sales leads but in fact was worthless.

2. Ransomware

Ransomware is malware that encrypts confidential data, applications or day-to-day operating systems, making them inaccessible to users until the target company pays a ransom. Phishing emails, Remote Desktop Protocol (RDP) exploitation and exploitation of software vulnerabilities remain popular ways to deliver ransomware.

The National Cyber Security Centre (NCSC) considers ransomware a national security risk given its potential impact on critical national infrastructure and essential services. In 2021, the NCSC coordinated the national response to 18 ransomware attacks, including the attacks on a supplier to the NHS 111 and South Staffordshire Water. However, the number of attacks is higher than we know since organisations seldom report incidents.

In January, a Russian-linked ransomware attack seriously disrupted the Royal Mail’s overseas delivery service. The postal giant worked hard to recover from the cyberattack for over a month and finally restored their service by the end of February. Their financial loss is yet to be known but is likely significant.

3. Phishing and Smishing

This is when attackers trick people into disclosing sensitive information such as credit card details, usernames and passwords or other private information. Phishing comes in email form and smishing as text messages. Both pretend to be from legitimate organisations and contain a fraudulent link that diverts the victim to a seemingly genuine form that harvests their personal information.

In the Cyber Security Breaches Survey 2022, 83% of the identified cyberattacks were phishing attempts. Some attackers pretended to be HM Revenue and Customs, saying the victim was eligible for a tax refund and asking them to provide personal financial information.
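The BEC and phishing lures described in the two sections above share a handful of tell-tale signs: an executive’s display name on an external address, a Reply-To that points somewhere else, a look-alike of the company domain, payment or refund language, and links to unrelated hosts. The following is an added example, not code from the article, that scores inbound mail on those indicators. The organisation domain (`example-corp.com`), the executive names, the keyword list, the flagging threshold and the three sample messages are all constructed for illustration.

```python
"""Heuristic triage of inbound mail for BEC and phishing indicators.

Added example, not code from the article. The organisation domain, executive
names, keywords and the three sample messages are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example-corp.com"            # assumed: the defended organisation
EXECUTIVES = {"jane doe", "john smith"}    # assumed: names a BEC lure might impersonate
LURE_WORDS = ("urgent", "immediately", "wire", "bank details",
              "invoice", "refund", "confirm your")


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a, b):
    """Levenshtein distance; used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_message(raw):
    """Return (score, reasons): one reason per indicator family that fired."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    reasons = []

    # 1. Display name of a known executive, but the address is not ours (classic BEC).
    if name.lower() in EXECUTIVES and from_dom != ORG_DOMAIN:
        reasons.append("executive display name from external domain")

    # 2. Reply-To quietly steers replies to a different domain.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != from_dom:
        reasons.append("reply-to domain differs from sender domain")

    # 3. Sender domain is within two edits of ours (e.g. a digit swapped for a letter).
    if from_dom != ORG_DOMAIN and 0 < _edit_distance(from_dom, ORG_DOMAIN) <= 2:
        reasons.append(f"look-alike domain {from_dom}")

    # 4. Payment or urgency language typical of BEC and refund-style phishing lures.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()
    hits = [w for w in LURE_WORDS if w in text]
    if hits:
        reasons.append("lure language: " + ", ".join(hits))

    # 5. Links whose host is not under the sender's own domain.
    for host in re.findall(r"https?://([^/\s]+)", text):
        if not host.endswith(from_dom):
            reasons.append(f"link to unrelated host {host}")

    return len(reasons), reasons


def is_suspicious(raw, threshold=2):
    """Flag a message when two or more indicator families fire (assumed threshold)."""
    return score_message(raw)[0] >= threshold


# Constructed sample messages (not real mail).
BEC_SAMPLE = """From: Jane Doe <jane.doe@example-c0rp.com>
To: finance@example-corp.com
Reply-To: jane.doe@mail-relay-example.net
Subject: Urgent supplier payment

Please wire the attached invoice immediately, I am in a meeting.
"""

PHISH_SAMPLE = """From: HM Revenue and Customs <refunds@hmrc-gov-portal.example>
To: someone@example-corp.com
Subject: Tax refund available

You are eligible for a tax refund. Confirm your bank details at
http://hmrc-refund.example/claim within 24 hours.
"""

LEGIT_SAMPLE = """From: Jane Doe <jane.doe@example-corp.com>
To: team@example-corp.com
Subject: Lunch menu

The canteen menu for next week is at https://intranet.example-corp.com/menu
"""

if __name__ == "__main__":
    for label, sample in (("bec", BEC_SAMPLE), ("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        score, why = score_message(sample)
        print(label, score, is_suspicious(sample), why)
```

Each check on its own produces false positives (an external consultant who happens to share an executive’s name, a marketing mail with a “refund” subject), which is why the flag requires two independent indicator families rather than one; in a real mail gateway these heuristics sit alongside SPF, DKIM and DMARC results rather than replacing them.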

4. Poor Vulnerability Management

A vulnerability is a weakness in an IT system that an attacker can exploit to deliver a successful attack, and a vulnerability that remains exploitable is normally a sign of poor vulnerability management. Vulnerabilities often arise from software bugs, misused features or user errors, which attackers chain together to achieve their end goal.

Log4Shell, a zero-day vulnerability, has affected countless computers globally since December 2021. It was discovered in Log4j, a Java-based logging framework that allows software developers to log user activity and the behaviour of applications. Log4Shell enables attackers to execute code remotely on a target computer, allowing them to carry out nefarious activities such as stealing sensitive data, taking control of the machine or installing malware.

A cybersecurity company has tracked 10 million attempts per hour to exploit Log4Shell in the U.S. Many technology suppliers were affected including Apple, Amazon, IBM, Cloudflare, Microsoft’s Minecraft, Palo Alto Networks and Twitter.

5. Proliferation of offensive cyber capabilities

This sophisticated approach combines cyber tools, vulnerabilities and skills to conduct offensive cyber operations.

The NCSC anticipates that the proliferation and commercial availability of offensive cyber capabilities will expand the cybersecurity threats to the UK. In the future, malicious and disruptive cyber tools will be available to a wider range of state and non-state actors and deployed with greater frequency and with less predictability.

Conclusion

Attackers are ingenious and aren’t bound by the governance, compliance and regulatory frameworks which most companies have to comply with. Companies are under pressure to react quickly to constantly changing cybersecurity threats. Formulating cybersecurity strategies and reviewing them regularly to protect your business is crucial. Attack vectors such as ransomware no longer make activities such as Disaster Recovery Planning an optional undertaking; Business Continuity Planning must be at the heart of your organisation’s approach to cyber risks.

How CACI can help

CACI has cybersecurity experts who can improve your business’s protection levels. Our capabilities include Zero Trust Network Architecture, Threat Analytics, Systems Hardening and Network Analytics. We can perform a risk assessment to see how ready your organisation is to counter threats such as those listed here and advise on how to address any shortcomings that are found.

Find out more about our cyber security capabilities.


UCLH’s ‘Find and Treat’ team to screen & treat homeless via eco-tricycle

Thousands can now be screened by UCLH’s ‘Find and Treat’ team for illnesses including tuberculosis, HIV and Covid-19

Doctors can now cycle around London to treat homeless and marginalised patients via eco-tricycle, the UK’s first fold-out health clinic on wheels.

The tricycle, nicknamed the “Electric Trike”, will be used by the University College London Hospital’s “Find and Treat” team to screen and treat the most vulnerable of the UK’s population for illnesses including tuberculosis, HIV and Covid-19. According to the Evening Standard, a lack of documentation typically prevents these vulnerable communities from accessing a GP or visiting A&E, resulting in living with untreated illness. Outreach workers will be supporting the “Find and Treat” team by using their own experiences of homelessness to encourage others to use this service.

CACI is a proud sponsor of the eco-tricycle, and has supported the UCLH’s “Find and Treat” team by developing an application, ITRICS, that equips them with the latest secure connectivity and cloud technologies. This technical solution supports the workflow of a real-time end-to-end process from diagnosis to treatment, with ongoing enhancements to ITRICS projected to continue into summer 2023.

The “Find and Treat” team will now be able to deliver high-quality care to higher-risk communities in an eco-friendly capacity through these “smart connectivity” capabilities.

UX: Let’s make tech accessible

It’s not a new concept: from lifts on the Underground to ramps into public buildings, we’re all used to seeing the real-life equivalent of accessibility features as we go about our day. Airbnb hosts are encouraged to list any issues or benefits on their ads. Public buildings and new built spaces are expected to take disabled visitors’ needs into account as well.

However, challenges still prevail, both in technology and in real life. Despite the fact that over 10 million people (over 18% of the population) have a limiting long-term illness, impairment or disability, they are often simply forgotten.

As in life, so it is online

Like restaurants that have invested in wheelchair ramps but hidden them at the back of the building, lots of ‘real life’ and online places are technically accessible. But the extra time and effort needed to use it means the problem isn’t really being solved and disabled people are still being excluded.

In fact some measures seem to have been taken with an insultingly thoughtless, check-box mentality. In June 2022, Wireless Festival at Crystal Palace decided to pitch the accessible viewing platform at the top of a hill to save money, requiring patrons’ friends to push their wheelchairs up a 10% incline or carry them! I wonder how many websites are similarly inconsiderate of the actual needs of certain users.

On the other hand, treasured old buildings and ancient pieces of tech alike were often simply not built with accessibility in mind. When visiting Madame Tussauds with a friend who walks with a stick and finds stairs agonising, we used a total of 4 randomly located lifts to access 5 floors. They required us to weave through exhibits the wrong way and wait around for staff help. As a mind-bending response to a building that’s almost two hundred years old it’s better than nothing, but nobody would design it that way if they’d thought about accessibility first.

Online leads the way

Online systems that are built first and add accessibility only once the product is complete face similar risks. The infrastructure of our lives is no longer solely built around physical spaces: it’s built around online ones too, where we now conduct every conceivable part of our lives. According to a Deque survey and research, 73% of accessibility professionals saw an increase in accessibility awareness on digital channels throughout the pandemic. Not being able to access these spaces can hugely restrict disabled people’s lives, cutting them off from opportunities.

Actively discriminating against anyone is of course illegal – and there can be hefty fines and reputational damage for not adhering to WCAG standards. What’s often forgotten is that systems that don’t think about disabled users ultimately exclude by default. It’s worth remembering that anyone can become disabled, even if it’s just a broken arm that restricts typing for six weeks or an ear infection that leaves you temporarily deaf. More than that, accessibility features benefit all users, such as captions on video content benefitting a user in a noisy office. We all win when accessibility is considered.

Value UX and value your users

Code is easier to rework than bricks and mortar. But what’s easiest of all is building things right from the beginning. Understanding that all users need an equally positive experience is crucial.

Karen Hawkins of eSSENTIAL Accessibility, the world’s #1 Accessibility-as-a-Service platform, has emphasised the importance of making sure ‘foundational elements are as accessible as possible, these foundational elements being colours, but also typography, small atoms and molecules, like your buttons and your links and your text boxes – they get used everywhere’.

Adopting the right mindset where accessibility is the default and not a bolt-on is an ideal way to start. Don’t stop at whether it is possible for a disabled user to complete a task – also consider how easy and fast it is too.

Ask your customers about their disabled user base and see if you can speak to disabled users as part of gathering requirements. However, they may not have the best visibility of such users – in fact the customer may not have put any thought into accessibility at all. This can be an area where tech developers can provide leadership as well as creative ideation about the potential needs of unknown users.

Specific accessibility features might include using subtitles or transcripts for all video content. Or it could involve using a high contrast ratio between text and background, relying on more than just colour to convey important information. Furthermore – do things like screen readers work accurately? Will the screen flash causing fits in some users? How about automatic log outs due to inactivity – which could impact users with movement issues, who may take longer completing forms? Will the complexity of any language be difficult for some users? Considering and including these features from the onset as well as testing them on users with disabilities can save time and money later on.

Accessibility is about so much more than speaking to any one user: it’s about challenging your expectations of who will ultimately end up using your product. Tim Berners-Lee, the inventor of the internet, said that ‘The power of the Web is in its universality. Access by everyone regardless of disability is an essential aspect.’ A software product is only as good as its end users find it to be: design that needlessly excludes potentially 20% of the working population should be seen as a failure. Design that includes everyone is the ultimate success.

To find out more about our capabilities in this area, please check our Digital Design, Build & Operate page.

How much design is enough?

Imagine two people are decorating houses, side by side. One wants every detail mapped out in advance, researching all the possibilities and putting in a massive order before seeing anything in person. The other prefers a more spontaneous approach. They might have a vague outline of the sort of house they’d like, but they’d prefer to make it up as they go along.

As things come together, the first person realises that nothing they’ve committed to quite looks or goes together in the way they imagined and there’s no real turning back. The second has a rather more chaotic process, but everything that goes into their house is absolutely fabulous. It’s only at the very end that they realise they have painted the same room seven different colours throughout the process.

These ways of thinking shape more than just our interior décor – they crucially apply to how we understand tech and software development. Committing to a large amount of architecture before kicking off is no longer considered best practice, but including it is still vitally important. Architects, developers and potential clients are left to decide – how much design is enough?

Getting it wrong

Without architecture, the bigger picture quickly gets lost. For instance, a developer might be working on new functionality that will be shared to various departments. Developing it for one customer in one department is fairly straightforward. However – have they considered all of the flows and interactions with other parts of the business? Is there a potential to consolidate some functions into a shared one stop shop service?

Architecture

Good architecture provides an awareness of dependencies, interactions and other contextual drivers, like legacy systems and stakeholder mapping. If you want something that’s more than the sum of its parts, it’s essential.

Too much upfront design though, creates a very long feedback loop where you’ve built half a system before you have any clue if any of it works. In the worst cases, “solutioneering” takes over and the design itself – sometimes pre-issued by the client, with tech already decided – becomes more important than understanding and meeting the requirements. By that point, whether or not it actually benefits the end user has probably been completely forgotten.

Most often, things go wrong when architects and developers don’t talk to each other. Each withdraws into an ivory tower and fails to communicate or remember the benefits of collaboration. As a formalised process, architecture can become too distant from the reality of building it and too rigid to flex to new information that arises from agile iterations.

How do we get it right?

Agile has taken over – and architecture must flex to fit in. This means greater levels of collaboration, working hand in hand with development teams.

Breaking up the architecture approach so that it’s completed in segments that align with actual development can keep the process one step ahead of the actual build while ensuring it’s still adaptable. This can also allow both sides of the work to both validate and verify: build the right thing via architecture that focusses on big picture goals, the right way through feedback focussed iterations. Features will not just be effective in their immediate goal but in the broader context of the software.

Architectural principles and patterns can also be vitally helpful by collaboratively establishing the broad guidelines for architectural decisions that will be made later on. To go back to our house designing metaphor, you might not decide exactly what furniture is going into each room, but you might decide on distinct colour schemes that harmonise with each other.

Together, principles and patterns keep services and features aligned and consistent. Not every detail is planned out, but there will be a clear understanding of how things like naming conventions and interactions will be done and how users will be authenticated. That can be easily replicated in the future while still leaving flexibility around it.

At its best, architecture works in harmony with other delivery roles, working toward the same goal and focussing on software that solves problems for the client and the end user. Balancing development and architecture means finding effective methods to maximise both capabilities and harmonise them with each other. In this, as in most other things, teamwork and collaboration are key.

To find out more about our capabilities in this area, check out our IT Solution Architecture & Design page.

How ethical is machine learning?

We all want tech to help us build a better world: Artificial Intelligence’s use in healthcare, fighting human trafficking and achieving gender equity are great examples of where this is already happening. But there are always going to be broader ethical considerations – and as AI gets more invisibly woven into our lives, these are going to become harder to untangle.

What’s often forgotten is that AI doesn’t just impact our future – it’s fuelled by our past. Machine learning, one variety of AI, learns from previous data to make autonomous decisions in the present. However, which parts of our existing data we wish to use as well as how and when we want to apply them is highly contentious – and it’s likely to stay that way.

A new frontier – or the old Wild West?

For much of human history, decisions were made that did not reflect current ideals or even norms. Far from changing the future for the better, AI runs the risk of mirroring the past. A computer program used by a US court for risk assessment proved to be highly racially biased, probably because minority ethnic groups are overrepresented in US prisons and therefore also in the data it was drawing conclusions from.

This demonstrates two dangers: repeating our biases without question and inappropriate usage of technology in the first place. Supposedly improved systems are still being developed and utilised in this area, with ramifications on real human freedom and safety. Despite its inefficiencies, human judgement is always going to have its place.

The ethics of language modelling, a specific form of machine learning, are increasingly up for debate. At its most basic it provides the predictive texting on your phone, using past data to guess what’s needed after your prompt. On a larger scale, complex language models are used in natural language processing (NLP) applications, applying algorithms to create text that reads like real human writing. We already see these in chatbots – with results that can range from the useful to the irritating to the outright dangerous.

At the moment, when we’re interacting with a chatbot we probably know it – in most instances the language is still a little too stilted to pass as a real human. But as language modelling technology improves and becomes less distinguishable from real text, the bigger opportunities – and issues – are only going to be exacerbated.

Where does the data come from?

GPT-3, created by OpenAI, is the most powerful language model yet: from just a small amount of input, it can generate a vast range, and amount, of highly realistic text – from code to news reports to apparent dialogue. According to its developers ‘Over 300 applications are delivering GPT-3–powered search, conversation, text completion and other advanced AI features’.

And yet MIT’s Technology Review described it as based on ‘the cesspits of the internet’. Drawing indiscriminately on online publications, including social media, it’s been frequently shown to spout racism and sexism as soon as it’s prompted to do so. Ironically, with no moral code or filter of its own, it is perhaps the most accurate reflection we have of our society’s state of mind. It, and models like it, are increasingly fuelling what we read and interact with online.

Human language published on the internet, fuelled by algorithms that encourage extremes of opinion and reward anger, has already created enormous divisions in society, spreading misinformation that literally claims lives. Language models that generate new text indiscriminately and parrot back our worst instincts could well be an accelerant.

The words we use

Language is more than a reflection of our past; it shapes our perception of reality. For instance, the Native American Hopi language doesn’t treat time in terms of ‘chunks’ like minutes or hours. Instead they speak, and indeed think of it, as an unbroken stream that cannot be wasted. Other examples span across every difference in language, grammar, sentence structure – both influencing and being influenced by our modes of thinking.

The language we use has enormous value. If it’s being automatically generated and propagated everywhere, shaping our world view and how to respond to it, it needs to be done responsibly, fairly and honestly. Different perspectives, cultures, languages and dialects must be included to ensure that the world we’re building is as inclusive, open and truthful as possible. Otherwise the alternate perspectives and cultural variety they offer could become a thing of the past.

What are the risks? And what can we do about them?

Language and tech are already hard to regulate due to the massive financial investment required to create language models. It’s currently being done by just a few large businesses that now have access to even more power. Without relying on human writers, they could potentially operate thousands of sites that flood the internet with automatically written content. Language models can then learn what characteristics result in viral spread and repeat, learn from that, and repeat, at massive quantity and speed.

Individual use can also lead to difficult questions. A developer used GPT-3 to create a ‘deadbot’ – a chatbot based on his deceased fiancée that perfectly mimicked her. The idea of chatbots that can mask as real, live people might be thrilling to some and terrifying to others, but it’s hard not to imagine feeling squeamish about a case like that.

Ultimately, it is the responsibility of developers and businesses everywhere to consider their actions and the future impact of what they create. Hopefully positive steps are being made. Meta – previously known as Facebook – has taken the unparalleled step of making their new language model completely accessible to any developer, along with details about how it was trained and built. According to Meta AI’s managing director, ‘We strongly believe that the ability for others to scrutinize your work is an important part of research. We really invite that collaboration.’

The opportunities for AI are vast, especially where it complements and augments human progress toward a better, more equal and opportunity-filled world. But the horror stories are not to be dismissed. As with every technological development, it’s about whose hands it’s put in – and who they intend to benefit.

To find out more about our capabilities in this area, check out our DevSecOps page.

What can a Digital Twin do for you?

Meaningfully improving your organisation’s operations sometimes requires more than just tinkering: it can require substantial change to bring everything up to scratch. But the risks of getting it wrong, especially for mission critical solutions depended on by multiple parties, frequently turn decision makers off. What if you could trial that change, with reliable predictions and the potential to model different scenarios, before pushing the button?

CACI’s Digital Twin offers just that capability. Based on an idea that’s breaking new ground everywhere from businesses like BMW to government agencies like NASA, it gives decision makers a highly accurate view into the future. Working as a real-time digital counterpart of any system, it can be used to simulate potential situations on the current setup, or to model the impact of future alterations.

Producing realistic data (that’s been shown to match the effects of actual decisions once they’ve been undertaken), this technology massively reduces risk across an organisation. Scenario planning is accelerated, with enhanced complexity, resulting in better alignment between decision makers.

What are Digital Twins doing right now?

From physical assets like wind turbines and water distribution, Digital Twins are now being broadly used for business operations, and federated to tackle larger problems, like the control of a ‘smart city’. They’re also being used for micro-instances of highly risky situations, allowing surgeons to practice heart surgery, and to build quicker, more effective prototypes of fighter jets.

Recently, Anglo American used this technology to create a twin of its Quellaveco mine; ‘digital mining specialists can perform predictive tests that help reduce safety risks, optimise the use of resources and improve the performance of production equipment’. Interest is increasingly growing in this tech’s potential use within retail, where instability from both supply and demand sides have been causing havoc since the pandemic.

This technology allows such businesses to take control of their resources, systems and physical spaces, while trialling the impact of future situations before they come to pass. In a world where instability is the new norm, Digital Twins supersede reliance on historical data. They also allow better insight and analysis into current processes for quicker improvements, and overall give an unparalleled level of transparency.

Where does Mood come in?

Mood Software is CACI’s proprietary data visualisation tool and has a record of success in enabling stakeholders to better understand their complex organisations. Mood is crucial to CACI’s Digital Twin solution as it integrates systems to create a single working model for management and planning. It enables collaborative planning, modelling and testing, bringing together stakeholders so they can work to the same goals.

Making effective decisions requires optimal access to data – and the future is one area we don’t have that on. But with Digital Twin technology, you are able to draw your own path, and make decisions with an enhanced level of insight.

If you’re looking for more on what Digital Twin might be able to do for you, read ‘Defence Fuels – Digital Twin’. In this white paper we show how we’re using Digital Twin to make improvements worth millions of pounds.

Top 3 types of cyberattacks in blockchain

Since the emergence of blockchain technology, a surge in cyberattacks has targeted cryptocurrency, sensitive personal data and NFT game spending, causing billions of dollars in losses in recent years.

We previously discussed the strategic business value brought by blockchain technology, data governance changes and cybersecurity improvements. Now, in our final discussion on blockchain, we will illustrate examples of the top 3 types of cyberattacks and how to avoid them.

1. Exchange Hack

Since 2012, at least 46 cryptocurrency exchanges have suffered significant hacks and nearly $2.66 billion (~ £2.3 billion) has been stolen from crypto exchanges.

Binance, the world’s largest crypto exchange, suffered a hack of about $570 million (~£491 million) in Oct 2022. The hack was caused by a bug in the cross-chain bridge’s smart contract that allowed hackers to forge transactions and send money to their own crypto wallet. The company coordinated with Binance Chain validators to enact an upgrade that fixed the bug.

Such a notable attack demonstrates the importance of smart contract security and regular technical audits to ensure the system is as safe and secure as possible.

2. DeFi Hack

The gaming-focused Ronin network announced a loss in USDC and ether (ETH) in March 2022. The incident was caused by compromised validator keys. The funds on the platform are secured by a set of nine secret keys, and unlocking and releasing them requires approval from a majority of five of those keys. The hacker found a backdoor in the Ronin Bridge node and gained control of more than half of the validators, then unlocked the vault and withdrew funds valued at more than $620 million.

The company promptly increased the validator threshold from five to eight and migrated their nodes to the new infrastructure.
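The Ronin incident above is, at bottom, a quorum problem: with a 5-of-9 approval threshold, holding any five validator keys is enough to release the vault, and raising the threshold to 8-of-9 means the same five keys no longer suffice. The following is an added example, not code from the article or from Ronin, that models that approval rule so the effect of the threshold change can be checked directly. It uses HMAC-SHA256 with a per-validator secret as a stand-in for the real signature scheme (an assumption made so it runs offline), and the validator names, message and amounts are constructed.

```python
"""m-of-n validator approval for a bridge withdrawal.

Added example, not code from the article or from Ronin. Validators "sign"
with HMAC-SHA256 over a per-validator secret as a stand-in for real digital
signatures, so the quorum logic can be exercised offline. All names and
amounts are constructed.
"""
import hashlib
import hmac
import secrets


def make_validators(n):
    """Assumed set-up: one fresh secret signing key per validator."""
    return {f"validator-{i}": secrets.token_bytes(32) for i in range(1, n + 1)}


def sign(key, message):
    """Stand-in for a validator signature (HMAC-SHA256, not a real signature scheme)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def count_valid_approvals(validators, message, approvals):
    """Count distinct validators whose approval verifies against their own key.

    Unknown signers, approvals that do not verify, and repeated approvals
    from the same validator do not add to the count.
    """
    approved = set()
    for name, sig in approvals:
        key = validators.get(name)
        if key is None:
            continue
        if hmac.compare_digest(sign(key, message), sig):
            approved.add(name)
    return len(approved)


def withdrawal_allowed(validators, message, approvals, threshold):
    """The vault releases only when at least `threshold` distinct validators approve."""
    return count_valid_approvals(validators, message, approvals) >= threshold


def simulate(total=9, compromised=5, threshold=5):
    """Model an attacker holding `compromised` of `total` validator keys.

    Returns True if those keys alone are enough to pass the approval threshold.
    """
    validators = make_validators(total)
    message = b"release 620000000 USD from bridge vault"  # constructed
    controlled = list(validators)[:compromised]
    approvals = [(name, sign(validators[name], message)) for name in controlled]
    return withdrawal_allowed(validators, message, approvals, threshold)


if __name__ == "__main__":
    print("5 keys held, 5-of-9 threshold:", simulate(9, 5, 5))   # True
    print("5 keys held, 8-of-9 threshold:", simulate(9, 5, 8))   # False
    print("8 keys held, 8-of-9 threshold:", simulate(9, 8, 8))   # True
```

The counting rule matters as much as the threshold: counting raw approvals rather than distinct verified validators would let a single compromised key be replayed five times, so `count_valid_approvals` deduplicates by validator name and drops anything that does not verify. Raising the threshold only helps if the keys are held by genuinely independent parties; the page’s point about migrating nodes to new infrastructure addresses that independence, which no threshold arithmetic can supply on its own.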

No wonder the Federal Bureau of Investigation (FBI) asked decentralised finance (DeFi) platforms to strengthen their security measures and warned investors about the vulnerabilities in these platforms.

3. Ransomware

Analysis found that businesses in the UK suffered the third highest rate of ransomware attacks in the world, behind only the US and Canada. The attacks hit not just the financial industry but also education, healthcare, the legal profession and the public sector.

One of the most well-known attacks was the outbreak of WannaCry in 2017, adversely affecting more than 200,000 computers in over 150 countries, costing £92 million in the UK and running up £6 billion across the globe. It began with emails that tricked the target audience into opening the attachments which then released the malware onto their system. Once a computer was infected, it would lock up the files and the users could not access them anymore.

NHS services were disrupted for several days, affecting at least 80 of the 236 trusts across England, 603 primary care organisations and 595 GP practices. Thousands of appointments and operations were cancelled and emergency patients had to be urgently relocated from stricken emergency centres. Staff were forced to record everything with pen and paper!

To combat ransomware, a strong line of defence is always appropriate cybersecurity training for staff, such as sending simulated phishing emails regularly to raise their awareness. Implementing blockchain analytics tools can also help monitor activity and detect ransomware-related patterns.

Conclusion

Blockchain technology has improved cybersecurity across industries but hackers are always looking for ways to unravel high-security systems. Unaudited environments and a lack of cybersecurity training can lead to devastating attacks. We should all constantly update the security layers and keep an eye on hacker trends to block any security breaches.

How CACI can help

Make sure your business is safe from cyber attacks. Our experts monitor the latest cyber threats regularly and can carry out proper technical audits and cybersecurity training for your business.

Get in touch with us today.

 


How does blockchain improve cybersecurity?

Cybersecurity breaches are a serious threat to most businesses and can have devastating consequences. A study found that companies typically spent $3.86 million (£2.9 million) per cybersecurity incident.

Exploring advanced technology is one of the solutions to reduce your losses in the event of a breach. Blockchain’s features mark a change of era in cybersecurity. We will use the CIA Triad model, a standard model for information security guidance, to highlight some of the features and assess the security level of blockchain. Some business use cases leverage these features to improve their cybersecurity.

CIA Triad Model

The model represents the three pillars of information security: Confidentiality, Integrity and Availability. It is a valuable guide for your team when developing security systems.

Confidentiality
Confidentiality means preserving authorised restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

  • Encrypted data
    Blockchain technology can provide high-level security control to assure the confidentiality of data. Even if an attacker can access the blockchain network, fully encrypted blockchain data ensures the attacker cannot read or retrieve information properly.
  • Public and private keys
    Public and private keys are strings of letters and numbers generated by cryptographic algorithms, which are infeasible to break with current computing power. They are critical to protecting your user information and the confidentiality of data, and to authentication and authorisation on the network.

Integrity
Integrity means guarding against improper information modification or destruction and ensuring information non-repudiation and authenticity.

  • Cryptographic hashing
    Using cryptographic hashing in a decentralised system creates a barrier for any party trying to alter the data, which assures the integrity and authenticity of the data in your system.
  • Timestamps of data
    Transactions in the system are digitally signed with timestamps so that you can trace them back throughout history.
  • Smart contract
    A smart contract is a computer program that executes automatically when specific conditions agreed between buyers and sellers are met. It permits trusted transactions and agreements without an intermediary’s involvement. All these transactions are traceable and irreversible.
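
As an added illustration of the hashing and timestamp points above (example code written for this page, not CACI’s or any blockchain project’s own implementation), the following Python builds a minimal hash-chained ledger with SHA-256 and shows why editing a past record is detectable. The block layout, the GENESIS_PREV sentinel, the transactions and the timestamps are all constructed for the example.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List

GENESIS_PREV = "0" * 64  # hypothetical sentinel "previous hash" for the first block


@dataclass
class Block:
    index: int
    timestamp: int   # Unix time; constructed values below
    data: str        # the transaction record
    prev_hash: str   # hash of the preceding block (the chain link)
    hash: str        # SHA-256 over this block's own fields


def block_hash(index: int, timestamp: int, data: str, prev_hash: str) -> str:
    """Canonical SHA-256 digest of a block's contents (sorted keys, no whitespace)."""
    payload = json.dumps(
        {"index": index, "timestamp": timestamp, "data": data, "prev_hash": prev_hash},
        sort_keys=True, separators=(",", ":"),
    )
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append_block(chain: List[Block], data: str, timestamp: int) -> Block:
    """Append a record; its hash commits to the previous block's hash."""
    prev_hash = chain[-1].hash if chain else GENESIS_PREV
    index = len(chain)
    block = Block(index, timestamp, data, prev_hash,
                  block_hash(index, timestamp, data, prev_hash))
    chain.append(block)
    return block


def verify_chain(chain: List[Block]) -> List[int]:
    """Return the indices of blocks that fail a check; an empty list means intact.

    Checks: (1) the stored hash matches a recomputation of the block's fields,
    (2) prev_hash equals the hash of the block before it, and
    (3) timestamps never go backwards, so history can be traced in order.
    """
    bad = []
    for i, b in enumerate(chain):
        expected_prev = chain[i - 1].hash if i > 0 else GENESIS_PREV
        recomputed = block_hash(b.index, b.timestamp, b.data, b.prev_hash)
        out_of_order = i > 0 and b.timestamp < chain[i - 1].timestamp
        if b.hash != recomputed or b.prev_hash != expected_prev or out_of_order:
            bad.append(i)
    return bad


def build_sample_chain() -> List[Block]:
    """Three constructed transactions with constructed timestamps."""
    chain: List[Block] = []
    append_block(chain, "alice pays bob 10", 1700000000)
    append_block(chain, "bob pays carol 4", 1700000060)
    append_block(chain, "carol pays dave 1", 1700000120)
    return chain


def tamper_data_only() -> List[int]:
    """Edit a past record in place: its stored hash no longer matches."""
    chain = build_sample_chain()
    chain[1].data = "bob pays carol 400"
    return verify_chain(chain)


def tamper_and_rehash() -> List[int]:
    """Edit a record and recompute its hash: the next block's link now breaks."""
    chain = build_sample_chain()
    chain[1].data = "bob pays carol 400"
    chain[1].hash = block_hash(chain[1].index, chain[1].timestamp,
                               chain[1].data, chain[1].prev_hash)
    return verify_chain(chain)


if __name__ == "__main__":
    print("intact chain:", verify_chain(build_sample_chain()))   # []
    print("edited record:", tamper_data_only())                   # [1]
    print("edited and rehashed:", tamper_and_rehash())            # [2]
```

The second tampering case is the important one: rewriting one record forces every later block to be rehashed as well, and on a decentralised network the rewritten chain would then also have to be accepted by the other nodes, which is the barrier the section describes. Hashing alone says nothing about who wrote a record; that is what the digital signatures made with the private keys from the Confidentiality section add.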

Availability
Availability means ensuring timely and reliable access to and use of information.

  • Decentralised data storage
    By storing a complete set of the data across a peer-to-peer network, the data remains accessible from other nodes if one node is down or under attack. This greatly reduces the chance of an IP-based DDoS attack causing operational disruption.

Business use cases in cybersecurity improvement

Lockheed Martin
Lockheed Martin integrates blockchain-based cybersecurity applications into their engineering processes, supply chain risk management and software development efforts.

Ron Bessire, the Vice President of Lockheed Martin Aeronautics Engineering and Technology, believes these new cybersecurity approaches will enhance data integrity, speed problem discovery and mitigation, and reduce the volume of regression testing, which results in reduced schedule risk.

Colorado, the U.S.
In 2017, the Colorado government faced 6-8 million attempted cyberattacks daily. The Colorado Senate passed a bill promoting blockchain technology for government record-keeping and cybersecurity. They are confident that the expanded use of blockchains may offer transformative improvements to data security, accountability, transparency and safety across dispersed state departments and jurisdictions.

Barclays Bank
Barclays filed two patents that revolve around account security: a blockchain platform that can facilitate cryptocurrency transfers and a private blockchain that streamlines know-your-customer (KYC) processes.

They created a “world-first” blockchain platform to handle the documentation approving fund transactions made through the Society for Worldwide Interbank Financial Telecommunication (Swift). The platform uses smart contracts to track and log changes of ownership and payment processes automatically.

The other platform allows the bank to store all customer personal information, verify customer identity and trace their credit history easily in a secure environment.

Philips
Philips calls its blockchain project “verifiable data exchange”: researchers in a network of hospitals and universities can request the sensitive medical data they need for research through the system. The user experience revolves around three activities: anonymising data, requesting data and fulfilling requests. The system stores a full and immutable trail of how data is used, who has accessed it and who has seen it.

Philips researchers believe the transparent storage of data exchange between the involved parties will create a system of shared risk and responsibility.

Conclusion

While blockchain features continuously evolve in order to strengthen cybersecurity, hacking techniques are ever-developing, creating more and more vicious attacks. For cybersecurity specialists, staying up-to-date with the latest changes is essential. Our next article will examine a number of cyber-attacks coordinated against blockchains.

How CACI can help

Keeping up to date with the latest regulations and cybersecurity trends, our experts can enhance your company’s data management solutions, IT architecture and design, service design, business process service, and cybersecurity.

Get in touch with us today.


 

Blockchain, The Game-changer of Data Governance

Data governance is our priority when designing a data management solution. The significant contradictions between blockchain technology and the European Union’s General Data Protection Regulation (GDPR) have sparked vigorous discussion in the industry. In contrast, the European Parliament highlights that blockchain can be a suitable tool for achieving some GDPR objectives.

Make sure to read blockchain technology’s features and strategic business values, as we now explore how blockchain technology changes the game in data governance as more governments experiment with new operations.

Contradictions between blockchain technology and GDPR

The study “Blockchain and the General Data Protection Regulation”, published by the European Parliament, highlights several paradoxes between the fundamentals of blockchain technology and the GDPR:

  • Data Controller
    GDPR assumption: Data is centralised with at least one natural or legal person.
    Blockchain technology concept: Data is decentralised to multiple nodes.
  • Data Modification
    GDPR assumption: Data can be modified or erased where necessary to comply with Articles 16 (Right to rectification) and 17 (Right to erasure).
    Blockchain technology concept: Data is immutable and stored in the append-only database to ensure data integrity and increase network trust.
  • Data Process
    GDPR requirement: Personal data is to be kept to a minimum and processed only for purposes specified in advance.
    Blockchain technology concept: Databases grow continuously as new data is added.

The study also underlines different forms of distributed databases. Hence the compatibility between distributed ledgers and the GDPR is determined by a case-by-case analysis that accounts for the specific technical design and governance set-up of the blockchain use case.

The above analysis leads to two overarching conclusions:

  • Blockchain use cases’ technical specificities and governance design can be hard to reconcile with the GDPR. Therefore, blockchain architects must be aware of this from the beginning and ensure their design complies with GDPR.
  • It also stresses the current lack of legal certainty on how blockchain can be designed to comply with the regulation, not just due to specific features of this technology but also because of significant conceptual uncertainties in the GDPR itself.

How can blockchain technology achieve GDPR objectives?

There has been an ongoing policy debate in the European Parliament on this topic. Its 2018 report, Blockchain: A Forward-Looking Trade Policy, pointed out that ‘blockchain technology can provide solutions for the “data protection by design” provisions in the GDPR implementation based on their common principles of ensuring secured and self-governed data.’ Recital 7 of the GDPR foresees that ‘natural persons should have control of their own personal data.’ This rationale is based on data subject rights, such as the right of access (Article 15 GDPR) or the right to data portability (Article 20 GDPR), which give data subjects control over what others do with their data and what they can do with that personal data themselves.

At the 52nd Hawaii International Conference on System Science in 2019, a group of experts proposed a multi-layer blockchain system which can provide users with complete data transparency and control over their data. The European Parliament commented that this solution would help comply with the right of access (Article 15 GDPR) and grant individuals a fundamental right to access their personal information. This looks like a significant move for blockchain because the European Parliament recognises the new standards. We believe more corporates will be willing to explore the feasibility of applying blockchain in their business, and experimental cases will multiply in the market.

Blockchain applications in European Union

Estonian eHealth Patient Portal
Estonia is one of the first governments to embrace blockchain technology. Estonian eHealth Patient Portal, a blockchain-based infrastructure, has been used by their eGovernment to give individuals more control over their health data. A patient can authorise access to their data. By default, medical specialists can access data. However, a patient can deny access to any case-related data to any care provider, including their own general practitioner/family physician.

MyHealthMyData
MyHealthMyData is a project funded under the EU Horizon 2020 scheme that uses blockchain technology to create a structure where data subjects can allow, refuse and withdraw access to their data according to different cases of potential use. Further research can build on this project to determine whether blockchain technology can achieve GDPR objectives and create a benchmark for the industry.

Blockchain Roadmap of the UK Government

The UK Government is endeavouring to develop blockchain use cases and governance. A report by the UK Government Chief Scientific Adviser in 2016 acknowledged that Distributed Ledger Technologies could help governments collect taxes, deliver benefits, issue passports, record land registries, assure the supply chain of goods and generally ensure the integrity of government records and services. In the NHS, the technology could enhance health care by improving and authenticating the delivery of services and by sharing records securely according to exact rules.

Yet, effective governance and regulation are critical to successfully implementing distributed ledgers. Law will need to evolve in parallel with the development of new technology applications.

HM Revenue and Customs started a trial on social welfare payment distribution in June 2016 to track the distribution of benefits. They are still working with a UK start-up to integrate blockchain technology into supply chains to increase efficiency and security.

The Department for Work and Pensions studied early full-production implementations, such as Santander’s One Pay FX, a blockchain-based international payments service for retail customers in multiple countries. The benefits include reduced transaction time, cost and failure rate, whilst data is stored on a secure, immutable ledger.

Conclusion

Though there are significant tensions between the nature of blockchain technology and the legal frameworks surrounding data privacy, blockchain technology can be an alternative form of data management system for you to achieve particular data governance objectives, depending on the system architecture. With more governments recognising the benefits brought by blockchain, we believe blockchain technology can be compatible with data privacy law.

Despite the GDPR’s legal framework being built on the assumption of a centralised database system, corporates should become more familiar with the regulations: weak security layers can lead to catastrophic data breaches and hefty fines. The British Airways (2018) and Marriott (2020) data breaches are considered case studies.

British Airways was fined £20m for a data breach which affected more than 400,000 customers. A subsequent investigation concluded that sufficient security measures, such as multi-factor authentication, were not in place at the time.

Marriott International was fined £18.4m for a data breach that exposed 339 million customer records in 2018, caused by poor data management policies and unencrypted sensitive data. An investigation by the Information Commissioner’s Office found the hotel giant “failed to put appropriate technical or organisational measures in place to protect the personal data being processed on its systems, as required by the GDPR.”

In other words, a robust security system is essential to data protection, not the technology itself.

Beyond data privacy law, the Financial Stability Board intends to implement its first recommendations on global crypto regulation in early 2023. This powerful regulation may give crypto businesses more clarity on how to set up their blockchain systems. Let’s follow the latest news on the regulation.

Our upcoming discussion focuses on how blockchain can improve cybersecurity and impact different business cases.

How CACI can help

Our experts can advise you on the best practice for managing your data under your regulatory requirements. We help large enterprise organisations define and execute data standards, policies and strategies.

Get in touch with us today.

 


The Metaverse – Innovate or Die?

What is the Metaverse?

The metaverse is a term which describes a collection of virtual worlds that we can work, play, explore and collaborate in. Whilst the term has become a popular buzzword of late, the name ‘metaverse’ itself comes from Neal Stephenson’s 1992 science fiction novel Snow Crash, a book which envisioned a virtual world in which people would use avatars to interact with each other. Similarly, Steven Spielberg’s more recent 2018 movie Ready Player One saw individuals find salvation from the chaos of reality in the virtual world OASIS. Currently, there are multiple metaverse platforms in use, all with incredibly different interfaces, user bases and access credentials. The aspirational term ‘metaverse’ refers to an all-encompassing decentralised virtual world, rich in offering, interoperable and governed by the community.

The powerful combination of the emergence of 5G, offering us the infrastructure and connectivity needed for access; the advance of computing and processing power needed for availability and affordability; powerful blockchain technologies; and the seismic emergence of cryptocurrencies, NFTs, wallets and exchanges means that a new Goldilocks zone has emerged, whereby the conditions for an entirely new economy to thrive within the metaverse are just right. Enter Web 3.0.

How can companies leverage the Metaverse now?

“The metaverse will likely infiltrate every sector in some way in the coming years, with the market opportunity estimated at over $1 trillion in yearly revenues.” J.P Morgan

As with previous technology paradigm shifts, such as the birth of the internet, the metaverse is poised to transform almost every aspect of society. So, as we sit at the edge of the Web3 precipice, it is important for companies to understand, accept and embrace the new technology epoch and how they can fully leverage its presence.

Five key areas to currently observe: Talent Acquisition, Branding, Digital Products, Training and Work Structure.

1. Talent Acquisition
With strong demand and heavy investment being placed into the technological infrastructure of companies, there has been an uplift in demand for talent in many of these skilled roles. Jeremy Dalton, global director of metaverse technologies for PwC, said: “For recruitment, we are already using a metaverse platform, Virtual Park, to interview job candidates and offer them the ability to meet our people and find out more about our culture, values and opportunities”. Since launching two years ago, the platform has reached roughly 20,000 users, a much wider talent pool than could typically have been accessed previously.

2. Branding
The social side of the metaverse is just as vital as the commercial side. Consumers will soon be able to purchase goods and services (including land) in both the physical world and the metaverse. Brand loyalty will become increasingly dependent on how well a company adapts and translates its current offerings onto the metaverse. As with all major technological shifts, the metaverse will gain traction slowly over time: 3D imaging, for example, made its debut in the late 1800s, and Second Life, an alternate-reality video game, took 4 years to grow its base to a million users (Fortnite built upon this and, after its initial release in 2017, is now used by roughly 125m users worldwide). The metaverse will force companies to consider how their brand appeals to early adopters and stays relevant to their traditional customer base. This could have major implications for how a company defines and markets itself to potential customers.

3. Digital Products

One of the ways multiple businesses are enriching the consumer experience of their brand via the metaverse is by creating digital products and thereby generating new revenue streams. Luxury fashion brand Gucci opened a virtual space, ‘Gucci Garden’, based on the philosophy of its creative director, Alessandro Michele, and went on to sell a digital version of its ‘Queen Bee Dionysus’ bag on the Roblox marketplace for $4,115, more than the price of the bag’s real-world equivalent of roughly $3,400.

Nike, a leading brand in the metaverse, acquired a non-fungible token studio, RTFKT, that produces digital collectibles (including digital sneakers) to merge culture and gaming. Previously RTFKT collaborated with teenage artist FEWOCiOUS to sell real sneakers paired with virtual ones, selling 600 pairs and NFTs in six minutes and netting over $3.1 million. In addition to NFTs, events can also be held in the space and are quickly gathering momentum; fashion shows, book launches and film premieres are all possibilities. In 2020, hip-hop star Travis Scott earned millions of dollars when his avatar appeared in Fortnite, performing in concert, and virtual goods such as Travis Scott gaming skins were then sold around the event.

4. Training/development
The rise of virtual and augmented reality has made huge waves within the gaming world, one popular example being Pokemon Go, and Anthony Wong, marketing director of Attensi (gamified training solutions), believes that the same principles used for gaming can be applied to learning and development in workplace training. Adding this new dimension to information sharing could transform business processes, from onboarding sessions to simulation training and testing for complex practical roles. L&D practitioners will now need to be mindful of up to four generations, all equipped with multiple learning styles, and consider how best to encourage fun, fast and ultimately more fruitful learning, essential in maximising growth potential.

5. Work Structure

Post-COVID, the majority of companies have moved to a hybrid working structure, with many meetings and collaborations taking place across multiple technology platforms. The emergence of the metaverse could see companies pivot again, interacting using hands-free devices, avatars and new tools rather than only laptops and phones.

Frank Diana, managing partner and futurist at Tata Consultancy Services (TCS), likens the workplace shift to the metaverse to the transition from typing pools to having an entire workforce typing into personal computers. “What if there are boundary-less 3D collaboration tools in the metaverse and the team could transport themselves to the Louvre Museum for inspiration?” Diana asked. “If working remotely in the metaverse provides both increased productivity and better collaboration, today’s office model gets totally upended.”

Matterport, a tech company whose 3D modelling software digitally replicates physical spaces, has been developing digital twin workflows that let employees collaborate, learn and engage remotely. For example, architects can virtually collaborate with clients by remodelling ideas to make faster decisions, and retailers can virtually collaborate on store layouts to discover problems or opportunities sooner. Current 2D models of working are poised to advance rapidly to 3D virtual environments, allowing workers to interact in immersive ways, consumer relationships to develop and companies to foster their company culture.

Metaverse Tech

Whilst it’s easy to assume the metaverse is a faraway galaxy when compared to our immediate reality, many companies are already harnessing its power and proving the benefits of virtual worlds. Zwift, for example, an MMO cycling game meets training tool established in 2014, has a 4 million subscriber base. Using minimal kit (a bike, a smart trainer and a viewing device such as your phone or TV), riders can move through virtual imaginings of real-world routes across cities like London and New York and can also ride through the imagined worlds built by Zwift, such as Watopia.

Riders can input their height and weight data and this, together with ANT+ and Bluetooth connectivity, allows Zwift to calculate performance and show standings in comparison to other users. Since 2016, the company has also held world championships which have produced athletes who have gone on to secure real pro team contracts. Loes Adegeest, the 2022 winner, currently rides for UCI World Tour team ICBT and gained 5th place in the general classification of the Lotto Belgium Tour. Zwift is proof that companies can both excel and profit by embracing virtual reality, and its data sets on improvements to users’ health and social dynamics have cemented its status as a leading pioneer in the space.

Challenges and Risks firms face from the metaverse

Consider first, whether it makes sense to be engaging across these platforms. As the metaverse isn’t yet a single entity, but instead a collection of technologies, many would argue investing whilst still in its infancy could pose many financial and reputational risks to businesses. Privacy and safety concerns around hacking, impersonation and importantly, data use, rank highly among consumer fears, whilst the commercial, legal, and regulatory implications of the metaverse for businesses are enormous. If we were to take intellectual property, for example: What are the limits of IP, piracy, ownership, and patents in the virtual world? Are there digital land rights? How do brands deal with counterfeit digital products? Do you need a license to practice law in the metaverse?

This presents a new arena for hackers and new opportunities for criminal behaviour. How will misconduct be monitored, reported and remedied? What recourse do victims of avatar identity theft have? Are financial transactions protected? There is currently little regulation in place. Lastly, technical challenges such as computing power, interoperability and connectivity (bandwidth), present difficulties most companies simply aren’t ready nor equipped for. A true ecosystem of virtual worlds, where a person’s digital assets can be carried from one world to another, will require significant preparation and collaboration from large tech players, which could potentially conflict with their own nature.

That being said, at the other end of the spectrum, companies face an even greater risk by failing to innovate. Similar to Zuora’s documentation of the mass extinction of companies that failed to embrace the “subscription economy”, innovation and the rapid progression of these technologies should not be ignored. A recent study by McKinsey found that the average lifespan of companies listed in Standard & Poor’s 500 was 61 years in 1958. Today, it is less than 18 years. McKinsey believes that, in 2027, 75% of the companies currently quoted on the S&P 500 will have disappeared.

In these evolving times, businesses are advised to exercise caution when investing in the metaverse and to facilitate early conversations between IT, compliance, legal, finance, and security.

How CACI can assist companies within the metaverse space

According to a recent Bloomberg report, the metaverse is on track to have a market size worth $678 Billion by 2030. For business, the implications of an immersive, persistent and decentralised digital world could be enormous. Since 1962, CACI has been helping companies identify emerging technologies, utilise their strengths and build protective solutions against potential threats. Whilst the metaverse is still very much an evolution rather than a revolution, its foundational elements lie within connectivity, processing power, data storage and security. Drawing on the advanced capabilities of 25,000 skilled professionals worldwide, we offer a spectrum of services across the entire metaverse continuum to aid mission-led enterprising companies in their pursuit of innovation:

[Figure: metaverse business approach. Source: PwC 2022 Business and consumer metaverse survey, July 2022]

“…what attracts human attention is change. …if the temperature around you changes, if the phone rings — that gets your attention. The way in which a story begins is a starting event that creates a moment of change.” – Robert McKee

Contact us here to get in touch about any of our services.
