Article from the DTU magazine DYNAMO, no 71 and dtu.dk, Journalist Sari Vegendal, Photo: Thomas Sørensen
Identity theft, espionage targeting state secrets, ransom demands, and companies paralyzed. These are not doomsday scenarios from a sci-fi series, but real examples of the consequences of the cyber threat that Denmark faces.
The Centre for Cyber Security’s latest threat assessment states that the risk of cybercrime and espionage in Denmark is ‘very high’. In 2021, this was evidenced by 31 reports from companies of hackers demanding ransom payments - also known as ransomware attacks. In the first six months of 2022, the number of attacks of this kind - both nationally and internationally - doubled.
The hackers are constantly getting better, their earning potential is far greater than that of criminals in the drug trade, and the risk of getting caught is generally minimal, according to Christian Damsgaard Jensen, who is an Associate Professor in IT Security at DTU. He is also a member of the Danish Cyber Security Council.
Among other things, he refers to the 48,000 financial cybercrime cases with the Danish National Police that were still unsolved at the end of 2021.
“The Danish authorities are simply not geared up for this kind of crime. They lack resources and are unable to keep up with developments. The main challenge is that cybercrime is, per definition, cross-border in nature, which means that hackers jump from country to country via networks, in the process erasing any trace of themselves that the police might find,” he explains.
Inspired by humans
Most of Christian Damsgaard Jensen’s working life has been spent making illegal intrusions of this kind difficult to begin with. Just like the hackers, he has been forced to get creative, think in the abstract, and adopt an unconventional approach.
Early on in the process, he acknowledged that the mechanisms underpinning the existing security systems are not good enough to keep criminals at bay.
Instead, he began to see human relationships as his most important source of inspiration: How do we assess who we can trust in situations where there is a high threat level? And what does it take to build trust?
Today, Christian Damsgaard Jensen develops security systems that interact with other stakeholders in exactly the same way that people do in the real world: The greater the trust, the greater the openess.
For instance, if a user is unknown to the system then it uses recommendations from others to form trust in the person. If no recommendations are available, the stranger must exhibit trustworthy behaviour over a long period of time - this may entail accepting cookies that make it possible to recognize the individual - if they are to gain access to the system in question.
The recognition of users across systems makes it possible to enforce restrictions, e.g. blocking someone if they are up to no good.
An encounter with a hacker
His ability to understand the mindset of hackers and get to grips with alternative IT solutions can be traced back to 1990 when Christian Damsgaard Jensen was a student assistant at the University of Copenhagen (UCPH) and witnessed firsthand one of the first ever hacker attacks in Danish history.
At the time, the internet was the preserve of academic environments where everyone blindly trusted everyone else, and most people’s insight into the drawbacks of the internet was decidedly limited.
For Christian Damsgaard Jensen, this changed abruptly when a hacker in Roskilde gained access to the network at UCPH. At the time, he was working in UCPH’s computer department in the Department of Computer Science. Yet, while most other places that the hacker gained access to shut down as soon as they discovered their intruder, the computer department spotted an opportunity to be a fly on the wall in cyberspace.
“By agreement with the police, we stayed online and monitored everything that he did. Back then, hacking occurred at a pace that allowed us all to keep up, so each time he logged on we would receive an alert. We’d dash into the engine room and peer over his shoulder as we tracked his every move. It was incredibly exciting,” remembers Christian Damsgaard Jensen.
This surveillance work continued over a period of several months as the computer department at UCPH supplied the police with logs showing the hacker’s actions. Eventually, there was sufficient evidence to arrest the individual, who was later convicted for his illegal intrusion into the system. However, while the case was serious, there was no indication that the hacker had acted with malevolent intent.
“That’s what hackers were like back in the day. They were just curious—there wasn’t any great wealth to come by,” says Christian Damsgaard Jensen, before adding:
“It’s rather different these days, now that business has become such a major part of digital life, and globalization has radically changed the threats we face.”
Everyone must be seen as a potential threat
According to Christian Damsgaard Jensen, globalization is the main reason why security systems struggle to keep up. The need for digital interaction across national borders is increasing by the day, and this is also increasing hackers’ opportunities to find loopholes in existing security systems.
Christian Damsgaard Jensen notes that these systems have an out-of-date perspective on security.
“Historically, humankind has tended to build walls around whatever we wanted to protect. We did this in the Middle Ages when we built walls around our cities, and we’ve been doing it for the last 30 years online with firewalls. Just as in the Middle Ages when a guard was posted to admit or refuse people at the gate, so the firewall critically filters all traffic that approaches it,” explains Christian Damsgaard Jensen.
The problem is that the physical borders have been shifted by globalization, and these systems don’t take into account that potential hackers may also be inside the walls. This has seen the concept of zero-trust - which Christian Damsgaard Jensen’s years of research are based on - begin to really make its breakthrough.
“Zero-trust means that the system sees everyone as a potentially suspicious user who must be validated. This means that while we previously had blind trust in those who were inside the same firewall as us, we now look at every single individual as a potential threat. Everyone you interact with has to prove themselves to one extent or another,” he says.
This mindset already permeates the mechanisms found in the IT solutions that Christian Damsgaard Jensen has helped to develop on behalf of both companies and municipalities.
He believes that the paradigm shift in IT security is a significant step on the way to making cyberspace more secure. However, if the threat level is to be seriously reduced, this will require a change in the mindset of many different entities, not to mention action.
“In ten years’ time, I hope the police are equipped to get a better handle on cybercrime. What’s more, we will be in a much better place if manufacturers of IT products have to live up to certain security requirements as it would allow businesses to rest assured that the products are safe to use. The most important thing of all is that the work is actually done to solve this problem - everyone has to get involved,” says Christian Damsgaard Jensen.