Chair: Martin Gill

Panellists:
Gary Hibberd – The Professor of Communicating Cyber at Cyberfort Group
Pauline Norstrom – CEO at Anekanta Consulting
Dr. Victoria Wang – Reader in Security and Cyber-crime at University of Portsmouth

Key points

Gary Hibberd clarifies understanding of the so called dark web, distinguishing it from the deep web, they are not the same thing. In particular he warns of the difficulties of using it. For the untrained and unaware there are real dangers not least in being confronted with shocking images that can have a lasting impact. Use needs to be governed by an awareness of how to navigate. To improve things you will hear Gary make a distinction between improved governance and improved policing. As he says all types of the internet are made for information sharing, and so it is perhaps better to talk of improved policing than regulation. On policing though, despite some improvements, there is a lack of coordination and policing is under resourced. Organised criminal networks have established effective trust protocols (somewhat ironically) so that only ‘trusted’ criminals can access the areas they operate for illicit gains and purposes. Different governments take a different view of the dark web, and that undermines attempt to regulate it and cooperate on policing, overall there is a lack of political will to act. All organisations can take steps to protect themselves and it starts with getting the basics right; checking patchworks are effective and that they are updated, assessing vulnerabilities and penetration testing are recommended. As Gary says, ‘put security on the agenda before it becomes the agenda’.  

Pauline Norstrom discusses whether the dark web is an offenders’ idea of paradise, and in conclusion questions whether it is, not least because it is infiltrated by law enforcement. As she says using the dark net is not illegal (although engaging in crime on it clearly is of course), and that it started with funding support from the US Government; Pauline suggests we should call it the ‘second internet’. The main difference with the dark net is that resources are protected, which is why it is considered ‘dark’. Some companies make it really easy for criminals to operate and she notes that the weak link is often human behaviour; making key staff aware of the vulnerabilities and how to manage them then is fundamental to maximising security.  She floats the idea of improving security by regulating hardware, and emphasising Gary’s point she stresses the importance of ensuring basic security is applied, it all starts with having secure passwords, using two factor authentication, and training people of the dangers and how to mitigate them.

Building on a need to clarify our terms of reference Dr Victoria Wang offers a very helpful distinction. The WWW she says is accessible and indexed. The deep web is accessible and not indexed. The dark net is not indexed, it is akin to being located in the basement somewhere, you know it is down there, but you have to find it.  Lot of people know about it, many learn at school leading her to question how dark it is; threatening it may be for some but not all. Her own extensive research has thrown light on the matter, and she mentions one study (to be published in the Handbook of Security, third edition, by Palgrave in 2022), looking at the abuse of leading brand names on the dark net and found it to be ‘shocking’; in some cases company details, their clients’ personal details were for sale. Victoria argues the dark net is being regulated in that markets are shut down, but there is a need for caution here, user forums she has accessed tend to prefer self-regulation as more befitting. Police forces are more active, but policing is complicated. Nevertheless, there is no doubt that for criminals the dark net provides many opportunities; criminal commercial markets operate in the same way they do in the legitimate world but where the need for trust and know your customer requirements have an extra significance. The dark net presents multiple opportunities for offenders, and while policing has been more prominent, it suffers from a lack of co-ordination; a lack of resources; the fact that it is complex; and the reality that criminal networks are adaptable and flexible and have had a head start. For organisations, understanding the risks it poses are key. Organisations can protect themselves in different ways, good risk assessments and effective security are key, so is staff awareness, and like is so often the case, there is a fundamental need to be good at the ‘basics’, perhaps better termed the ‘essentials’. This webinar highlights the risk of not being so!

Martin Gill
24th March 2021