COP28: Climate, Cyber and Credibility
Why a cyber-attack can damage research credibility?
The King has given his speech to the COP28 (Conference of the Parties) United Nations Climate Change Conference in
the United Arab Emirates today, 1 December 2023. COP conferences face a significant and multiple challenges to limit global climate change to the Paris Agreement of 1.5 degrees above pre-industrial levels. However, alongside the political, economic, and diplomatic obstacles faced at these conferences, no one would include cyber-attacks in that list.
In 2009, cyber-attacker gained unauthorised access to the email server of Climatic Research Unit (CRU) of University of East Anglia and targeted the communications of Professor Phil Jones and copied several thousand his documents and emails. These were then published to seize upon a discussion about a statistically insignificant data anomaly that demonstrated a seven-year digression from accepted climate trends.
The effect was two-fold: the ability to publish private and raw communications out of context allowed the hackers to target the reputation of a global expert. The secondary effect was ‘climategate’ and a probably deliberate effort to damage popular faith in scientists and their expert views on global climate change. In other words, to sow seeds of doubt of the existence and impact of the climate emergency.
The loss of political and public trust in climate science contributed to the failure of the negotiations in Copenhagen in December 2009 for COP15. It has been stated that the failure of COP15 set back global action on climate with the representation from Bangladesh commenting on how it will make us more vulnerable, more exposed to climate change.
The resulting media storm came to the attention of world leaders. Unfortunately, their response was to focus on the validity of the science and not on the reasons for the cyber-attack or even who the actors were behind the cyber-attack.
This was over ten years ago, so why are we talking about it now?
The world has moved on and the stakes are much higher. Most notably with the Covid-19 pandemic and subsequent vaccine. In December 2020, the European Medicines Agency (EMA) was attacked and vaccine approvals documentation was stolen, amended and the republished in an attempt to undermine trust in vaccines.
Cyber criminals are not just hacking into institutions to steal sensitive information to sell back to them but are stealing the information to amend, republish and undermine public trust, fuelling the cycle of mis- and mal-information.
Furthermore, the media coverage of the current climate conference will act as a reminder to those who, during ‘climategate,’ suffered the most repugnant abuse from email lynch mobs.
What is Oxford doing about this threat?
It is recognised that Business Email Compromise is one of the key attack vectors for cyber activity. Our Email Security and Simplification Project will seek to improve the security of all of our university email communications.
The first of the four project elements (cessation of indiscriminate auto-forwarding of email) has been delivered. The second element, the implementation of a widespread digital signing service (Domain Keys Identified Mail – DKIM) is underway with a pilot live in IT Services.
The next steps include the reduction of local email services which are not on Office365. This will allow the final step of the delivery of outbound privacy protection on our emails to reduce the likelihood of accidental data breaches.
