The academic year is well under way and students are settling in, but how well protected are universities against the cyber threat?
De Montfort University in Leicester has a Cyber Technology Institute, which 'provides high quality research and outstanding training and consultancy services in the fields of cyber security, software engineering and smart systems'.
We spoke to the Director, Professor Eerke Boiten, to get an insight into what sparked his interest in the world of cyber security. The interview considers where cyber security fits within education, warns universities what they ought to be prepared for, and speculates about what the future might look like.
As a professor in Cyber Security and Director of the Cyber Technology Institute, you must be passionate about the importance of this field. What initially attracted you to this subject?
A very academic but important problem: my previous work was in using mathematics and logic to prove that computer programs behave as specified, and I wanted to apply that approach to cryptographic algorithms, which turned out to be very hard.
Could you tell us about the kind of fraudulent activity universities may experience, and why university staff and students might be a target?
Financial fraud (e.g. fake demands for fees, or attacks on internet bank accounts), identity fraud, which may enable financial and other fraud. There have been reports of students being used as money mules for criminal gangs, passing on money.
Universities are large, complex, and fairly open organisations, with “important” communications coming from so many sides that it is relatively easy to construct convincing fraudulent messages.
They also tend to have large computer networks with a high variety of devices and systems attached, not all of them centrally controlled, which makes holes in the cyber defence more likely.
I personally recall falling victim to a phishing email with a malicious link when I was a student at university. What advice would you give to people starting out at university in terms of being cyber savvy and digitally protected?
Most students coming into university are relatively cyber savvy already, but they may not always be as cautious as they could be. Not being impulsive and giving it a little bit of thought before looking at an attachment in an unexpected email, or a link that is begging to be clicked. And of course keeping all aspects of their systems and devices updated.
With the growing relevance of being safe online in today’s digital climate, there’s a suggestion that cyber security should be taught in schools, to raise awareness early on. What are your thoughts on this?
I think it is unavoidable, and I believe it already happens as part of “internet safety”.
What kind of cyber security education system or programme would you like to see in place for young people in the future and why do you think it would work well? Could it take inspiration from your Cyber Technology Institute at De Montfort University?
To answer this question properly, you would need research in education related to cyber technology – we are in principle open to this, and we do look at psychological and other human factors in cyber security more broadly, but not specifically for education.
Considering data privacy is one of your research interests, what do you think about the following statement from Shoshana Zuboff, author of Age of Surveillance Capitalism: ‘Surveillance capitalism is an assault on human autonomy’?
I think it is a very credible statement – digital surveillance is currently in the process of transition from “merely” knowing everything to controlling everything.
Google Maps and, for some, Pokemon Go already influence where we drive and walk. Google Search determines much of where we gather our information. It is already happening, and with “smart cities” and connected vehicles it will gather pace.
Knowledge is power. Research by ProtectWise suggests “A…step would be to increase the cyber security learning opportunities available to millennials and post-millennials. This lack of awareness and opportunity shortage is directly feeding the pending and future skills shortage”. Do you think education will bring about a rise in young people wishing to pursue a career in cyber security?
I am not convinced that there is a lack of educational opportunities in cyber security for those wanting a career in the area. I am also not sure whether a higher baseline of cyber literacy will have much of an impact – numeracy lessons in school are probably not a main factor in recruiting mathematics students either.
We need to investigate more closely what it is about cyber security culture that mostly discourages females from engaging – if we solved the gender gap in cyber we could nearly double the workforce.
Speaking about the appeal of working in cyber security, Robert Herjavec claims “I don’t think many people realize what a great job this is. If you know cyber security, you have a guaranteed job. For life”. Do you agree and why?
Maybe, but as in many technical jobs, you would need to work hard to keep up with technical developments in order to be sure of an ongoing career.
For the foreseeable future, we will be building more and more complex systems whose components are not fully understood or don’t fit together seamlessly, and as a consequence there will be potential vulnerabilities leading to cyber attacks for a very long time indeed.
Finally, if you could describe the future of cyber security in 3 words, what would they be?
Security by design. Making sure that systems are secure, against a clearly specified model of attacker capabilities, as they are designed and built, rather than worrying about security as an afterthought. But there’s a fair bit of idealism in that – I’d be disappointed if the future of cyber security was “break and fix” for any longer.