There are two types of companies in the world: those who’ve been hacked and those who don’t know they’ve been hacked.
These were the words of Courtney Gibson, a University of Toronto adjunct professor and security expert. Speaking during a panel discussion, “Understanding Technical Capabilities & Vulnerabilities in Cyberspace,” Gibson explained that hackers, usually state-sponsored, regularly steal data from companies and governments.
“We’ve seen, recently, a slew of medical devices that have been found to have poor security,” Gibson said. “And you can go online and, with various search engines, find ten thousand industrial control systems that have been poorly secured.”
The panel was part of “Decoding the Digital Debate,” a daylong conference held on March 31 at the Munk School of Global Affairs. The event was organized by a team of Master of Global Affairs (MGA) students, including Creed Atkinson and Nicole Gladstone, both in their second year of the program.
“We organized this event because we found there was a lack of cross-discipline dialogue on how the term ‘cyber’ can mean different things to various actors,” said Atkinson and Gladstone in a joint statement. “In starting that conversation, it was important for us to have participation from those working in academia, government and the private sector and civil society.”
MGA students Gabrielle Lim and Alessandra Jenkins rounded out the planning committee, which was overseen by Jon Lindsay, assistant professor of digital media and global affairs at the Munk School.
A theme of the day was the need for multi-disciplinary collaboration to create protocols for security, free speech and privacy.
In a world where Russia and China are suspected of regularly hacking U.S. federal government computers, Gibson said that companies don’t have high standards to maintain security, don’t nurture cultures to build security and don’t collaborate internationally to defend themselves.
Nart Villeneuve, a former Citizen Lab researcher who now works for a company that defends against online security breaches, outlined some of the major security threats –and solutions for them.
“Simply tricking people is still the most common security breach,” Villeneuve said. “There’s no technical patch for human stupidity.” Still, beyond that, hackers exploit security holes in software from Microsoft, Yahoo and others. “Some hackers have better software than nation-states,” he explained.
Solutions for all this won’t depend mainly on engineers. Multi-disciplinary international collaborations are needed. “My company, based in Canada, has Cloud-based services on machines in the U.S. that get attacked by a machine in China that’s run by somebody in the Ukraine,” Gibson said. “Trying to follow that chain is a jurisdictional nightmare.”
And finding out exactly who’s responsible for an attack is near impossible. Experts like Villeneuve categorize attacks by threat group, not by individual. For example, attacks using techniques associated with Russia contain the word “bear,” as in “Cozy Bear” and “Fancy Bear” (the hackers that infiltrated Hilary Clinton’s email servers in 2016).
Villeneuve outlined three steps to preventing security breaches, starting with user education. “It’s critical to start young, especially because kids are vulnerable online,” he said. Second, security technology, such as encryption, needs to be easier to use. “It’s ridiculous how complicated it is to encrypt email,” he said. Third, he explained that policy development would go a long way to reducing attacks.
Students in attendance agreed with this multi-disciplinary approach.
“This type of event is very useful, because it brings together different people and disciplines,” said U of T student Lennart Maschmeyer, who’s working on a PhD in political science specializing in cybersecurity. “My discipline (political science) is constrained by traditional thinking. The only way to go beyond that is by collaborating with different disciplines. We need software engineers to explain how technology works, but we need people with political understanding to look into what that means for policy and society.”
Soheil Milani, a first-year MGA candidate, agreed. “It was encouraging to see people who understand the social and political aspects – people who have worked at the Munk School and have gone on to work at the cutting edge of technology.”
April 7, 2017