The New Zealand Herald
A fictional attack by killer drones has a real-world goal for NZ’s cyber-warriors.
A fictional cyber security threat has a real-world goal, reports Andrea Fox
Not to alarm anyone, but killer drones are taking over the world this weekend.
New Zealand should be okay, though, because by Sunday someone will have won the country’s biggest cyber security challenge at Waikato University’s NZ Institute for Security and Crime Science, and the deadly drones will be toast.
It’s the fifth year of the challenge and hundreds of aspiring heroes will be lining up to save us from the latest threat.
Last year, a killer monkey artificial intelligence (AI) outbreak attracted 460 people in the first qualifying round, from high school kids to PhD students.
Participants in the challenge must defeat an onslaught of attacks made by cyber professionals in another part of the university’s computer sciences building.
While it’s all good fun, the reason for the challenge is deadly serious.
Participants are getting a taste of the action — and profession — that protects business and other institutions from cyber attacks.
The challenge was established by institute director and founding head of the university’s Cyber Security Lab Dr Ryan Ko, who developed New Zealand’s first Master of Cyber Security degree.
He’ll be counting on the participants’ taste turning into an appetite, because New Zealand — and the world — badly needs more cyber security experts.
The challenge isn’t a PlayStation-type shoot-em-up for computer geeks.
Participants have to solve a series of difficult cyber challenges to make it through to the next round. Those who get the most points from all the rounds in the fastest time win.
The challenge gets tougher each year.
“Because cyber security is becoming more multi-disciplinary with legal, psychological and geo-political aspects, last year we introduced a policy round so they have to consider policy aspects too,” says Singapore-born Ko, whose PhD is in computer science, specialising in AI.
His day job, between teaching, supervising graduate student research at the university’s cyber lab — New Zealand’s first — and writing research papers for publication, is developing tools for business to combat cyber crime.
Ko cut his cyber security teeth at Hewlett-Packard, the American multinational information technology company headquartered in Palo Alto, California. He rose to be a lead computer scientist in the company’s labs and has worked around the world.
His academic and professional accomplishments and associations, awards, research impacts and recognition run to 10 A4 pages.
He’s a member of the NZ Cyber Security Skills Taskforce, which reports to the Government, and a technical adviser to the Ministry of Justice.
A fellow of the 80,000-member global Cloud Security Alliance, he established and leads the Cyber Security Researchers of Waikato (CROW), which works with more than 50 international and New Zealand organisations including Interpol, NZ Police, InternetNZ, NZ Defence and the Gallagher Group.
He’s the principal investigator and science leader of the $12.2 million six-year MBIE-funded Stratus cyber security project, and co-created the (ISC)2 Certified Cloud Security Professional (CCSP) certification — the top cloud security professional certification in the world.
The B.Engineering (Hons) holder also holds three international patents in cyber security.
Ko’s main research goal is “returning control of data to users” and his research interests cover cyber security, cloud data provenance or data tracking, applied cryptography, data visualisation and cloud computing security.
So how did this Silicon Valley man end up at Waikato University six years ago?
A mentor told him it was time to fulfil his career ambition of being a professor and the Asia-Pacific region beckoned.
Ko says most of the interest in him came from Australasian universities, including the 30-year-old computer science department at Waikato.
“When I came here, to be honest it was a neutral feeling, but when I saw the pedigree and history of the department I felt I could learn something here.
“I realised I had used some of the tools at HP that they created here. It was a real humbling experience.”
New Zealand’s first connection to the internet was through Waikato University’s computer science department. Its alumni include such stellar achievers as Craig Nevill-Manning, who founded Google’s first remote engineering centre, in midtown Manhattan, and a world AI leader Shane Legg, co-founder of Google DeepMind.
Since Ko established CROW lab in 2012, it has produced close to 50 graduates.
The master’s degree has about 80 enrolled students and the lab about 20 students at any time.
But demand is “starting to feel overwhelming”, says
There will never be enough cyber security professionals because someone creates unique new malware every half a second, he says.
So the university must also pick up the pace. It has advertised new joint industry-university positions and is setting up a professorship in cyber security.
Late last month it started a new teaching course for IT professionals to convert to certified cyber security experts, a programme it will move around the country.
Emerging graduates will hold the qualification of Certified Information Systems Security Professional (CISSP), the entry requirement for all US Federal Government jobs involving cyber security. One of its main lessons is to help technical people bridge the language gap with senior company or organisation executives when quantifying risk and protecting assets.
Cyber risks for business change from time to time, says Ko, whose team recently developed an AI fraud detection tool in a business area seldom checked because the task is time-consuming and troublesome.
That area is payments and the new tool can track anomalies in bank account details.
“Sometimes insider fraud happens at the very end when payment is about to be made,” says Ko. “That’s when people sneakily change the bank account to their own or some other account. We are seeing quite promising results with checks and balances before payment is made. This could make a big difference for small to medium businesses where every cent counts.”
Ko says the big risk to business used to be the takedown of websites used by the public, where an outage leads to business losses.
But two other concerns have been emerging. “One is not-so-cyber-aware staff and customers who click on links or download things and introduce those things into the infrastructure. The banks call people who always click on hyperlinks ‘the Daves’.
“That is a developing problem. Fire alarms always have glass over them so people can’t accidentally hit them — is there a way we can do that to reduce clicking in the way we design software interfaces? We are doing that — we call it returning control to users.”
Ko says what is needed for people who get into trouble through clicking links is a software solution so simple that anyone who knows how to send a text message can use it.
The second issue is malicious insiders — staff given privileged access to a company’s systems when that privilege is not really aligned to their jobs.
“An example is a system administrator who can view the entire company’s records and payroll — everything. Can you trust them? They may be a nice employee one day then something happens and they get disgruntled. It happens every day,” says Ko.
“One way we solve that one is to create tools which are like CCTVs inside the machine and track the provenance [of access]. We are trying to create X-ray-like systems so that whatever goes on in a computer can be displayed.”
The solution has to be tamperproof, says Ko. “You’d think twice before you do anything because you know you’re being tracked.”
AI development is progressing at pace, but it’s not yet at the stage of killer robots, he says.
“The current state is that it is able to do a specific task very, very well after it’s been trained to do so. For example, there is personal assistant or executive assistant AI-backed software which can manage co-ordination of your diary for you and even send human-like emails to people trying to make an appointment with you.
“It can’t replace the personal touch but it can do the job of scheduling really well. Information is growing at such a pace, we need such machinery or AI for the speed to catch criminals. The reality is, if we stay in the sticks and stones era we will become obsolete.”
InternetNZ has sponsored Ko’s annual cyber security challenge since 2015.
Policy manager Ben Creet says that’s because New Zealand needs more people working in this sector and the challenge is an exposure to cyber security thinking. The shortage of people is a global issue, he says. People are realising cyber security is a business risk, not an IT risk.
“Organisations need to think about how to support and train their people, improve processes, secure their technology and have the governance in place to mitigate the risk.
“It’s an over-arching thing and needs a culture shift. We’ve had that cultural shift on health and safety.”
A small business without some good basic security or “hygiene” that gets hit by ransomware could be out of business if it doesn’t have backups, Creet says.
“We don’t have enough people in cyber security, so finding someone to help you can be difficult. Sometimes they are booked three to nine months out.”
A cyber security incident can also damage a business’ reputation, he says.
Basic cyber security doesn’t have to cost much. Creet recommends downloading a copy of CERT NZ’s Critical Controls 2018, a summary of 10 controls that would mitigate most information security incidents that CERT NZ has analysed so far.
Deloitte is another platinum sponsor of Ko’s annual challenge.
Partner and national leader for cyber, privacy and resilience, Anu Nayar, says Deloitte wants to help improve cyber maturity in New Zealand.
The firm has had a cyber practice here for 15 years, advising on strategy and governance, to hands-on tech testing, social engineering and technical instrumentation and design.
Deloitte is an advisory member of the Data Privacy Foundation, another product of Ko’s lab.
Nayar says Ko’s programme and work is “definitely up there” and turns out some “really good candidates”. Deloitte has a lot of respect for Ko’s “passion and integrity”.
Nayar says cyber security awareness is “evolving”. Deloitte believes it’s important New Zealanders continue to see cyber security as an integral part of what provides economic and social wellbeing and resilience, he says.
The firm’s watchwords for cyber security are “secure, vigilant and resilient”.
“[It’s] typically thought about from the perspective of just security. We’ve also got to focus our efforts and our spend and thinking around things like do we have situational awareness, and how do we act, monitor and detect when something is starting to go awry in an organisation?” says Nayar. “The resilient part is how do we respond, how do we recover and minimise potential disruption or impact?
“It’s important for us that [cyber security] continues to be conveyed and embraced and thought about this