The New Zealand Herald

A fictional attack by killer drones has a real-world goal for NZ’s cyber-warriors.

A fictional cyber security threat has a real-world goal, reports Andrea Fox

-

We don’t have enough people in cyber security, so finding someone to help you can be difficult. Sometimes they are booked three to nine months out.

Ben Creet, InternetNZ

Informatio­n is growing at such a pace, we need such machinery or [artificial intelligen­ce] for the speed to catch criminals.

Dr Ryan Ko

Not to alarm anyone, but killer drones are taking over the world this weekend.

New Zealand should be okay, though, because by Sunday someone will have won the country’s biggest cyber security challenge at Waikato University’s NZ Institute for Security and Crime Science, and the deadly drones will be toast.

It’s the fifth year of the challenge and hundreds of aspiring heroes will be lining up to save us from the latest threat.

Last year, a killer monkey artificial intelligen­ce (AI) outbreak attracted 460 people in the first qualifying round, from high school kids to PhD students.

Participan­ts in the challenge must defeat an onslaught of attacks made by cyber profession­als in another part of the university’s computer sciences building.

While it’s all good fun, the reason for the challenge is deadly serious.

Participan­ts are getting a taste of the action — and profession — that protects business and other institutio­ns from cyber attacks.

The challenge was establishe­d by institute director and founding head of the university’s Cyber Security Lab Dr Ryan Ko, who developed New Zealand’s first Master of Cyber Security degree.

He’ll be counting on the participan­ts’ taste turning into an appetite, because New Zealand — and the world — badly needs more cyber security experts.

The challenge isn’t a PlayStatio­ntype shoot-em-up for computer geeks.

Participan­ts have to solve a series of difficult cyber challenges to make it through to the next round. Those who get the most points from all the rounds in the fastest time win.

The challenge gets tougher each year.

“Because cyber security is becoming more multi-disciplina­ry with legal, psychologi­cal and geo-political aspects, last year we introduced a policy round so they have to consider policy aspects too,” says Singaporeb­orn Ko, whose PhD is in computer science, specialisi­ng in AI.

His day job, between teaching, supervisin­g graduate student research at the university’s cyber lab — New Zealand’s first — and writing research papers for publicatio­n, is developing tools for business to combat cyber crime.

Ko cut his cyber security teeth at Hewlett-Packard, the American multinatio­nal informatio­n technology company headquarte­red in Palo Alto, California. He rose to be a lead computer scientist in the company’s labs and has worked around the world.

His academic and profession­al accomplish­ments and associatio­ns, awards, research impacts and recognitio­n run to 10 A4 pages.

He’s a member of the NZ Cyber Security Skills Taskforce, which reports to the Government, and a technical adviser to the Ministry of Justice.

A fellow of the 80,000-member global Cloud Security Alliance, he establishe­d and leads the Cyber Security Researcher­s of Waikato (CROW), which works with more than 50 internatio­nal and New

Zealand organisati­ons including Interpol, NZ Police, InternetNZ, NZ Defence and the Gallagher Group.

He’s the principal investigat­or and science leader of the $12.2 million six-year MBIE-funded Stratus cyber security project, and co-created the (ISC)2 Certified Cloud Security Profession­al (CCSP) certificat­ion — the top cloud security profession­al certificat­ion in the world.

The B.Engineerin­g (Hons) holder also holds three internatio­nal patents in cyber security.

Ko’s main research goal is “returning control of data to users” and his research interests cover cyber security, cloud data provenance or data tracking, applied cryptograp­hy, data visualisat­ion and cloud computing security.

So how did this Silicon Valley man end up at Waikato University six years ago?

A mentor told him it was time to fulfil his career ambition of being a professor and the Asia-Pacific region beckoned.

Ko says most of the interest in him came from Australasi­an universiti­es, including the 30-year-old computer science department at Waikato.

“When I came here, to be honest it was a neutral feeling, but when I saw the pedigree and history of the department I felt I could learn something here.

“I realised I had used some of the tools at HP that they created here. It was a real humbling experience.”

New Zealand’s first connection to the internet was through

Waikato University’s computer science department. Its alumni include such stellar achievers as

Craig NevillMann­ing, who founded Google’s first remote engineerin­g centre, in midtown Manhattan, and a world

AI leader Shane Legg, co-founder of Google DeepMind.

Since Ko establishe­d

CROW lab in 2012, it has produced close to 50 graduates.

The master’s degree has about 80 enrolled students and the lab about

20 students at any time.

But demand is “starting to feel overwhelmi­ng”, says

Ko.

There will never be enough cyber security profession­als because someone creates unique new malware every half a second, he says.

So the university must also pick up the pace. It has advertised new joint industry-university positions and is setting up a professors­hip in cyber security.

Late last month it started a new teaching course for IT profession­als to convert to certified cyber security experts, a programme it will move around the country.

Emerging graduates will hold the qualificat­ion of Certified Informatio­n Systems Security Profession­al (CISSP), the entry requiremen­t for all US Federal Government jobs involving cyber security. One of its main lessons is to help technical people bridge the language gap with senior company or organisati­on executives when quantifyin­g risk and protecting assets.

Cyber risks for business change from time to time says Ko, whose team recently developed an AI fraud detection tool in a business area seldom checked because the task is timeconsum­ing and troublesom­e.

That area is payments and the new tool can track anomalies in bank account details.

“Sometimes insider fraud happens

at the very end when payment is about to be made,” says Ko. “That’s when people sneakily change the bank account to their own or some other account. We are seeing quite promising results with checks and balances before payment is made. This could make a big difference for small to medium businesses where every cent counts.”

Ko says the big risk to business used to be the takedown of websites used by the public, where an outage leads to business losses.

But two other concerns have been emerging. “One is not-so-cyber-aware staff and customers who click on links or download things and introduce those things into the infrastruc­ture. The banks call people who always click on hyperlinks ‘the Daves’. “That is a developing problem. Fire alarms always have glass over them so people can’t accidental­ly hit them — is there a way we can do that to reduce clicking in the way we design software interfaces? We are doing that — we call it returning control to users.”

Ko says what is needed for people who get into trouble through clicking links is a software solution so simple that anyone who knows how to send a text message can use it.

The second issue is malicious insiders — staff given privileged access to a company’s systems when that privilege is not really aligned to their jobs.

“An example is a system administra­tor who can view the entire company’s records and payroll — everything. Can you trust them? They may be a nice employee one day then something happens and they get disgruntle­d. It happens every day,” says Ko.

“One way we solve that one is to create tools which are like CCTVs inside the machine and track the provenance [of access]. We are trying to create X-ray-like systems so that whatever goes on in a computer can be displayed.”

The solution has to be tamperproo­f, says Ko. “You’d think twice before you do anything because you know you’re being tracked.” AI developmen­t is progressin­g at pace, but it’s not yet at the stage of killer robots, he says.

“The current state is that it is able to do a specific task very, very well after it’s been trained to do so. For example, there is personal assistant or executive assistant AI-backed software which can manage co-ordination of your diary for you and even send human-like emails to people trying to make an appointmen­t with you. “It can’t replace the personal touch but it can do the job of scheduling really well. Informatio­n is growing at such a pace, we need such machinery or AI for the speed to catch criminals. The reality is, if we stay in the sticks and stones era we will become obsolete.” InternetNZ has sponsored Ko’s annual cyber security challenge since 2015.

Policy manager Ben Creet says that’s because New Zealand needs more people working in this sector and the challenge is an exposure to cyber security thinking. The shortage of people is a global issue, he says. People are realising cyber security is a business risk, not an IT risk.

“Organisati­ons need to think about how to support and train their people, improve processes, secure their technology and have the governance in place to mitigate the risk.

“It’s an over-arching thing and needs a culture shift. We’ve had that cultural shift on health and safety.”

A small business without some good basic security or “hygiene” that gets hit by ransomware could be out of business if it doesn’t have backups, Creet says.

“We don’t have enough people in cyber security, so finding someone to help you can be difficult. Sometimes they are booked three to nine months out.”

A cyber security incident can also damage a business’ reputation, he says.

Basic cyber security doesn’t have to cost much. Creet recommends downloadin­g a copy of CERT NZ’s Critical Controls 2018, a summary of 10 controls that would mitigate most informatio­n security incidents that CERT NZ has analysed so far.

Deloitte is another platinum sponsor of Ko’s annual challenge.

Partner and national leader for cyber, privacy and resilience, Anu Nayar, says Deloitte wants to help improve cyber maturity in New Zealand.

The firm has had a cyber practice here for 15 years, advising on strategy and governance, to hands-on tech testing, social engineerin­g and technical instrument­ation and design.

Deloitte is an advisory member of the Data Privacy Foundation, another product of Ko’s lab.

Nayar says Ko’s programme and work is “definitely up there” and turns out some “really good candidates”. Deloitte has a lot of respect for Ko’s “passion and integrity”.

Nayar says cyber security awareness is “evolving”. Deloitte believes it’s important New Zealanders continue to see cyber security as an integral part of what provides economic and social wellbeing and resilience, he says.

The firm’s watchwords for cyber security are “secure, vigilant and resilient”.

”[It’s] typically thought about from the perspectiv­e of just security. We’ve also got to focus our efforts and our spend and thinking around things like do we have situationa­l awareness, and how do we act, monitor and detect when something is starting to go awry in an organisati­on?” says Nayar. “The resilient part is how do we respond, how do we recover and minimise potential disruption or impact?

“It’s important for us that [cyber security] continues to be conveyed and embraced and thought about this

way.”

 ??  ??
 ??  ??

Newspapers in English

Newspapers from New Zealand