ETSI’s annual flagship event on Cyber Security, the ETSI Security Conference, took place face-to-face from 16 to 19 October 2023 at ETSI, Sophia Antipolis, France, and gathered more than 200 people. This year the event focused on Security Research and Global Security Standards in action. The event also considered wider aspects such as attracting the next generation of cybersecurity standardisation professionals and supporting SMEs.
At the ETSI Security Conference 2023, we spoke to Dr. Claire Vishik, a founder and CTO of the startup Naiga, and a former Intel fellow/BU CTO. Her work focuses on Artificial Intelligence, hardware and network security, Trusted Computing, privacy-enhancing technologies, some aspects of cryptography and related global policy and trade issues. In this interview, we explore emerging trends, disruptive tech, and the future of cybersecurity.
Could you share your insights on how emerging trends in the cybersecurity field have changed in the past years?
Claire: Cybersecurity is a very dynamic field, the trends change and they remain the same. This is not untypical for a complex field like cybersecurity. What has emerged in the past 5-6 years is pretty unique, but it certainly has its roots in the earlier history of the cybersecurity field. Take the hybrid cloud, for instance. It used to be that everyone moved to the cloud, either public or private, but now it’s a combination because of the diversity of the attacks, the importance of having data close to the source, and some other issues. Now it is important to have a combination of on-premise and cloud environments which complicates the architecture but also improves security. Another trend that is not so positive is everything criminal, associated with cybersecurity provided as a service. This again is not new but it has developed to the extent that it has become commonplace. I first heard about it maybe 15 years ago when it was a novelty. Now, you can get ransomware as a service, you can get alerts as a service, and you can buy these services from malicious software specifically created for your task with excellent customer support everywhere. In fact, a few years ago, a young man, an 18-year-old, was arrested in the Middle East. He provided services to school children in the US where, when they didn’t want to take a test, he, through an automated script, phoned in a bomb alert. And then, there was no test. So, you can see the trends associated with moving to the cloud, providing everything as a service, incorporating artificial intelligence in security attacks, and massive automation of both defender activities and attacker activities. They have been there before, they have just escalated significantly. Today, artificial intelligence is probably the newest trend, as well as the automation of a lot of things, including building threat models based on software and architecture footprint.
They are going to change the picture in a few more years certainly and this is something that I am watching very closely.
In your opinion, which technologies are especially disruptive for cybersecurity, in the short term, and in the long term?
Claire: Long-term is usually very difficult to see because 10 years in technology time is something like 10 million years in the evolution time. Almost anything can happen, but when we look at what is going to be disruptive for cybersecurity, several things come to mind, probably short to medium-term. Those things are new technology, or rather at this point, scientific trends, looking at new ways to do things in cybersecurity that have the potential to become disruptive. One of them that comes to mind is approximate security. Approximation has been very popular in artificial intelligence, for instance, because it usually takes very little effort to do 80% of the task and then the effort goes to the more complicated 20% of the task, as we are attempting to save resources, cycles and energy. Approximation in a number of areas from artificial intelligence to biology has become extremely popular and very helpful. In security, however, it was believed for a long time that you need to match things exactly. Security technologies are based on precision. For instance, if you look at hashing algorithms like SHA, the difference of one byte is detected. So, in many situations, it is important to be very precise, and it is not mathematically possible not to be precise. But if you look at how this works with regard to energy consumption, in an average system, security consumes something like 40% of cycles even though it is not visible to anyone’s eye. So, eliminating in situations where it is not needed, those especially expensive 20% is important. And now there are cryptographic schemas and other security approaches, at least in research labs, for example, Queen’s University Belfast, that use approximation for security. So, I think, the more creative use of artificial intelligence, approximation, use of economics as a defence mechanism… Many years ago, we were discussing how economic disincentives can change the situation between the defenders and the attackers.
It’s difficult but not impossible to define it technically. For instance, all the spam mail used to predominately come from China. But at some point, there was a change in regulation there, and it became much more complicated to register a domain. Once this became a reality, the number of spam domains diminished significantly, and the volume of spam mail from that direction diminished as well. There were discussions early on about using disruption, rather than prevention to eliminate the incentive of attacking in many situations. For instance, when you detect something that approximates an attack, you throttle the bandwidth so that it’s difficult to do anything for the attacker. And if you look at the motivation for attackers, predominately, not exclusively, but predominately, they’re economic. Economic disincentives when they are well defined, and when they are directly linked to technology, probably will make a significant difference in time.
The demand for cybersecurity professionals is on the rise. How can an aspiring cybersecurity professional prepare for a career in cybersecurity? What can society do to alleviate the cybersecurity skills shortage?
Claire: This is the question everyone is struggling with, not just in cybersecurity, but in areas such as chip design and fabrication. How can we deal with it? First of all, raising the general level of exercise in cybersecurity is a good idea. No cybersecurity is practically taught in schools today, with a few exceptions. But when we conduct hacking camps for even elementary school students, there is a lot of interest, and they learn how to attack and how to protect properties. They begin to understand how it works. So, in order to create a situation in cybersecurity where you start developing specialised skills at a much higher level than you do today, will probably alleviate the skill shortage. It could also be done because it’s a practical field, in many areas, not exclusively, but predominantly, it could be done through more creative formulation of requirements. In the US government, recently the degree requirements were eliminated for cybersecurity professionals who are working on practical tasks because this is really practical preparation and it does not require a four-year degree. Planting the seeds of cybersecurity into general STEM education will certainly make a difference as well. When we were talking on various committees about how to change the education system in universities to ensure more cybersecurity experts, most people said you need to teach programming and security at the same time, you need to teach mechanical engineering and security at the same time, but I don’t think it’s realistic. Cybersecurity is very complex, it does not include only technical disciplines. What’s more realistic is to implement some kind of badge or certification as you are getting your degree. In many countries at this point, skills are in short supply, in STEM areas, there are short courses, 6 to 10 hours that you can take online and a certain number of those create a certification.
So, you have a better opportunity to get a job and, once you get a job, you have less to learn. Now, acquiring a certification early, before you obtain practical skills does not appear to me like a good idea – you will memorise some things, but you will not be able to use them creatively. I would say, wait until you know more.
What advice would you offer for young people, who are considering a career in cybersecurity? What different careers are available in cybersecurity?
Claire: That’s an excellent question. Cybersecurity comprises a lot of things, you can be a psychologist who studies reactions to cybersecurity, or a privacy professional – who is connected to cybersecurity, or you could work in the area of creating regulations, or conducting certifications of cybersecurity products, or you could be a hardcore technologist, you could be a cryptographer, you could be a security engineer, you could be a network security engineer. All of those things require specialised skills, on top of your core engineering skills. So, what would I say to young people who prepare for a career in security? Well, it’s a lot of things, you don’t need to be necessarily technical, but it is a technology field so make sure you have taken core technology classes in college or studied these classes independently because this information will come in handy. It’s also a very practical field, expertise comes with practice so don’t be afraid to start, even if you start as a junior professional because, in a few years, you will become an expert, knowing your area better than anyone else.
Regarding startups and new companies, what would you recommend or how would you advise them to incorporate cybersecurity from the ground up?
Claire: Well, I think that because all the startups, with a few exceptions, use systems, even if you decided to form a company that focuses on building homes, or plumbing or some areas of agriculture, there will be information, data, documents that you will need to handle, there will be areas associated with tax employment if you have employees. All of them require knowledge of cybersecurity and privacy. So, if you don’t have this knowledge yourself, make sure it is provided by specialists who are active in those fields. But, in technology startups, it has become a given that, in order to be operational, you need to incorporate cybersecurity from the beginning. One of my startups is a chips community that provides expertise sharing, interview training, as well as a lot of other more sophisticated services. We are going to release the first version of that in a couple of weeks. Really, a lot of cybersecurity areas are important there – you need to protect data and information, you need to protect the accounts, you need to set up authentication for users, you need to incorporate secure payment systems, and you need to make sure data privacy is taken into consideration. It’s not a security startup, but everything we do has a security component in it, and that is true for almost any technology startup out there.
We have discussed various aspects of cybersecurity. What would you say is the key takeaway or message that you would like to share?
Claire: An ancient Roman philosopher said, the importance of the problem is not in its solution, it’s in the strengths you acquire looking for that solution, and I think cybersecurity is just that. So many discoveries were made, and so many creative solutions came into being, sometimes not even associated with cybersecurity, in searching for this solution that will protect our assets and our users from cybersecurity threats. This is my takeaway. It’s a journey, looking for a solution, even if we don’t have a perfect solution yet, is rewarding, it’s important and it makes things better.