City University London: Cyber security issues in the world
City University’s Institute of Cybersecurity is described as being a place which takes the real problems from the outside world and solves them, via scientific research, as well as from a commercial angle. The department works with research and government agencies, as well as with industry to try to solve some of the most cutting edge, real-world problems in terms of the exponential growth of cyber security.
Its head, Professor Muttukrishnan Rajarajan, says some of its uniqueness lies in the fact that the institute has several ‘spin offs’ which means its research is then taken into the commercial world, something that not many similar institutes do. He adds another uniqueness is being able to search through big data when it is protected in a privacy preserving manner.
This particular centre was established some 20 years ago when Prof Rajarajan joined as an academic and since then, he says, it has evolved as a centre for security in information security and now cybersecurity.
“Because many of the projects we pick up have multidisciplinary angles and we realised that we needed expertise from right across the University and not just a few technical people trying to solve problems. We needed to get expertise from psychologists and lawyers, which was very interesting because when it comes to cyber-attacks you can understand better the behaviours of people who can turn from a decent citizen into a threat actor. We pretty much bring people together from very different backgrounds and expertise which also enables us to come up with more creativity and innovation at the same time,” explains Muttukrishnan.
Real aims and objectives
Muttukrishnan keeps it simple by saying the main aim was for the department to help fight against the many cyberattacks they see, so it continues to build systems and techniques to safeguard the cities and corporates around the UK and counter what he calls cyber terrorism.
He offers an example: “We worked on a European Commission project called Red Alert by which we tried to understand via social media how terrorists are radicalised over a period of time. We studied data from across many European countries, several social media platforms and in ten different languages to see how over a period of time how people’s mindsets were influenced by specific groups. It gave us a lot of insight into understanding the attitudes and behaviours.”
And he adds the reasons for the radicalisation was based on political ambitions rather than financial, which is the other main reason for attacks such as ransomware. However, the tendency for hybrid and remote working and employees being given various devices over which employers then have no control over is another omnipresent challenge. “These are insider threats, not outsider ones, so another big issue to try to solve,” he says.
He mentions a company called Crossword, a cybersecurity company which was formed by a product which came out of the Institute for Cybersecurity. Crossword has been involved in the digital verifiable credentials for Covid passports for travel. It is a company which has worked with many universities across the UK, similarly to City University of London, which also translates research into commercial products. Muttukrishnan describes such innovative start-ups as the way to address the very many cyber security challenges in the world today.
The evolution of data mining and blockchain.
Muttukrishnan says there is a new hot topic in this field of technology, known as federated learning. This is when tech companies, including the giants such as Google, Facebook and Microsoft analyse and mine data without actually ‘getting hold’ of it. It is about providing the answers to the mining questions without revealing personal data itself and the owner keeps control of it and how it’s being processed. “The idea behind federated learning is to offer full privacy and preserve data mining both at the same time,” he says.
The evolution of multiple blockchain platforms in recent years has presented another challenge in terms of how we work across them and enable them to also work together, according to Muttukrishnan. He added this was exacerbated by the way the technology was growing.
“The number of blocks is increasing,” he says. “This means when it comes to something like green computing, you need to somehow minimise the amount of computing power needed to mine all the blocks. One of the ways it’s being done is minimising the amount of blocks needed in a typical blockchain and therefore reducing the amount of computational power required.”
Security in terms of identity and historical data
Muttukrishnan explains that nowadays, tech giants such as Facebook and Google can be asked to delete certain historical data, like mistakes made when growing up, so they don’t have an impact as people grow older and affect their employability and social recognition.
“GDPR has enabled this, as it now allows the owner to request for historical information from these types of platforms. It is the same for data being shared with third parties, people can request to see how and with whom it is being shared”.
He went on to say that, on top of this, the major browsing companies change their privacy policies very regularly, such as cookie preferences. This has also been because of GDPR and the number of fines they can receive if there are any breaches. More hefty penalties are now coming in from different bodies, such as the UK’s Information Commissioner’s Office.”
Muttukrishnan emphasises the importance of multifactor authentication as a good way forward as the new technology in this space removes the need for passwords which people either forget or do not change regularly enough.
He says: “The beauty of multifactor authentication is, it allows you to use features such as gait and facial features which are things which are very hard to steal in real time. It can be used alongside biometrics, which we call multimodal modalities, which looks into how people run and even how they use their phones, and what for, as well as the environment they are in, background noise etc. This is an area known as continuous authentication.”
But, he says, this goes further. By combining behavioural biometrics together with physical biometrics, such as voice and face, he says we can achieve very unique patterns for each individual. And adds even identical twins don’t have the same voice patterns.
The power of partnerships
Muttukrishnan firstly cites mainstay telco BT as one of the department’s closest partners of more than ten years. The City University department has worked with the company sponsoring their PhD students who are still employed and leading security teams in areas of cloud, IoT and continuous authentication. He says he also has students sponsored through another mainstay, Huawei.
But, he says, the department also works with innovative start-ups, helping them to build their products so they can then scale them up when they start to get better revenues. He describes building such varied relationships as an artform which comes through good networking skills and maintaining credibility.
“It’s a combination of people recognising you as someone who has specific skills and how to approach you, say in industry forums and also through interactions and collaborations going forward. The relationships you already have can be used to create new and extended ones. It can be at a slow, organic pace but it is the best way. That’s because especially in the cyber security industry there is a lot of snake oil.”
He sees the future of partnerships being long term with organisations like the National Cyber Security Centre (NCSC), as well as the innovative newcomers involved in such technology as facial recognition systems, and place the department’s Masters and PhD students into them to help them grow.
The future of the cybersecurity industry, both near term and further afield
Apart from ransomware, a cyber skills shortage in schools is a growing issue, according to Muttukrishnan and says there are not enough students at school level taking up subjects such as maths and physics, which are fundamental for translating into good cybersecurity. He says this is something he is promoting across schools around the country.
“We have a huge shortage in terms of machine learning, data science and cybersecurity and are still depending a lot on foreign players to back this up. Especially in cyber, if you don’t have the internal skills then there is going to be a big challenge going forward, because other countries around the world have made big investments and the UK is not able to keep up.”
He concludes that he believes the cyber security skills gap is probably the biggest challenge of the current time and that as a country we need to do more to address this. He gave an example as the apprenticeship programme, training people up while they are on the job, then fast tracking the candidates into the industry.
“One way is going back to having strategic partnerships with industry, something that I am trying to do. We are trying to build relationships with big consultancies, security providers and also SMEs and train graduates then make it more attractive by offering internships, placement and projects sponsored through industry.
Then we will have more skillsets that will be able to fill the gaps that are out there now and not just in the UK, it’s a global issue and has been for quite some time.”