In the wake of global cyberattacks and data leaks in the public sector, how can organizations around the world confront cyber vulnerabilities in their infrastructure?
At a June 1 event titled, “The Future of Cybersecurity,” a panel of experienced information security experts shared insights about cyberthreats that have arisen from the digital revolution, and how cybersecurity practitioners can help organizations mitigate risks as today’s hacks become more hazardous, complex, and widespread.
The event, which was co-sponsored by the Fordham Center for Cybersecurity and the Graduate School of Arts and Sciences (GSAS), was also a celebration of the launch of the center and the University’s recent designation as a National Center of Academic Excellence in Cyber Defense Education (CAE-CDE) by the National Security Agency and the Department of Homeland Security.
Joseph M. McShane, S.J., president of Fordham, said the event aligned with Fordham’s mission of promoting wisdom and learning in the new century.
“Cybersecurity is also a perfect example of a 21st-century discipline, or a cluster of disciplines that require multiple avenues of research to be fully grasped,” he said.
Thaier Hayajneh, Ph.D., director of Fordham’s Center for Cybersecurity, said the center seeks to make cybersecurity a major focus everywhere, both “in the institution and beyond it.”
Eva Badowska, Ph.D., dean of GSAS, said the center aims to help create a society that’s safe from cyberattacks without compromising the virtues that it stands for, including privacy, individual rights, democracy, and ethics.
“While we’re creating and educating intellectuals and experts in the area, we’re also going to be contributing to an area of research that is going to help us build better systems,” she said.
A “people and operations” issue
Panelists said the recent ransomware known, as “WannaCry,” which affected about 40 National Health Service (NHS) organizations and more than 200,000 computers in at least 150 countries, was a wake-up call to organizations that neglect “patching,” or routine security updates. Without these types of updates, which aim to fix vulnerabilities in software and operating systems, many users are open to malicious hacks, the panelists said.
Nick Levay, chief information security officer of the Council on Foreign Relations, said many users were also still operating the out-of-date Windows XP, which had seized deploying patches in 2014.
“The bedrock [to]build a security program on is really a good operational practice,” said Levay.
Lance James, chief scientist at Flashpoint, a global Business Risk Intelligence (BRI) company, said some cybersecurity breaches “were not a technology problem,” but a “people and operations issue.” He argued that attacks like “WannaCry” are similar to a server failure, and require just as much preparation.
“The impact is the same,” he said. “It’s trying to lock you down and shut you out.”
Assessing and mitigating risks
From the medical field to the financial sector, cybersecurity has become an issue across industries. Thomas Ryan, a software security solutions architect at Hewlett Packard Enterprise, said that in recent years, many medical equipment and devices like insulin pumps, pacemakers, and defibrillators have been crippled by cyberthreats, because manufacturers don’t always assess cyber flaws effectively.
“Everybody thinks there’s a silver bullet,” he said.
Levay said support people often create applications that aren’t ‘upgradeable,’ which poses a security risk.
“I like to remind my applications people that they’re on the front line,” he said. “We’re going to find problems, and they can fix them. But if we can’t get those fixes out there, then we’ve got a problem.”
According to the panelists, cybersecurity isn’t just about securing networks and computers; it’s also about securing business and processes. But Joel Rosenblatt, director of computer and network security at Columbia University, cautioned against developing elaborate systems that cost more than the value of what is being protected.
“Understand where you are and what you’re trying to do, and make sure that what you’re securing matches your environment,” he said.
Mapping the future of cybersecurity
As the cybersecurity field expands, James said he is particularly excited about machine learning, an application of artificial intelligence using algorithms, as well as longstanding practices like cryptography.
“That’s going to introduce innovation,” he said, adding that analytical skills are valuable in the field.
Panelists said a practitioner’s ability investigate and identify threats, and provide key metrics about detection, mitigation, and containment, can help to improve how organizations respond to cyberattacks. While many organizations are aware that cyberattacks exist, today’s cybersecurity professionals must go beyond awareness to create a culture of cybersecurity in the workplace.
“It’s always the people, the process and [then]the technology,” said Ryan.