In the coming months, we will take a closer look at the field of Cybersecurity. What is the current situation in research, politics, industry and what can we as citizens do to be more resilient? For the first blog post, we interviewed Sokratis Katsikas, Director of the Norwegian Center for Cybersecurity in Critical Sectors and Professor at the Norwegian University of Science and Technology (NTNU).
Sokratis Katsikas lives at times in Norway and at times in his home country Greece – depending on the season. He has led or participated in more than 60 funded national and international Research & Development projects and published more than 300 books, book chapters, journal papers, and papers in conference proceedings. Next to his academic career in Norway, he recently joined the Greek Government as expert minister (ad interim). I met him thanks to the Cyber Resilience Network for the Canton of Zurich (CYRENZH, see box at the end of the page), which invited him as a speaker for the event “Towards cyber-resilient critical infrastructures and societies”.
Since you started your research on cybersecurity, what has changed?
Sokratis Katsikas: Well, my first paper was published in 1987, so many things changed since then. To start with, it was not called “cybersecurity” in these days, but “information security”. The term cybersecurity came up somewhen in the past 10 years. Also, back in the late 80s and early 90s information security was not considered to be a scientific field but mostly a professional one. Only when the Internet became a commodity of everyday life, and information security affected everyone, academia and governments took interest in it. And of course, during the time I conducted research on cybersecurity, there was a lot of development in technology, as well as an increase in criminal activity.
Did you know? The representative “Crime Survey 2022” by the Zurich University of Applied Sciences and the University of St. Gallen shows that in Switzerland, one in seven people (14.6 %) had been the victim of a cybercrime offence at least once between 2017 and 2022. This is much higher than the number reported in the “Crime Survey 2015” (6.6%). The study also found that the number of unreported cases is high and that 2022 most cases involved the hacking of social media and mail accounts. Source: Markwalder, N., Biberstein, L., & Baier, D. (2023). Cybercrime gegen Privatpersonen in der Schweiz : Ergebnisse des Crimesurvey 2022 | ZHAW digitalcollection (pp.113-130) |
When talking about criminal activity: What are the biggest threats nowadays?
Some trends are stable, but in general the ranking of cybersecurity threats changes every year. There exist several different reports, and each has its own ranking. For instance, many industry-reports ranked malware as the biggest threat in the last years, but now it’s on the fourth place. In the ENISA Threat Landscape (ETL) report, the annual report of the European Union Agency for Cybersecurity, the attacks against critical infrastructure are now on the first place – more specifically the cyber-physical type of attack. These types of attack are launched in cyber-space but have a tangible effect in the physical world. For example, a digital attack on an energy system that shuts down as a result. We have seen an increase in these attacks against Ukraine, that are allegedly state sponsored. From 2019 to 2020 the serious incidents and attacks tripled.
Since the cyber space is international, is the response internationally coordinated?
Cyber space is indeed international, but on the other hand you can assign national “borders” – more abstract than those on land, sea and air space. When you think of countries that limit access to the web, this invisible “border” is in place. This means that cyberspace is the 4th kind of national space, that countries need to defend. The fact that it is more international than the other spaces adds complexity, but should not hinder nations to do everything they can to defend it. In case of cyberattacks on a national level, I think we can place similar trust in the defenders of all the national spaces – there is no reason to fear. On an individual or company-level we all share the responsibility of protecting ourselves.
Are there many differences between Norway and Switzerland concerning cybersecurity?
Across Europe there are more similarities than differences how to treat cybersecurity. When looking at our research agendas, they are international. The European framework programs of the European Union are well defined, much of these are on the security of critical infrastructure to make them more resilient. On a national level, the countries in Europe align more or less with the priorities of the EU. What experts realized is that systems will be attacked and sometimes successfully – we are past the ability to fully protect them. Therefore, we are not looking for designing just secure systems, but resilient ones. This change in the attitude has taken place not only in research, but in cybersecurity at large: on the strategic level, policy level and so on.
Does this mean we can never catch up with criminals – in methods and numbers?
If we try to be one step ahead of criminals, then that is a lost battle. Just imagine: the defenders have to cover all the weak spots, while the criminal needs only one unguarded spot in the system. We are always behind the sophisticated attackers. That is why the strategy is to prepare for the eventuality of an attack, because it will happen. We make our systems resilient, not only secure, so that the systems work also during attacks, are quickly restored and no serious damage is done. When talking about numbers: yes, there is a big deficit in security personnel and a skills gap. But I think that we can overcome this, using the same recipe we used with the IT skills gap: we should increase educational programs in cybersecurity and come up with conversion courses.
Expected development: Worldwide, there will be a shortage of qualified personnel in the ICT sector in the coming years. In Switzerland, according to ICT-Berufsbildung Schweiz, there will be a shortage of almost 20% of the demand for qualified ICT personnel in 2026, of which up to 25% will be in the security sector. […] Innovative and agile ways of working as well as attractive working methods will make it possible to recruit qualified personnel and a higher proportion of women. Source: Strategie Cyber VBS (admin.ch) (13-15) |
What is the relationship between artificial intelligence (AI) and cybersecurity?
On the one hand you have AI that can improve cybersecurity, and on the other hand there is cybersecurity for AI, as AI has its own cybersecurity problems. When you focus on AI for cybersecurity, there are two branches: AI for defensive and offensive cybersecurity. Looking at the other side of the coin: also, criminals use AI to design attacks, and AI itself can be attacked. When this happens, we cannot trust the outcomes of the AI. Usually in attacks, the first step of the criminal is to get hold of legitimate credentials, which is often done through phishing [Phishing is a form of social engineering and scam where attackers deceive people into revealing sensitive information or installing malware such as ransomware]. The methods are now more sophisticated thanks to AI. AI has for example been used to mix up different facial features that resulted in look-alikes that could pass through border control or facial recognition software.
What can we do at an individual level, what are your personal tips?
I employ a zero-trust approach to everything that comes out of the internet. I do trust people, but still, I think the zero-trust approach is the safest one. Especially if one is not trained as a cybersecurity expert. I would suggest to always think twice before you click on something. It is so easy to just click – I almost fell for it myself.
Cybersecurity at ZHAW: Upcoming events: – “Cybersecurity – Training by Gaming?”, 09.11.2023, 16:30-19:30. – “Kenneth Paterson: Cryptography in the Wild”, 23.11.2023, 16:30-19:00. – “Digital Futures: AI and Cybersecurity”, 30.11.2023, 16:30-18:30. – “1 Year CYREN – Update + Future Questions”, 24.01.2024, 16:00-19:30. – Internal events: ICT «Mission Security» Institutes, networks: – CYRENZH is a joint DIZH-project by experts from ZHAW and University of Zurich that conducts research, develops education programs, establishes a volunteer network and organises events. – Institute of Applied Information Technology, School of Engineering: Information Security. Topics: Software Security, Cyber Attacks and Defense – Institute of Applied Mathematics and Physics, School of Engineering: Safety-Critical Systems Research Lab – Institute of Embedded Systems (InES), School of Engineering – Institute of Business Information Technology, School of Management and Law: Center for Process Management & Information Security. – Institute of Delinquency and Crime Prevention, School of Social Work: Focus on digital crime Continuing education: – CAS Angewandte IT Sicherheit – CAS Cyber Security – CAS Datenschutzberater:in – CAS Integriertes Risikomanagement – WBK Security in Embedded Systems |