In the second story in a series on the future of work, Alex Braae looks at the vulnerability of our data, and the cyber security industry whose job it is to protect it.
About a year ago, a Californian company started crowdfunding for the Smalt – a ‘smart salt dispenser.’ It streams music, helps you monitor your salt intake, and can even set the mood with muted, romantic lighting. It potentially even dispenses salt. How does it do all of these wondrous things? By being hooked up to your smartphone, and controllable through Amazon’s Alexa voice activation.
This makes it part of the burgeoning field of products that make up the so-called Internet of Things (IOT). The Internet of Things is a term to describe a range of interconnected devices that get hooked up to both the wifi network, and each other, and then they communicate. It’s your smartphone, your smartwatch; you can even connect your scales and mirror, and ask Siri or Alexa to play you music or read you the news. It apparently makes life more convenient, somehow. But products like this can also cause serious concerns for cybersecurity experts and technicians, because they can open up all sorts of unintended vulnerabilities.
“Why on heaven’s earth would you need that?” asked Dr Christian Probst, the director of Unitec’s High Technology Transdisciplinary Research Network, when he heard about the Smalt for the first time. He says his colleagues have always been aware of the threats that can be leveraged through IOT devices because they’re generally not well protected, but those concerns haven’t necessarily filtered down to the general public.
Part of the reason why a device like this is so attractive to consumers is because it can network up to other devices in a wide range of ways. But it’s precisely that networking that makes IOT devices vulnerable. You might not mind if a hacker can gain access to your salt shaker (unless you’re particularly worried about cholesterol) , but if that hacker can use that connection to gain access to other devices – like a smartphone in which you also have emails, a banking app and personal photos – then that’s a lot more concerning.
Organisations are being forced to become more aware of these vulnerabilities in device networking as well. An infamous example of this came from the USA, where a casino installed a ‘smart fish tank,’ which was connected to the internet so that water temperature and salinity could be monitored, and fish feeding could happen automatically. Unfortunately, hackers exploited that connection through a vulnerability in the thermostat, and managed to slip away with 10 gigabytes of the casino’s data.
They’re questions that businesses, government departments and other organisations will increasingly have to grapple with. An enormous amount of data is now stored by all sorts of places, from mailing lists, to bank and credit card details, to names, addresses and phone numbers. Sometimes the data breaches reveal information that nobody would want in the public domain, such as in 2012 when more than a million credit card numbers were put at risk after a hack of US payment processing firm Global Payments. And sometimes, like in the case of the notorious infidelity website Ashley Madison, simply being among the email addresses released was enough to cause some users significant embarrassment.
To prevent these security breaches of our data, specialists are required in an increasingly broad array of industries. Dr Probst says these people need to have a fundamental understanding of how to develop programmes that behave securely, know how to treat data in the right way, know how to encrypt data and protect it against leakage, and how to create systems that can communicate with each other without leaking data. He says “calling such systems unhackable is wrong, because there’s no such thing, but are at least hardened in a way that makes it very difficult to hack them.”
Dr Probst says every organisation needs to have an understanding of the risk assessment process around data and cybersecurity, which will mean having people employed in specialist positions. And the demand far outstrips the supply of trained people – a recent report from cybersecurity firm McAfee about the global job market for experts showed people skilled in “intrusion detection, secure software development, and attack mitigation” were in critically short supply, and that people with these skills could expect to earn well above the market average for IT professionals.
That’s good news for Dr Probst, who helps train the next generation of cybersecurity professionals at Unitec’s Cyber Security Research Centre – the first such institution of its kind in New Zealand. Students there work on real world problems, and Dr Probst is responsible for going out and talking to companies who need solutions, which helps get the students ready for work straight away. It also helps the researchers understand how the field is changing, “so they get out and get their hands dirty, and work on something that is needed for society,” says Dr Probst.
One of the fundamental rules of cybersecurity that remains true to this day is that weaknesses are not necessarily technological – it’s often human. Email scams that result in unsuspecting lay people exposing their data, or downloading malware, can compromise entire networks. And in many of those cases, it’s completely outside of anyone but the recipient’s control as to how successful the scam is.
Last year, the IRD warned about a “very sophisticated” attack in which people were sent convincing looking emails, using the lure of a tax refund to get marks to input their financial details. There’s very little the IRD can do to prevent people from falling for it, short of putting out warnings and reiterating safety messages. That all means it’s ultimately up to individuals to be aware that they might be being tricked – or as it is described in technical terms – fall victims to phishing.
Other types of cyber attacks take more technical forms, such a Dedicated Denial of Service attacks – often termed DDOS. This is basically when websites or networks are flooded with requests – often made by bots – to the point where the server is overwhelmed, and it crashes. Another common type of attack that can leave people exposed is through the use of keylogger software, which tracks what keys are typed when. That can make it incredibly easy to work out what a password is (just look at whatever was typed after a known username) and is a real risk for people using public computer terminals.
So is New Zealand behind the curve on cybersecurity? Dr Probst says it’s not so much a matter of New Zealand being backwards, but that we aren’t being noticed by bad actors and hackers quite so much as other countries are. “Even so, our government is doing everything to put New Zealand on the map, and rightly so,” said Dr Probst. That means that with greater connectivity to the rest of the world, that will change, and local experts will be in high demand to help the country keep pace.
Unitec offers a friendly and diverse learning environment with flexible study programmes, lots of support, and hands-on experience to build the skills you need for your future. So if you want a career – professional, vocational or trade – then visit unitec.ac.nz and apply today.