Interview with Ryan Ko – University of Waikato

Ryan Ko, Associate Professor within the Faculty of Computing and Mathematical Sciences, University of Waikato

Ryan KoRyan Ko is an Associate Professor within the Faculty of Computing and Mathematical Sciences at the University of Waikato. Ryan is also the Director of the New Zealand Institute for Security and Crime Science, and Head of the Cyber Security Lab. He is a member of the Cyber Security Skills Taskforce, established and leads the Cyber Security Researchers of Waikato (CROW) and is also a Fellow of the Cloud Security Alliance (CSA)!

We spoke with Ryan ahead of the upcoming NZ Cyber Security Challenge (12-26 June) about his passion for cyber security, the opportunities it can offer and exciting areas for future research. 


Connect Smart: You are heavily involved in cyber security – what draws you so strongly to this field?

The key thing that draws me to cyber security is the ability to do research that can bring benefit beyond the people that are doing it, i.e into society and how we can translate this research into real technology that can help people to secure themselves. Through that we are also teaching students about this latest research and technology. As for building alliances, as you say, we have to pass on our research to someone so through that, we build the bridge. There's a very strong giving-back-to-society aspect of cyber security that draws me to the field. I'm not so drawn by the fact that people are hacking and whatnot, but I am drawn to the promise that we can be the first research group that can beat the cat and mouse game by empowering more people to help themselves.

Connect Smart: What brought you to the University of Waikato?

I came to the University of Waikato in November 2012 because I was trying to pursue my academic dream of being a computer scientist and a professor. I had experience from Hewlett-Packard Labs, where at the time, I was working on solutions that were helping the vendor. When I came to Waikato, I thought that was a great opportunity to create solutions to not only address the vendors but also the users since there are a lot of people that can't help themselves when they get hacked. So, I thought to move my research into that area. I was attracted to the University of Waikato because it has a very strong Computer Science culture - it brought the Internet to New Zealand; very strong in data mining and at the same time, they have a strong networking group. I was using some of WAND’s tools as well before I came to New Zealand, so I thought I would be able to not only contribute, but also learn from the greats and learn from seniors. Turned out to be a great option and a great choice. 

Connect Smart: What are some of the opportunities for people studying cyber security?

The main opportunities are beyond computer science actually. If you are from computer science, you can go into consulting, you can go into penetration testing, you can do secure software engineering. Beyond computer science, there are areas like cyber insurance, there are people talking about economical decisions for expenditure on Cyber security as part of your cost or as an investment. Then, there are people who are into Policy Making, they could join that as well. Besides these kinds of fields, there's a cross between computer science and management, there’s also information assurance where they can do IT auditing, they can audit data governance. There are a lot of areas. Most interestingly, there are actually a lot of opportunities for people to come up with the next big idea and become the next Bill Gates or Steve Jobs. In this field, there’s a general potential for people to do that.

Connect Smart: Where are you seeing some exciting areas of growth and research?

Most exciting areas of growth in research, I think, are definitely not block chain and definitely not just IoT. So, if I was a person going into research right now, I would go into homomorphic encryption, in the area of how do I preserve privacy when I’m putting data into someone else’s hands. The second one is attribution. You can see in a lot of global cyber attacks and elections being hacked, e.g. the French and the USA elections, where they cannot find the exact perpetrators of cyber attacks. Attribution is a great area of research as well and the first people who come out with techniques to do great attribution might be the next Bill Gates too. The third one is what the industry would call “post quantum cryptography”, how can the current cryptographic schemes be resilient against future computing paradigms, e.g. quantum computers. Great research area in this and it’s not so much of post-quantum, but also the rise of computation power - how do we ensure that the encryption schemes are difficult enough so that computers cannot crack them easily. That’s a wonderful research area and it has lot of applications, not just military and defence, but also into banking, EFTPOS transactions, etc.

Connect Smart: Does NZ need more computer science graduates? You are a member of the New Zealand Cyber Security Skills Taskforce. What is the taskforce focusing on?

The linkage with the NZ Cyber Security Skills Taskforce is that we’re trying to address NZ’s skills gap in cyber security. You can’t do cyber security without a good grasp of all areas of Computer Science, so a person going into the Cyber Security field will need all of these skills. The Cyber Security Skills Taskforce is a central point where it recommends a certain strategy and policy which then translates into actual implementation into the different institutions. Being a member of the team allows me to give feedback on what works and what doesn’t work in the education space. At the same time, I can see the demand and also how feasible it is and what are the demands from industry perspective. Does NZ need more Computer Science graduates? Absolutely! Right now, the Cyber Security Skills Taskforce is focusing on a Level 6 qualification. This Level 6 qualification allows someone to be trained in vocational skills with a compulsory internship component. This gives them a direct line into an actual job, e.g. security operations centre, analysts, etc. This group is focusing on making that work.

Connect Smart: What other areas does New Zealand need to look into?

We really need to ramp up on understanding the small and medium enterprise sector, the budget that they can spend on cyber security and how we can help them. That’s an under-studied area. I also serve on the Harmful Digital Communications Act as a Technical Advisor. I see cyber awareness as not just into the tech space but also put into curriculum, especially some aspect of responsible behaviour when we’re doing digital communications since that could prevent harm to people, suicides, mental health problems, etc.

The newly established New Zealand Institute for Security and Crime Science (NZISCS) looks into preparing New Zealand ahead for problems relating to these, so that when the problem becomes mainstream and primetime, we are ready for it. We’re working with psychologists, sociologists, economists, law professors and experts from the Faculty of Maori and Indigenous Studies.

Connect Smart: The NZ Cyber Security Challenge is coming up next month, tell us more about this exciting competition!

The first Cyber Security Challenge was established by CROW in 2014, and we have witnessed an exponential increase in participants - from 70 University of Waikato students in 2014 to 267 participants from the North and South Island in 2016.

Competitors first attempt the online qualifying round, “Round 0”, which is available from 12 - 26 June. The Top 150 players based on scores will be invited to the University on the 14 and 15 July for a full day of training and competition.

We also have a series of talks by cyber security experts and a job fair featuring our supporters Endace, Aura Information Security, InternetNZ, Insomnia Security, ASB, Gallagher, Datacom, among others. The 15 starts with training for the new policy round, followed by the official launch of the competition by our guest of honour, Andrew Hampton, Director of the GCSB. Round 1 is a Capture-the-flag (CTF) competition where competitors solve challenges for scoring. Next is the policy round where we’ll test the players’ understanding of policy using a set of scenarios and questions. This new round was added to create awareness of policy, cyber security law, governance and regulations, and standards and practices. Finally, the 5 best teams of Rounds 1 and 2 compete in the finals: a Blue team vs. Red team scenario where the 5 Blue teams defend their vulnerable servers from Red team attacks, which consists of Industry professionals.

Competitors going through the 3 rounds can expect to get a glimpse of offensive security in a controlled and safe environment, e.g. trying out a remote code exploitation or sql injection, examine policy from an organisational standpoint, and also experience the other side of the coin, i.e. defensive security. For some competitors, they may be headhunted by the government and industry guests present at the challenge and who knows, they may even get a job offer!

For more information or to register your interest please visit the NZ Cyber Security Challenge 2017  website.