Turning the Tide with Cyber Toolmakers (a.k.a. computer scientists)

Date
Author:
Associate Professor Ryan Ko – University of Waikato

Think about this: A unique malware is created every half a second[1], but it takes companies on average 100-120 days to patch critical vunerabilities[2].

Some may say that the crux of the cyber security problem is skills shortage, while others lament the rigidity of corporations versus the abilities for cyber criminals to work in guerilla-styled “Team of Teams”[3].

I agree with both schools of thought, but would like to challenge us to think deeper. We cannot approach this sustainability issue in a quantitative way, but in a hybrid qualitative-quantitive way.

We must train more research-minded cyber security specialists to create new approaches and tools to change the game – turning the tide. We need more cyber toolmakers.

When we watch a concert, we admire the beautiful music played by the musicians and the conductor. Many of us are also aware of several other people working behind the scenes: the sound crew, stage manager and his/her crew, publicity, ticketing, etc.

However, one person influences all of the above mentioned roles, just like a vine and its branches. This person who wrote the musical score – the composer. Composers like Mozart and Rachmaninoff may not be alive today to witness their works being performed, but the ongoing impact and game-changing influence of their work is immeasurable. 

Computer scientists are the composers in the cyber security field, but few have chosen this path. To make it worse, criminal organisations are able to recruit “evil composers” which then contribute to the insurmountable problem we are now faced with.

During the early 2000s, the Web’s feasibility was faced with a challenge: how can websites stop automated scripts from spamming their online forms? How does a website prove that its user is a “real human” (i.e. a reverse Turing test)?

The solution was not just to train more software engineers or IT support personnel, but a simple challenge-response test called CAPTCHA (Computely Automated Public Turing test to tell Computers and Humans Apart). We all use and know the impact of CAPTCHA[4], but few realised that it was proposed by a group of computer scientists. Public key infrastructure, homomorphic encryption, and several other scientific breakthroughs, are also due the work of computer scientists.   

Being a cyber toolmaker is not just a calling, but has practical implications too. A recent Mackinsey article[5] listed jobs which will likely become obsolete and susceptible to automation. It shocked the world. Jobs with predictable physical work, data processing, and data collection are highly susceptible. On the other hand, jobs which require the application of expertise are least susceptible. In this report, jobs with premium salaries such as lawyers and accountants were not spared, and face a future with large attrition rates. Closer to the cyber security subject, in my opinion, I believe that the penetration testing industry will be fully automated within the next five to ten years.

As such, we cannot train more penetration testers but we must train more computer scientists and cyber toolmakers. This not only changes the game, but offers export opportunities – an effort recognised by the Ministry of Business Innovation and Employment in funding the NZ$12.2 mil STRATUS[6] project which I am leading.

If I was a high school student now, I would aim for a scientific career in this space. Looking back, I feel blessed that I was asked at an early age : “Is your work making an impact beyond your life?” This led me to an ‘alternative’ science career, leaving a systems engineer role and moving into a scientific role.  I started as a lead computer scientist in Hewlett-Packard Labs, witnessing my cyber security patents and inventions deployed worldwide, and now as an associate professor at the University of Waikato,  leading a great team of smart talents aspiring to be future cyber toolmakers.

Now, I challenge you to think about this question too: “Is your work making an impact to the cyber security industry beyond your life?”