Turning the tide with cyber toolmakers

Think about this. A unique piece of malware is created every half second, but it takes companies on average 100-120 days to patch critical vulnerabilities.

Some may say the crux of the cyber-security problem is a skills shortage, while others lament the rigidity of corporations versus the ability of cyber criminals to work in a guerrilla-style “Team of Teams.”

I agree with both schools of thought, but want to challenge deeper thinking. We cannot approach this sustainability issue in a quantitative way but must do so in a hybrid qualitative-quantitative way.

We must train more research-minded cyber-security specialists to create new approaches and tools to change the game – turning the tide. We need more cyber toolmakers.

When we watch a concert, we admire the beautiful music played by the musicians and the conductor. Many of us are also aware of several other people working behind the scenes: the sound crew, stage manager, crew, publicity, ticketing and everything else.

However, a certain stakeholder influences all these roles, just like a vine with branches. The stakeholder is the composer who wrote the musical score. Composers like Mozart and Rachmaninoff aren’t alive to witness their works performed, but the impact and influence of their work are immeasurable.

Computer scientists are the composers of the cyber-security field, but few have chosen this path. To make it worse, criminal organisations are able to recruit evil composers who contribute to the problem the industry faces.

During the early 2000s, the internet’s feasibility had a challenge: how can websites stop automated scripts from spamming their online forms? How does a website prove its user is a “real human” (a reverse Turing test)?

The solution wasn’t to train more software engineers or IT support personnel but to implement challenge-response tests such as CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart). We all know the impact of CAPTCHA, but few realise it was proposed by groups of computer scientists. The same goes for public key infrastructure, homomorphic encryption and several other scientific breakthroughs.

Becoming a cyber toolmaker is not just a calling. It has practical implications. A recent McKinsey study listed all the jobs likely to become obsolete due to automation. It shocked the world. Jobs with predictable physical work, data processing and data collection are highly susceptible. On the other hand, jobs requiring expertise are the least susceptible.

In this report, jobs with premium salaries such as law and accountancy were not spared and face a future of high attrition rates. In cyber-security, I believe penetration testing will be fully automated within the next five to ten years.

As such, we cannot train more penetration testers but rather more computer scientists and cyber toolmakers. This not only changes the game but offers export opportunities – an effort recognised by the Ministry of Business Innovation and Employment in funding the $12.2 million STRATUS project.

High school students today should aim for scientific careers in this space. Looking back, I feel blessed to have been advised at an early age with this challenging question: “Is my work making an impact beyond my life?”

This led to an alternative career in science, leaving a systems engineer role and moving into a scientific role. I started as a lead computer scientist in Hewlett-Packard Labs, witnessing my cyber-security patents and inventions deployed worldwide. Now I am an associate professor at the University of Waikato leading a great team of smart talents aspiring to be future cyber toolmakers.

I only have one question: Is your cyber-security work making an impact beyond your life?

Associate Professor Ryan Ko is director of the New Zealand Institute for Security and Crime Science, and head of the Cyber Security Lab at the University of Waikato.

All content copyright NBR. Do not reproduce in any form without permission, even if you have a paid subscription.