A Scientific Approach to Security: What it Means to be a Cybersecurity Center of Excellence

Information security students today need to have a future-proof education to be able to predict current and forthcoming attacks and defenses, says Angela Sasse of University College London.

UCL, which was recently named one of eight Centers of Excellence for Cybersecurity Research by the UK's GCHQ, is addressing the way it teaches students information security so they can be adaptable for tomorrow's challenges.

"We have made quite a significant change to the teaching we do," says Sasse, head of information security research in UCL's Department of Computer Science, in an interview with Information Security Media Group's Tom Field [transcript below]. "We're looking to give them a much broader grounding that includes the understanding of economics and different types of attacks."

Further, UCL's education offerings look into the strategies attackers typically use and defenses that generally work, "so that when new types of attacks emerge, they can apply that to developing new cybersecurity counter-measures," Sasse explains.

Keeping an eye on the threat landscape is also important for students, so they can understand which opportunities hackers will go for and when measures make an exploit too difficult for them to want to consider, Sasse says.

In an interview about being designated an Academic Center of Excellence, Sasse discusses:

  • University College London's approach to cybersecurity research;
  • How UCL is preparing tomorrow's cyber pros;
  • Advice to those starting their cybersecurity careers.

M. Angela Sasse is Head of Information Security Research in the Department of Computer Science at University College London, UK, and the Director of UCL's Academic Centre of Excellence for Cyber Security Research (ACE-CSR). A usability researcher by training, she has been an academic in Computer Science since 1990. She started research into usable security in the mid-90s, identifying problems with passwords in the seminal CACM paper "Users are not the Enemy," co-authored with Anne Adams. She is an expert on human behavior in security, and she and her team focus on measuring short- and long-term costs and benefits of IT security measures in organizations.

Centers of Excellence in Cybersec Research

TOM FIELD: For background, the GCHQ in the UK has just designated its first eight centers of excellence in cybersecurity research. What's the significance of this designation overall to all the centers of excellence?

ANGELA SASSE: It's recognition that in each of these eight centers, there's a significant capacity of high-quality research in the security area. It serves as a signpost for industry for instance who are looking to get advice and help on particular cybersecurity problems, and it's also an encouragement by GCHQ to those centers to work together to better bring together the different bits of expertise so that overall we enhance the capability of what academia can offer in cybersecurity research and how we can help industry.

University College London

FIELD: Let's talk about the significance specifically to UCL. What does it mean to you?

SASSE: For us, it's a wonderful recognition of the quality of the research that we do. As I mentioned earlier, we have a very significant networking research capability and within that working security has always been a big topic and it's certainly very much still today. One of my colleagues, for instance, has been looking at a fairly ambitious undertaking, whether it's actually possible to encrypt all of the traffic on the Internet.

But in addition to that, we also have colleagues who are working at the design stage on security so we're trying to boast key [developing] programming languages and specifications to help design security in right from the beginning, to move on from the current state of affairs where we seem to be always discovering vulnerabilities later and then creating security kind of like patches that we stick onto things. And really that kind of system's getting a little creaky. I would say it's getting increasingly expensive.

Another team of research is looking by design to make something more secure or to also make it, even if there are vulnerabilities left, harder to exploit those vulnerabilities for attackers.

Finally, another big theme of our work is to look at the cost and benefits of different security measures and really bring a scientific approach to the field of security which we haven't necessarily taken a systematic scientific approach in the past. Basically, what we're trying to do is build a knowledge base where we systematically evaluate cost and benefits of security measures in different kinds of application areas and move on from the best practice approach that characterizes much of what's going on in the field of security today.

Unique Approach to Research

FIELD: What would you say it is about UCL's unique approach to research that sets you apart from organizations that aren't designated centers of excellence?

SASSE: What GCHQ was trying to do with this exercise as I understand it was to recognize institutions that have both high-quality research and a significant capacity. So that's recognizing the quality of our past research and the fact that we have a substantial number of researchers here. There's nearly a dozen at UCL who are permanent academic members so far. And of course, in addition to that, there are doctoral students and post-doctoral researchers and so on. Part of this dispatch is to give industry confidence that basically if they come to us with their problems, they will get the best possible advice that's available.

Top Cyber Threats

FIELD: The threat landscape's evolving daily. What do you find to be the cyber threats of greatest concern to you and your fellow researchers today?

SASSE: The threat landscape has been changing quite rapidly really, and there are many, many aspects that we could talk about. Probably the significant concerns are that many of the attackers are not only technically very skilled, but they also are able to draw on significant resources, for instance, to organize attacks. Understanding that kind of landscape is quite important. We're fortunate at UCL that we collaborate very closely with the crime department [to] understand who the attackers are and typically what kind of criminals have had activities we can see, and what we can learn also about the economics of the attacker - what kind of measures make it not just difficult but unattractive for them to attack. That's the key point.

That's basically connected to the fact that a lot of the attacks are now carried out for commercial gain, to gain a competitive advantage, to steal intellectual property for instance. We really need to understand better what the capability of those attackers are and how we can make systems resilient against this attack. But also the idea of resilience is quite important to us, and that means that we can not predict all possible attacks on systems, so what we're looking more and more to do is to make sure that the systems we build survive even in the face of the same attack, so that's the bit of the business. The transactions that matter can carry on even when particular parts of cyberattack are used.

Preparing Tomorrow's Cyber Pros

FIELD: What are you doing within University College London to help today's and tomorrow's cybersecurity pros prepare to face these evolving threats you've just discussed?

SASSE: We have made quite a significant change to the teaching we do, both to the students in our normal university courses and also to the researchers of tomorrow, the doctoral students. We're looking to give them a much broader grounding that includes the understanding of economics and different types of attacks, what kinds of strategies attackers typically use and what kinds of defense mechanisms in general work, so that when new types of attacks emerge, they can apply that to developing new cybersecurity counter-measures.

Public/Private Sector Support

FIELD: I know academic institutions exist in a vacuum. You need help from a government and you need help from businesses. Where would you say UCL most needs support from government and the private sector to succeed in this mission?

SASSE: For a research institution, we always used to say, "We need more money," so we can have more doctoral students, we can have more post-docs and that will increase our capacity to do the work. But to ask something else that's really important, that's access to data, in collaboration with industry, being able to get data from real attacks, about how well certain counter-measures perform and which ones don't perform. Access to that data is really, really important to move security research on to really build a scientific base, and traditionally a lot of companies have tendencies to think that anything to do with their security measures is sensitive and better best kept secret. That for us is now a really important step forward, that we collaborate more closely to get real data and overcome this.

We've had a little bit of division in security research that industry would accuse us in academia of being an ivory tower and that the kinds of things we develop are more designed to impress our fellow researchers and not really solve the problems. But by bringing in the data from the real world, hopefully we can overcome that and so we need more companies to reach out and work with us, to trust us, to have the confidence that we would keep the data - the information that they give us - secure and that can become part of a knowledge base that will benefit everyone in the long term.

Advice to Those Starting Cybersec Careers

FIELD: For those looking to enter the security profession today, what advice would you give to them?

SASSE: Go for it. That would be my advice. If you're interested in security research, it's a profession that's likely to expand both in the U.S. and in the UK. Government and industry have diagnosed a skills gap, a very significant skills gap in this area. Meaning, this is going to be a good career to choose provided you're really interested in this topic, you've got good skills and you've provided to work hard. I would encourage them to get very good, general IT skills, good understandings of how systems are designed, how systems work and then build on that too. As part of the specific security training, learn more about the threat landscape, but also get a future-proof education to learn principles of attack and defense. Learn the economics of how you can defend systems at a cost businesses can afford.

And finally, one of my particular areas of research is to also learn a bit more about human behavior in security because the counter-measures we have today fail because they're too difficult to use and so individual employees or individual customers just can't really do the things that are required of them and tomorrow's professionals really need to understand and look at all the stakeholders in a security system and make sure they're not asking them to do things that are just too difficult or too expensive for them to do.
