The image of cyber security relying on lone hoody-wearing teenagers hacking in the dark needs to change. In reality, to improve cyber security, engineers, lawyers, economists, criminologists and policy makers need to collaborate to address cyber threats with comprehensive strategies. Prof. Dr. Solange Ghernaouti, Director of the Swiss Cybersecurity Advisory & Research Group, President and Founder of the SGH Foundation - Social Good for Humanity and Professor of Cyber Security at the University of Lausanne, has found success in building her career on such an interdisciplinary approach.
“During my PhD and the first years of my professional career, I gained experience in most areas of computer science, such as databases, operating systems, programming, electronics ands telecommunication networks. I discovered a particular interest for networks and technical network security and quickly realised that technical security would never be enough; vulnerabilities will always remain. This led me to study network management, a field that I found particularly fascinating and still do. That realisation brought me to focus on cyber risk management and I joined the University of Lausanne’s business school as professor.
As a consequence of wanting to better understand cyber criminals’ motivations, I started exploring the field of criminology. Then, understanding that politics and the economy are what make the world go round, I started becoming active in those aspects as well.
Throughout my studies and career, the trust I received meant a lot to me. For example, before starting my PhD, my advisor told me that if I wanted to graduate with him, he expected me to teach him something. The fact that this expert believed that he could learm from me powered my will to do good research and not disappoint him. I had a similar experience when writing my first book. I had never done anything like that before and didn’t know where to begin. Having the editor’s trust and support went a long way in helping me achieve that milestone in my career.”
As our society becomes increasingly digitised and connected, more security requirements and challenges naturally arise. Solange, who has been involved in the development of cyber security technology, standards and policies from their early years, believes there is still a lot of work remaining to improve the current state of cyber security and to create a safer world for future generations. Solange explains: “If we want to serve the common good, think about our youth’s future and the legacy we will leave behind, we should care much more about cyber security, including data protection, mass surveillance and the means we will use to address these issues”.
When asked why we are struggling to keep safe in the digital realm, Solange points out: “The biggest mistake we are making is thinking that technology alone can solve a human problem with socio-economic and political entanglement. Technology can help to solve certain issues, but it can also create others.” According to her, there are three critical obstacles in the way of robust and effective cyber security:
- A lack of cyber security awareness within the general population;
- Insular cybersecurity measures that fail to comprehensively address complex cyber risks; and
- Insufficient collaboration on national and international scales due to the fear of reputational damage in case of a security incident.
Let’s take a closer look at each one of these obstacles.
Lack of cyber security awareness
“How many campaigns or public service announcements related to cyber security risks have you seen in Switzerland recently? None? Exactly.”
Solange currently sees a paucity of resources and funds dedicated to cyber security on a federal or cantonal level in Switzerland. Solange believes that our authorities and the private sector need to invest in educating all of their citizens in cyber security risks.
Solange sees a power imbalance between those that control and those that use technology and strongly disagrees with claims that our children will all naturally be digitally fluent and security aware. She believes that we must adapt our education systems to the increasingly digitised world around us if we want to develop proper digital skills: “Having children use tablets in schools is not enough! Students need to be taught how to programme; not only to create new applications, but also to de-code what is happening within the devices we use every day.” She believes that awareness is the first step in understanding the long-term consequences of our word’s digital transformation.
Solange may be onto something, and not just for youngsters. How many of us can say we understand how our everyday tools work, be they SAP, Facebook or even email services? Today, most of us use these as black boxes, not knowing how they function and make use of our data.
Insular cyber security measures
“There is a certain over-confidence of technical people with regard to others with non-technical backgrounds; similar to lawyers and non-lawyers, doctors and patients.”
This can make collaboration tricky amongst experts in engineering, law, politics, social sciences, industry and research.
Instead of seeing cyber security as an issue that only engineers can solve, Solange argues that we need to recognise and value a wider variety of professional experience as well as education. For example, professionals should have the opportunity to complement their existing work experiences with courses to obtain specialised technical, managerial or legal skills.
Solange cites understanding the need for surveillance and intelligence as well as that of the fight against cybercrime as challenges where a variety of different skills are essential. Solange is very clear about this: “It’s not reasonable to assume one single profile can cover all facets of these complex issues and diverse expertise and experience ads significant value in cyber security.” This is why she believes that an integrated approach to cyber security is vital for our society and that efforts should stretch beyond traditional boundaries, whether they be geographic, political, military-civilian, left-right, black-white-purple. According to Solange, there is an urgent need to overcome conventional political divergences if we want to master cyber risks.
No company wants to grace the pages of newspapers because they fell victim to a cyber attack or because they produced or used vulnerable technologies or services. However, the reality is that major breaches occur regularly and there are many lessons to be learned from vulnerability disclosures:
“We should not let the fear of reputational damage stop us from sharing these lessons learned and hinder our progress towards true cyber security, but instead should understand the benefits in sharing knowledge, expertise and experience.”
To overcome this obstacle, there needs to be more encouragement from the top, be it from regulators or the government. In addition, processes and tools such as anonymised reporting and privacy-preserving data sharing must be developed to enable and encourage companies and people to share valuable information while protecting data subjects’ privacy.
Reflecting on Solange’s career path and her views, it is clear that greater collaboration from all relevant areas of expertise is in everyone’s best interest. We all have a stake in cyber security; it’s an issue that we as a society and individuals cannot ignore. We all need to work towards security in cyberspace and the physical world. Although the path to true cyber security may be long and at times tedious, Solange keeps a pragmatic and positive attitude: “We might as well enjoy the ride!”