Cybersecurity Lecture Debunks Myths of Field
NYU Tandon School of Engineering’s Cybersecurity Lecture Series recently hosted the 10th lecture in its series, which brings together some of the top experts and tech professionals to speak on the latest advances and issues within cybersecurity. Now sponsored by finance and insurance corporation AIG, the lecture comes on the heels of recent global cyber-attacks and ransomware such as Petya, which affected a Ukrainian power grid; WannaCry, which disrupted hospital and school systems; and the 2016 email leak from the Democratic National Committee.
With today’s global scale of ransomware and hacking repercussions, cybersecurity no longer remains only within the purview of technology companies, financial institutions, or government agencies. In his opening remarks to the lecture, Professor of Electrical and Computer Engineering and co-founder of NYU Center for Cybersecurity (NYU CCS) Ramesh Karri shared that when establishing CCS, “we recognized cybersecurity is much more than a tech challenge and only way to secure digital world is to work with industry, educational institutions, governments, and others.”
Because of this vast scale of cybersecurity, it’s no surprise that many misconceptions and beliefs arise about what it is, how to address it, and how it’s going to affect our future.
This year’s lecture featured a keynote speech by Dmitri Alperovitch who is the Chief Technology Officer at CrowdStrike, the cybersecurity company that is part of the investigation that discovered Russian hacking of elections in the U.S. Alperovitch broke down some of the top ten myths about cybersecurity, dispelling some of the most prevalent beliefs, including:
- Myth 1: Attribution is impossible in cyberspace.
Making an analogy to seeing patterns in a string of bank robberies, Alperovitch noted that attribution is “not a new thing and can be done without technical means.” “We’re getting much better at attribution because we have a long history of tracking attacks and understanding full scope of operations of different nation states.” - Myth 4: Information sharing is the answer.
Alperovitch distinguished between two types of companies, ones that already share and generate information, like big financial institutions, versus the majority of companies that don’t have the same capabilities. “Most people aren’t prepared to use information you give them, because they don’t have the basic technology to investigate it,” he explained. - Myth 6: This is a solvable problem.
What makes cybersecurity so different from other areas of science is that “we’re dealing with a sentient adversary who wants to cause harm to you or your company and can be bribed,” he said. - Myth 8: Cyber-attacks are done at the speed of light.
Sharing insight from CrowdStrike’s profiles of 25,000 breaches they stopped, Alperovitch detailed how the average breakout time for attacks was 1 hour and 58 minutes. The time-frame could allow defenders to readily contain hackers in one location and from breaching their full system. - Myth 9: It’s all about keeping the enemy out.
“Cybersecurity is all about the speed of response,” he shared, adding three essential metrics including 1 minute for time to detect a threat, 10 minutes to investigate, and 1 hour to remediate.
After his speech, Alperovitch was joined by panelists and information security experts including Omkhar Arasratnam, former Global Director of Cyber Security and Americas Regional Head TSS at Credit Suisse; Quiessence Phillips, Deputy CISO of Threat Management for the City of New York; and Garin Pace, Cyber Product Leader and Financial Lines and Property at AIG. Moderated by Randal Milch, Co-Chair of the NYU Center for Cybersecurity and Distinguished Fellow at NYU Law Center on Law and Security, the panel addressed the importance of translating awareness of cybersecurity issues into education and ways in which cybersecurity is at the heart of industries like finance, insurance, government, and more.
“We need more people to think about cybersecurity and execute it better, so more education and understanding of the risk is necessary,” Pace said. Phillips discussed how “grooming the next generation of security analysts and engineers starts at younger age,” she said. “We need more of these small K-12 programs in schools and online.” Panelists all agreed on starting cybersecurity education much earlier than college. Affordable and inclusive options and scholarships are also important, such as NYU Tandon’s NY Cyber Fellowship. Phillips also shared Mayor Bill de Blasio’s announcement of NYC Secure, a new cybersecurity initiative that aims to protect New York’s phones, Wi-Fi networks, and more.
Alperovitch and Arasratnam emphasized the importance of building relationships and trust for productive information sharing. “Through official information sharing channels, you get information that sometimes will be stale and nonspecific,” Arasratnam said. “Informal relationships and conversations can have more value than these.
Even research and discoveries here in New York can have a significant impact everywhere. “New Yorkers will take the lead in cybersecurity, as it’s the world’s epicenter of finance and media industries,” Karri explained. “When we protect NYC, we protect the economy of our nation and the world.”
The lecture was organized by AIG, NYU Center for Cybersecurity and Tandon Online.
Watch the full lecture: