University’s Cyber Security Dept and the State of the Industry
DIGITAL REPORT 2021
REAL WORLD
PROBLEMS AND SOLVING
SECURITY ISSUES
BY RESEARCH 2
city.ac.uk
CITY UNIVERSITY COMPANY LONDON NAME
city.ac.uk
3
CITY UNIVERSITY LONDON
How a University’s cyber security institute solves real world problems from the outside through research and partnerships
T
he City University Institute of Cybersecurity is described as being a place which takes the real problems from the outside world and solves them, via scientific research, as well as from a commercial angle. The department works with research and government agencies, as well as with industry to try to solve some of the most cutting edge, real-world problems in terms of the exponential growth of cyber security. Its head, Professor Muttukrishnan Rajarajan, says some of its uniqueness lies in the fact that the institute has several ‘spin offs’ which means its research is then taken into the commercial world, something that not many similar institutes do. He adds that another uniqueness is being able to search through big data when it is protected ina privacy preserving manner. This particular centre was established 20 years ago when Prof Rajarajan joined as an academic. Since then, he says, it has evolved into a centre for security in information security and cybersecurity. “Because many of the projects we pick up have multidisciplinary angles, we realised that we needed expertise from right across the University and not solely from a few technical specialists trying to solve problems. We needed expertise from psychologists and lawyers, which was very interesting because when it comes to cyber-attacks we needed to understand
4
city.ac.uk
Professor Muttukrishnan Rajarajan
CITY UNIVERSITY LONDON
CITY UNIVERSITY LONDON
Cyber security issues in the real world and research answers
“I TEND TO TAKE MOST OF THE PROBLEMS FROM INDUSTRY AND THEN TRY TO IDENTIFY HOW WE UNDERSTAND THAT THROUGH FUNDAMENTAL RESEARCH” MUTTUKRISHNAN RAJARAJAN
PROFESSOR OF SECURITY ENGINEERING AND THE DIRECTOR OF INSTITUTE, CITY UNIVERSITY LONDON
6
city.ac.uk
the behaviours of everyday people who can turn from a decent citizen into a person of concern. We pretty much bring people together from very different backgrounds and expertise. This enables us to come up with more creativity and innovative ideas at the same time,” explains Muttukrishnan. Real aims and objectives Muttukrishnan keeps it simple by pointing out that the main aim of the department is to help fight against the many cyberattacks they encounter, so it continues to build systems and techniques to safeguard the cities and corporates around the UK and counter what he calls cyber terrorism. He offers an example: “We worked on a European Commission project called Red Alert by which we tried to understand via social media how terrorists are radicalised over a period of time. We studied data from
across many European countries, several social media platforms and in ten different languages to see how over a period of time how people’s mindsets are influenced by specific groups. It provided us with insight into attitudes and behaviours.” Prof Rajarajan adds the reasons for the radicalisation was based on political ambitions rather than financial, which is the other main reason for attacks such as ransomware. However, the tendency for hybrid and remote working and employees being given various devices over which employers have no control over is another omnipresent challenge. “These are insider threats, not outsider ones, so another big issue to try to solve,” he says. He mentions a company called Crossword, a cybersecurity company which was formed by a product originating from the Institute for Cybersecurity. Crossword
EXECUTIVE BIO
CITY UNIVERSITY LONDON
MUTTUKRISHNAN RAJARAJAN TITLE: PROFESSOR INDUSTRY: EDUCATION LOCATION: UNITED KINGDOM Muttukrishnan Rajarajan (Raj) is a Professor of Security Engineering and the Director of Institute for Cyber Security at City, University of London. He currently leads the Information Security Group at City and his research interests are in the areas of Intrusion Detection, Cloud Computing security, Internet of Things Security, Network Security and Privacy. He has published well over 300 papers and continues to be involved in the editorial boards and technical programme committees of several international security and privacy conferences and journals. Professor Rajarajan is a visiting research fellow at the British Telecommunication’s Security Research and Innovation laboratory and is an advisory board member of the Institute of Information Security Professionals (IISP), UK. He has worked on several European Union and UK research councils and internal research agencies supported projects. He has also acted as a reviewer for several research agencies evaluating real-life and academic research projects. He co-founded CityDefendTM in 2019 with his PhD students to protect the data stored in the 3rd party Cloud. He is also an advisor to several SMEs in the areas of blockchain, privacy, data science and digital transformation.
CITY UNIVERSITY LONDON
CYBERSECURITY Cyytirusce nrgabicwnofrg s e f no i s l u b ae ’ z i l s arn e bm yi cr e u sn dci t a o c i t ys l gh np io s a e r c n i .snoitGa a s opn tu rg s io d t rh eg ni s s ed l un t o ca wp ehi s j u r b p e r on ma h3 t2i y 1l $ n or b u ci e 0 s 2 s t dc e n ar jhu otg i p f w o r g 4 t. 0 7 1 $ n o i l y b. 2 0 Cysno9i.t2lra$esbminrcog ,yertuvnim se dnroaljismub 52$retpunisma atlus,efroahtc derb gnidrotc a RiIks .hcQraes r
8
city.ac.uk
CITY UNIVERSITY LONDON
has been involved in the digital verifiable credentials for Covid passports for travel and leisure purposes. The company which has worked with many universities across the UK, translates research into commercial products. Muttukrishnan describes such innovative start-ups as the way to address the very many cyber security challenges in the world today. The evolution of data mining and blockchain. Muttukrishnan says there is a new hot topic in this field of technology, known as federated learning. This is when tech companies, including the giants such as Google, Facebook and Microsoft analyse and mine data without actually ‘getting hold’ of the data. It is about providing the answers to the mining questions without revealing personal data itself and the owner keeps control of it and the data being processed. “The idea behind federated learning is to offer full privacy and preserve data mining at the same time,” he says. Over recent years the evolution of multiple blockchain platforms has presented another challenge in terms of how we work across the platforms and enable them to work together, according to Muttukrishnan. He added this was exacerbated by the way in which the technology was growing. “The number of blocks is increasing,” he says. “Whenwe consider something like green computing, you need to minimise the amount of computing power needed to mine all the blocks. One of the ways it’s being done is minimising the amount of blocks needed in a typical blockchain and therefore reducing the amount of computational power required.” city.ac.uk
9
CITY UNIVERSITY LONDON
Security in terms of identity and historical data Muttukrishnan explains that nowadays, tech giants such as Facebook and Google can be asked to delete certain historical data, like mistakes made when through adolescence, so they don’t have as impact on people as they grow older. Which could affect their employability and social recognition in later life. “GDPR has enabled this, as it now allows the owner to make a request for historical information from these types of platforms. It is the same for data being shared with third parties, people can request to see how and with whom it is being shared”. He went on to say that, the major browsing companies change their privacy policies very regularly, such as cookie preferences. This has also been because of GDPR and the number of fines they can receive if there are any breaches. More hefty penalties are now coming in from different bodies, such as the UK’s Information Commissioner’s Office.” Muttukrishnan emphasises the importance of multifactor authentication as a good way forward as new technology in this space removes the need for passwords which people either forget or do not change regularly enough. He says: “The beauty of multifactor authentication is, it allows you to use features such as gait and facial features which are things which are very hard to steal in real time. It can be used alongside biometrics, which we call multimodal modalities, which looks into how people run and even how they use their phones, and what for, as well as the environment they are in, background noise etc. This is an area known as continuous authentication.” But, he says, this goes further. By combining behavioural biometrics together 10
city.ac.uk
with physical biometrics, such as voice and face, he says we can achieve very unique patterns for each individual. And adds even identical twins don’t have the same voice patterns. The power of partnerships Muttukrishnan firstly cites mainstay telco BT as one of the department’s closest partners of more than ten years. The City University department has worked with the company sponsoring their PhD students who are still employed and leading security teams in areas of cloud, IoT and continuous authentication. He says he also has students sponsored through another mainstay, Huawei.
CITY UNIVERSITY LONDON
“WE AS A TEAM HAVE VERY VARIED BACKGROUNDS AND TAKE A 360 DEGREE VIEW, RATHER THAN IT JUST BEING A PURELY TECHNICAL SUBJECT” MUTTUKRISHNAN RAJARAJAN
PROFESSOR OF SECURITY ENGINEERING AND THE DIRECTOR OF INSTITUTE, CITY UNIVERSITY LONDON
But, he says, the department also works with innovative start-ups, helping them to build their products so they can then scale them up when they start to get better revenues. He describes building such varied relationships as an artform which comes through good networking skills and maintaining credibility. “It’s a combination of people recognising you as someone who has specific skills and how to approach you, say in industry forums and also through interactions and collaborations going forward. The relationships you already have can be used to create new and extended ones. It can be at a slow, organic pace but it is the best way. city.ac.uk
11
CITY UNIVERSITY LONDON
12
city.ac.uk
CITY UNIVERSITY LONDON
“MANY OF THE TOPICS WE COVER ARE VERY NEW, WHICH MEANS WE HAVE TO LEARN QUICKLY AND CHANGE WITH THE NATURE OF THE PROBLEM WHICH IS BEING IDENTIFIED AND RESOLVED” MUTTUKRISHNAN RAJARAJAN
PROFESSOR OF SECURITY ENGINEERING AND THE DIRECTOR OF INSTITUTE, CITY UNIVERSITY LONDON
That’s because especially in the cyber security industry there is a lot of snake oil.” He sees the future of partnerships being long term with organisations like the National Cyber Security Centre (NCSC), as well as the innovative newcomers involved in such technology as facial recognition systems, and place the department’s Masters and PhD students into them to help them grow. The future of the cybersecurity industry, both near term and further afield Apart from ransomware, a cyber skills shortage in schools is a growing issue, according to Muttukrishna. He believes says there are not enough students at school level taking up subjects such as maths and physics, which are fundamental for translating into good cybersecurity. He says this is something he is promoting across schools around the country. “We have a huge shortage in terms of machine learning, data science and cybersecurity and are still depending a lot on foreign players to back this up. Especially in cyber, if you don’t have the internal skills then there is going to be a big challenge going
forward, because other countries around the world have made big investments and the UK is not able to keep up.” He concludes that he believes the cyber security skills gap is probably the biggest challenge of our times and as a country we need to do more to address this. He referred to the apprenticeship programme, training people up while they are on the job, then fast tracking the candidates into the industry. “One way is going back to having strategic partnerships with industry, something that I am trying to do. We are trying to build relationships with big consultancies, security providers and also SMEs and train graduates then make it more attractive by offering internships, placement and projects sponsored through industry. Then we will have more skillsets that will be able to fill the gaps that are out there now and not just in the UK, it’s a global issue and has been for quite some time.”
city.ac.uk
13
City, University of London Northampton Square London United Kingdom EC1V OHB
T 0207 040 4073 | www.city.ac.uk
POWERED BY: