‘The Internet is currently treated as one of the dimensions in which there is war’, says AGH UST Professor Marcin Niemiec from the Faculty of Computer Science, Electronics, and Telecommunications. The scientist, who deals with cybersecurity issues, answers our questions about the threats that lurk in the corners of the Internet.
Professor, the Russian invasion in Ukraine has been going on for two months now. In relation to this ongoing war, are we exposed to additional threats on the Web?
As far as the Russian invasion in Ukraine is concerned and the threats in cyberspace related thereto, we haven’t, in fact, registered any new spectacular attacks. The dangers that we see on the Internet are usually threats that we are already familiar with, take the attacks related to blocking access to services or websites. Currently, however, we are dealing with an intensification of such activities. In my opinion, the only new threat that deserves a mention is broad misinformation, which targets the integrity of states. This phenomenon can be classified as something we have not experienced so much in the past. None of these threats are to be dismissed. Clearly, this is why the third-level alert CRP-CHARLIE has been in place for many weeks now – we should definitely increase our vigilance on the Internet.
What can a regular user do to increase their vigilance on the Internet? How can we defend ourselves from these types of attacks?
I always offer this basic piece of advice: We should always remain reasonable. This is also true in this situation – our everyday activity in cyberspace should always be thought-out and responsible. That is to say, we all, individual Internet users, have influence on the security of our country. If we carelessly click on suspicious links or open attachments sent to us by strangers, this can result in our device being exploited as one of the tools used to disable services critical for the functioning of the state. The Readers might be interested in the recommendations prepared by CERT Polska – this team of experts has posted useful information on its website for citizens and people responsible for keeping company IT systems safe.
Does our university have a team that monitors the safety of the Web?
The AGH UST has a central unit dealing with cybersecurity – the Independent Section for Cybersecurity Monitoring. Many other AGH UST units, such as faculties or institutes, also have designated people who are responsible for securing and protecting particular networks and servers from hackers.
The stereotypical hacker looks like a young genius trying to crack the toughest firewalls. However, isn’t it more often so that to acquire sensitive data, it’s easier to make use of social engineering?
Indeed, there is an image of a hacker being a person with incredible IT skills, who’s sitting with a black hood on their head in front of several monitors, on which they’re working simultaneously. Truth be told, there are individuals who are capable of attacking large IT systems, but very often these hackers are simply people who are not experts in cybersecurity. In their attacks, they use ready-made, intuitive tools that can be easily acquired or sometimes even bought with a manual. A hacker doesn’t have to be an IT specialist – sometimes, instead of good programming skills, plain sociotechnical skills suffice.
These people are probably assuming that the weakest link is the human.
Partially yes – humans are usually the weakest links, and by using manipulation techniques you can achieve better results than by hacking an IT infrastructure. On the other hand, attacking IT systems doesn’t require the perpetrator to have extensive knowledge. Let me use an analogous example: You don’t have to be a barista to make great coffee – it’s enough to press the right button on the coffee machine and there we have it – we made excellent coffee without knowing the ropes of making coffee.
Recent attacks on government websites were apparently not supported by extensive IT knowledge. Instead, spamming was used to overload the servers.
Exactly, the Distributed Denial of Service types of attacks are based on the strategy where we send sizeable amounts of queries which engage the computer assets of a given server, which renders it incapable of processing regular queries.
‘A hacker doesn’t have to be an IT specialist – sometimes, instead of good programming skills, plain sociotechnical skills suffice’, Professor Marcin Niemiec says; source: Dreamstime
What is the agenda of a country that conducts such attacks and propagates misinformation?
You are probably referring to the problem of information warfare, sometimes called cyberwarfare or war in cyberspace. Well, the net is currently treated as one of the dimensions in which there is war – sometimes compared to warfare on land, in water, or in the air. The thing is that this is always about achieving some political goals. If one country wants to endanger another, it tries to take advantage of cyberspace to manipulate opinions, for example, to aggravate fear or insecurity among the targeted citizens. Knowledge about misinformation techniques can be our weapon – it is our protection.
Do we have weaknesses? If so, how can we protect those?
It would be best to enrol in the AGH UST (laughter). Above all, look for verified information and trusted sources. You cannot blindly believe everything you find on the Internet, especially when it comes to news that plays on our emotions. One time, my friends, working in a company that deals with antivirus software, investigated the types of content a link should have to get the most clicks from Internet users, transporting them to infected websites. It turned out that those links with the most unexpected bits scored the best results. An example is the following link: Living Polish World War II soldiers found in a bunker in Masuria.
Meaning that we’re susceptible to sensation and this is our soft spot in cyberspace?
Does your faculty offer courses in soft skills?
The fact that we’re a technical university means that soft skills cannot overbalance typical technical knowledge and skills, but we try not to forget about those. For instance, when I teach a course in cybersecurity, I always dedicate some time to sociotechnical skills or present typical methods of attacks that rely on social engineering. To intensively develop the so-called soft skills, we use Oxford debates, during which we discuss the issues related to cybersecurity. The debates take place as part of our elective courses at the Institute of Telecommunications at my faculty.
Does this programme include cooperation with IT companies?
Of course. We cooperate with various companies that deal with information technologies. The names of these companies are recognisable instantly: we’re talking Nokia or Motorola, but there are also companies that deal mainly with security, that is, developing antivirus systems and producing devices supporting security services, as well as companies dealing with auditing or penetration tests. I, myself, invite experts to my classes to tell our students about the challenges they are currently facing.
Corporations can also be vulnerable to cyberattacks. Do large companies have their own mini intelligence agencies that guard strategic information?
Lord Baelish from Game of Thrones used to say: ‘Knowledge is power’ – this character used his knowledge most efficiently to build his position. Well, information is a valuable asset in a given company, and indeed, some, especially those big ones, do establish their own security teams. Such teams are often referred to as SOCs (Security Operations Centers). On the one hand, they monitor the traffic in the internal network – whether it’s not being targeted; and on the other, they build a broad record of knowledge on vairous threats – the so-called threat intelligence. Such teams scan Internet assets (including the dark Web) for confidential information about the company and check if there have been no leaks.
From what I understand, we have a set of cybersecurity specialists, be they analysts, programmers, and also cryptographers.
Cybersecurity is a very wide notion and might mean different things to different people. We do have analysts who analyse the current Internet traffic in terms of potential threats, but we also have people who are skilled programmers and create safe applications. We also have the aforementioned cryptographers who are responsible for checking if the already implemented algorithms are safe to use.
Will the courses prepare students to perform various types of jobs?
Naturally. All things to all people. If someone’s dream is to create new programs, they will acquire the necessary skills to become a good software developer. If someone wants to administer IT systems, they will learn about their maintenance, but also about efficient protection thereof. We offer a first-cycle field of study – Cybersecrity; and at the second-cycle level of education, we have elective courses, which allow our students to choose their individual paths of learning. For instance, if someone’s interested in virtualisation of resources, they will choose a different route than a person who wants to specialise in cybersecurity.
And what exactly do you do as part of your adacemic activity?
I’ve been interested in cybersecurity since the very beginning of my professional career; and since cybersecurity has multifarious dimensions, I too focus on its various aspects. I think these particular issues merit a mention here: quantum cryptography and other quantum technologies which serve to protect data – this was the theme of my doctoral dissertation. I’m also interested in artificial intelligence and its applications in cybersecurity, threat detection in cyberspace, and risk management. The factor that often determines the direction of my research is the current grants in which I’m participating – both Polish and international ones, where I get to cooperate with foreign experts. Each year, I also invite students to carry out their scientific investigations, and this, in turn, bears fruit in the form of joint publications at scientific conferences or in professional journals.
What are the interesting projects that you are currently working on with your team?
The most interesting project that I have to tell you about is the ECHO project within the framework of the Horizon 2020 programme. It’s a huge undertaking and one of the flagship EU projects in cybersecurity. The consortium is already made up of more than 30 partners from all over Europe, and its coordinator is the Royal Military Academy in Belgium. We’re focusing on the broad notion of cybersecurity, meaning technical aspects, but also social and legal ones. We conduct research related to the secure collaboration of units in critical sectors of the European economy (such as transport, energy technologies, and healthcare). We specialise mostly in technological issues – we develop digital watermarks and recognition methods for multimedia data. Currently, we are preoccupied with advanced research into artificial intelligence that supports us in determining secure cryptographic keys between users in the network environment.
Can the development of technology be a threat in itself? Let’s say quantum computers – don’t they challenge the currently used RSA algorithms?
This is a very interesting question. What threats are there to asymmetric encryption in the development of quantum computers? Now, when we communicate with our electronic mailboxes or when we order bank transfers, we commonly use asymmetric algorithms to determine cryptographic keys that ensure the confidentiality of this communication. Unfortunately, the security of these algorithms is conditional – the RSA algorithm is safe on condition that we won’t be able to factor large numbers. However, we are already aware of mechanisms that operate on quantum computers – the so-called Shor’s algorithm – which can do this very quickly. This is extremely dangerous because asymmetric cryptography rests on two keys – the Private Key and the Public Key. In the case of the RSA algorithm, the Public Key includes a number that is the product of two prime numbers – if someone’s capable of factoring this number in a reasonable amount of time into the product of two numbers, they’ll be able to easily calculate the Private Key; and in that moment the entire user-server communication is compromised.
Luckily, quantum computers are currently quite expensive, as they require specific conditions to work – very low temperature, for example.
It’s true. To avoid quantum decoherence, such computers have to operate at extremely low temperatures, e.g., close to 10 Kelvin. Therefore, at the moment, these devices are quite rare and very expensive. In addition, even the most powerful quantum computers today have very limited computing power. However, we face many different threats related to the development of information technologies. Take, for instance, artificial intelligence. I, myself, am afraid of the new dangers brought about by the use of the so-called deep fakes. Currently, with readily available tools and with very little effort, you can create videos in which public figures of your choice will present the text that you have prepared for them. Imagine a situation where in a war-stricken country the assailant published a doctored video in which the head of state declared unconditional surrender, ordering its army to immediately stand down. We are not accustomed to misinformation with the use of these deep fakes, and this can have very serious consequences. The dynamic development of technology indeed breeds new threats. Our shield and weapon in this case must remain education, experience, and knowledge. All this is available here at the AGH UST – come and join us in exploring the arcana of cybersecurity!
Thank you for your time.
The interview with AGH UST Professor Marcin Niemiec was conducted by Michał Ciesielka from the AGH UST Centre for Communication and Marketing.
All rights reserved © 2021 AGH University of Science and Technology