Laura Scherling | Essays

A New Age for Cyber Resilience & Cyber Security Design

The Cyber Resilience Centre Greenport West-Holland
The Cyber Resilience Centre Greenport West-Holland, which will be a “main centre of expertise and information on cybersecurity issues in the horticultural cluster.” Photo by Remco Zwinkels, courtesy of Security Delta.

It’s been another extraordinary year for cyber crimes. The FBI's Internet Crime Complaint Center (IC3) has reported a continuing rise in extortion, personal data breaches, identity theft, phishing, vishing, smishing and pharming attacks. Just as the design of software and digital technologies has grown in vast technical and visual sophistication–and concurrently Internet use has become exceptionally fundamental–cyber crimes have soared. Scams are varied. These manifest as “romance scams” where fraudsters manufacture relationships, even proposing marriages, through email account compromise (or EAC) schemes in order to steal from their victims. These also manifest through ransomware, where data is held hostage until a ransom is paid. Data journalist Martin Armstrong described that the Covid-19 pandemic has additionally led to the emergence of new schemes targeting both individuals and businesses, now working virtually. For instance, in virtual meetings, fraudsters have used deep fake audio to impersonate C-Suite executives and have instructed employees to initiate wire transfers. The cost of such damages can be challenging to assess and cybercrime research expert Joseph Johnson has estimated that the global average cost of a data breach to be as much as 3.86 million U.S. dollars.

Elaborating on these chilling data points, Nicole Perlroth pointed out that a cyberattack can strike as much as every eight minutes. Perlroth, painting a picture that looks more like Sci-Fi scene from Masamune Shirow’s Ghost in the Shell or a sentient computer program designed for the Wachowskis’ Matrix, has detailed advanced cyber attacks on pipeline operators, hospitals, ferry systems, as well as a 2021 cyber intrusion where a hacker infiltrated a water treatment plant’s remote access software system in Oldsmar, Florida and attempted to change the water supply's levels of sodium hydroxide thus planning to poison it. Threat analyst Lesley Carhart, in an interview with journalist Andy Greenberg, compared the Oldmar cybersabotage attempt to an attack in Moochy, Australia. In this attack, a hacker used his remote access to dump millions of gallons of raw sewage into local parks and rivers. They also recalled a high profile assault where the Russia-based hacker group Sandworm hijacked utilities software in Ukraine that resulted in a power outage for a quarter million civilians, just days before Christmas, 2015. Beyond some of the more commonly understood cyber crimes like financial fraud schemes, attacks like those on industrial control systems (ICS) in Australia or Ukraine have been increasing on a yearly basis and are terrifying in both size and damage. Perlroth concluded, “We are racing toward — in fact have already entered — an era of visceral cyberattacks [...]”

In an era with design undergoing digital transformation— where we are inundated with websites, databases and online communications, Internet of Things (IoT) devices like smart locks and lights, and artificial intelligence (AI) products like navigation systems and manufacturing robots are becoming more ubiquitous—so is the risk of getting hacked. A recent report on ensuring online safety, described that the current system that protects our online activities and communications is in danger of becoming obsolete. Sundar Pichai, CEO of Google, warned that advancements in quantum computing might break traditional encryption methods within the next 5 or 10 years. Quantum computers, as opposed to the classic supercomputer, can do things like more accurately simulate molecules, protein folding, and the “behavior of a battery” for use in electric vehicles. These are just a series of real life scenarios, unfolding, that puts forward the burning question of what the future of cybersecurity design might look like as data amasses and technologies become more innovative yet nefarious.

Sundar Pichai
Google CEO Sundar Pichai at the Google I/O annual developer conference. Courtesy of Maurizio Pesce.

A lot of developments have already taken place in the field of digital security. Still, an employment gap persists with acute demand for cybersecurity talent like Oscar Anaya who the BBC described as taking a circuitous route into his career that began with an interest in hacking computers but would later culminate in training with a prestigious cybersecurity apprentice program with IBM. Anaya’s unorthodox career in comparison to hackers like virus writer Kimberley Vanvaeck “Gigabyte” or British computer researcher Marcus Hutchins might not seem unorthodox at all. Hutchins, for example, worked underground as a cybercriminal malware developer before rehabilitating and beginning a productive career with the cybersecurity firm Kryptos Logic. Nevertheless, public reverence of bigger-than-life figures like these illuminates that a lot of people, generally, do not fully grasp the technicalities of hacking or the frailty of digital systems.

Bryon Hundley, in his work as Vice President of Intelligence Operations for the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC), has observed that cybersecurity threats are constantly evolving, but the “basic principles remain the same.” He recounted, “Threat actors seek to steal information that can be used to accomplish a goal, typically for financial gain. They steal this information — which often includes things like credit card numbers, social security numbers, passwords, etc. — by exploiting technological vulnerabilities in a system. As everything in our lives becomes more digital, and as these systems become more interconnected, the number of potential vulnerabilities increases.” Likewise, Maksim Iavich and Giorgi Iashvili, President and Technical Director at the Scientific Cyber Security Association (SCSA), an NGO located in Tbilisi, Georgia, reflected that given that the cybersecurity field is “quite new” cyber ethics education is becoming necessary. Iavich and Iashvili expanded that cyber ethics education “must be a part of school education” and in today’s environment it is “as important and obligatory as writing skills are.” According to Bert Feskens, manager of the Netherlands-based Greenport Cyber Resilience Centre, many organizations “underestimate the consequences of the failure of digital systems” and that nowadays the “maturity level of cyber resilience differs from organization to organization.” In Feskens’ work to develop cyber resilience practices in the Dutch greenhouse sector (among the “top 5 export sectors” in the Netherlands) a central aim has been to raise awareness about cyber-related incidents among entrepreneurs, CEOs, managers; provide victim support; and impart security advice about “vulnerabilities in hardware and software (both in the field of automation and in the field of process technology).” Together, these experts also agree that design plays a decisive role in digital security.

The annual Scientific Cyber Security Association (SCSA) “Ethical Hacker” Camp was founded in 2018 by Maksim Iavich and Giorgi Iashvili. The main purpose of the camp is to prepare young cyber security specialists. Courtesy of Maksim Iavich.

Designers who create systems, products, and specifically ICSs like safety control systems can potentially inspire a new generation of cyber resilience experts and cybersecurity designers. This is critical given that the implementation of security features are essential in all the cycles of product design. Hundley, seeing first-hand the need to enhance resiliency in retail and hospitality, stressed the significant relationship between user experience, user interface design, and cybersecurity practices and that security incidents can easily erode consumers’ trust in a brand. The SCSA also highlighted that product usability and security features must be balanced and work together with an ongoing issue that “systems which have high security are more complicated for the user and vice versa.” Feskens also pointed out that designers can take on roles as “ethical hackers” where they can pen test security. By running pen tests and modeling real-life threats, companies can gain more experience in identifying vulnerabilities. Ultimately, as processes in business continue to be automated, new threats will arise and the need for those well versed in systems and usability design, product management, cyber security offerings and security posture, will grow— with the current “talent” shortage already hovering at 2.7 million professionals.

An important consideration in filling this gap will also be to build a more robust and diverse workforce. As it stands the cybersecurity industry lacks women and people of color, and (as lamented by Feskens) is too much of a “black box” which can make the field “much more difficult for people to understand what quite often are relatively basic risks.” The SCSA has also seen that exclusionary practices remove key members of testing groups, which then results in more usability issues. Taking steps to address lack of equity in cybersecurity, the RH-ISAC has collaborated with the International Consortium of Minority Cybersecurity Professionals and developed educational materials to improve “recruiting applicants from diverse backgrounds.”

These steps forward, while positive, are also pressed for time against a tidal wave of digital attacks on infrastructure, the energy sector, financial and food systems, in an ever-expanding attack surface that extends throughout the world. The Russian invasion of Ukraine has illustrated this sharply with Ukrainian IT engineers and hacktivists uniting to organize offensive and defensive teams of cyber experts to support the country during the war. The IC3 further illustrated this with its report of ransomware attacks across critical infrastructure sectors including healthcare and first-responder networks. Conceptually, digital security and cybersecurity design can conjure up a variety of images, from dystopian visions of cyber wars to mutations of the Stuxnet virus, to everyday applications in credit card fraud detection, network and cloud securities. In reality, all of these threats are already live, with malware sold and replicated across the Internet underground. In this new age for cyber resilience & cyber security design, product design goes hand in hand with informational and operational technologies, and its vulnerabilities simply cannot be neglected.

Interviews quoted in this essay were courtesy of Bryon Hundley at the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC); Professor Maksim Iavich and Giorgi Iashvili, Ph.D. at Scientific Cyber Security Association; and Bert Feskens and Chantal de Niet at the Greenport Cyber Resilience Centre / Security Delta.

Posted in: Technology

Laura Scherling Laura Scherling is a designer, researcher, and educator––working and teaching at Columbia University. Scherling holds a doctorate from Columbia University Teachers College. She is the co-editor of the recently published book Ethics in Design and Communication: New Critical Perspectives (Bloomsbury Academic UK). Scherling is also the co-founder of GreenspaceNYC, a nonprofit sustainability and design collective. Her work has been published by Brookings Metro, Design and Culture, Spark Journal, Interiors: Design/Architecture/Culture, and the Futures Worth Preserving Cultural Constructions of Nostalgia and Sustainability. Her work can be viewed at laurascherling.info.

Jobs | June 24