Dr. Jan Van Den Berg is a Full Professor of Cyber Security at the Faculties of EEMCS and TPM (TUDelft), Full Professor of Cyber Security at the Faculty of Governance & Global Affairs (LU), and Scientific Director of the Cyber Security Academy The Hague. Since January, he has also been an honorary professor at Amity University within the Amity School of Engineering and Technology.
We recently got into a conversation with him about the general idea of cyberspace and securing it. Here are the answers to a few questions we asked him.
What is the most problematic situation in cyberspace?
As explained by Dr. Berg, a very problematic situation is the lack of understanding of what cyberspace precisely entails and what its cyber security challenges are: most people think it is just about technology (here IT), which they don’t understand. The lack of understanding also arises because of the complexity of cyberspace.
However, if we conceptualize cyberspace as the domain of cyber activities (i.e., the IT-enabled activities we execute using our PC or mobile device), we already get a much better understanding of this self-organizing and evolving ecosystem and its related cyber security challenges. An example to explain this: people know how to use social networking applications, which concerns a basic communication-related cyber activity that everybody understands. The underlying technology is mostly a miracle to most of us, but the framing of it as a communication-related activity, with the possibility of leaking personal data, enables a discussion on how to deal with the privacy of users’ data. Unfortunately, the conditions on how to properly use most social networking applications are embedded by their providers in such unreadable texts that most of us still have difficulties bargaining about the proper exploitation of our personal data.
What do you identify as the attack surface in this cyber multiverse?
I feel that cyberspace may be conceptualized as three layers, which are the technological layer, the socio-technical layer, and the governance layer.
- Technological layer: This layer refers to the technology that enables the cyber activities we execute in cyberspace.
- Socio-technical layer: This layer explicitly describes the concrete cyber activities we execute and concerns the behavior of individuals using IT, i.e., their behavior in cyberspace.
- Governance layer: This layer concerns all management and governance efforts to properly structure cyberspace including its security.
Based on this conceptualization, we observe that the attack surface concerns IT (where vulnerabilities in the IT architecture can be exploited by attackers), people using IT (which concerns attacks on human behavior/vulnerabilities, like social engineering), and people with a governance role on the use of IT (here attacks concern, for example, attempts by the well-known tech giants like Facebook and Google to limit governmental supervision of their activities and to prevent legal arrangements that protect end-users but make their business less profitable).
What are the possible solutions for these problems?
Here Dr. Berg proposed two solution directions, the first being education. He indicated that people need to be educated not only about the use of certain applications but also about how they work and their possible implications. E.g., email is a great application for communication purposes, but users should understand how written messages are perceived by receivers and that links in an email may be related to a phishing attack (and thus should not be clicked on!).
The second approach is the adoption of a holistic approach towards cyber security. He emphasizes again that security cannot be achieved when a group of people is just thinking in terms of IT solutions (like cryptography, network security or application security). In the first place, it should be observed that every cyber security problem concerns a cyber risk management challenge w.r.t. the cyber activity at stake (in the socio-technical layer). Having identified the importance of that cyber activity for the person or business (e.g., a type of IT-enabled financial transaction), an acceptable risk level should be defined. Finally, a balanced set of countermeasures should be taken, again at the technical layer (e.g., only transactions below a certain maximum value are accepted), at the socio-technical layer (e.g., people should cover the device when typing their PIN code), and at the governance layer (e.g., the supervisory authority might prescribe that all financial transactions should be monitored).
Nowadays tech giants collect a lot of personal data in the name of user experience. How do you justify it?
These are very unhealthy practices that are being followed by all the tech giants. Facebook, Twitter, Google, to name a few, use and collect information about you irrespective of your will. Most of these services are free. People should understand that they actually pay by giving up part of their privacy. If you do not wish this, you should not subscribe to their services of course.
What do you think is the solution for this problem of data-collection?
It would be great if paid services were also available where your privacy would be fully guaranteed. This would provide more choices to the public. Apparently, the current business model of the existing tech giants is great, so they do not yet change their services very much in that direction.
I suggest that an open source solution for providing user experience may be developed which scrapes personal information after use so that it cannot be stored or used by other companies for their own interests. This would develop a sense of security and safety among individuals using services that barter with personal information.
How do you think the government layer must be filled in?
I feel more like “It must be made transparent to the public how tech giants and governments act in cyberspace”. And by that, I do not mean that government should make everything public, like what they collect and how they implement their intelligence services. But they should share the basic outline of their functioning. Let us compare this to the government’s functioning in the physical world. We all know that the government does infiltrate all kinds of locations with the aim of protecting us against, for example, terrorist attacks. We may feel a certain loss of our private information but, for protecting us against severe attacks, we are willing to accept that. Similarly, if they do it in the cyber world they must let the people of the world know what they do and the basic reasons behind it.
What is your take on Edward Snowden? A hero or a villain?
I think, “He is a villain in the eyes of the law but has done a very heroic act”. Since he was sworn to maintain the secrecy of all the confidential data within the NSA organization, which he did not, he is a criminal according to the law. On the other hand, he became aware of the large scale of the activities by the NSA and their methods, which were, in his view and that of many people, disproportional at least and even possibly illegal. He did what he felt was the right decision, making the NSA activities public to the world, thereby waking up 3.4 billion people connected to the WWW.
What is your take on activities of Anonymous?
I agree with the fact that Anonymous comes forward for the cause of Internet privacy. He states: “But I don’t consider them ethical; at certain times they go way too far”.
How do you see the security and safety of smart homes, smart cities, and connected cars?
I agree that these are emerging fields where a lot of work has to be done. With respect to connected cars: since it is a new technology and the related cyber risks include possible loss of human life, the highest priority must be given to the security of such devices. For the car industry, safety is a well-known concept but security (which is about securing against intentional attacks) concerns a paradigm shift in their thinking.
Furthermore, standardization in the IoT community, including the fixing of ‘acceptable risk levels’, must be taken up in order to ensure a minimum level of security for such devices. It is better to bolt the door if we cannot lock it. By the way, it is not the case that all IoT applications require the same level of security. Here too, the standardization should be based on a cyber risk assessment of the way the IoT device is used.