When flying and skills become a problem.

03.02.20 12:01 AM By Jordan

When the Concorde jet was invented, it became possible to have breakfast in New York and lunch in Paris. This innovation revolutionized the world of travel at a time when foreign business relations were still a pain to conduct efficiently.

While international travel still takes time, the barriers when it comes to international business have all but fallen away. If you have a client in Riyadh, you can get on a flight and be there in eight hours. During that time, you can prep for the meeting and do all of the administrative work that needs to be done before the meeting.

We take it for granted that airports have become intermediate business offices, but they are not safe. According to recently conducted research, South Africa’s three major airports have serious cyber inefficiencies. This is on par with many airports around the world that face similar challenges.

Troubling findings.

The IT Web article pointed out that OR Tambo in Johannesburg, Cape Town International, and King Shaka International have been found to have risks relating to cyber security, compliance and privacy.

This came to light during a research exercise conducted by Switzerland-based Web security company ImmuniWeb in response to a recently released World Economic Forum (WEF) report.

The “Advancing Cyber Resilience in Aviation: An Industry Analysis” report is aimed at “raising awareness about key systemic challenges to cyber resilience in the aviation industry”.

In the report, the WEF noted cyber resilience involved more than the security of assets. It also required a focus on protecting critical functions. In addition, it warned that cyber security challenges, including privacy issues, remained largely underestimated.

We are not alone.

South African airports are not alone in their cyber-vulnerability. ImmuniWeb's research covered all of the 2019 Top 100 Airports voted for by air travellers in the Skytrax World Airport survey. Only four of these airports are in Africa (the fourth is Mauritius Airport); 35 are in Asia; 33 in Europe; 19 in North America; six in Oceania; and three in South America.

Of the 100 airports, ImmuniWeb found that only three – Amsterdam Airport Schiphol, Helsinki-Vantaa Airport, and Dublin Airport – successfully passed all the security tests without a single serious issue being detected.

The survey also revealed that:

  • 97% of airport Web sites contain outdated Web software with 24% of the Web sites containing known and exploitable vulnerabilities;
  • all of the airports’ mobile apps contain at least two vulnerabilities;
  • there is an average of 15 security or privacy issues detected per mobile app;
  • 66% of airports are exposed to the Dark Web, with 72 of the 325 exposures regarded as being of a critical or high risk, indicating a serious breach; and
  • 87% of airports have data leaks on public cloud repositories – with 503 of the 3 184 leaks rated as critical or high risk for potentially enabling a breach.

The IT Web article points out that the ImmuniWeb report did not specify which airports had each of the different vulnerabilities, nor how seriously the specific airport was affected. So, for example, while 87 of the 100 airports had some sensitive or internal data exposed at various public code repositories – and 59 of these were identified with code leakages of critical risk and 61 with high risk – it is impossible to determine whether SA airports are included in that number.

The report also noted that while application weaknesses and software vulnerabilities continue to be the most common means by which cyber criminals carry out external attacks, only three airport Web sites received the best possible “A+” grade – meaning no single issue or misconfiguration.

Fifteen airports were rated “A” with only minuscule issues found, while a troubling 24 were found to have exploitable and publicly known security vulnerabilities, thus earning an “F” rating. A further 47 were found to have security vulnerabilities or several serious misconfigurations.

Major need.

This highlights the fact that there needs to be serious investment in cyber skills.

The article points out that New York City wants to keep young technology professionals from fleeing to California’s Silicon Valley, and the city has turned to an established Israeli venture capital firm to help them keep the tech talent on the east coast.

The city recently launched a unique partnership with Israeli venture capital and start up incubator firm Jerusalem Venture Partners with a flashy celebration at the new tech hub in downtown Manhattan, featuring deputy mayor Vicki Been and actress/entrepreneur Gwyneth Paltrow.

Commenting on the research, Ilia Kolochenko, CEO and founder of ImmuniWeb, told the Times of Israel, “Given how many people and organisations entrust their data and lives to international airports every day, these findings are quite alarming. Being a frequent flyer, I frankly prefer to travel via the airports that do care about their cyber security. Cyber criminals may well consider attacking the unwitting air hubs to conduct chain attacks of the travellers or cargo traffic, as well as aiming attacks at the airports directly to disrupt critical national infrastructure.”

The $100 million partnership, including a $30 million contribution from New York City, will focus on companies working in the cyber technology sector.

Significant shortage.

The article points out that New York City settled on cyber security as an under-represented sector in the technology world with officials saying that there are approximately 10,000 job openings in the cyber security field in New York City alone, and a shortage of more than one to two million cyber security experts around the world in the coming years.

“The bottom line is that there are not enough well-trained people in cyber security to fill the jobs that are required for a safer, more thriving commercial sector,” Wilson Lin, the Head of Cyber NYC, a city initiative of the New York City’s Economic Development Corporation, told The Times of Israel.

One of the biggest issues is that large companies are able to afford expensive cyber protection from established security companies, but small to medium size businesses do not have affordable solutions. As data is increasingly online, hackers can target anything from health data to a city’s electric grids to nuclear reactors to home security systems to stealing personal information from your local coffee shop’s loyalty program. Smaller companies need new cyber security solutions from up and coming companies, ones that will hopefully be scaled up at the joint JVP-NYC hub.

“Cyber security is continually growing more and more complex, and it is more and more urgent not only for large corporations like banks and large companies, but also for your own personal lives,” Lin added. “There are new stories every day, every week about some large credit agency or large hotel chain being hacked. People are continually realizing that we are vulnerable, and a lot of our personal data is at risk.”

Skills development.

The article points out that the partnership involving New York City’s Economic Development Corporation also includes cooperation between a number of universities, led by a new cyber security mentorship program at Columbia University. NYC is also offering scholarships for the first cohort of 150 students to do a four-month cyber security boot camp, in order to diversify the tech world and provide high starting salaries to people who have traditionally been excluded from technology jobs.

The article adds that, according to Lin, the average starting salary for a cyber security expert is between $70,000 and $80,000. Like many jobs in the technology sector, the job does not require a four-year degree, or any degree, but rather a deep grasp of the latest cyber security technology, which is changing rapidly.

“Cyber security was about protecting large utility companies, large banks, and large cities, that was one phase,” former Israeli politician Erel Margalit told The Times of Israel. “Now we’re coming to the next phase, which is protecting information democracies, the rights of the individuals… Cyber security now touches every category of technology.”

Education is key.

We have written extensively in the past about the need for an increased focus on cyber education and growing the cyber skills base. However, recent studies show that cyber security courses are desperately lacking in engaging and relevant content.

The blog article points out that cybersecurity is of increasing importance to societies around the world. This is reflected in national debates, where news stories about breaches, attacks, and policy challenges find their way into the headlines nearly every day. It is also reflected in the curricula of colleges and universities; many are starting to include cybersecurity as an explicit course of study.

As cybersecurity is still a maturing topic for the education community, it is prudent and timely to evaluate the state of cybersecurity instruction in political science and discuss how to improve it. To undertake this task, our forthcoming article in the Journal of Political Science Education examines patterns and variations in the content of syllabi on cybersecurity courses within political science, looking across campuses to understand the relative balance of policy topics, technical concepts, and theoretical debates in how courses are structured and presented.

Casting a wide net.

The article pointed out that its review included thirty-two syllabi whose main focus is on cyber conflict, cyberwarfare, cybersecurity, or offensive cyber operations, and that it discusses in depth the review criteria and other syllabi not included in the study. Twenty-seven of the thirty-two syllabi were from the United States. The five exceptions included several courses on cybersecurity and international relations at King's College London and Charles University, governance of cybersecurity at Leiden University, and cyberwarfare at the University of Nicosia.

The main finding of the research was that few courses overlap in using the same readings—there is tremendous intellectual and disciplinary diversity in course content.

This diversity defies an easy categorization of the ‘canonical’ or core literature of the field of cyber conflict scholarship. Rather, the field is scattered across a disparate range of topics and disciplines. The article added that, of the top thirteen readings across the surveyed syllabi, all but two were published in the last seven years. These results are a remarkable contrast with other fields, including international relations, which exhibit a clear and relatively consistent core literature.

Central themes remain key.

One of the findings of the research was that, while readings vary, there is some overlap in central themes.

Most syllabi include at least one week of coursework on cyber-warfare. Cyber power, espionage and intelligence, and China were the three most popular topics, each occurring in nearly 60 percent of our reviewed syllabi.

The article added that another sub-finding of the research was that syllabi vary significantly in how they rely on non-academic sources.

Even though we do not have comparative data from other fields of study, there appears to be a relatively heavy reliance on literature from media outlets. Less than half of the readings assigned are academic publications (47.2 percent). Combined, news reports (15.9 percent) and government and policy reports (15.9 percent) make up just below one third of the reading on syllabi. Think tank publications and specialized blogs account for another 9.8 percent. Notably, just below 3.4 percent of syllabi rely on reports from cybersecurity firms and other companies. Of these, most only include two reports: Mandiant’s report on APT1 and Ralph Langner’s report on Stuxnet.

No focus on methodology.

The article pointed out that, across all of these syllabi, there is little discussion of methodology.

Only 6% of the syllabi explicitly discussed methodology questions in relation to studying cyber conflict. This is not entirely surprising; explicit discussions of research design in academic cyber articles are scarce. The lack of methodology discussion may also owe to the academic level of syllabi examined; the bulk are for undergraduate and masters courses. Some courses start with conceptual clarification, an initial discussion of what cyberspace is, for instance, but this varies between technical underpinnings, like the internet’s design and core protocols, and philosophical or ideological discussions, like John Perry Barlow’s “Declaration of Independence for Cyberspace.”

The article added that while cyber conflict as an academic discipline does not yet have the characteristics of a coherent field of study, its varied topics have only grown in importance and public attention in the past decade. This growth has had a delayed impact on academia, but nevertheless each year brings new courses and syllabi. Our review is an attempt to systematically evaluate this nascent field and advance its maturity—not just as an area of research but also as an area of education.

Focal areas.

According to the World Economic Forum, there are some major areas to which cyber security leaders can shift their attention.

Real-time information sharing.

The pace of the digital world continues to increase exponentially. To keep up, security professionals have to address threats and security weaknesses rapidly, before cybercriminals strike. Speed is fundamental to an effective cybersecurity strategy; cybersecurity systems must keep up with the increasing speed and volume of internet traffic. Speed of reaction is vital as well. Too often, there are long lag times in addressing cybersecurity problems. Criminals can – and do – take advantage of this.

But speed requires visibility. To act fast, we must share threat information in near real-time. Cybercrime has no borders. In a world that is so deeply interconnected by digital technology, cybersecurity and global security are the same thing. No single organization, public or private, can have a complete view of the entire cyber landscape. Senior leadership must insist organizations share information to put the pieces of the puzzle together. Otherwise, we will be flying blind.

Widespread collaboration in cybersecurity.

Effective cybersecurity must be deeply and widely collaborative. Collaboration enables the good guys to create a hive mind, to learn rapidly, constantly expanding our competency and capacity. If organizations or states do not learn from one another, the same attacks will needlessly take down countless entities.

Wide collaboration means including everyone in a broader conversation about cybersecurity. Deep collaboration means making everyone smarter and creating knowledge repositories that are part of our operational systems. It means collaborating on threat intelligence sharing and it means collaborating on education.

The more we talk about the importance of cybersecurity and its fundamental role, and the more education is shared, the more we will educate and nurture the future generations of cybersecurity professionals we very much need. The estimated cost of damage caused by hackers, malware and data breaches is projected to reach $6 trillion by 2021. To empower leadership to meet these challenges, technological experts and top-level decision-makers across the public and private sectors must work together. This takes time. Senior leaders should make it clear that such collaboration is time well-spent.

Working together, we could see tangible results very fast. More than 92% of malware is delivered via email. With the right awareness campaigns and policies, as well as diligence in practice, we could eliminate more than 90% of malware simply by teaching new skills that overcome ingrained behaviours.

Creating and promoting a common vision for integrated cybersecurity.

Public and private sector leaders must commit to creating a common vision for integrated cybersecurity - something akin to NATO, which is based on clearly defined fundamental principles.

This vision for integrated cybersecurity must be comprehensive and inclusive, anticipating the next actions of cybercriminals rather than solely reacting to them. Just like NATO has well-trained armies and constantly evolving battlefield strategies, the common vision must be operational and must look at how best to address the technical challenges of effective cybersecurity, including the skills gaps I focused on in a previous piece.

Cybersecurity competency must be embraced by individuals and organizations. Cybersecurity education and training should be part of everyone’s educational development. Without such efforts, we will not have enough experienced soldiers to fight this war.

Jordan
