- Cyber security industry to grow by 8.4% per annum
- Expected to grow to a $ 130 billion industry by 2021
- Cyber security specialists in high demand for large corporations
By Maleesha Sulthanagoda
In an effort to facilitate the growing need for cyber security specialists in Sri Lanka, the Centre for Integrated Communication Research and Advocacy (CICRA Campus) recently held the Youth Cyber Security Summit 2018 to encourage school students to get into the industry as well enhance their knowledge on importance of protecting against cyber-attacks.
Skills for ethical hackers, entrepreneurship, careers in cyber security, and security in online banking were among some of the topics discussed by the industry professionals to an audience of over 400 students drawn from 50 Government, private and international schools countrywide.
The summit which was organised in partnership with Daily FT featured guest speakers from around the world, including Cyber Security Expert from the UK and ethical hacker Zoe Rose, Deakin University Senior Cyber Security Academic Dr. Amani Ibrahim,Secretary to the Minister of Telecommunication and Digital Infrastructure Wasantha Deshapriya Dialog Axiata PLC Director and Group CEO Supun Weerasinghe, Microsoft Sri Lanka and Maldives Country Manager Hasitha Abeywardena, Standard Chartered Bank Sri Lanka Country Technology Manager Sobitha Weerasekara, 99X Technology CEO and Co-Founder Mano Sekaram, and CICRA Consultancies General Manager and Cyber Security Architect Rukshan Devendra.
The Official Banking Partner was Standard Chartered Bank while Incotech Lanka was the Co-Sponsor. The event was endorsed by the Ministry of Telecommunication and Digital Infrastructure, while ICTA was the National Partner. Triad was the Creative Partner.
The need for cyber
Secretary to the Minister of Telecommunication and Digital Infrastructure Wasantha Deshapriya said that countries needed to emphasise their stance on cyber security and facilitate for more cybersecurity specialists.
“Cyber security is now a global matter. The UN has announced that cyber security is global issue demanding global recognition and cooperation. In 2017, half of the countries were shown to be aware but they didn’t incorporate it in national planning. In the same report, they highlight that out of the 193 countries that are a part of the UN, only about 38% of the countries have a strategy to address cyber security. The same report highlighted that developed countries are spending billions of dollars to address this issue but the governments are falling behind in their target achievements,” he said.
Deshapriya also mentioned that the rapid development of technology had paved the way for more cyber security jobs opening in the market.
Deshapriya noted that there was a concern that cyber security could hinder or prevent democracy from being established in countries since access to information was a basic human right.
Stating that everything is connected and everyone depended on the reliability of the internet and the services provided through it, any incident preventing such access to information could contribute to hindering democracy and imposes restrictions on the basic human right of access to public information. “Cyber security has become an issue that is impacting all the aspects of social life. There will also be an increase in the need for cyber security specialists, especially in developing countries such as Sri Lanka. All things are connected.”
Deshapriya also said that the General Data Protection Regulations (GDPR) published by the European Commission had imposed several requirements with IT security experts must comply.
Technology and telecommunication
in cyber security
Dialog Axiata PLC Director and Group CEO Supun Weerasinghe who spoke on the ways that technology and telecommunication affects cyber security said that it evident that there was a major impact on the industry by the fourth industrial revolution.
He said that the current industrial revolution would change almost all of the local industries and increase the need for cybersecurity specialists.
“We are now in the fourth industrial revolution. When you head into the job market, it will be the post-industrial revolution era and much will have changed. The fourth industrial revolution is about digitisation and bringing all the connectivity in the world to drive this digitisation. This will shape the world that you going into in the near future when you come into employment. In 2010, the top five listed companies in the US were all traditional companies. Oil, gas, and retail, but today, the top five are tech companies. This change is only going to get accelerated and new technologies are going to get more affordable. The speed of adoption of these new technologies is also increasing. People are becoming more open to change, especially the younger generations,” he added.
According to Weerasinghe, the new generation will drive innovation to the next level and new technologies like AI will fit into this future.
“The human brain has an average IQ of about 100 or more. Then the persons in the ‘Genius’ category have IQs surpassing the 170s, but when we compare this to the IQ of Artificial Intelligence (AI) programmes we have now, we pale in comparison. The IQ of most AI programmes are about 10,000 or more, keeping in mind the AI technology we have access to now is in its primitive stages. This shows the power of computing and the power of technology in relation to the human brain.
“The world is adopting AI very quickly too. This is also due to the fact that the computing power of the chipsets we use is increasing. In general, the computers have a better IQ and processing of information is getting faster. In 2010, it might have been equal to the brain capacity, but as of now it is about 10 times that of brain capacity. This pace of this evolution is also growing and we expect by 2040 that it’ll grow to about a million times bigger than brain capacity. All of this will happen within the upcoming years and the new generation will drive this change.” he said.
Safety concerns when online
Speaking on safety concerns when using internet services, Microsoft Sri Lanka and Maldives Country Manager Hasitha Abeywardena said that the users of these media platforms should be responsible for their own safety.
“Over the past couple of years and in the next five years, the world will transform into a different place. There are many factors that play roles in this transformation. One is AI, secondly social media. The entire world is getting connected socially. Then there is the amount of data we generate and lastly the Internet of Things (IoT). All of these things are being connected together. These technologies are changing the world. You all are from the digital age. The jobs that we have today aren’t going to be there in this same form in the future. This is obvious. With the kind of intelligence that AI will have around us, some jobs will vanish.
“You heard about blockchain. People are asking whether we need jobs for accountants and lawyers if we introduce this. Today, you are here because you have chosen IT. Back in the day, about 10 or 20 years back, we could get a job in the IT industry because we knew Word and Excel, but today it is very different. What you learn is very important for your future. If you are looking at for a job in the IT industry in the future, these new technologies will play a big role in your employment,” he stated.
He added: “Our parents can’t guide us into the world of the internet. Therefore it is our own responsibility to take care of our safety. There are no rules and regulations when interacting on the internet. Governments are trying to figure out ways of coping with these issues. Another issue is that there are no boundaries. When you are in the digital world of the internet, there are no boundaries. Anyone can log in from anywhere and access information as they please. Even though you don’t now most of these people, you’re are open to them.”
Abeywardena advocated for the use of strong passwords and for the importance of vigilance when using the internet services. “When you log on to the internet, we use a device. It is of paramount importance that we encrypt these devices with passwords before we use them. Your passwords must be kept private. It should be for your perusal only. The only ways another person can access your accounts are by brute force or by knowing your password. So it is important that passwords be kept secure. If your online identity is breached by a stranger, all your personal information such as bank account details, addresses, and phone numbers like information is available to them. That person who has access to your identity is you as far as the internet is concerned. Whatever that person does using your name can be considered as actions done by you.
“What you do on the internet is also very important. You must make sure the sites that you get onto are genuine and protected. Bank transactions or money transactions especially should be done with utmost vigilance. There are programmes and workarounds to make your online life more secure. Multi-factor authentication, two-step verification, and personalised questions are some examples for these.
“Most importantly, when browsing on social media websites and apps, young people should especially be vigilant and careful. On these websites, you may know some people but the majority of them will be people you don’t know. So you should be very careful when interacting with these people who you don’t know personally. There is a distinction that you should make when interacting with these people. What type of information you are going to share and how are you going to share it, because it is about managing your relationship and reputation.”
How entrepreneurship and cyber security are connected
99X Technology CEO and Co-Founder Mano Sekaram speaking at the summit highlighted how young entrepreneurs should look into the cyber security industry as it was a growing market.
“The fourth industrial revolution will really disrupt the way we work, the way we think, and the job market. It will disrupt every industry. In Sri Lanka, it will disrupt all the traditional industries in Sri Lanka. Our agriculture, our plantations, our garment industry, and everything will get disrupted. Things will happen in a completely different way. Just imagine, our garment industry will get disrupted, no longer will we need to have production facilities in the country. We could just send the design to a foreign country which will engage in the production. In DNA sequencing, we will find breakthroughs for medical science. Today, for any ailment everyone pretty much gets the same drugs, but in the future, based on your sequenced DNA you will have custom made drugs prescribed to you. It is also plausible that we could see cures to cancer and the diseases in the future.
“The whole world will change and what is important is important is that we should be ready for this change. We can be a part of this turnover. If we as a nation hope to go forward, we must face this revolution successfully. We have a fantastic education system. We are known all around the world for our education system. On the other side in terms of the innovation, out of the 127 countries which are listed, we are at 90. That means that even though we have a good education system, we are unable to innovate,” he added.
Contd on page 18
Pix by Lasantha Kumara and Ruwan Walpola
He also stated that innovation was the major link in the connection between the two professions. “The future of the world is about innovation. It’s about innovating and taking things to the market. So if we as a nation need to go forward, there are two most important ingredients we need to improve upon: constructing more and more innovators. Innovators are people who will innovate something new to the market, disrupt it, and make it a success. One of the fundamental ingredients on increasing innovation and moving forward is to have enough innovators. The other most important ingredient is to have enough entrepreneurs. Entrepreneurs are the people who will take a risk and look at the market opportunity and create production services,” he elaborated.
Cyber security within
Standard Chartered Bank Sri Lanka Country Technology Manager Sobitha Weerasekara noted that online banking was one of the main sectors that benefitted from the development of the cybersecurity industry.
“Security is important in our lives. We never leave the front door unlocked when we are leaving our houses, we never leave our confidential documents in unlocked drawers, we never leave our cars unlocked in public, and we especially don’t share our mobile and ATM pins with the world either. With regard to online banking security, people tend to ask the question whether it is safer to do our transactions by walking into a bank rather than by doing it online. There are many factors that come in to play regarding online banking, including the infrastructure and security features used by banks to provide online banking. In a financial institute, the infrastructure facilities play a major role.
“Another key factor is customer awareness on the safe use of online banking. This is also one of the reasons for the importance of awareness campaigns. The legal framework of the country is also an important factor. The actions of regulatory bodies such as the Central Bank also play a significant role regarding online banking and finally the country having a reliable and secure internet infrastructure is of paramount importance. A country must have a reliable and safe internet infrastructure so that people can engage in their baking activities without having any complications,” he continued.
Weerasekara went on to elaborate on the roles of the bank and the customer in online banking. “Everyone plays a role in online banking security. The banks, customers, suppliers, regulators, and even the criminals, who are in a constant search for unauthorised access. The bank plays the leading role regarding online banking. As banks we have a lot of policies. Those are the starting points that govern the good discipline of online banking. Strong and secured infrastructure, proper access control, information security policies, fraud monitoring systems, periodic vulnerability tests, two factor authentication systems are needed to be supplied by banks.
“After the bank, the next major role in online transactions is played by the customers. Here password protections and safeguarding online banking access points are really important. Regarding password protection, we must keep them safe by never sharing them. It is also important not to enable autocomplete password settings on our computers. Changing the passwords periodically and avoiding the obvious traps also help in protecting our passwords,” he added. He said that being vigilant and cautious concerning online banking needed to be encouraged.
“It is not a bad thing to be overly-vigilant and cautious about our online banking security. Checking your transaction history and details regularly, updating the bank immediately if you changed your contact details, notifying the bank if you are going abroad, avoiding use of public devices to do transactions as much as possible, and subscribing for bank transaction alerts are some of the steps we can take to be more secure during online banking,” he elaborated.
Careers in the cyber
Speaking at the summit on careers available for qualified individuals in the cyber security industry, CICRA Consultancies General Manager and Cyber Security Architect Rukshan Devendra managed to grab the attention of all the students from the 50 schools that participated in the event.
“If you look at 2017, cybersecurity is an $ 85 billion industry. Industry here means products, services, and everything globally. So we are looking at an annual growth of 8.45% with the current economic conditions. There is a steady increase. In 2016, it was $ 84 billion. We are expecting this to become a $ 130 billion industry by 2021,” he said.
He also went on to mention the growing need for cyber security specialists in larger corporations. “Cyber-attacks are everywhere, but when you become a large company, the number of threats and the severity get a bump. If you look at the cyber security industry, nearly 60% of organisations have unfilled cyber security or information security positions. That means there is a huge job market for future prospects. It is also important to note that it takes about three to five months to fill this kind of position. This means that there is a lack of professionals in the industry and that they are always on the search for candidates to fill these positions. From these facts it is evident that the cyber security industry is an industry with a high demand for qualified individuals. That also means that if you have completed your studies well, the job market is very welcoming towards you,” he added.
Pix by Lasantha Kumara and Ruwan Walpola
Overview of cyber security industry
Panel discussion focuses on local challenges, AI, qualifications and
restrictions for ethical hacking
Q: We are facing a number of cybersecurity issues in Sri Lanka. What are the corporates in Sri Lanka struggling
with right now?
Iyer: The biggest issue we are facing now is vulnerability. One of the major challenges that we face in South Asia and Sri Lanka is actually the skillset of the employees and professionals in cybersecurity. There should be a clearly defined skillset where we will be able to take the new prospects of the industry so we can give them on-the-job training. We fundamentally searching for five elements when we are looking at the new people who are coming into the field. Knowledge, required skillset, the appropriate tools, how to use the tools and finally the attitude. The attitude is lacking in the Sri Lankan cyber security industry.
Dayaratne: At CICRA, we pioneer the cyber security industry of Sri Lanka by giving interested future prospects with the required knowledge and training to be successful. What we see during the completion of this tasks that the attitude of these young talents are lacking. To be successful in any profession you need to have a go-getter attitude and you need to get your hands dirty. This is especially important in the cyber security industry. Self-Learning is also important, because in cyber security most of the tasks are technical. You can’t master thesis techniques by just learning them. You have to practice at it and get better.If you have the required skillset, a deep grasp of the knowledge, a good technical experience, and a great attitude to match, you will be successful figure in the industry.
Q: There are various degrees offered covering the cyber security field. What is the difference between a Bachelors degree in IT and a Specialised degree in Cyber Security?
Iyer: When it comes to the cyber security industry, there are professional qualifications and academic qualifications. It is important to find a balance between these. The academic field will give you the skillset which will never expire. Getting a degree is a must because it is forever. Doing a professional degree will give you updated state of affairs and knowledge on the cyber security industry. The importance of doing a specialised degree is that it will be very easy for you to get into the market. There are so many positions in this industry, so when you do a specialised degree it gives you a clear path to your profession. Doing a specialised degree will give you the specialised skillset for a certain position and an identity to you.
Dr. Ibrahim: In cyber security, there is no specified subject. A general IT degree will not give you a focused skillset into a single sector. Specialised degrees are more beneficial to you and the company that hires you in the cyber security industry. Cyber security courses don’t tell you what is happening in reality. It might be the official way but you need to get your hands dirty. You can’t succeed in the this industry without being technical or getting your hands dirty. Hans-on experience has a paramount of importance in the industry.
Q: Why is AI so prominent in the cyber security industry? What can it do?
Iyer: One of the challenged that we face in Sri Lanka is big data, meaning, the concept of the ‘3V’s. Velocity, volume, and variety. When all these three factors are high, it is almost impractical to manually code them. AI is very important here. In the Security Operations Centre (SOC), they need o automatically detect threats of attacks and take actions. To do this we need AI, because the data load is too much detect manually.
Dr. Ibrahim: AI, although in its early development stages, it is really important, especially in the bigger companies. In the future it will only get more important. Eventually AI might replace humans in some sections of the industry. AI is also more reliable than people because make significantly less mistakes.
Q: How far does the ethicality
of hacking go?
Dr. Ibrahim: It is up to you to decide on what kind of hacker you want to become, be it ethical or unethical. If you become an unethical hacker, the profit margins are better but the time you get to enjoy those profits are less, because you will eventually go to jail. If you become an ethical hacker, you actually benefit society. You are an asset to society.
Q: What are the
restrictions for an
Rose: It depends on the country and it depends on the company. For example, organisations are technically allowed to hack the people who are hacking them. The problem with that is, in some scenarios if you don’t get the information of the organisation, you have to go and find their IP addresses and all the other things depending on what they have. I have to verify that they have ownership of that before I start the task because if they don’t have that, even when my intention is good, I’m doing something illegal. You can’t just hack any company. They have to explicitly give you permission and the biggest challenge when starting out as an ethical hacker is knowing those limitations.
The journey to become an ethical hacker and how they are modern superheroes
At the event, Cyber Security Expert from the UK and ethical hacker Zoe Rose spoke on what a person should possess in order to become an ethical hacker and the life skills required.
“I’m an ethical hacker. My job is breaking things to make them more secure. I often get asked, how can you be an ethical hacker? The ethical part is that I only do it when I get permission and my goal always is education and making things more secure,” she asserted. “It simply means that I have a different mindset. You should have the DNA of a hacker. This is what makes up a hacker.”
Although people believe that having technical skills is the main requirement when becoming a hacker, she said that being a hacker doesn’t mean you have to be technically gifted. “It certainly helps but it is not a basic requirement. I do find that a lot of people get quite anxious, especially women, and then they deal with something called the Imposter Syndrome. That is the belief that you are not good enough and that everyone else will find out one day.”
The reason for thinking like this is the constant change of technology, she noted. “Technology is complex, there are things that we just won’t know. The cyber security domain is so vast that it is completely impossible for you to know everything. So I like to clarify that you don’t necessarily have to be somebody who is an architect, you can be somebody that simply understands people. You can do things like coding, networking, etc.”
Mindset is also very important for a hacker, she revealed. “Instead of looking at something for what it does, we should train to look at it in a different way. We should be able look at it and ask, ‘What can I make it do for me?’ And then after that resourcefulness is the next important point. What information can you get and what can you do with it is important here. Next the passion for what you are doing is really important. I am passionate about my work and what I do. I love my job, I love helping. My motivation is education, awareness, and promoting the wonderful field of cybersecurity. A not-so-ethical hacker would be usually financially well-off,” she said.
Rose said that many of the malicious hacks were carried out by people who are looking to earn quick cash and that most of these hackers were opportunistic. “What that means is the majority of hacks are just a bit better than the worst which are often overlooked. The reason for this is because for the hacker, they want to attack something but they also want it to be easy. They want to get the most out of their time. Here ethical hackers come in and they identify smaller issues. Eventually you become more and more secure, but you don’t have to be perfect. No one will ever be perfect. My technical skill is networking but for someone else it might be different. The tool kit depends on what your technical skill is. There is a lot of technology out there, which are mostly pre-built programmes so you don’t need to be that technical or technically gifted. Although you have to be technically gifted to build these tools, you don’t have to be technically savvy when it comes to operating them,” she added.
She also highlighted the importance of a good educational backgrounds for a hacker and how it would benefit in the future. “As an ethical hacker, you need to be innovative. You need to think what the others haven’t thought about. So what we do is, when we look at something, first we look at what it does and then what we want it to do and finally what our goal is in the end. To do this you need to understand the basics. As I said, there are a lot of skills that you can have. My happened to be networking, so I was a Network Architect. I built networks and I maintained them. So finding out what your specific skill is important. To find this out you need to have the basic education and the correct guidance. So if you can definitely go to school to learn more. It is very helpful and amazing, bit being self-taught is also very important, especially in the field of hacking,” she elaborated.
Rose also went on to mention the importance of self-motivated learning in the life of a hacker and how being curious helped her to get to the top of her field. “I had to be very self-motivated and I would go on things like YouTube and I would just watch. I learned lot through this. I learned a lot about virtualisation, system management and so on. So the first requirement of being a hacker is to be curious, you have to be self-motivated, and you have to continue in failure.
“The next one is Operational Security (OpSec). OpSec is about being aware about the amount of information you are giving away. This is important for ethical hackers because, when I broke into networks for penetration testing I didn’t want to get caught. I wanted to get access and then explore. A couple of years ago, hackers typically spent 205 days in a network before getting detected. The number of days you spent in a network is determined by your skill. The longer you can stay in a network without being detected, the more you can explore, and the more valuable information you can access. So OpSec is an essential skill that you need to have as a hacker.”
Rose also stated that in the future cyber security specialists would be in more demand due to the continuous development of technology. “As humans we are very collaborative. We like to connect with people and communicate with them. We look to go on the internet and build communities and connect with likeminded people. We like to go on the internet and collaborate with others, because of this we become reliant on technology. So in the future we are just going to have more technology. When building new technology it is just like everything else, we build it as fast as possible. So the value of ethical hackers in the future is you can look at something throughout the production process and also then after sales and you can see issues that others can’t. We see these issues because we are curious and so we can protect people that can’t protect themselves.”
“An ethical hacker is somebody that is a superhero. You are the one that is looking into these issues. You are looking where other people aren’t looking. As technology improves, the importance of ethical hackers will also grow. They will become vital to organisations, communities, and to the general public. We have smart homes now, thermostats which are connected to the internet, almost everything is connected. This is making us more vulnerable to the ones that do harm. This is where ethical hackers come in and protect people. An ethical hacker’s job is finding the issues, getting them fixed, and also making the world a more secure place,” she elaborated.
Importance of being cyber-safe
Speaking on the importance of being secure in the cyber space and how to increase control over the personal information shared online, Deakin University Senior Cyber Security Academic Dr. Amani Ibrahim stated that it was important to maintain a healthy social media presence among school children.
“Technology is taking over our world. We live in an age where almost everything is interconnected. Technology for one is making our life easy and comfortable. Most of us are active on almost all of the mainstream social media websites like Facebook, Twitter, and Instagram. Even I had accounts on some of these platforms because I liked sharing pictures of food and interacting with my friends and family. But do we understand the risks of spending time on these platforms? Virtually anyone can become a hacker’s target. Hackers also people for different reasons. Some do for the getting a profit like when a group of hackers released the WannaCry Ransomware. Some hacktivist groups engage in cybercrime. A crime that involves fundamental breaches of personal or corporate security.
“There are also hackers who engage in cyberbullying. A research presented at the 2017 Paediatric Academic Societies Meeting revealed the number of children admitted to hospitals for attempted suicide doubled between 2008 and 2015 which also linked to an increase in cyberbullying; 20% of reported cases mention that they were affected by online rumours. Seven percent of middle school and high school students had a mean or hurtful web page created about them; 79% reported that either their child or a child they know had been threatened with physical harm while playing online games. Cyberbullying tends to also occur on Facebook or through text messages,” she stated.
She expressed that the only way to have a healthy social media and cyber space presence was to increase the awareness of the new generation through intuitive education. “There are risks and challenges when interacting in the cyber space. There are mainly three areas we could focus on. Privacy management, relationship management, and reputation management.”
When we talk about privacy, the amount of information we share and the sensitivity of that information matters, she asserted. “Almost all of us have smartphones, and on these we have location services which is turned on most of the time. In reality, location services is one of the most ways for s hacker to have access to your phone. You are vulnerable anytime location services is turned on. So it is important to review our privacy settings from time to time. Especially whether we have sensitive information like our live location, phone numbers, and addresses to be viewed publicly. Maintaining up-to-date genuine software, and maintaining strong passwords are also some actions that can be taken in order to secure our privacy when interacting online. “In relationship management, we have to be careful. We have to be vigilant when talking to strangers online. They could easily misguide and mislead us into doing potentially harmful things. We shouldn’t completely trust or get into relationships with complete strangers. When we are talking to a stranger online, we don’t know whether that are a real person, a fake person, or an imposter. There are ways of safeguarding our managing our online relationships too. Talking about it, and blocking and reporting inappropriate individuals are some of these workarounds. Reputation management is also very important. Sometimes when we are young we don’t think about the consequences of our actions. It is of paramount importance to think before you post. It is important to be a positive role model online too,” she further elaborated.