Dr. Arun Vishwanath, Buffalo, New York on the way forward for cybersecurity

Dr. Arun Vishwanath of Buffalo, New York, is a leading expert on the “human problem” of cybersecurity.

His research focuses on why people become victims of social engineering attacks and how we can use this understanding to improve organizational and national resilience to cyber attacks and secure cyberspace. In addition to investigating the weakest link in corporate security – users – Dr. Vishwanath also examines how various groups – criminal syndicates, terrorist networks, hacktivists – use cyberspace to commit crimes, spread misinformation, recruit activists and radicalize others.

Dr. Vishwanath is a graduate of the Berkman Klein Center at Harvard University and is also a member of a respected panel of experts for the NSA’s Science of Security and Privacy Directorate. His research has been widely cited and published on CNN, the Washington Post, Wired, USA Today, Politico, and other national and international news outlets. He is a sought-after speaker and has presented his work at leading national and international forums to heads of national security and law enforcement agencies around the world.

Many of his original ideas have resulted in new products, processes, and guidelines.

For example, Dr. Vishwanath began calling for a 911 system for reporting cyber violations on CNN and in other outlets in December 2014. Organizations in the United States and abroad are now working to establish such systems.

In February 2015, in another CNN opinion piece, he called for a 5-star rating system for new apps and technologies, similar to the 5-star rating system we use to test the crash protection of new cars. In 2019, Consumer Reports put in place a system to do just that.

In November 2017, he called for an open source breach reporting portal that stores and disseminates information about breaches so people and businesses know what information about them has been compromised. In 2018, Mozilla Corp. developed Firefox Monitor for this.

In January 2018, he wrote about how AI would adversely affect the American middle class, displacing truck drivers, retail workers, and even local news reporters – almost two years before presidential candidate Andrew Yang made it the central theme of his campaign.

He is currently the CTO of Avant Research Group (ARG) – a Buffalo, New York-based cybersecurity research and advisory firm – and also works as a technologist. He writes in the public interest to raise awareness of cybersecurity problems and find solutions to them.

Your work at the University of Buffalo earned you international recognition as an expert on cybersecurity. What are you doing now?

I still live and work in Buffalo, New York and I love the city! I was a professor at the University of Buffalo (also called the State University of New York at Buffalo) for almost two decades. I am currently the CTO of Avant Research Group (ARG) – a cybersecurity research and advisory firm based in Buffalo, New York, advising large corporations and governments on issues ranging from cybersecurity to consumer protection. I am currently also a member of a panel of experts for the NSA’s Science of Security and Privacy Directorate.

Why is Buffalo, New York becoming a leading start-up city?

It’s an exciting time in Buffalo, New York. We are seeing a resurgence on many levels. Part of this was due to demographic change, with younger people steadily returning to the city. We now also have among the largest populations of New Americans – immigrants and refugees – in the region.

This has led to many small businesses, startups, and entrepreneurial endeavors. We have always had the best schools and universities in the area that have attracted students from all over the world. But the students never stayed behind because there weren’t any good jobs. Now they can. Because of this, we have reached a turning point – where people can come here, learn here, stay here, and thrive here. This has led to a boom in startups.

What should Buffalo, New York, and other cities and towns do to better protect their digital infrastructure?

The starting point is knowledge. Buffalo, New York and the surrounding communities need to understand how we are exposed to cyber risk. This requires a cyber hygiene assessment by residents as well as within organizations. I have developed a Cyber Hygiene Inventory (CHI) to help with this. It helps determine levels of cyber awareness, knowledge, protection of people and the loopholes that exist. This is the only way we can determine exactly what is needed and then work on delivering it.

The other area that needs more support is cyber access. With so much internet access from home now, affordable gigabyte-speed internet services are required. There is limited competition in the city of Buffalo – and in many others – so no investments have been made through for-profit cable or telecommunications.

I wrote about it on Medium, where I explain how Chattanooga, Tennessee stepped in and started a community ISP. Buffalo, New York, can learn from it. But don’t just stop there. Buffalo can provide secure networks, help desk services, and early warning systems that users can access to report online fraud and attacks. This can equip us with technology and expertise to achieve cyber resilience.

How has the move to cloud-based storage and computing services impacted cybersecurity?

I talked about it at the Conference of the Digital Government Institute (DGI) in 2018.

Cloud computing, at least as it is currently implemented, adds to the surface of the vulnerability. One of the reasons for this: We’re sharing more links that routine link sharing. Current storage services have very poorly designed interfaces that make them easy to emulate and difficult to spot problems with. We rely on browsers to access them, and browsers are known to be easy to infect and attack because they are also used for many – arguably most – online activities.

And finally, more files and information are stored on other people than on the servers of the external cloud service or platform. Hence, we have to rely on an unknown entity for the protection and integrity of our data. When using the cloud, files can be hacked, even if our devices are secure, if your browser is hacked or, worse, the service that provides the cloud storage platform is hacked.

What’s one of the most interesting experiences you’ve had in cybersecurity?

I’ve had a lot. What is striking is how an organization asked me to rate the quality of their safety training. They had conducted internal penetration tests with simulated phishing attacks for a number of years, a kind of gold standard for training cyber security users, and achieved near-complete resilience – like no user or few, if any, would fall for the simulations. It was my job to judge how even these few fell.

I did it with the caveat that I design the simulated attack. The company’s IT sent out the attack and, within hours, had more “victims” (clickers) than in all of their multi-year simulations combined. I got a call from the company asking how I did this.

This has happened in many other cases, and it’s always interesting to see how IT people react to the ineffectiveness of training that they have been given and believe will work. The reason it doesn’t work is because users are never fully considered – how they think, what they believe, and how they act. So the training doesn’t teach them much more than teach them how to recognize a simulation, but not a real attack.

What’s one of the most satisfying experiences you’ve had as an academic researcher?

It is proven over time, not just once but over and over again in the face of recoil from academics. This includes the question of why I have to “waste my time” studying phishing; why smartphone-based social engineering should be explored; why Facebook could be an easy gateway for deception; and the way trolling, misinformation, and hacking into the Dark Triad can be orchestrated to create a concerted attack on a nation-state.

What has been the most satisfying moment in your professional career?

I have had many wonderful highlights including working with some of the brightest minds in national security, presenting in leading venues like Blackhat, being asked to show my work to audiences in the US Senate and House of Representatives more than a few times, and at present at the Army Cyber Institute and at Hopkins. These are just a few of the moments.

As I said before, when I started working in social engineering, there was no interest in my area of expertise. In fact, one colleague even wondered why I was wasting time studying something so small. It is gratifying to see that my work attracts public attention and is of value to the people.

Much of my research was ahead of its time. I studied spear phishing before it became a cyber security problem. Likewise, I’ve studied deception about Facebook and what I call the Internet’s Dark Triad – the combination of organized trolling, social engineering, and misinformation campaigns – and tried to warn policymakers in the years before the DNC hack and Russian interference in our last presidential election.

I also wrote about the social engineering threats that are all the more pronounced on smartphones, another topic I’ve researched, and published articles years before the 2019 DBIR had data to prove that it was indeed the problem that I had predicted. Again, when I presented the original paper on mobile social engineering attacks to a leading academic institution, some researchers wondered if it would ever be a problem. In 2019, the data proved this to be the case and I was asked by the Verizon DBIR team to write down the reasons for this based on my research.

What does the future hold for cybersecurity?

I think cybersecurity will be an issue as more and more technologies need to be commercialized, many of which have not really been tested for bugs. Innovations like AI and inventions like quantum computers that make it more difficult to maintain security with our current Turing-based computer systems; and the fact that we have not spent time or effort correcting or improving the fundamental weakness of computing – its users.
