Why Buffalo, New York, is a leading start-up city and the future of cyber security

My April 2021 interview with Kristen Staci that appeared in Influencive:

Your work at the University of Buffalo brought you international recognition as an expert in cyber security.  What are you doing now? 

I still live and work in Buffalo, New York, and love the city!  I was a tenured professor at the University at Buffalo (also called State University of New York at Buffalo) for close to two decades.  I am currently the CTO of Avant Research Group (ARG)—a cyber security research and advisory firm based in Buffalo, New York, consulting for major corporations and governments on issues ranging from cybersecurity to consumer protection. I also currently serve on an expert panel for the NSA’s Science of Security & Privacy directorate.

Why is Buffalo, New York, emerging as a leading start-up city?

It’s an exciting time to be in Buffalo, New York. We are seeing a resurgence on many levels. Part of it has been because of a demographic shift, where younger people have been steadily moving back into the City. We also now have among the largest populations of New Americans—immigrants and refugees—in the area.

This has led to many small businesses, start-ups, and entrepreneurial endeavors. We have always had the best schools and universities in the region, which have attracted students from the world over. But the students never stayed back because there weren’t good jobs. Now they can. Because of this, we have hit a tipping point—where people can come here, learn here, stay here, and thrive here. It’s what has led to the boom in startups.

What should Buffalo, New York and other cities and municipalities be doing to better protect their digital infrastructure?

The starting point is knowledge. Buffalo, New York, and surrounding municipalities need to understand our exposure to cyber risk. This requires a cyber hygiene assessment of residents as well as within organizations. I have developed a Cyber Hygiene Inventory (CHI) that helps do this. It helps pinpoint the level of cyber awareness, knowledge, how well protected people are, and where the gaps exist. This is the only way we can pinpoint what is needed and then work on providing it.

The other area that needs more support is cyber access. With so much Internet use now occurring from home, the need is for affordable gigabyte speed Internet services. There exists limited competition in the City of Buffalo—and many others—so there hasn’t been investment by for-profit cable or telecom.

I have written about this in Medium, where I explain how Chattanooga, Tennessee, stepped in and created a municipal ISP. Buffalo, New York, can learn from this. But not just stop there. Buffalo can provide secure networks, help-desk services, and early warning systems that users can call into to report online scams and attacks. This can equip us with the technology and know-how for becoming cyber resilient.

How has the movement to cloud-based storage and computing services affected cybersecurity?

I talked about this at the Digital Government Institute’s (DGI) conference in 2018. 

Cloud computing, at least as it is being implemented presently, increases the surface area of vulnerability. Among the reasons for it: we are sharing more links, which routinizes the sharing of links; the current storage services have very poorly designed interfaces, making it easy to mimic, as in spoof, them and hard to detect issues in them; we depend on browsers for access, and browsers are notoriously easy to infect and attack because they are also used to do many—arguably most—online activities.

And finally, more files and information are being stored on other people’s servers, as in the external cloud service’s or platform’s servers, so we have to depend on some unknown entity for our data’s protection and integrity. When using the cloud, files can be hacked even if our devices are secure, if our browser is hacked or, worse yet, the service providing the cloud storage platform is hacked.

What is one of the most interesting experiences you have had working in cyber security?

I have had many. One that stands out is how an organization asked me to assess the quality of their security training. They had done internal penetration testing using simulated phishing attacks, a sort of gold standard for cyber security user training, for some years and achieved almost complete resilience—as in no user, or few, if at all, would fall for the simulations. My job was to assess how even those few fell.

I did it with the caveat that I design the simulated attack. The organization’s IT sent the attack out, and within hours it had netted more “victims,” as in people clicking, than all their multi-year simulations combined. I got a call from the company asking me how I had accomplished it.

This has happened in many other instances, and it is always interesting to see how people in IT react to seeing the inefficacy of training they have been told, and are convinced, works. The reason it doesn’t work is that it never fully takes into account users—how they think, what they believe, and how they act. So the training does little more than teach them how to spot a simulation, but not a real attack.

What is one of the most satisfying experiences you have had as an academic researcher?

It is being proved right over time, not once, but repeatedly, in the face of push back from academics. This includes being questioned about why I “waste my time” studying phishing; why smartphone-based social engineering should be studied; why Facebook might be an easy gateway for deception; and the ways in which trolling, misinformation, and hacking can be orchestrated into the Dark Triad to create a concerted attack on a nation state.

What has been your most satisfying moment in your professional career?

I have had many wonderful highlights including working with some of the smartest minds in national security, presenting at leading venues such as Blackhat, being asked to present my work more than a few times to audiences in the US Senate and House, presenting at the Army Cyber Institute and at Hopkins. These are just a few of the moments.

As I said earlier, when I began working on social engineering, there was no interest in my field in the area. In fact, a colleague even wondered why I was wasting time studying something so small. It is satisfying to see my work come to the public’s attention and be of value to people.

Much of my research work has been ahead of its time. I studied spear phishing before it became the cyber security problem it is. Likewise, I studied deception via Facebook and what I term the Internet’s Dark Triad—the combination of organized trolling, social engineering, and misinformation campaigns—and tried to caution policy makers about it years before the DNC hack and the Russian interference during our last presidential elections.

I also wrote about the threats from social engineering being all the more pronounced on smartphones, another topic that I researched and published papers on years before the 2019 DBIR had data to prove it was actually the problem I had predicted it would be. Here, again, when I presented the original work on mobile-based social engineering attacks at a leading academic institution, I had some researchers question whether it would ever be a problem. In 2019, the data proved it was, and I was asked by the Verizon DBIR team to write up the reasons for it based on my research.

What does the future hold for cybersecurity? 

I think cyber security is going to be an issue because of the rush to commercialize more technologies, many of which aren’t really fault tested; innovations such as AI and inventions such as quantum computing that are making it harder to keep things safe using our present Turing-based computer systems; and the fact that we haven’t spent time or effort in correcting or improving the fundamental weakness in computing—its users.

Original interview created by Kristen Staci and posted here. 