Updates - From the Office of the NYIT President
Mar 25 2014
Opening Remarks: National and Corporate Threats, Protection, and Education

Edward Guiliano, Ph.D., President, New York Institute of Technology, delivered opening remarks at NYIT's Global Cybersecurity Conference held today in Abu Dhabi. The theme of the conference focused on National and Corporate Threats, Protection, and Education.

Edward Guiliano, Ph.D., President, New York Institute of Technology

Good morning and welcome.  As-salamu alaykum. There are many important guests with us here today, and I thank you for honoring us with your presence.  Your Excellency Sheikh Nahayan Mabarak Al Nahayan, you are a friend to the world and especially NYIT.  Thank you for gracing us with your presence and wisdom.  I am proud to note you hold an Honorary Doctorate from New York Institute of Technology.  We strive to make you proud. 

We are here today to talk threats and cyber-malfeasance. About blocking hacktivists and cybercriminals, some of whom are gangsters, terrorists and cybermilitary operatives.  Other players are arms of corporations and governments. Many live in the dark world of anonymity.

The indexed web alone now has at least 2.3 billion pages, and you can click on them in Greenland and even the Space Station. So anonymous activity has skyrocketed. And anonymous users perform extraordinary feats like spinning out electronic currency.

But anonymity goes both ways.  A dog can be talking to a giraffe.  It can be talking to no one: software.  Have you ever spoken to Siri or the GPS in your car?  

Today we can say: “On the Internet, nobody can know you’re even there.” Hidden software can be listening, copying, or destroying.So it can get bad. In fact, the most famous group of hacktivists calls itself —Anonymous.

In fiction, perhaps the ultimate in anonymity was H.G. Wells’s invisible man.  Clues to his identity and presence vanish, and what does the man do?  He begins a crime wave.  He had a backdoor everywhere.

Today, invisible men sneak in backdoors everywhere from iPhones to supercomputers.  It can be tough for the good guys in cybersecurity to figure out who the perpetrators are when there’s an attack.

Two types of cybercrimes are sure to make the headlines in 2014. Who knows what they will be in 2015?  One is identity theft yielding passwords and identity numbers that get people’s money.  We read about a piece of malware that helped criminals capture 300,000 names and personal information.  And then it gets posted worldwide on the Internet.  Just last month, a cybersecurity firm discovered stolen credentials from 360 million accounts.  Someone was selling them on cyber-black markets. 

Students sometimes get caught up in this.  Someone makes them an offer they cannot resist, especially if they are very poor and are dreamers.  “I will pay for you to go to school in America, England, Europe, the U.A.E.  I will pay for food and an apartment.  I will leave you alone, perhaps for a year or two. Then one day you will get a message, and in the next hour or two, you will go to as many ATM machines as I tell you to and withdraw all the money you can.”

And what’s really going on is that a gang, using servers along the way tied to some country without extradition laws—say Venezuela—hacks into the database of a processing company, lifts the cap on prepaid credit cards they own or just get into individuals accounts, and ka-ching, like an old-fashioned cash register, they just cash and cash out money.  Withdrawing $25 million USD in a couple of hours is not unusual.  A recent heist in India netted $40 million.

The students or other poor mules--as the FBI calls them, borrowing a term from drug trafficking--are the ones who go to jail if they are caught, as does the person they give the money to.  The gang who planned the heist?  They are many time zones away from the physical crime, perhaps sunbathing on a beach somewhere, many servers, people, and transfers away from any risk.  Plus they are anonymous and protected from extradition.  Or almost.

And you know what? This is minor stuff. Card fraud and money from identity theft does not really add up to big bucks or a global threat. It’s annoying. The victim is you or me or the person who stupidly left their laptop on the bus, their unlocked smartphone in the airport, or their password taped to their computer.  Yikes.  And let’s hope they are not using them to get into our organizational networks too deep. This is mostly all taking place on the Surface Web, the place you and I go to look up things or send messages.  Where you receive emails telling you someone left you money in a bank in Nigeria!

The big stuff takes place in the Deep Web, which is hundreds if not thousands of times bigger than the Surface Web, and where the true professionals live.  Drugs are for sale there, so is extreme pornography.  And that is where the real systematic digital espionage, corporate and governmental, is churned by big machines and complex software.  That’s where Big Data is probed and societal identities exposed or blocked.  That’s where the battles to protect us are taking place.

I said there were two types of cybercrimes that make headlines.  The second I just alluded to: spying, computers reading your emails and listening to your phone conversations, for example, especially if you are Angela Merkel, the Chancellor of Germany.

Advanced persistent threats are growing and the intrusions surprise us almost every week. Again, what will be the flavor of 2015?

So today we’ll address threats that we all face — as individuals, organizations, and nations. Our challenge — and our opportunity — is to develop sustainable defenses and — ideally — paintball all those invisible men and women on the Internet. 

Universities such as NYIT play an important and evolving role in the world of cybersecurity. Education has become a great universal on earth. It crosses borders and oceans…and brings solutions to our toughest challenges.

We’re the good guys. As we all know all too well, every year the Internet seems to grow more porous and the need for security becomes more urgent.  There’s no question our digital environment is changing rapidly, the architecture of the Internet is evolving, and innovators—many in their teens—are finding ways to exploit those changes for good and for bad. 

The financial damage from cybercrime is hard to calculate. But in 2013, Symantec estimated that it costs the world $113 billion every year. It also harms 378 million victims — far more than the population of the Middle East.

It could be worse. Consider oil. Without it, most people can’t get to work or to the market. Planes can’t lift off and ships can’t leave port. Oil is the most valuable commodity in history, and today, about a fifth of all world trade flows through the Straits of Hormuz. So it’s a vital chokepoint.  And military forces guard it carefully.

But there are other chokepoints — in software. The Middle East now has an Internet penetration of 40 percent, and a few months ago The National reported that the region has become “more vulnerable to cyber attacks in recent years, particularly where infrastructure is concerned.”  If saboteurs want to harm the planet, this is an obvious target.

Hence the U.A.E. plans to double spending on homeland security — to more than 10 billion dollars in the next 10 years.  A majority of the increase will probably go to cybersecurity. 

Of course, other areas of concern that I have touched upon include financial systems, corporate and personal data, and intellectual property. A report this month from Cisco indicates that businesses across the Middle East are at high risk, with 65 percent of employees not understanding the security threat from using personal devices in the workplace.

A stock exchange is the center of a nation’s economy. Another recent study found that 53 percent of surveyed members of the World Federation of Exchanges — meaning stock exchanges — faced cyber attacks in the last year.  And only 59 percent thought they had sufficient disaster recovery protocols in place.  Since companies in many countries don’t have to report successful attacks, it is safe to assume these figures are understated.

How do we reduce our vulnerability and improve our software assurance and system resilience?

A top IT research and advisory firm offers one answer:  Enterprises must avoid near-term fear responses. Instead, they must keep strengthening risk-based disciplines, which are rooted in data-driven decision making. They need strategic road maps to handle emerging threats.

Experts differ on the scope of the issue as well as possible resolutions.  Where will we find the greatest opportunities to safeguard cyberspace? 

I submit that a core component in heightening cybersecurity is … education.  

As in many problems facing civilization throughout history, answers lie in the hands of universities.  We must keep training students to join the cyber elite and ensure that organizations have: 1) the talent to manage risk, and 2) a workforce that can spot the potential for risk.

The demand for talent is intense.  In one recent study, the number of job postings for cybersecurity professionals was rising twice as fast as for IT pros in general.  And the average posted salary was a third higher compared with other IT pros.  This gap will almost certainly keep widening. 

As a leading educator in cybersecurity around the world, NYIT offers a concentration in network security, as well as a longstanding master's program in information, network, and computer security.  We are preparing to offer this in the U.A.E. soon. There, our students study network security, cryptography, computer forensics, and secure software engineering. We are also launching a concentration in big data analytics for computer science majors. Our NYIT faculty teaching these classes has won prestigious federal defense and corporate research grants in biometrics, swarm intelligence, authentication, cryptography, and mobile security. Importantly, they often conduct this research with faculty at other universities and with our top students.

Yet another answer lies in collaboration among industry, government, and academia.  As Steve Jobs said, most creative thought is simply the recombination of existing ideas. Thought-leadership conferences like this one spur such creative thinking. 

In this century, solutions to the world’s difficult problems will arise from a mix of education plus: 1) science and technology, 2) business and market economics, and 3) government and public policy. 

The key is idea flow — the lively interaction of people on once-separate islands of thought and action. As a result, we spread insights, we filter ideas through diverse critical minds, and we develop smart approaches to global problems.

In Europe right before the printing press, expertise was so rare that scholars trudged lonely roads from one university to another, just to cross-fertilize knowledge.  Today we are interconnected by the universal language of technology.  Discourse crosses the globe instantly.  Ideas have never flowed so freely, and we’ve never had this ability to recombine them. 

By inviting others to join the dialogue through “human-centered design” and “community-engaged design,” universities will spearhead tomorrow’s social and global economies. After all, a good university is a zone of exploration where we promote new ideas, accept failure, reward creativity, breed innovation, and foster interdependent learning. 

When galaxies collide, they form bright new stars, and when the best minds come together from different places, such as our esteemed guests from China, the same thing happens. We spark ideas and advance progress. 

Again, welcome, and enjoy what will no doubt be a most productive day.

Thank you.