
Loading summary
Lipperty Vittert
Welcome to the Harvard Data Science Review Podcast. I'm Lipperty Vittert, the feature editor of the Harvard Data Science Review, and joining me is my co host and editor in chief, Shallie Meng. In July, we witnessed one of the most significant Internet disruptions in history when CrowdStrike released a faulty update to its security servers. This Update impacted approximately 8.5 million systems, triggering outages across various sectors, including airlines, banks, stock markets and government emergency services. The global damage is estimated to exceed $10 billion. For years, the fight against hacking has been a critical focus in data science, and incidents like crowdstrikes underscore the growing importance of reliable security measures. So today we're speaking with Arun Seligon, a senior data scientist at at the Cybersecurity and infrastructure security agency CISA in Washington, D.C. where he has nearly two decades of experience in cyber operations. And Milena Rodban, a geopolitical risk advisor and interactive simulation designer working on issues at the intersections of geopolitics and cybersecurity. She was previously a senior advisor to the Director of the National Risk Management center at the Cybersecurity and Infrastructure Security Agency. Stay with us to explore the ins and outs of cybersecurity, how cyberattacks occur, and what steps you can take to protect your data from hackers. Arun, I'm going to start with you. For our listeners, we hear all these words. This word cybersecurity has been around forever. What does it actually mean? What's a typical problem in a cybersecurity agency? What does it look like for you in your agency? And what does a normal problem or issue in the cybersecurity field really mean?
Arun Seligon
Sure. So I'd say cybersecurity is looking to ensure the confidentiality, integrity, availability and authentication of our digital assets that we rely on every day to do normal life. Typical problems that we face in cybersecurity deal with everything from users. Can we trust our users to be who they say they are all the way to our data? Does it have integrity? If I make a change, is it doing just that change? Or are the changes happening to the data that I'm not aware of? And then we have our software systems. Can we trust our software to do the right things? And then is anyone else accessing our software and systems? So those typical types of data, hardware, software, data, and people issues all tie into cybersecurity problems that we face on a day to day basis.
Lipperty Vittert
What would be an example?
Arun Seligon
Phishing is a good example with emails. When you receive an email, how do you know the person on the other side of that email is who they say they are. They say, set an attachment. Is that attachment going to take over your computer and steal your data? So phishing is a good sort of example of that nexus of software. You know, your email client, your email server, the data, the email itself and attachments, and then the people. You as the recipient and the other person as the sender.
Lipperty Vittert
You know, it's so funny you say that. I have a really good friend who's like, he's, you know, 35. He's like, really big deal in the finance field, really smart guy, like the last person on earth you'd think fishing would happen to you. I always think about this happening to, like, old grandmas and stuff. And he had a. He got totally fooled by a bill, and he signed into one of his healthcare things, and he got into the website, you know, gave them his name, his password, his face id, everything, and realized it was fake. They're getting so sophisticated that people you would never think would get, or at least I had never imagined would get phished. It's happening to them.
Arun Seligon
Yep. And with AI, the attackers are getting more sophisticated and more convincing. And then there's normal fishing, and then there's spear phishing, where they can go to online resources, do their research about social media, who you interact with, what you like, and write. Very convincing phishing lures. And really sophisticated actors will gain access to your friend's account, maybe, or certain websites. So it seems natural to have a conversation with them, and then they'll send you either a link or a payload that you're very likely to click on. Here at cisa, we have a very good red team, and they write phishing lures all day to do what we call offensive security testing. And they're very successful, even getting into places you think they should not be able to get into.
Lipperty Vittert
And Melena, what about you? How do you define cybersecurity and what would be examples of sort of normal issues that you face on a regular basis?
Milena Rodban
Sure. First, thank you so much for having me. And a quick disclaimer that everything I say today is my opinion and doesn't represent the official position of any employers, past or present. Now that I wasn't a fed before at cisa, that disclaimer just comes with me wherever I go. I come at this a little bit differently than Arun. I used to work at cisa, but now I am firmly in the private sector. And so I think about the intersections primarily that join cybersecurity and business cybersecurity and operations. My clients are primarily the types of people who are worried about how these issues will affect their business's ability to function, how different policies that are dictated by the government will affect their operations, how a major cyber attack might take them down and cause problems for them, both on legal fronts, regulatory fronts, in their relationship with the government, in their relationship with clients, other vendors, third parties, et cetera. And the way I do this right now is primarily through interactive simulations that I build working with my clients. And the narratives are driven around issues that they've either faced historically, so a situation that keeps coming up and they're not managing well, or it is a decision that they're trying to make and they're trying to decide between different possibilities that they might pursue or different policies that they might enact and what the consequences of those might be for their ability to operate. So on a daily basis, I'm thinking through, through downstream issues of something like the CrowdStrike event that happened a few weeks ago and took down airlines for days. Or I might be getting ready to give a lecture on the geopolitics of whiskey, which is one of my favorite topics. And you wouldn't think of it, but whiskey is actually a growing industry where cybersecurity has become more important. As whiskey distillers use automated technologies to operate the distilleries and they're increasingly using AI to do master blending of blended whiskeys. And now they're having to worry about things like cybersecurity taking down their operations, and possibly destroying 20 year old barrels of whiskey in the process. So we're seeing so many more physical impacts of what cybersecurity used to be confined to a digital space.
Shallie Meng
Melinda, what you said about whiskey got me a peek. That's fascinating. But you know, cybersecurity affects everyone and many people want to do something about them. How did you to get involved and in your work, what you find is interesting, what you find frustrating, and also if anybody wants to get involved, you know what kind of training they need. How do we get into this obviously incredibly important field?
Milena Rodban
Sure. So I got into the industry a little bit counterintuitively. I started in good old fashioned geopolitical risk analysis where I was working with clients that had overseas operations, had long supply chains, had large geographic footprint, lots of offices all over the world, and helping them sort of navigate regulatory and compliance issues, taxes, currency arbitrage, all the sorts of things that used to dominate our world before computers became super, super ubiquitous. And then I started to see a sort of Pattern where you had companies that were mining or other extractives, companies that operate, you know, enormous hardware and infrastructure, they sort of had the hang of things. But growing technology companies, startups, they weren't quite understanding some of the elements involved and some of the dangers of operating in potentially lucrative but complicated overseas markets. And so I started focusing on the technology space and working primarily with technology clients. And then I sort of took a sideways jaunt to CISA for a few years during the COVID pandemic, helping them, using simulations and workshops and tabletop exercises, game out some of the possible futures that we were likely to encounter as the pandemic progressed, helping to understand how to maintain the continuity of the economy, how to safeguard things like the vaccine supply chain, how Covid and related effects might affect education and the workplace. And now I'm back in the private sector, like I said, working with clients, mostly in the technology space. I think one of the things that potentially is frustrating but is also exciting is that the pace of change and innovation in this field is just breathtaking. You know, it's. It literally is a fire hose, and you have to keep up with so much innovation. You know, we were just getting the hang of some basics, and now we've got to worry about the intersection of quantum computing and AI, which people think will be here by the end of the decade. And so there's a lot. There's a lot to. To keep up with, to know, to understand, to think about. And one of the things that I would recomm for people who are trying to get into the industry is to sort of pick a niche, either a sector or a geography or an element of cybersecurity that really interests you and really get to know as much as possible about it. My very favorite recent books was actually imaginable by Jane McGonigal at the Institute for the Future out in San Francisco. And her book is a tremendous resource for people who are looking to reconceptualize what the world is going to look like in a few years. And I think that we're going to need a lot more creative thinkers and a lot of people who not only understand the problems, who not only love to dig into data, but are really able to come up with new, innovative, smart, and effective solutions to the challenges we're facing.
Shallie Meng
Fascinating. Alroom?
Arun Seligon
Yeah. So growing up as a kid, I enjoyed playing video games, PC gaming. And when it was time for me to go to college, it was right after the dot com bubble burst in the early 2000s. So I decided to go into computer science as a degree and I'm planning to be a software engineer. Before I graduated, I went to the University of Tulsa. And Tulsa is an oil city, refineries and whatnot. So my university has a partnership with the petroleum department. So the computer scientists and the petroleum engineers kind of work together on problems. As a result, I started focusing on control system security. So the nexus of IT IT being information technology and OT operational technology and what are the impacts of cyber and physical systems, can you mess with the IT systems and cause an impact to the OT systems, which was a problem a lot of companies out in Tulsa were very concerned with. Given in the 2000s there were prevalent hacks such as Blaster Worm. So I always was very interested in computer security, even back in my academic years at college. When I graduated, I was part of a scholarship for service program run out of National Science Foundation. So I had a commitment to go work for federal government for a few years. Ended up working at Department of defense for NSA, also focusing on how to secure DoD's control systems. As a result, I spent many years at NSA looking at control system security and sort of hacks and responding to hacks in general. Part of that was actually working on election security. And that's how I ended up working at CISA. I think back in 2018, elections systems were designated as a sector of critical infrastructure. To your question about how would someone go about getting into cybersecurity, my advice is be curious and play around with things. I got into computer security just by playing around with systems that might be like an oil refinery. Playing around with PLCs and seeing how they work from a cyber perspective, how the software works, how you configure them, and just being hands on with the data and the systems really makes you an expert quickly. There's no better way. And if you're curious, you'll naturally find ways to do things you're not supposed to do or often do things the way they are designed. And unfortunately, things are not secure by design, which is actually one of the big mantras here at cisa. We want to make our nation more resilient by pressing our vendors to make things secure out of the box rather than push it on to users to secure the systems.
Shallie Meng
Very interesting, thank you.
Lipperty Vittert
You know, that's such interesting advice. It also seems like it's a field that things are changing so quickly that in some ways it's a really good thing to get into as a young person because it's not like everyone that's been doing it for so Long knows everything and that you can't learn because there's, there's so many things changing. But that also brings me to this idea of how do all the aspects of cybersecurity connect? You know, there's so many aspects. There's, as Milena, you talked about, there's risk analysis, Arun, there's data science. There also obviously must be law enforcement to this. So how do sort of all the pieces connect? Where do you see the role of these different pieces?
Milena Rodban
Everybody has a role to play within this universe of cybersecurity. I think that for too long, however, a lot of these functions have been severely siloed and cut off from each other. If any of you are fans of the Apple TV show Silo, you can imagine just everybody in their little bunkers together, working separately and not necessarily maybe tackling the problem that they're all facing because they don't talk to each other, because they don't see each other, because they don't see things from each other's point of view. You know, what the government is forced to do basically, given the pace of change in this field, is that some company will come out with some new technology, let's say generative AI, and suddenly you've got the government sort of playing catch up. Do we create a policy that prevents people from using AI to create election related materials? How do we crack down on deep fakes or voice cloning in election messaging or text messaging or voice messaging? So there's always an element to which the government is playing catch up because industry is innovating heavily in this space. So we need to get to a place where we're all talking to each other and better appreciating things from each other's point of view. I know at CISA there's the jcdc, the famous center that helps to sort of join industry and government together. And I'm sure Arun could speak a bit more to it, but they're doing a lot in terms of getting the right people to talk to each other. They're also doing things like they just hosted a big tabletop exercise at, I believe Microsoft HQ about a month ago where they really brought these people in together and gave them a scenario to contend with and see how they could all work together to solve problems that are increasingly common to everybody and affecting everybody. But not everybody is working together to solve and solving some of these problems piecemeal just doesn't really work. Think about it from the individual, right? If your employer only pays you through one payment platform, how do you Know that that payment platform prioritizes security by design. Like Arun said, you don't, you have no choice but to be paid through that platform. So you as an individual have limited ability to really safeguard your own information, your payment details, et cetera. So we need to consistently raise, you know, the level at which we are addressing these problems, because at the individual level, it's just not possible for us to each in our individual silo, address these things.
Arun Seligon
Yes, Liberty, that's a great and loaded question. You can really get quickly lost in the cybersecurity field when it comes to working with partners, tracing leads down rabbit holes. You asked specifically about how does it fit between doing risk analyses and working with law enforcement. I tend to like to abstract and look at the world through frameworks and there's a couple of really handy cybersecurity frameworks out there. One by MITRE called the DEFEND framework, and another by NIST called the CyberSecurity Framework, or CSF. And what they have in common is that they have phases on how to approach cybersecurity. With D3Fend, there's things like modeling, hardening, detection and response. And it's very similar with the cybersecurity framework where you prepare and then you respond. And in cybersecurity field, we talk about being left of boom or being right of boom. Boom being some sort of incident on the left of boom. That's what you can do to prepare, to avoid those events and make yourself resilient to those types of cyber events. Right of boom. This is something has happened. What do you do next to detect it? What do you do to evict a bad guy off of your network? So when it comes to left of boom to your question, this is where you do things like those risk analyses, where you identify your assets and take preventative measures, either by patching or eliminating systems you don't need, locking down user privileges, etc. So this is where you see a lot of those risk analyses be performed. Left of boom, going right of boom. This is where you do a lot of your incident response analysis, where you're deep into the data, hunting through your logs for signs of compromise. And then this is where you start maybe, perhaps engaging with law enforcement. When you do have a compromise, then you want to get your partners on the line to help you do that eviction, do that system remediation and hardening to close up the holes that were exploited. And this is where we start doing things like sharing intelligence. If you're a part of a certain sector that's being targeted by a certain actor. This is where you'll say, here's how we were impacted. Do you have the same systems? Are you seeing the same sorts of attacks on your networks? And this is where the community really shines when you share that information. This is where we kind of use information as a force multiplier for good.
Shallie Meng
So, Melinda, that question is for you. Could you speak a little bit more about how the geopolitical atmosphere intersects with the risk and security, and particularly how does looking at the problem with really worldwide lens provides more efficient fixes?
Milena Rodban
Absolutely. To really sum it up, world politics, trade, war, everything is now interconnected with cybersecurity. You've got, for example, the Russian invasion of Ukraine, where Everybody in the U.S. including assets, expected a huge increase in the number of cyberattacks. Why? Because although the initial invasion in the physical space was against Ukraine, Russia increasingly plays a very strong game on the cyber side of things. And you're seeing a lot of countries that don't have the traditional means to fight a physical war punching far above their weight on the cyber side of things. Think of North Korea, Iran, etc. In other ways. The. The issues here are things like infrastructure. So in the us, the infrastructure that we all rely on, you know, power, water, energy, of all different types, all of that is privately owned and operated. Now, that creates an issue where the government can't just say, this water utility has to do these certain things. They have to work together. And that water utility has owners and investors and other stakeholders who have other goals, not just national security, not just maintaining water to a particular locality in a particular way. And so you have a lot of these competing goals and business imperatives competing with national security interests. And you don't just have it here, you have it all over the world. We can all remember the controversy over China's Huawei infrastructure when 5G infrastructure was being put into places like Germany, the UK, Australia, and there were big questions about whether Huawei, a Chinese company, had or was allowing the government or the CCP backdoor access into their data, into the data that they were carrying across their infrastructure. So you have that geopolitical element there because China is considered an adversarial nation by some of these countries. They were worried about being compromised by being reliant on critical infrastructure in the form of 5G towers and hardware being provided by an adversarial nation state that could potentially cut off their access and leave them without means to communicate. And so, again, this is happening all over the world as countries are standing up their own version of cisa. We're seeing it in the uk, we're seeing it all over Europe, we're seeing it throughout Africa, we're seeing it in South America. A lot of countries are realizing that increasingly a lot of their infrastructure is not only privately owned and operated, but potentially operated by an adversarial power. And now they're reliant on so many critical things for that potentially adversarial power. If you go to war, that gives that adversarial power tremendous advantage. So thinking through these issues is really important for businesses increasingly as they go into foreign countries, whether they're going to be seen as potentially allowing their home governments backdoor access to their systems and data, whether those countries want to be reliant on a foreign company's hardware for critical infrastructure and operations. We're seeing it, you know, in terms of supply chains. During COVID we saw some countries pulling back on exporting certain things like gloves, like saline bags, whatever it was. Do you want to be reliant on another country in the cyberspace as well? And so increasingly I work with a lot of companies that are having to contend with these issues as they go into overseas markets and companies in the US that are considering using as major vendors for themselves or pieces of their platforms, services created by companies that could potentially be in adversarial countries. So every single decision that's being made in this space has a geopolitical aspect to it that needs to be contended with and examined and studied. And we need to sort of learn from the mistakes of others. And we need to head off problems before they get bigger and potentially devastating to our country's national security and operations and the livelihoods of our, of our people.
Lipperty Vittert
Milena, I have to ask, with all your work with so many countries here in the US and abroad, a lot of the cybersecurity, I guess disasters almost, you could call them that happen, aren't really widely reported on, or so it seems. I saw a statistic, statistic recently that like 1 in 5Americans healthcare data has been hacked. But what seems to happen is the hackers hack it, then they ransom the data, the company pays, they give back the data because that's their business model, is to get back the data. And no one really, I mean, it doesn't really get reported on to the, to the average person. And so one, is that happening? And two, you know, with, with these sort of cyber attacks that we're seeing, especially with CrowdStrike, which I think a lot of people were talking about, because it clearly affected them. You know, I was supposed to be on a plane that morning and all the flights were canceled. I went back home. That unless the cyber attacks are really in our face, we kind of ignore them or think, oh, that's somebody else, or whatever. What is being done to prevent these issues, and what kind of issues like this are we going to see in the future? Are we really at risk?
Milena Rodban
I think we absolutely are at risk. And I think that, like I said before, it's very hard for individuals to really do anything when it comes to some of these issues. I mean, I can't go to my cellular network provider and stand outside their office and demand better security, even though they've been hacked, you know, so many different times. We've all seen the headlines. I won't name names, but I think we know the big ones.
Lipperty Vittert
I mean, it feels like all of them. I get a lifelock alert, like, every day.
Milena Rodban
Exactly. And all we get out of it is three months of credit monitoring. Right. That's not really enough anymore. And so I think this is where the government has to play a bigger part in holding some of these companies accountable and not letting them just get away with, sorry, you know, for the inconvenience, which it's not really an inconvenience. You know, we. We just heard, I think it was a week ago, that all of our Social Security numbers were potentially hacked. And some people's attitude is, well, it's already out there. What can you possibly do about it? But I think that that is sort of an abdication of our ability to do better and try harder. And, you know, we've seen the very dangerous elements of some of this in the past. We've seen a jogging app getting hacked reveal the location of a military base. You know, we've seen concierge medical practices get hacked because they have congresspeople and VIPs as patients. We've seen dating apps get hacked because they reveal someone's sexual orientation. These are all issues that do affect people and in some cases can affect their livelihood, their reputation, their personal relationships. We do have to do better in demanding that our governments and our accountability measures hold these companies to a higher standard. Now, of course, we can encourage security by design for people who are building now, but we also have to demand better of the legacy companies that have a huge market share and basically hold all our information ransom, because we don't often have a choice. This is a space for the government. This is also a space for the companies to do better themselves, to innovate and it's another space where insurance can actually be a driver, where we can get some sort of premium reduction or discount or some sort of incentive structure where if you are abiding by a higher level of security then you can benefit. So we need to try both the carrot and the stick approach. We need to hold people responsible after the fact, but we also have to incentivize them to do better in the first place.
Shallie Meng
We talked quite a bit about hacking and as we all know, as you mentioned, the whole news about Social Security obviously got everybody worried because we are all affected. We all talk about hackers, but who are they? Also, for the average person, what does being hacked look like? What type of data most at risk? And how can the average person help to protect themselves from the hackers?
Arun Seligon
Sure, yeah, those are a great set of questions. The first question I believe was who are the hackers? And the answer is it depends and it varies. So you have at the bottom of your spectrum what we call script kiddies, which you know, think of like a teenager in his parents basement just kind of dabbling with hacking tools that are out there. Maybe starting off by hacking video games to gain an engine winning. So these lower tier actors will use tools that are available for them. They don't write the tools, they don't do the, the vulnerability research. They get something that's downloadable and they just use it out of the box without really knowing how it works. Moving up the ladder, so to speak. In terms of skills of attackers, you've got ones that might be financially motivated, your criminal actors, and they tend to be a little more sophisticated in terms of they will exploit known vulnerabilities. Again, they're not really doing their own research and writing their own hacking tools. They will use tools that are available to them, but they will go after things that are known vulnerable. So you have software vendors, when they become aware of holes in their software, they will go ahead and patch them. But at the same time that a patch is available, there tend to be exploits available to take advantage of those vulnerabilities. So this is where your criminal types of actors will exploit those known vulnerabilities. Unfortunately, this is very successful for giving them access to victim networks. So successful that we here at CISA have a program called the Known Exploit Vulnerabilities catalog where we document what are the vulnerabilities that are actually being exploited out in the wild, as we like to say. And unfortunately network owners are much slower when it comes to patching known vulnerabilities compared to the speed at which attackers exploit these vulnerabilities. So it's a race between the defenders and the attackers a lot of the time. I'd say up at the top of the attacker pyramid, you've got your nation state actors that are sponsored by certain organizations and states, whether military or intelligence. Sometimes transnational organizations think like terrorist groups, hacktivists, etc. Nation states definitely are more sophisticated. They tend to compromise supply chains. So they will actually go after software vendors and attack the software that gets then dispersed across different sectors. So think of it as if you live in an apartment building. They're going after the maintenance guy of your apartment building. This way they can get into everyone's apartment, not just your apartment. So the best way to defend yourself from a cyber perspective is to practice what we call good cyber hygiene. So really it's the basics that pay the most dividends in terms of securing yourself. So things like good password management. Are you using strong passwords? Even better than passwords is multi factor authentication. So multi factor authentication is having multiple ways to prove your identity. It's typically something that you know, like a password or something that you have, like a hardware token or something that you are. So this is like biometrics using a fingerprint or face ID to log in systems. So even if your password is exposed via data breach, they can't get into your account or your system unless they have that additional factor like an SMS code on a phone or hardware yubikey, sort of sort of token. The other basic hygiene you can do is patch your system see on top of your updates. This is what will help with avoiding those known vulnerabilities from being exploited. And I'd say beyond the basic cyber hygiene, just adopting a defense in depth sort of approach in this field, you have to assume breach because a determined actor will find a way in. The best thing you can do is build resilience into your processes. Assume someone will get your Social Security number. What can you do to prevent damage? So in the case of the Social Security number, you can go ahead to the credit bureaus and lock down your credit. That way, if anyone has your Social Security number is trying to open a line of credit in your name, they're going to be thwarted by that additional layer of authentication.
Shallie Meng
Thank you, that's very helpful. Melinda.
Milena Rodban
Just I would say I think it's important for people to be skeptical in their interactions with people. We see these sort of cyclical patterns when the economy gets worse and people get a bit more desperate and they're looking for side hustles or other short term jobs. They're sort of willing to give out their information to all these different job boards and job posting platforms. You really shouldn't be, you know, sending out an image of your entire passport or your entire driver's license to people just willy nilly. You should make sure that you know who you're talking to and really understand why people would need a piece of information. You can always seek further explanation for why someone might need a certain piece of information. So just approach things skeptically. Don't hand out things just to hand it out. And be aware of common scams. Really keep an eye out for common scams. A lot of times you know, your bank will email you something and say, we would never call you for this code or we would never text you for this other piece of information. Know the ways that legitimate businesses that you deal with communicate with you. And if someone calls you and says something's wrong with your account or whatever it is, hang up and call your bank's number on the back of your card. Don't just talk to someone just because they called you. Because in most cases a legitimate business or a legitimate bank won't just do that. They'll find a way to reach out to you through a secure portal, through your online account, something like that. So don't get caught off guard. A lot of people get really flustered when they get a call saying something's wrong with their bank account or whatever it is. So stay calm, be skeptical and guard your information.
Lipperty Vittert
You guys are stressing me out. I need to go change all my passwords from password 1, 2, 3, exclamation point. So we have 20 more questions here. This conversation could go on forever. I really hope you both will come back to talk to us because this is just fascinating and so important and it's just going to get clearly is just going to become more and more of an issue facing the public. But we are going to wrap up and we always end with a magic wand question. So for you guys, we have if you could wave your magic wand and you could instantly remove one major challenge, the data scientists. On the good guy side, I'll preface it with on the good guy side in the cybersecurity field, face, what would it be?
Arun Seligon
So as a data scientist, this might be a very nerdy response. I'd say if I can wave a magic wand, I would normalize the data into a common schema. One of the problems I face on a daily basis is get a new source of data and the data has very similar fields like IP addresses or host names, usernames, but you'll die the death of a thousand cuts because different field names, different data types, etc. As the world becomes more identity based in terms of. You have cloud accounts now, right? The networks are less on premise than they used to be. A lot of things are in the cloud. We're getting a lot of new cloud service provider logs. And the way that they do identity management, there's Okta, there's Azure based privilege identity management. AWS does things differently, so every vendor does things slightly different. And it's really hard for us as data scientists to write analytics that are portable across those datasets. So it would be great to say, hey everyone, let's converge to this data normalization schema and let's use that. That way we as defenders can write detection and models, and those models work across data sets, including the ones that will come online in the future. And in cyber security and software in general, things change every day. Attackers find a way in, the vendors change things to lock them out, and then it's a cat and mouse game. And all the while the data is changing. So my magic wand will give me a common schema and data normalization.
Lipperty Vittert
No matter what group of data scientists, everyone always asks for clean data. That's always the problem.
Milena Rodban
Melana, for me, you know, data normalization would be great as well. But I think for me, the really important thing would be for us to prioritize cyber literacy in the same ways that we prioritize traditional literacy and basic math and financial literacy. I think we all need to be at a sort of joint level, starting level, where we can all appreciate some of these issues, understand how they're interconnected, and understand what part we play as consumers, as creators and innovators, as designers, as business people. If we all had a common literacy, a common language, a common level of cyber maturity, I think that we would have come much farther than we are now in tackling some of these challenges. We really need to start getting this in front of. You know, kids are able to manipulate an iPad when they're like a year old. We need to start teaching cyber literacy in kindergarten. I think, as I said, you know, this field is innovating so quickly. There's so much more to learn every single day, and knowledge gets outdated really quickly. So it's a lifelong pursuit of learning. But I think it is extremely vital because I don't think this is going anywhere and we're not unfortunately going to be able to wave a magic wand and make everybody more secure quickly and easily. So it's going to take all of us demanding better, doing better, and enforcing better to make the world a more secure place.
Shallie Meng
Melinda, you said something just fantastic to end this podcast. Really, I think it's very important you mention these literacy issues that but we're all living this incredibly exciting age, right? This journal of the AI everything coming. And at the same time, there's no free lunch where there's so many exciting going on, there's so many distress and all these other issues. And I think education is absolutely important. I'm so glad you mentioned that we should start from kindergarten because to me, it's every single education to learn language. It's much easier to learn as a first language and trying to change it later. It takes generation to do well. But we need to start as soon as possible. But thank you so much. Thank you to both of you. This has been wonderful.
Lipperty Vittert
Thank you all so much.
Milena Rodban
Absolutely.
Arun Seligon
Thank you.
Lipperty Vittert
Thank you for listening to this week's episode of the Harvard Data Science Review Podcast. To stay updated with all things HDSR, you can visit our website at HDSR, MITPR Press, MIT.edu, or follow us on Twitter and Instagramhdsr. A special thanks to our executive producer Rebecca McLeod and producers Tina Toby Mack and Arianwen Frank. If you liked this episode, please leave us a review on Spotify, Apple or wherever you get your podcasts. This has been the Harvard Data Science Review. Everything Data Science and Data Science for everyone.
Harvard Data Science Review Podcast: "I Can’t Believe I Got Hacked! What Can We Do About Cybersecurity?"
Release Date: August 29, 2024
In the latest episode of the Harvard Data Science Review Podcast, hosts Lipperty Vittert and Shallie Meng delve deep into the pressing issue of cybersecurity. Featuring expert insights from Arun Seligon, a senior data scientist at the Cybersecurity and Infrastructure Security Agency (CISA), and Milena Rodban, a geopolitical risk advisor specializing in cybersecurity, the episode explores the multifaceted challenges and solutions in the realm of digital security.
Arun Seligon opens the discussion by demystifying the concept of cybersecurity. He defines it as the practice of ensuring the confidentiality, integrity, availability, and authentication of digital assets essential for daily operations.
"Cybersecurity is looking to ensure the confidentiality, integrity, availability, and authentication of our digital assets that we rely on every day to do normal life."
— Arun Seligon [02:03]
Arun further explains typical cybersecurity challenges, ranging from verifying user identities to maintaining data integrity and securing software systems against unauthorized access.
The conversation shifts to tangible examples of cybersecurity breaches, with Arun highlighting phishing attacks as a prevalent threat.
"Phishing is a good example of the nexus of software, data, and people issues we face every day."
— Arun Seligon [03:00]
Lipperty shares a personal anecdote about a friend in the finance sector falling victim to a sophisticated phishing scam, underscoring the evolving nature of these attacks.
Arun emphasizes the increasing sophistication of attackers, especially with the integration of Artificial Intelligence, enabling more convincing and targeted phishing attempts.
Milena Rodban offers a unique perspective by connecting cybersecurity with business functions. She discusses how cyber threats can disrupt operations, affect regulatory compliance, and damage relationships with clients and partners.
"Cybersecurity has become critical for businesses to maintain operational continuity and safeguard their reputation."
— Milena Rodban [05:08]
Milena introduces the concept of interactive simulations she designs to help businesses anticipate and navigate cyber threats, drawing parallels to incidents like the recent CrowdStrike update failure.
Both experts provide guidance for aspiring cybersecurity professionals. Milena advocates for specializing in a niche area, while Arun highlights the importance of hands-on experience and curiosity.
"Pick a niche that truly interests you and dive deep into it. Cybersecurity is a lifelong pursuit of learning."
— Milena Rodban [07:54]
Arun shares his journey from computer science enthusiast to a cybersecurity specialist, emphasizing practical engagement with systems as a key to expertise.
The hosts explore how various sectors—risk analysis, data science, law enforcement—interconnect in combating cyber threats. Milena points out the historical silos that hinder effective collaboration.
"We need to consistently raise the level at which we address cybersecurity problems because individual efforts alone are insufficient."
— Milena Rodban [17:03]
Arun discusses established frameworks like MITRE’s DEFEND and NIST’s CyberSecurity Framework, which provide structured approaches to both preventive (left of boom) and responsive (right of boom) cybersecurity measures.
Milena delves into the geopolitical dimensions of cybersecurity, illustrating how international conflicts and rivalries amplify cyber threats.
"World politics, trade, war—all are now interconnected with cybersecurity."
— Milena Rodban [19:54]
She discusses scenarios like the Russian invasion of Ukraine and the global concerns surrounding Chinese technology firms like Huawei, highlighting how national security is increasingly tied to cyber resilience.
Addressing the personal impact of cyberattacks, Milena reveals alarming statistics, such as 1 in 5 Americans having their healthcare data hacked.
"We need to do better in demanding that our governments and accountability measures hold companies to a higher standard."
— Milena Rodban [25:49]
She critiques the current response to breaches—primarily providing limited credit monitoring—and advocates for stronger government intervention and incentives for companies to prioritize security.
Arun offers practical advice for individuals to safeguard their digital presence. He categorizes hackers into tiers, from script kiddies to nation-state actors, and underscores the importance of cyber hygiene.
"Practicing good cyber hygiene—like using strong passwords and multi-factor authentication—can significantly enhance your security posture."
— Arun Seligon [28:38]
Milena complements this by advising vigilance and skepticism in online interactions, stressing the need to verify requests for personal information and recognize legitimate communication channels from businesses.
When prompted with a hypothetical scenario to eliminate a major cybersecurity challenge, Arun wishes for data normalization across the industry to streamline defenses.
"A common data normalization schema would allow us to write analytics that are portable across diverse datasets."
— Arun Seligon [35:44]
Milena envisions a future where cyber literacy is as fundamental as traditional education, advocating for its integration from early education to foster a society resilient against cyber threats.
Shallie Meng wraps up the conversation by highlighting Milena's call for comprehensive cyber education, emphasizing the necessity of starting cyber literacy from kindergarten to build a generation adept at navigating and securing digital landscapes.
"It's a lifelong pursuit of learning, but cyber literacy is crucial for making the world a more secure place."
— Milena Rodban [37:32]
Conclusion
This episode of the Harvard Data Science Review Podcast offers a comprehensive exploration of cybersecurity's current landscape, challenges, and future directions. Through expert insights and real-world examples, listeners gain a nuanced understanding of the vital role cybersecurity plays in our interconnected world and the collective efforts required to enhance digital security for individuals and organizations alike.
Notable Quotes:
Arun Seligon [02:03]: "Cybersecurity is looking to ensure the confidentiality, integrity, availability, and authentication of our digital assets that we rely on every day to do normal life."
Arun Seligon [03:00]: "Phishing is a good example of the nexus of software, data, and people issues we face every day."
Milena Rodban [05:08]: "Cybersecurity has become critical for businesses to maintain operational continuity and safeguard their reputation."
Milena Rodban [17:03]: "We need to consistently raise the level at which we address cybersecurity problems because individual efforts alone are insufficient."
Milena Rodban [25:49]: "We need to do better in demanding that our governments and accountability measures hold companies to a higher standard."
Arun Seligon [28:38]: "Practicing good cyber hygiene—like using strong passwords and multi-factor authentication—can significantly enhance your security posture."
Milena Rodban [37:32]: "It's a lifelong pursuit of learning, but cyber literacy is crucial for making the world a more secure place."
For more insights and discussions on data science and its applications, visit the Harvard Data Science Review or follow them on Twitter and Instagram @hdsr.