07-06-2023 10:46

There is much to be done in cybersecurity

For a deep dive into the world of cybersecurity, the Nordea On Your Mind team turns to Pontus Johnson, professor at KTH Royal Institute of Technology and Director of the Centre for Cyber Defence and Information Security.

In this Nordea On Your Mind interview, Professor Pontus Johnson (PJ) tells Viktor Sonebäck (VS) about how the recent decades of rapid digitalisation have left us vulnerable to cyberattacks, as the cybersecurity side has struggled to keep up.

There is a great need for societal collaboration in both research and education, which is something currently being addressed by the soon-to-launch Cybercampus in Sweden. Professor Johnson also shares his thoughts on the current geopolitical landscape and how it ties into cybersecurity.

VS: Can you describe your background in cybersecurity and your role as professor at KTH and as Director of the Centre for Cyber Defence and Information Security?

PJ: I am an engineering physicist by training, but have worked with cybersecurity at KTH for a long time. It started with more general analysis of data systems and network architectures to evaluate not just cybersecurity but also accessibility, interoperability, and other properties. But, eventually, I became completely immersed in cybersecurity and have now been working in this field for many years.

From a research perspective, we focus on attack simulations. Think about the automotive industry. If you build a car, you need to know that it is safe. If you build a network in a computer environment, you want to know that it is secure. The safety of cars is tested through crash tests, in which you build the car and then basically drive it straight into a concrete wall, which is very expensive. Therefore, crash simulations, in which you build a virtual car and drive it into a virtual wall, have been developed. It becomes much cheaper, because you can do it as many times as you want. You can look inside the car, you can drive it in slow motion, you can throw in many variables that you cannot use in a physical crash test. We do something similar, but with penetration testing on computer networks. When you build a corporate environment and want to test it, you can call in penetration testers, who try to break in to the system to find any gaps or holes in the security protections. It is, like crash tests, very expensive and difficult to do comprehensively. To do more and cheaper testing, we can opt for what we call attack simulations, which is where we build a virtual computer environment, a digital twin of your IT system, and subject it to virtual cyberattacks in order to find vulnerabilities.

VS: At KTH, you hold courses in “Ethical hacking”. Can you tell us what this means and what students are doing and learning?

PJ: On the education side, I dedicate myself to courses in ethical hacking, where we teach students how to hack computer systems. There is a great need for many people on the defence side with knowledge about how to break into computer systems. There are several reasons for this. One reason is that it is very difficult to defend against a type of attack with which you are unfamiliar, so it is important to understand how attacks happen, in order to defend against them. Another reason is that, just like crash tests, we need people who can test the systems to identify where vulnerabilities exist. It has been shown that it is almost impossible to find certain types of vulnerabilities without testing. When I started these courses back in 2017, we had some 20 students. Last year, there were about 500 students.


VS: Can you tell us more about the Centre for Cyber Defence and Information Security? Who are the participants and what is the purpose of the centre?

PJ: In addition to researching and teaching, I am also the director of the Centre for Cyber Defence and Information Security. It is a cybersecurity collaboration across the Swedish Armed Forces, KTH, the Swedish National Defence Radio Establishment (FRA), the Swedish Defence Research Agency (FOI), the Swedish Civil Contingencies Agency (MSB), and the Swedish Defence University. It started when the Swedish Armed Forces decided to inaugurate a programme for 'cyber soldiers'. They needed support for the technical side of the training, and hence turned to KTH. The endeavour was initially created due to an educational need, but soon led to a research collaboration, as well. Now, we probably spend more resources on research than education, and it has grown to the point at which we have many different research projects with the various agencies involved in the centre.

On the research side, we define joint projects, which are then funded by the participating agencies, such as MSB or the Swedish Armed Forces, and the research itself is then carried out by others, such as KTH or FOI. Examples include attack simulations or post-quantum cryptography research. This latter case is particularly interesting from a cybersecurity standpoint. When quantum computers arrive, they will be able to crack a large part of all the cryptography currently in use, which, for example, means that all bank transactions will be insecure – unless we replace the cryptographic algorithms used. In the future, we will need to use something called post-quantum cryptography, and this of course needs to be researched.

We also research something called side-channel attacks. This is a type of attack where, for example, you can listen to the power consumption of a computer to figure out which secret cryptographic keys are being processed inside it. You can listen to the sound of the fan. It is a kind of channel that may not seem like it would be able to convey detailed information, but it turns out that it can reveal very sensitive information, surprisingly often. It depends on how the computer processes the data, which affects energy consumption, cooling needs, etc. In certain circumstances, you can get down to such a granular level that you can distinguish individual bits of data just from these side channels.

Source: The Centre for Cyber Defence and Information Security participants.

VS: Can you tell us about Cybercampus Sweden, which is currently in its planning phase?

PJ: When we started the Centre for Cyber Defence and Information Security (CDIS), we were also looking at what other European countries were doing in terms of cybersecurity centres. CDIS is connected to only one university – KTH – and is quite small. In countries such as Switzerland, France, Germany and Norway, there are national centres for research, education and innovation. We believe that it is important to develop this in Sweden, as well, so that we can collaborate among universities and involve more partners, such as companies like Nordea. This is our ambition for Cybercampus Sweden.

The world is generally lagging behind on cybersecurity, and Sweden, in particular. We have woken up quite late to the issue, and there is a lot to be done. We have a great need for education, and there is a serious shortage of people with cybersecurity skills. One important challenge that today's universities have not quite managed to deliver on is to provide the type of education required, including agile training and further education, lifelong learning, etc.

Innovation is also important. Sweden is generally a very innovative country, but in the field of cybersecurity, we are lagging behind. Israel is often mentioned in international innovation rankings as a country equally as innovative as Sweden, but Israel has built this reputation primarily on cybersecurity. We have seen less of a push in this direction in Sweden, and believe that the Cybercampus can contribute positively to change this.

We currently have funding from VINNOVA and are in discussions with the government for funding, as well. We are collaborating in the planning stage with Karlstad University, the Swedish Armed Forces, MSB, Ericsson, SAAB and RISE. We have also invited other Swedish universities, numerous companies and government agencies to participate. The hope is that we will get started soon and then be able to invite partners to the Cybercampus and start a more extensive Swedish collaboration for research, education and innovation in cybersecurity.

I believe the building blocks are in place for us to become better at cybersecurity. There is a good system for innovation in Sweden, with a high level of education in the country and a lot of technical and IT competence. It is specifically in the area of cybersecurity that we have fallen behind. My theory is that we have built much of our future plans for prosperity and welfare on digitalisation, and if we are going to digitalise, we must create new functionality using IT. Cybersecurity does not provide any new functionality, but is instead like a killjoy towards digital innovation. A cybersecurity person typically says no to someone who wants to do something exciting and innovative. I believe that in our desire to move forward quickly in digitalisation, cybersecurity efforts have been deprioritised. We have also been lucky compared to countries such as Estonia. Estonia realised early on that it should digitalise aggressively, but was then hit by a massive cyberattack from Russia in 2007. Estonia was obliged to choose between backing off from its ambition to go digital or taking cybersecurity seriously. So, Estonia reorganised the entire country to be able to deal with cybersecurity challenges, because it did not want to back down on digitalisation. Yet, Sweden has not faced such an attack, so far, and we therefore have not addressed this problem until quite recently – maybe only in the last five years.

VS: Over the years that you have been working with cybersecurity, how would you say that the landscape has changed? Have threat levels for private individuals or corporates increased? Are attackers becoming more sophisticated? Has collaboration across different entities (corporates, institutions, etc.) improved?

PJ: For a long time, the threat consisted of teenagers sitting in their parents' basements trying to hack into systems simply because it was fun. They could deface websites or carry out similar small and, for them, entertaining attacks.

From this starting point, other significant trends have set in. The first is that digitalisation has been very rapid in recent decades. More and more of what is valuable to society and us humans has been handed over to the custody of computer systems. The banking sector is an excellent example, where a lot of things used to be paper-based. Now, everything is digitalised, essentially. If systems do not work, then the business collapses, meaning that there is incredibly high value at stake. And, it is not just individual banks, but the entire global financial system that is now completely digitalised. We are incredibly dependent on this digital infrastructure. Imagine if all IT systems just disappeared. It would be a complete nightmare situation. Even worse would be if a malicious attacker were to take over and control these IT systems, distort the information or just make it inaccessible. The magnitude of issues it would create is nigh on inconceivable.

Yet, it is not just in the financial sector, but everywhere in our society. Take our cars, for example. They contain hundreds of computing systems and are connected to the internet. They can be hacked. We place our lives in the hands of these cars and computers. They can control the gas pedal, brakes and steering. And if they do not do what they should, or if someone takes over these systems, the results can be very grim. The same goes for medical equipment. And, another example would be the power grid. Digitalisation is one of the major drivers behind our increased vulnerability.

Another trend in recent decades is a deteriorating geopolitical landscape. Just a decade ago, the world order was more secure. It was the unipolar moment. The US was the only superpower and there was no intense competition among the great powers – rather, we wanted to cooperate. All companies wanted to be in China. You could have your business in Russia. The whole idea was that through economic cooperation, we would create peace, prosperity and stability. This whole idea – of which Germany was perhaps the biggest proponent, at the time, as seen in its earlier attempts to cooperate with Russia – has now been turned upside down. We no longer believe it is possible. We now believe that security policy considerations are more important than economic prosperity. We are willing to give up substantial economic value for what we consider to be national security needs. Russia's invasion of Ukraine is the obvious case, but I think rising tensions with China and the way in which the global economy is being segmented into different zones may be even more significant trends in the long run. This also means that we have seen a significant increase in capabilities and investments in offensive cybersecurity. Cyber can be used very effectively for espionage, but it can also be used to influence operations to destabilise other countries, and it can be used for warfare. All of this, of course, is possible owing to how digitalised we are. We have state actors such as Russia, China and Iran. The Swedish Security Police has noted that these actors have conducted offensive cyber operations in Sweden, and of course, in other Western countries, so we have been forced to develop our own cyber defence mechanisms, of which CDIS is one example.

So, these two factors – digitalisation and the geopolitical situation – have dramatically changed the landscape. Unfortunately, what has not changed during this time is the inherent vulnerability of our IT systems. It is very difficult to secure them. Vulnerabilities are almost always the result of someone's mistake or flawed thinking. Often, a programmer somewhere made a mistake in writing a line of code. Yet, it turns out that small mistakes made by system administrators or developers often lead to catastrophic consequences and huge vulnerabilities. And these small mistakes happen regularly, because the IT systems being built and managed today are far too large for anyone to fully comprehend. I would venture that no single person understands the entire operating system contained within a mobile phone – it is completely overwhelming for us, to the extent that the companies that build these systems may not necessarily even understand their own products fully. In fact, I would go so far as to say that they do not. And, we know this, because we witness the constant stream of vulnerability patches pumped out by companies like Microsoft, Google or Apple every month. Microsoft usually identifies and pumps out 100 new vulnerabilities every month in its products. And the next month, and the next month. It never ends. And every time you make changes, there is a risk of new vulnerabilities.

So, these three things – digitalisation, which is on an upward trend, the geopolitical situation, which is on a downward trend, and ongoing vulnerabilities in our systems – led to the situation in which we find ourselves today.


VS: There have been some notable attacks over the years, such as NotPetya, in which attacks perpetrated by state-sponsored actors spill over and affect corporates as collateral damage. What is your view on this development, and what can you say about different state actors around the world?

PJ: NotPetya was a somewhat arbitrary attack. It was the Russian military intelligence agency GRU that was behind the NotPetya attack, aiming to disrupt Ukraine. The GRU as an organisation is a kind of cowboy operation where they shoot first and ask later. Operational security is not high on the agenda. Everyone is probably familiar with the poisonings behind which they have been. On several occasions, these have been traceable back to the GRU, simply because they are not very careful about covering their tracks, and do not really care about collateral damage. The rest of the world was collateral damage from the NotPetya attack. It was not Russia's specific intention for this to be the case, but the country simply did not care. NotPetya is particularly fascinating, because the vulnerability exploited was stolen from the US National Security Agency by some other Russians, so it was an unusually potent attack code that they found that made the attack spread so widely across the world.

But, we have not seen many other attacks of this type, as it is typically not the goal of state actors to aimlessly wreak global havoc. Instead, we have seen much more from cybercriminals, lately. Previously, there was a lot of focus on cryptocurrency mining, but it turned out to be much more lucrative to extort companies, which rapidly gained momentum in criminal organisations. The inherent characteristic of a ransomware attack is that the attackers have to make themselves known to the victim. They cannot sneak around – victims must know that they have to pay. It is a failed ransomware attack if the victim is not aware of it. When it comes to espionage, on the other hand, it is precisely the opposite. You want to stay unnoticed. A very large attack that occurred was the SolarWinds attack, which was carried out by the Russian civilian foreign intelligence agency SVR. It was a very advanced attack. China carried out a similar attack, CloudHopper, which was incredibly advanced. Both of these attacks provided access to a massive number of organisations, where they could dig around collecting information. But, we do not know what they got hold of, since they tried to hide their tracks, in this case.

Then, there are the state actors that actually try to create chaos. China does not generally have that ambition. It has other geopolitical goals. The country is most interested in spying, not least industrial espionage. North Korea, on the other hand, wants to steal money, targeting crypto exchanges and the like. North Korea is a very unpredictable actor, and what it does is not easy to figure out. The country used to be more interested in destabilisation, but nowadays is more concerned with making money. It is the only state we know of that is primarily a criminal actor. Iran is mostly interested in spying, especially in Sweden, where it is keenly interested in its own expatriates.

Then, there is Russia. Russia carried out one of the most eye-opening attacks ever when it targeted the US presidential elections in 2016. The country tried to hide it, but was ultimately discovered. Many believe that Russia, as an offensive cyber organisation, tries to gain access to various systems but not necessarily exploit that access in times when there is no war – instead saving it for when the need arises. We know, for example, that Russia has been rooting around inside US power systems and that it has had the opportunity to shut down parts of the power grid, but has chosen not to do so at this specific time.

China is far more powerful than Russia in many ways. So, if China decided to destabilise the Western world, it would have a greater chance to do so. This could mean destabilising the financial system or going after companies, similar to NotPetya. I think China will continue to spy and avoid destabilisation until the security situation deteriorates further, which we hope it does not. Taiwan could be one such trigger.

But, as to Russia, many wonder why it has performed so poorly in the war against Ukraine – across all domains – on land, in the air, at sea and even in cyber. There are many reasons for this. Ukraine has proven to be more resilient than anticipated and has received a lot of help from the Western world. The US has a policy called "Defend Forward," which involves sending out its Cyber Command to other countries and helping those countries disrupt their opponents. It is a rather offensive form of defence. Exactly what it means in practice is not entirely clear, but it may be the type of support that makes it difficult for Russia to achieve what we fear it could achieve.

The same goes for intelligence support from the Western world. But, when it comes to conventional military force, a cyberattack is not necessarily the best way to destroy something. It led to some spectacularly terrible repercussions initially, knocking out satellite communication systems to disrupt Ukraine's defence forces. It did this in a well-planned and synchronised way with conventional forces. But, once it is in there, instead of knocking out the power grid through cyberattacks, it can rain missiles down on power stations, which is something it is doing now and could explain why we don't see as much on the cyber front from Russia as we might have expected. I believe that as the situation in Ukraine evolves, Russia's priorities may change. It may find that its cyber capabilities are not the most useful in Ukraine and may be redirected to areas where grey-zone warfare and asymmetric methods are best – typically towards the Western world. There is certainly a good chance that Russia is focusing more on the West with its cyber capabilities.

VS: In your experience, or if you were to guess, are companies, governments or other organisations focusing enough on cybersecurity issues? Have they realised the importance of it or is there still work to be done to raise awareness?

PJ: Unfortunately, there is still a lot to do in the field of cybersecurity. As previously mentioned, Sweden is not at the forefront, but even the countries that are have a significant technical debt. There is an argument that could be made that we have digitalised too quickly, which has created very vulnerable systems. In the long run, we will not solve this problem unless system administrators and developers, as mentioned earlier, have better tools that enable them to build secure systems. A company such as Microsoft will not be able to build more secure systems just by being smart or throwing more money at the problem. It needs better tools – tools that we do not have today. Tools that make it harder to make mistakes. Better programming languages, operating systems, analytical tools, development tools, administration tools. It takes decades to develop such things, and even if we do, this is shrouded in uncertainty, in terms of whether we will catch up with the threats, which are also evolving. But, there is no other way forward for us than to try to achieve a situation where we can build much more secure systems. For as long as we are vulnerable, cyberattacks will be a massive issue.

My prognosis is that we will have to live with this uncertainty for several decades – at best. In the worst case, it will be longer than that. Given that we have so many vulnerabilities in our systems, we need to manage them. There is a serious shortage of qualified people, at present, and we need to educate many more. This requires a lot of effort from the education sector, and we need new initiatives, such as Cybercampus Sweden, specifically to address that question.

In the short term, we need to focus on what is called cyber hygiene and incident management, which is about not having weak passwords, updating systems, making backups, and other actions that everyone knows that they should do but for various reasons do not put enough effort into doing. I do not think it is irrational to prioritise cybersecurity. Yet, it can be difficult to do so in practice. Take the regional councils in Sweden, for example. They have to choose between investing their money in better IT systems or in new medical equipment or in increased staff to reduce waiting times. They want to help the patients. As long as they do not see cybersecurity vulnerabilities as a direct threat, it can be difficult to prioritise them.

The degree of awareness towards cybersecurity varies widely across sectors. The banking sector is a great success story when it comes to cybersecurity. It has been digitalised for a very long time and has large value to protect. The sector has had to deal with these problems for a long period and is actually doing so quite well. Then, there are other sectors, such as our public-sector municipalities, that have not yet done the same legwork in addressing cybersecurity. Even so, awareness is on the rise everywhere, as is the importance of tackling cybersecurity-related issues.

VS: Being mindful of the fact that cybersecurity is a very broad field and that there are many aspects of which to be aware, do you have any concrete tips that you would emphasise for corporates or private individuals?

PJ: It's very easy. You Google the top three best things to do to secure your cybersecurity. Then you get the same list from a thousand different sources. Review passwords, make backups, update systems and do not assign unnecessary permissions to people. The Swedish National Cyber Security Centre released a report one or two years ago that has just such a list of the top ten pointers to which to refer. But, it is very well known within society what needs to be done in the short term. Even for private individuals, it is a matter of assessing "what is the risk that I will be hacked" – just me as a private person. The fact that private individuals need to care about cybersecurity is a testament to the failure of us as IT people, in that we have built these systems that are so insecure that even the end user must keep track of hundreds of different passwords or use the same password in lots of different places – which you should not do – but this is natural, of course, if we are not conditioned to care about cybersecurity as we should.

Nordea On Your Mind is the flagship publication of Nordea Investment Banking’s Thematics team, which produces research for large corporate and institutional clients. The research does not contain investment advice and typically covers topics of a strategic and long-term nature, which can affect corporate financial performance.

Top decision makers at Nordea’s large clients across the Nordic region receive Nordea On Your Mind around eight times per year. The publication’s themes vary widely, and many are selected from suggestions by clients. Examples of covered topics include artificial intelligence, wage inflation, M&A, e-commerce, income inequality, ESG, cybersecurity and corporate leverage.
