PhD defence: Ahto Truu
On Thursday, 28 May 2020, Ahto Truu, PhD student of the Department of Software Science,
is going to defend his PhD thesis "Hash-Based Server-Assisted Digital Signature Solutions".
Supervisor: professor Ahto Buldas
- Ass. Prof. Andreas Hülsing (Eindhoven Univ. of Technology, Netherlands)
- Dr. Elena Andreeva (Catholic Univ. of Leuven, Belgium)
Thesis available in digital library:
TalTech Estonian Maritime Academy and the School of IT will establish a maritime cyber security centre
The Tallinn University of Technology (TalTech) Centre for Digital Forensics and Cyber Security and the Estonian Maritime Academy have received nearly 2.5 million euros from the European Union for the establishment of a maritime cyber security centre. This five-year project aims to develop cybersecurity in the maritime sector and increase TalTech's reputation by involving top researchers from around the world.
According to Dan Heering, one of the project leaders at the Maritime Academy, the maritime industry has not taken cybersecurity seriously for a long time and there is a lot to be done in this area. "As there is little publicly available information about "successful" cyber-attacks and incidents involving ships, shipping companies do not take the threat seriously," said Heering. He added that when researching the topic as part of his master's thesis, he found it surprising that most companies were indifferent to the problem. "This has been due to the lack of legislation that would compel shipowners to mitigate cyber risks and train their crews. However, from January next year, shipping companies will be required to implement cyber risk management in their safety management documentation," he added.
The lack of interest by shipping companies so far may also be due to a low awareness of the threat and the potential damage that a successful attack may cause. Also, companies currently see cyber risk management as an expense rather than an investment. However, according to Heering, several incidents have been publicised in the last 10 years. In 2019 there was the case of a cargo ship bound for New York having to contact the US Coast Guard due to a malware infection. This had affected the ship's computer systems and significantly reduced its ability to manoeuvre safely.
In 2017, Campbell Murray, a cybercrime expert, demonstrated at a super-yacht conference that in a short time, it was possible to take over a ship equipped with modern technology using only a laptop. It took the IT professional 30 minutes to break into the ship's Wi-Fi network and access, delete, and even edit emails. In addition, Murray gained access to the financial data of the owner of the super-yacht and took control of the ship's security cameras, satellite communications and navigation equipment. Technically, it was possible to steer the super-yacht out of the harbour from the quayside.
According to Olaf Maennel, the professor for cybersecurity at the Centre for Digital Forensics and Cyber Security, the executives of shipping companies still cannot see the dark clouds gathering around them. Ships are increasingly dependent on technology and the Internet, with digital charts and manifests updated electronically, and satellite connections increasingly being used. "This means that ships' computer systems are vulnerable and the potential damage to larger companies can amount to hundreds of millions of euros," Maennel said.
In addition, he estimates that the number of autonomous machines connected to each other is expected to increase dramatically in the near future. It is therefore necessary to establish communication protocols resistant to cyber-attacks and to significantly increase crew awareness and preparedness for cyber incidents. To this end, the future cybersecurity centre plans to develop the existing master's and doctoral study programs, organise training events and conferences. For example, students studying to become helmsmen at the Estonian Maritime Academy next year will, for the first time, gain knowledge about cybersecurity and risk management.
In the autumn of 2019, the TalTech Estonian Maritime Academy and the Department of Software Science of the School of IT submitted a joint project application (MariCybERA) for the Horizon 2020 ERA Chairs programme, which received a positive funding decision in March this year. The aim of the ERA Chairs call is to help universities and other research institutions in the EU's convergence regions (including Estonia) and peripheral regions to significantly increase their competitiveness in obtaining research funding under the guidance of an outstanding researcher.
Article: Cybersecurity or Security Theatre? How OSINT and SocEng should be key in your approach
Author: Kieren Niĉolas Lovell, TalTech Centre for Digital Forensics and Cyber Security project manager
Cybersecurity is all the rage at the moment. We all agree that securing our data is important, and that a breach can have an impact at personal, organisational, national and international levels, with a huge emotional, financial or social effect on our lives. In some cases, all three.
However, the mode of attack that is most common and has the most effect for the least technical skill is the one we practise against the least. Here we are talking about OSINT and SocEng: Open Source Intelligence gathering, and then using that information to launch Social Engineering attacks.
First things first, Social Engineering is not new. Let’s look at it for what it is: scams. It means establishing a level of trust in order to manipulate a person into unknowingly leaking information or credentials, or running malware on their system or device. The first recorded case of Social Engineering goes back to the 17th Century, called the “Spanish Prisoner” scam. This was when you were contacted to say you have a long-lost cousin who has been captured by the Spanish. He is a very rich cousin, and if you pay his small bail, he will be released and you will be rewarded ten-fold on the return of your hero cousin. Of course, this was all social engineering and OSINT. At the time, they were collecting data from local village halls about your family tree, working out who was deployed to Spain during their conflict and then taking advantage of the poor communication channels to establish a level of trust that can be used to exploit the target. This is remarkably similar to the Nigerian Lottery scam, but on this occasion, we are talking about completely targeted attacks.
First of all, we must remove this myth that we have developed in the cybersecurity industry: that users click links because a) they are stupid and b) they have not been trained. That is simply not the case.
In our research of existing incident data, and in the Tallinn University of Technology’s OSINT and SocEng exercises, one simple conclusion has emerged, which we are presenting to the Oxford and Cambridge College IT Conference and presented last year at the TalTech ICR. Every single person we have targeted in this fashion in our Exercise Neptune and Exercise Mercury projects, all of whom a) were ethically informed of the days on which they would be targeted with spearphishing communications and b) were told “do not click the link”, has clicked the link. 100%. Well-trained cybersecurity professionals have all complied or fallen for this. Why? Well, let’s break it down:
Cybersecurity advice #1: Never click links in emails
Unless you are completely anti-social and living without the internet, or don’t like to do any work whatsoever, this is impossible. Email has become central to everything that we do. We click links for Office 365, Google Docs, Mailchimp, marketing emails and company invoices. The idea that “you can’t click links in emails”, while at the same time getting login alerts from these services telling you to “click this link to review your security information”, rather nullifies the advice.
“Do as I say, not as I do” has never worked for bringing up teenagers; it definitely doesn’t work against the population.
Cybersecurity advice #2: Two Factor Authentication will mitigate the problem
2FA mitigates it, it doesn’t stop it. Introducing the whole 2FA process within your attack profile is common, and can actually provide an approach to get the user to click the link, or to provide information.
Cybersecurity advice #3: Always check the originating email address for spelling mistakes
This, of course, works for general spam. This does not work for targeted attacks. In a recent challenge, we managed to spoof the email addresses of Jesus@God.com, Bill.Gates@Microsoft.com, your own email address, LinkedIn and Google Support. Since email is such an old technology, unless you, and everyone in your supply chain and your friends and family network, have set up DMARC, SPF and DKIM correctly on your email solution, this approach can be utilised, and it is highly unlikely that everyone will do so anytime soon. A good example of how security protocols can be utilised in the attack vector can be seen with sending an email with a PGP Digital Signature. Outlook cannot decode and verify the digital signature in any way by default, but it does display a nice medal logo next to the email to say “it has been digitally signed”. Processes, procedures, and policies can be used against you in a targeted attack.
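One way to check the SPF and DMARC side of that setup for your own domains, as an added example that is not part of the original article: it audits the text of TXT records you have already looked up, and the sample records, domain names and function names are constructed for illustration. DKIM is not covered, because its keys sit under per-sender selectors that cannot be derived from the domain name alone.

```python
"""Audit SPF and DMARC TXT records for gaps that leave a From: address spoofable."""

# Constructed TXT records for made-up domains. For a real check, look up the TXT
# record of <domain> (SPF) and of _dmarc.<domain> (DMARC) and pass the strings in.
SAMPLE_RECORDS = {
    "strict.example": ("v=spf1 ip4:192.0.2.0/24 -all",
                       "v=DMARC1; p=reject; rua=mailto:dmarc@strict.example"),
    "monitor.example": ("v=spf1 include:_spf.mail.example ~all",
                        "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example"),
    "partial.example": ("v=spf1 include:_spf.mail.example ~all",
                        "v=DMARC1; p=quarantine; pct=25"),
    "open.example": ("v=spf1 +all", None),
}


def parse_dmarc(record):
    """Return the tag=value pairs of a DMARC record, or None if it is not one."""
    if not record:
        return None
    parts = [p.strip() for p in record.split(";")]
    # The version tag must come first and must be exactly DMARC1.
    if parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_all_qualifier(terms):
    """Return the qualifier on the 'all' mechanism ('+', '-', '~', '?') or None."""
    for term in terms[1:]:
        if term.lower().lstrip("+-~?") == "all":
            return term[0] if term[0] in "+-~?" else "+"  # bare 'all' means '+all'
    return None


def audit(spf, dmarc):
    """Return finding codes for one domain; an empty list means both policies enforce."""
    findings = []
    tags = parse_dmarc(dmarc)
    if tags is None:
        findings.append("dmarc-missing")
    else:
        policy = tags.get("p", "").lower()
        if policy == "none":
            findings.append("dmarc-monitor-only")  # reports only, nothing is blocked
        elif policy not in ("quarantine", "reject"):
            findings.append("dmarc-invalid-policy")
        pct = tags.get("pct", "100")
        if not pct.isdigit() or int(pct) < 100:
            findings.append("dmarc-partial-pct")  # policy applies to a sample only
    dmarc_enforcing = not findings

    terms = (spf or "").split()
    if not terms or terms[0].lower() != "v=spf1":
        findings.append("spf-missing")
        return findings
    qualifier = spf_all_qualifier(terms)
    delegated = any(t.lower().startswith("redirect=") for t in terms)
    if qualifier == "+":
        findings.append("spf-pass-all")  # every sender on the internet passes
    elif qualifier == "?":
        findings.append("spf-neutral-all")
    elif qualifier == "~" and not dmarc_enforcing:
        findings.append("spf-softfail")  # only a hint unless DMARC enforces
    elif qualifier is None and not delegated:
        findings.append("spf-no-all")
    return findings


def audit_all(records):
    """Audit a {domain: (spf, dmarc)} mapping and return {domain: findings}."""
    return {domain: audit(spf, dmarc) for domain, (spf, dmarc) in records.items()}
```

Run the same audit over the domains of suppliers and partners whose mail your staff are expected to trust, since a gap in any of them is a gap in yours.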
So, it is all hopeless?
No. Two areas that we ignore need to be focused on, though. One is that we do this OSINT gathering ourselves. As individuals, as families, as organisations, we should check what we have publicly exposed online that could be used against us. Breached usernames and passwords, systems that are out of date and publicly exposed to the internet, personal data that can be used to craft a customised attack profile against you. Even the smallest amount of data can expose weaknesses in your armour. Is the goal to become completely cyber secure? No. On this occasion, you want to make it more difficult to exploit you than the person or organisation next to you. It isn’t a nice way of thinking, but it is the best thing you can do.
Remember all of your key services. It isn’t just the IT you. Facebook admin rights? LinkedIn? Google Drive? If you are using free Slack, for example, and a disgruntled employee has left your organization, do you have a process to make sure those rights are terminated before you terminate their contract? Do you google yourself to see what information there is about you? Do you stress test your processes and public policies to see how the information contained within could be used to find a way to break you?
So, what is a good mindset to use when conducting these exercises? Well, think like a disgruntled employee, or like a very annoyed ex-partner that wants to hurt you. You cannot protect against state action anyway, but there is more chance of your network or information being compromised by someone that really wants to hurt you. Remember, I can teach hacking, I cannot teach motivation. There is a wealth of information online, guides, processes, database breaches, malware as a service… However, it requires effort. Time. Knowledge of the target. Make that data collection harder, so only the most motivated could even attempt it.
And finally, when it happens, don’t panic. Make sure you know how to report an incident just like you would know how to report a fire, a break-in, or a medical problem. The quicker it is reported to the right people, the quicker it can be identified and stopped. Most small incidents become large incidents not because they were intended to be, but because they weren’t noticed.
So, what can I do?
- Conduct OSINT checks against yourself. Regularly Google yourself, check haveIbeenpwned.com to see if you have any breaches.
- Utilize Shodan.io (an open-source vulnerability scanner) against your domain to see what is exposed, see if you have out-of-date services running, and ask the questions. Sometimes they can be false positives. Remember, that is good news.
- Make sure you have a security.txt on your website or an RFC 2350 (a document that has the security contact information and reporting procedure). This is a small text document that has the email address of your security contact, a telephone number, and a PGP encryption key to transmit any breach or supporting information from a fellow CSIRT/CERT or security professional. Make sure all of your supply chains also have a security.txt or an RFC 2350. If they don’t, question it. As stated previously, the most important thing is getting the incident reported as quickly as possible to the right people at the right time for the right response. This basic .txt document has saved many an organization. The alternative is using the whois data for your website, which a) most likely hasn’t been updated since you got it and b) you have made private with GDPR. So much delay happens in waiting in holding queues on telephones or contacting service desks, where on this occasion you want any security breach to go straight to the people that need it and to be dealt with quickly. If they don’t have it, request it.
- Practice OSINT against yourself. Practice targeted email campaigns. Do not blame users when they do click it. Practice your response routine, and make sure you actually use your routine when it happens for real. Most organizations have great playbooks for incidents. The only time they never see the light of day is during an incident, and then you miss the obvious.
- When requesting penetration tests for your organization, don’t limit the scope. Hackers won’t. Nor should you when you check your defences.
- Read the CERT.ee and NCSC newsletters. Check for the latest trends.
- Check your logs. In most incidents, people end up checking their logs after the exploit and going around in circles because they don’t know what normal is. During all of our exercises, we have not been detected once. IDS, Firewalls, Apache Logging, Single Sign-on services, Syslogs are very effective… if you know where they are, if you know how to read them, and have the tools to do so. SpectX have just released a free desktop version. Work out what your “normal” is, then you can spot the problems. Trying to find the compromise afterwards when you don’t know what your network or system looks like puts you on the back foot, and will have you going down rabbit runs.
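For the security.txt item in the list above, a check you can run against your own file and your suppliers' files, added here as an example that is not part of the original article. It assumes the field rules of RFC 9116 (the standard that defines security.txt): a `Contact` value must be a URI, `Expires` must appear exactly once and lie in the future, and `Encryption` must link to the key rather than contain it. The sample files, the fixed clock and the function names are constructed.

```python
"""Check a security.txt file against the RFC 9116 field rules."""
from datetime import datetime, timezone

# URI schemes this example accepts; web URIs must be https under RFC 9116.
CONTACT_SCHEMES = ("mailto:", "tel:", "https://")
ENCRYPTION_SCHEMES = ("https://", "openpgp4fpr:", "dns:")

# Constructed clock and sample files (example.org is a documentation domain).
SAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
GOOD = """\
# Security contact for example.org
Contact: mailto:csirt@example.org
Contact: tel:+372-555-0100
Encryption: https://example.org/.well-known/csirt-pgp.asc
Expires: 2031-01-01T00:00:00Z
Preferred-Languages: en, et
"""
BAD = """\
Contact: csirt@example.org
Encryption: http://example.org/key.asc
Expires: 2019-12-31T23:59:59Z
"""


def parse_fields(text):
    """Map lower-cased field names to their list of values, skipping comments."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("-----BEGIN PGP SIGNATURE-----"):
            break  # end of the signed body in a cleartext-signed file
        if not line or line.startswith("#") or line.startswith("-----"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def parse_expires(value):
    """Parse an RFC 3339 timestamp; None if malformed or without a UTC offset."""
    try:
        parsed = datetime.fromisoformat(value.upper().replace("Z", "+00:00"))
    except ValueError:
        return None
    return parsed if parsed.tzinfo else None


def check_security_txt(text, now):
    """Return (errors, warnings), each a list of (code, offending value) tuples."""
    fields = parse_fields(text)
    errors, warnings = [], []

    contacts = fields.get("contact", [])
    if not contacts:
        errors.append(("contact-missing", ""))
    for value in contacts:
        # A bare e-mail address without mailto: is the most common mistake.
        if not value.lower().startswith(CONTACT_SCHEMES):
            errors.append(("contact-not-uri", value))
    if not any(v.lower().startswith("tel:") for v in contacts):
        warnings.append(("no-telephone-contact", ""))  # the article asks for one

    expires = fields.get("expires", [])
    if len(expires) != 1:
        errors.append(("expires-duplicate" if expires else "expires-missing", ""))
    else:
        when = parse_expires(expires[0])
        if when is None:
            errors.append(("expires-invalid", expires[0]))
        elif when <= now:
            errors.append(("expires-past", expires[0]))  # stale contact data

    keys = fields.get("encryption", [])
    if not keys:
        warnings.append(("no-encryption-key", ""))  # reporters cannot encrypt details
    for value in keys:
        if not value.lower().startswith(ENCRYPTION_SCHEMES):
            errors.append(("encryption-not-uri", value))

    return errors, warnings
```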
If you treat the problem as an organisational problem, and not an IT one, you will realise the “whole-ship” approach including all aspects provides a much better way of providing a security baseline. Remember, you have to protect everything in your organisation, a threat actor just needs to find one compromise, and they aren’t limited by scope, by law, or by time. Just their own determination.
This article was published in Edasi.org.
Article: Information, misinformation and disinformation
Author: Dr Adrian Venables, TalTech Centre for Digital Forensics and Cyber Security senior researcher
Bombarded by information
We live in an information age. Our waking hours are spent being bombarded with images, text and sound from multiple sources, all competing for our attention. Although much of this information may seek to educate, inform and entertain, some of it also seeks to influence our behaviour and decision-making processes. This may be open, honest and accepted as part of everyday life and may even be useful, with marketing being a prime example. Advertisements may try to persuade us to buy items that we didn’t even know existed with the promise of making our lives easier or more fulfilled. They may also help us to make purchasing decisions on products that we already intend to buy, but have not decided on which manufacturer, specification or price to pay. This industry is well established and is expert in providing sophisticated ways to convince us to part with our money in favour of one product over another. As the target of advertising campaigns, we are both familiar with the concept and are to a certain extent protected. The European Advertising Standards Alliance (EASA) is a self-regulating body that helps to ensure that advertisements are legal, decent, honest and truthful with the purpose of creating trust in advertising and in brands. We are also pragmatic in accepting that although the advertisements project an image of the product contributing to a perfect life, it doesn’t necessarily represent reality. However, although we may appreciate that buying a certain product may not immediately make us rich, attractive, successful or fulfilled, how believable is the other information that we may see?
Propaganda, misinformation, disinformation and malinformation
History has many examples of how information has been used by nations to subdue or alter the behaviour of other countries. Being able to achieve dominance over an adversary without recourse to conflict is an attractive proposition and forms an integral part of a state’s foreign policy. Variously called ’Information Operations’, ’Information Warfare’ or ’Information Superiority’, they all recognise its use as a means to achieve a specific effect on an adversary. Although the origin of the phrase is unclear, it is often quoted that ’The first casualty of war is truth’. The degree to which the truth is manipulated can vary according to the type of information and its audience. The term ’propaganda’ is used to describe the systematic dissemination of information in a biased or misleading way in order to promote a political cause or point of view. If deliberately false, the term ’disinformation’ may be used and is often associated with governments with the aim of influencing the policies or opinions of those who receive it. Often confused with ‘disinformation’ is ‘misinformation’. This is information which, although incorrect or wrong, is the result of an unintentional mistake and not deliberately intended to mislead. Sometimes information need not even be false to cause harm. Mal-information is based on reality but may be private or personal information that when made public causes embarrassment. This is a favoured tactic of computer hackers and is called ‘Doxxing’. This involves accessing an individual’s private data from online sources and publishing them online, causing distress and potentially placing them in danger.
Whether or not information is deliberately incorrect, what matters is how it is interpreted. This not only affects current events, but rewriting history to suit a particular narrative is also common. A recent example of this was the Russian government’s attempt to present the Molotov-Ribbentrop pact in a positive light on the eightieth anniversary of its signing in August 2019. This revised explanation ignored the consequences of the collaboration between Hitler and Stalin until the former’s invasion of Russia in 1941 and its impact on the Baltic states and Poland. The pact is now portrayed as a natural result of the politics of the time and is promoted as ’a great achievement of Soviet diplomacy’. Fortunately, those countries that endured its consequences have been quick to criticise this view of history and counter Russia’s new description of the events of the time.
Information as a weapon
For over 70 years NATO has been the world’s most powerful military alliance and has successfully countered aggression in Europe and beyond. Its nations are also the most technologically advanced with nearly 90% of its population having access to an uncensored and free Internet. Unable to match the combined military strength of the western democracies, its adversaries have used information as a means to gain an advantage. It is in this respect that NATO is at a significant disadvantage as outside of the US and Europe, personal freedoms are more restricted, censorship is common, and the Internet is more tightly controlled. Exploiting the high levels of connectivity and an addiction to social media, western nationals have faced both cyber espionage and influence operations from a range of nation states. In this way, attackers have sought to reduce the western nations’ technological advantage by stealing intellectual property and to undermine their democratic institutions. The extent and sophistication of these operations reached public consciousness with the exposure of the Russian interference in the US Presidential elections in 2016 and Chinese spying activities in 2018.
When a nation directly interferes with the internal affairs of another, it is a breach of its sovereign integrity under the UN Charter. However, whereas activities in the physical domains would result in retaliation, cyberspace represents a grey area of law. This is due to disagreement over the issue of sovereignty in cyberspace and the difficulties in detecting and positively attributing actions within a reasonable timescale. It is for this reason that the information-based domain of cyberspace is an increasingly popular means for nations to conduct influence campaigns against their competitors and adversaries. Commonly known as ‘hybrid’ operations, these are variously defined as a mixture of coercive and subversive activities, conventional and unconventional methods, which can be used in a coordinated manner to achieve specific objectives while remaining below the threshold of formally declared warfare. Information is an ideal means to conduct a hybrid warfare campaign as when intelligently employed it can have a persuasive effect on a target audience equivalent to conventional weaponry. However, information cannot be regarded as a weapon in the same way as there is no direct destruction or physical injury. Its use can also be disguised by creating doubt as to its origin and by using users themselves to disseminate the information amongst a population; termed going ‘viral’. This is significant as information from those we know is more likely to be trusted and acted upon than from anonymous sources.
Countering information warfare
Although information is now widely used as a weapon, its effect can be reduced. We must learn to be more suspicious of what we read and not believe everything we see, particularly when it’s online. Fact checking and using multiple sources for our information is important – and not just from social media. Reading reputable news sources known for journalistic integrity will also help to defeat the impact of fake news and disinformation. Engaging with those with a range of differing opinions will provide a wider perspective of issues and will help to balance extreme views. Discussing issues with colleagues and friends and regarding what you have seen as opinion, rather than fact, will also help raise awareness and debate. Most important of all, though, is an awareness of the issue. We are all targets for those that wish to influence our behaviour and attitudes, and knowing this and preparing for it is our greatest defence.
This article was published in Edasi.org.
Article: Automotive digital forensics
Authors: Andrew Roberts, TalTech Centre for Digital Forensics and Cyber Security analyst and Pavel Tšikul, TalTech Centre for Digital Forensics and Cyber Security early stage researcher
In 2014, 19.1 million crimes were committed in the U.S. Of this number 95% involved mobile phones and 80% involved vehicles. Due to the connected nature of modern vehicles, automotive digital forensics is a burgeoning source of evidence for criminal cases and accident investigation.
As drivers and passengers of vehicles, very few of us consider how our behaviour and interactions are captured and recorded by our vehicle. Understanding how digital forensic investigation is conducted on vehicles is important both for your own awareness and for understanding how law enforcement uses the digital properties of vehicles as a source of evidence.
What is Automotive Digital Forensics?
Automotive forensics is a branch of digital forensics relating to recovery of digital evidence or data stored in automotive modules, networks and messages sent across operating systems. The aim of automotive forensics is to provide evidence to support criminal cases, root-cause analysis and accident investigation.
In Estonia, the Estonian Forensic Sciences Institute (EKEI) provides automotive digital forensic services to the Estonian Police.
How does your vehicle store information?
The easiest way to understand how your vehicle transmits and stores information is to understand how you interact with your vehicle. When you start your vehicle with an electronic or physical key you interact with the on-board diagnostics (OBD-II) port. This port is the interface between the outside world or the vehicle as you see it (steering wheel, air conditioning) and the in-vehicle systems. The OBD-II port communicates using communication networks such as Local Interconnect Network (LIN), Controller Area Network (CAN) bus, FlexRay and Media Oriented Systems Transport (MOST). These networks connect with Electronic Control Units (ECU), which are microcontrollers that operate functions such as body control, engine control and telematics. The Event Data Recorder (EDR) and insurance black-box are two crucial automotive components for the forensic investigator. The EDR is continually recording information from the telematics and overwriting information about your journey. In case of accident or faults the recording is stored and the EDR data is able to be extracted. Some vehicles also have Video EDRs which record footage from a camera on the dashboard.
A connected vehicle’s infotainment and telematics systems provide a wealth of information for digital forensic investigators. When you connect your smartphone to your vehicle’s infotainment system, often using Bluetooth, you enjoy the use of functionality from playing music through Spotify, using navigation apps such as Waze, hands-free calling and playing or recording videos or images. You may also insert media players, USB drives and SD cards into the infotainment head unit. These connections transmit information such as phone related information (SMS messages, call logs and contacts), music files, image files, user voice profiles, car information, previously connected devices (through the Bluetooth MAC addresses of paired devices) and wireless access points. The telematics system stores navigation data such as saved locations, previous destinations and track data. If navigation applications are built-in, then geolocation and timestamp data will be available. This information is stored, depending on the age and model of the infotainment system, either on a hard drive or an SD card contained within the infotainment system. Some newer model vehicles allow the ability to connect via applications such as Android Auto, Alexa Auto and Apple CarPlay.
Source: Skoda SmartLink
Self-driving, automated vehicles such as TalTech’s ISEAuto and Starship Technologies delivery robots are more advanced in that they use sensors and intelligent algorithms to assume the driving function of the vehicle. Machine vision creates 3D models of the environment from LiDAR sensors and cameras. The automated navigation of the vehicle is controlled within the logic contained in automotive software platforms such as Autoware through pre-programmed routes on maps or GNSS navigation and algorithmic constraints such as maximum speed levels and braking at a pre-determined distance before an identified obstacle. Communications through 4G/5G technology and wireless infrastructure are crucial for Vehicle to Vehicle (V2V) and Vehicle to Infrastructure (V2X) communication. V2V is the communication network of the automated, self-driving car to communicate with other automated vehicles to inform each other of information such as speed, location, direction of travel. V2X comprises the automated, self-driving vehicle communicating with smart city infrastructure such as connected traffic lights, stop signs, and parking meters. The data from self-driving, automated vehicles can be stored as logs in the cloud, local storage, and within each of the sensors and smart city platforms it interacts with.
Source: TalTech ISEAuto, Blog 3/4: Building the Bus
How do Law Enforcement Conduct Digital Forensic Investigation on Vehicles?
The aim of the forensic investigator is to retrieve data and develop an event timeline to provide an accurate picture of the criminal activity or accident to legal authorities. The first step will be to understand the evidence source. This includes the original equipment manufacturer (OEM), make, model, architecture, software and physical components. A strategy will then be developed to determine what techniques and tools can be used to retrieve the data from the vehicle and how to achieve this without contamination or destruction of the data or physical vehicle component. A digital forensic specialist needs to weigh the amount of resources (personnel, funding, time) they are willing to devote to the investigation based on the degree of the crime. In vehicular forensics this is especially important as data extraction of the EDR and ECUs will require physical dismantling of the vehicle. For small scale crimes this may not be worth the effort.
The infotainment and telematics systems often provide the best source of data retrieval based on this criterion. Law enforcement use commercial products and providers such as Berla iVe and Envista forensics to gain data from infotainment (phone and connected device data), telematics (navigation data) and GPS (location data). These commercial products structure the retrieved data in an event timeline for the convenience of forensic investigators.
Source: Backlight Forensic Application with Berla iVe, Event timeline
Law enforcement can also work with the OEM to gain access to the EDR and ECUs. An OEM, such as Mercedes or BMW, retains proprietary tools for maintenance and troubleshooting that can access these systems. EDR data is used in criminal proceedings to prove drivers were speeding or purposely took driving decisions that caused damage, injury or fatality.
For self-driving, automated vehicles, recent cases in the United States involving accidents with Tesla and Waymo self-driving vehicles have demonstrated the use of code reviews and reverse engineering of automation logic as crucial for root-cause analysis. In 2016, a Tesla Model S, an automation-assisted vehicle (the driver is still required to take control of the wheel), crashed into a truck, killing the driver. Reverse engineering of automation logic and sensors provided the root cause as the inability of the Tesla cameras to recognise the truck’s trailer, due to positioning and its white colour. This resulted in the Tesla not initialising the brakes. This forensic investigation led Tesla to improve the implementation of its radar system.
Automated transportation platforms are one of the five areas of focus for the Smart City Centre of Excellence in Tallinn. To safely and effectively use automated transportation, Estonia needs to build capability in digital forensics and cyber security to secure these connected platforms. Opportunities to build these skills are already available in Estonia and include the TalTech Summer School 2020, which is focussed on cyber security for transportation, and the Master of Cyber Security program at TalTech and University of Tartu that offers forensic courses in the areas of network, systems, mobile, IoT, secure software design, and legal aspects. Digital forensic skills can also be obtained in scenario-driven training available from Estonian companies: RangeForce, Guardtime and CyberExer. The European Horizon 2020 Project ECHO will also provide the ability for users to develop their skills using cyber ranges that simulate digital forensic scenarios across multiple sectors: transportation, medical, energy. Possible future careers include the Estonian Police and Border Guard, the Estonian Forensic Sciences Institute and innovative manufacturers of self-driving, automated vehicles: MILREM Robotics, Starship Technologies and Cleveron.
The article was published in Edasi.org.
Article: National Power - it’s multifaceted, perishable and Estonia should not rely on past successes
Author: Dr Adrian Venables, TalTech Centre for Digital Forensics and Cyber Security senior researcher
The modern system of nation states is often traced to the Treaty of Westphalia of 1648 that ended an extended period of conflict in Europe. Since then, countries have sought to influence and exert their will over each other to achieve strategic objectives that benefit their populations. Control of territory, food supplies and access to natural resources have all been the focus of governments with the aim of being stronger, wealthier and more resilient than potential adversaries. Projecting national power employs a range of methods, from the peacetime activities of diplomacy and persuasion through to coercion and low-level conflict, leading ultimately to high intensity warfare. The constituent components of national power were first proposed by the US military during the Cold War and comprise Diplomatic, Informational, Military and Economic (DIME) attributes. More recently, academics have proposed that Legal and Law Enforcement, Science, Technology and the Environment should also be added to include contemporary issues in world affairs. Together these combine to establish and maintain internal stability whilst persuading, deterring or resisting perceived external threats.
National power projection
How national power is exerted has been examined by the US political scientist Joseph Nye, who considered the concepts of Hard, Soft and Smart power. Hard power is regarded as the traditional means of influencing others at the state level and uses coercion through a variety of means including military action or payment. To be effective it draws on the potential economic strength that a population can realise as part of wider diplomatic and political engagement and is not subtle. The coerced party is aware both that it is taking place and from whom. Soft power, however, aims to get others to want the outcomes that you want through the power of attraction. This includes non-material means such as agenda setting and the promotion of the positive aspects of a nation’s culture, political values and foreign policies. Smart power combines Hard power coercion and economic sanctions with the Soft power attributes of persuasion and attraction into a single coordinated approach. The strategic communications company Portland produces an annual report listing 30 countries that exert the most global soft power. Their 2019 rankings place France, the UK, Germany, Sweden and the United States top, with Brazil, China, Hungary, Turkey and the Russian Federation at the bottom of the rankings. No Baltic states make the list; however, Sweden, Norway and Finland are placed 4th, 12th and 15th respectively. Emphasising that size does not necessarily matter in soft power, the list also includes Switzerland (6th), Netherlands (10th), Belgium (18th) and Singapore (21st) in their rankings.
|Hard Power|Soft Power|Smart Power|
|---|---|---|
|Coercion – military force|Agenda setting – my priorities are also your priorities|Combination of hard and soft power|
|Inducement – payment or sanctions|Attraction – promoting positive qualities to imitate|Emphasis changes with situation|
Types of national power projection
Although Soft power has a role in establishing a state’s international reputation, it does not necessarily correlate with overall comparative national power. In March 2019, Business Insider ranked the world’s most powerful countries. As expected, the United States as the sole superpower ranked highest. Also, there was no surprise that Russia and China followed demonstrating the importance of size and military capability and in China’s case, economic strength. Although the majority of the other 25 nations listed are western democracies, Middle Eastern countries are also prominently placed with Israel, Saudi Arabia and the United Arab Emirates the most powerful in 8th, 9th and 11th place. Iran and Iraq are also placed among industrialised first world countries due to their oil reserves. The realities of national power and influence demonstrate that what really matters is economic strength. National wealth is ultimately based on the ability to feed a population and maintain security in peacetime. In times of conflict it is measured through the ability to mobilise enough military capability to subdue and overcome an adversary. Soft power contributes to overall national power, but it is not everything.
Estonia’s national power
As a small country, Estonia’s Hard power will always be limited, but what about its Soft power? Following the March 2019 parliamentary elections, domestic politics became an issue of much discussion and has been the subject of numerous media articles. Some of these have raised concerns at how the wider global community now perceives Estonia. Essentially, has Estonia lost some of its all-important Soft power of being an attractive country to others and is it no longer worth emulating? To a certain extent, this does not matter as much as the commentators would have us believe, as many countries have attributes that are not universally admired. China and Middle Eastern countries are not democracies in the western sense of the term and have cultural views on a range of issues that do not align to western norms. However, China attracts enormous levels of trade due to a highly sophisticated and efficient manufacturing base and visitors are drawn to its pre-communist cultural artefacts. Hotel resorts in Middle Eastern countries attract tourists for the climate and luxurious facilities despite restrictive social and religious customs. Even Spain, a European country favoured by holiday makers, has a soft power problem due to its tradition of bull fighting, a spectacle that many find too distressing to witness.
Estonia’s overall national power is secure on many levels. Membership of NATO and the European Union provides military security and the conditions for free trade. Investors, visitors and tourists may not be overly concerned with domestic politics so long as the conditions for internal stability, low crime and financial security are met. It is on these areas that we must concentrate. The current fourth constitution underpins the democratic order and a small, cohesive population with a shared cultural background and sense of national pride contributes to a low crime rate. Business relationships though are more transient and are built on reputation, levels of trust and economic stability. Estonia has much to offer but can do more to actively promote itself as it continues to do well in international rankings. This year, for example, we were ranked second only to Iceland in having the freest Internet in the world according to Freedom House’s Freedom on the Net index. The country’s robust economic governance was also confirmed with the Basel Institute’s conclusion that of 125 countries measured Estonia has the lowest risk of money laundering. Further promoting business and international investment, the Organisation for Economic Co-operation and Development assessed in 2019 that Estonia has the most competitive tax system in the developed world. These positive attributes should be strongly promoted to Europe and the world.
|Diplomatic|Democratic institutions, seat at the UN Security Council, international reputation|
|Informational|Free internet, mature digital society, e-Estonia, e-residency|
|Military|Membership of NATO and allied troops based in Estonia reinforcing national defence|
|Economic|Membership of EU, free trade and movement, small national debt, low risk of money laundering, competitive tax regime, high literacy|
|Legal and law enforcement|Internal stability, low crime, cohesive society based on strength of national identity|
|Science and technology|High standard of education, reputation of universities, strong ethos of academic research, high number of start-up companies, culture of innovation|
|Environment|Low population density, unspoilt natural environment, cultural richness, world heritage sites, free public transport for Tallinn residents, electrically powered transport|
Some of the many attributes of Estonia’s national power
Building on our successes
Culturally and economically, Estonia has much to be proud of when promoting itself on the world stage, but we must continue to build on our successes. The country’s reputation as being an exemplar of a mature digital society must also be maintained by prioritising investment in academic and applied research in engineering, computer science and cybersecurity. The conditions for continued technological innovation must be supported and those that bring skills and benefits to our society should be welcomed and encouraged to study and work. Estonia must not come to be regarded as one of the first countries to digitally transform, only to be later overtaken by others. We must look to maintain our culture of innovation and continue to be the nation that others wish to emulate. Part of this will involve monitoring what our competitors in Europe and increasingly in the Far East are achieving and how we can adapt and improve on their advances. For example, with climate change increasingly on the world’s agenda, nations are looking at how to harness technology to achieve a carbon free society and transport is high on the agenda. Free public transport for residents in Tallinn, hybrid buses and electrically powered trams, trolley buses, and the highly popular scooters provide a strong base on which we can build.
Supported by an environmentally friendly transport infrastructure, visitors and tourists will continue to be attracted by Estonia’s culture, the beauty of its environment and its historical and modern architecture. The recent tax reductions on alcohol have stimulated an increase in tax receipts from visitors whilst encouraging domestic purchases, further supporting the economy. The conditions are right for Estonia’s economy to thrive and national power to increase within the wider international community. To do so, we must look outward, at how we can promote ourselves on the world stage, and not inward.
The article was published in Edasi.org.
TalTech's Centre for Digital Forensics and Cyber Security brings together comprehensive cyber competence
TalTech's Centre for Digital Forensics and Cyber Security celebrates its fifth birthday this week. According to Rain Ottis, head of the Centre, the multidisciplinary research group today explores cyber security very broadly, from cryptography to monitoring systems, from the legal aspects of cyber security to digital forensics.
"This approach enables us to engage in high-level collaboration with both the public sector and private companies such as Cybernetica, CybExer, GuardTime and RangeForce," Ottis noted.
He said that in addition to cyber security research, the centre has many important activities for bringing new people to this domain, including an international Cyber security MSc program, the Cyber Security Summer School and CyberSpike competition. "By the time of our fifth birthday, the first PhD thesis associated with our centre has successfully been defended and 234 master students have graduated."
Cyber security is an international field: with staff of eight different nationalities, the centre today involves a total of 30 researchers and specialists.
In addition to Tallinn University of Technology, on 12 November 2014 the Ministry of Economic Affairs and Communications, the Ministry of Defense, the Ministry of the Interior, the Ministry of Justice, the Information System Authority, Estonian Police and Border Guard Board and the Estonian Forensic Science Institute signed the agreement to jointly develop cyber security in Estonia through the centre.
How to improve human performance in cyber security domain?
Authors: Stefan Sütterlin, Østfold University College/TalTech, Ricardo Lugo, Inland Norway University of Applied Sciences and Benjamin J. Knox, Norwegian Cyber Defence, Cyber Warfare Center/Norwegian University of Science and Technology
Cyberattacks are considered a major corporate and national threat. After the events of 2007, Estonia has very particular experience with the establishment and further development of cyber defence capabilities; consequently, its cyberinfrastructure is one characterized by ambition and resilience in the indefinite race for technological dominance over one’s adversaries. While technological progress continues to produce more sophisticated threats that need to be matched by equally rapid developments in technical cyber defence capabilities, the humans in charge of defensive cyberspace operations face ever faster changing demands on their own cognitive skills to successfully master their own, and adversarial, technological capabilities.
One fundamental element in developing and maintaining good governance of cyberpower in a cyber defence context is the education of future cyber operators. Cyber operators are computer science specialists at the frontline of cyber defence and embedded in a variety of civilian, military, private or public entities to ensure the integrity of sensitive networks. Amongst other tasks, cyber operators collect and process data from computer networks in order to exploit, locate, or track targets of interest. These experts navigate in networks, perform tactical forensic analyses, and are able to execute on-net operations with the purpose of securing their cyber terrain.
It is a widespread, but nevertheless fundamental, misunderstanding to consider cyber operators as being computer nerds solely requiring technical skills and knowledge that allow them to perform in, for example, malware analysis, penetration tests, or discovering irregularities in data traffic. Research on the “human factor” in cyber defence acknowledges that technology does not exist in isolation, but that interpretations, conclusions and decisions are made by individuals or groups of humans. As such, recent research conducted by TalTech’s Centre for Digital Forensics and Cyber Security and other research groups such as PACE-CybORG investigates psychological tools that are involved in setting the conditions for successful defensive cyberspace operations.
Amongst the numerous ways psychological effects influence the outcome of cyber defence related decisions, the information exchange about recognized cyber threats is a particularly relevant one and prone to errors and inefficiencies. In areas such as aviation, acute medical care, and traditional warfare, the devastating effects of miscommunications are well documented and acknowledged. The Australian Ministry of Transportation revealed in an analysis that 70% of fatal aviation incidents result from human failure. While the understanding of the relevance of human failure, and more generally, the human factor, as a predictor of performance is widely acknowledged in these safety- and security-critical sectors, our knowledge about the human factor in cyber defence is still rather limited. This may be due to the fact that “human factor” appears as a rather abstract term, despite its very concrete manifestations.
As an example, a lack of procedural compliance (users of technology not adhering to existing security protocols) can entail very serious security-related consequences and can be the result of guidelines and procedures that are formulated in a difficult to understand, highly technical and complex way. Other examples of situations promoting human failure are organizational cultures of hierarchy with low tolerance to criticism that can lead to younger or lower ranking experts withholding critical knowledge and observations; or interdisciplinary teams that were set up without prior knowledge of each other's domain and the resulting communicative difficulties when it comes to explaining a complex situation under time pressure. To identify these human-related sources of errors requires a systematic investigation of the circumstances that make people perform well or fail, and the development of teaching and training methods and material to reduce these risks.
Psychological research on human factors in cyber defence, however, has just begun. Frequent anecdotal evidence shows how young and highly qualified cyber operators with excellent technical skills are challenged by the need for communicating a significantly technical situation through the hierarchical chain for further decision-making by non-technical personnel. Particular technical characteristics that indicate an existing or potential cyber threat to a computer network (often displayed and presented as a “recognized cyber picture”) are typically situations of high ambiguity. The lack of reliable information, vast amounts of available and potentially irrelevant or conflicting data, combined with a lack of immediately accessible knowledge or criteria for understanding how to distinguish one from the other, evokes individual differences in perceptions, subjective interpretations, and a partially intuitive sensemaking that gets passed upwards along the command chain in the organizational hierarchy.
At the receiving end, decision-makers, with less technically specific qualifications, have the responsibility for the strategic implications of the decisions made. As a result, both the perception and subsequent experience-based interpretation of a given technical status and the cyber operator’s communication skills with a third person have a profound impact on the situational awareness of strategic decision-makers. It is not the technical situational status per se, but the result of its perception, interpretation, and communication by the cyber operator that shapes the decision-makers’ experienced reality. The decision-maker on the receiving end depends upon their understanding of the, most likely simplified, explanation communicated by the cyber operator. Simplification always requires selection, weighting, and interpretation.
A successful communication between a cyber operator and a technically less specialized decision-maker therefore requires skills on both ends. To provide meaningful information in a concise, precise, and unambiguous way requires cyber operators of a lower rank to be aware of the commander’s needs, skills, and momentary ability to process this information and conclude on it. The decision-maker needs to clearly instruct the operator about their own needs and requirements and communicate with clarity and humility when something is not understood. Both communication partners need some basic knowledge about each other’s “domain” and an awareness about different terms, languages and definitions, routines and generally cognitive styles. These skills are not self-evident, and practising these communication skills in situations framed by high uncertainty, high risk, time pressure, and complexity poses considerable cognitive and social demands. As such, the requirement for training becomes self-evident.
The described challenges are pronounced within teams along the axis of hierarchy, between individuals and teams of different disciplines and levels of affinity towards technology, between institutions within the same societal sector (e.g., Defence intelligence services and police intelligence agencies), between private entities, and between sectors (e.g. private economy and military cyber defence). The research network of PACE-CybORG has developed educational training methods in order to maximize training effects for improved communication of a recognized cyber picture, and unbiased situational awareness as a prerequisite of successful decision making. The outcome is the improved praxis of conducting defensive cyberspace operations. PACE-CybORG stands for “Performance and Cognitive Engineering - Cyber Operations Research Group” and describes an international research network including cyber defence educators, performance psychologists and cognitive scientists associated with academic, research and defence institutions. The aim is to improve human performance in defence cyberspace operations by analyzing the predictors of cyber operators’ performance and recommending teaching and training models, admission criteria and performance monitoring tools. The group is also linked to TalTech's Centre for Digital Forensics and Cyber Security.
In recent years, existing knowledge on security-relevant psychological skills related to performance under pressure in complex environments, team functioning, educational methods, design of exercises and other applications has been transferred to, and continues to play an increasingly important role in, developing approaches to cyber defence education, and cybersecurity in a wider sense.
The article was published in Edasi.org.
Cyber Security Student Brief
Looking for a master's thesis topic or a supervisor? The Cyber Security Student Brief will come again! This is a unique opportunity to meet the team of the TalTech Centre for Digital Forensics and Cyber Security and learn more about the research interests of our academic staff.
The Cyber Security Student Brief will take place on Friday 4th of October 2019 at 14:00 – 16:00 in TalTech IT College (Raja 4c) room ICO-316.
13:45 – 14:00 Gathering
14:00 – 14:15 Welcome and introduction of the Centre and the Cyber Security Research Excellence Course
14:15 – 15:30 Introduction of members of the Centre. Presenting research interests of supervisors and Master thesis topics. Q&A
If you have any questions regarding the event, please contact: martha dot jung at taltech dot ee.
Article by Dr Adrian Venables: Anti-social media – the rise in online censorship
Social media has been one of the defining technologies of the 21st century. Previously, Internet users had primarily been consumers of information, but these websites and applications enabled everybody to become content producers. The introduction of the iPhone in 2007 contributed to its growth by providing mobile Internet access and freeing users from the constraints of desktop and laptop computers. Combined with the launch of software optimised for mobile devices, the number of users has steadily increased and is expected to exceed 3 billion by 2021.
The first decade of social media was a halcyon period in which the medium was regarded as harmless entertainment and was mostly free from state interference. However, as its power to inform, influence and alter behaviour became increasingly apparent, governments began to take a closer interest in the online behaviour of their populations. Although its exact contribution is still debated, social media played a role in the ‘Arab Spring’ of 2011. Popular with the younger generation, it enabled protesters to organise gatherings and spread news of events to a wider global audience. Initially caught unawares, affected governments responded swiftly by blocking access to social media sites and even temporarily severing Internet connections.
Whereas the results of mobilising populations in the Arab Spring were immediate, obvious and sometimes violent, another subtler effect was seen later in the decade. The 2016 Trump election victory is now infamous for the widespread and systematic online information campaign directed at the US population. This included what became known as fake news - outrageous news headlines designed to tempt readers to click on the stories and their embedded advertisements to generate revenue for their creators. More insidious though was the Russian government interference in the election, described by the 2019 Mueller Report as ‘sweeping and systematic’. This was conducted through the St Petersburg based Internet Research Agency, which combined a range of techniques to generate a sentiment favourable to the Trump campaign. In addition to conventional paid advertisements, the Russians generated fake accounts purporting to be from US citizens. These online personas, termed sockpuppets, were used to comment on, promote or defend an issue. This was achieved by posing as a leader of a reputable group, reliable news source or trusted individual, which simulated grassroots support for Trump – a process termed astroturfing. These were supplemented with trolls: accounts set up to create disruption and division by posting provocative, misleading or pointless comments. In addition to the human operators, automated programmes termed spambots were also used to open accounts and generate traffic to develop online engagement. By clever use of hashtags, it was possible to manipulate the algorithms used by social media to dominate online discussion.
Although social media is a technology based medium, it harnesses some very human characteristics, which can be employed to manipulate and influence users. These were utilised in the 2016 US election and are now being widely employed to censor and control behaviour. The first of these is homophily, which is the tendency for people to have ties with those of similar beliefs. Social media users tend to self-censor by only associating with those of similar views and accessing news outlets that promote stories that do not challenge existing viewpoints. In time, this leads users to only be exposed to opinions that coincide with their own. This reinforces their opinions as being the ‘right’ or those of the majority and does not allow alternative ideas to be considered. This comfort zone is termed an echo chamber and can result in a very narrow perspective of an issue with social media and some search engines contributing to the process. First termed as the filter bubble by Internet activist Eli Pariser, this is the situation that occurs when website algorithms selectively provide information based on past browsing behaviour. This can be illustrated by comparing the returns from similar inputs to different Internet search engines and how Facebook’s personalised news stream differs from other news sources. As beliefs become more entrenched, confirmation bias can emerge. This is the situation in which individuals favour information that aligns with their preconceived knowledge, even if flawed, and choose to disregard alternative opinions.
Homophily, echo chambers and confirmation bias are human traits, and yet even for those seeking alternative perspectives, online censorship and manipulation are increasingly preventing access to some opinions. Recent research by Northwestern University in the US highlighted a potential bias in Google’s search algorithm that favoured predominantly left leaning news organisations in their rankings. This is particularly significant as online news sources are gaining prominence over traditional media organisations. Moreover, social media now often pushes news items to users, who may not actively seek other information sources. Combined with the prevalence, ease of access and convenience of online resources, consumers may be subject to unconscious bias and censorship without their knowledge.
For those who do wish to access alternative views and form their own opinions, the range of online resources available may be increasingly limited. Following the role that fake news played in the 2016 elections, governments and news organisations are increasingly citing it as the reason for censoring and removing material. Whereas attempts to verify and confirm the factual content of stories are admirable, there is a danger that their definition of fake news will spread to unpopular or divisive news. Some countries such as China are well known for their authoritarian control over the Internet within their borders, but others are also seeking to control what may be posted. Russia has recently introduced a new law that could effectively disconnect its Internet from the rest of the world. Justified as ensuring resilience in case of cyberattack from abroad, by directing all traffic through centrally controlled routers, monitoring and filtering of information originating outside Russia could also be implemented. The EU’s new copyright law, which applies to social media companies, has also raised concerns. With 19 nations voting in favour and 9, including Estonia, voting against or abstaining, the law is intended to bring existing regulations into the online age by making Internet platforms liable for content uploaded to their sites. Licenses must be obtained from rights holders for copyrighted works to be hosted, with filtering used to remove unauthorised material. Critics have stated that this is impracticable and unworkable and will result in online expression and free speech being curtailed. Faced with prosecution, some believe that internet companies will take the safe course of action and will remove the majority of images and media currently available online.
Freedom of expression and the issue of online free speech is becoming closely related to censorship and is an increasingly contentious issue in western democracies. Opinions and views vary but with the Internet’s infrastructure and websites owned by either governments or private companies, consumers have little influence over how it operates. In May 2019, Facebook removed a number of prominent conservative figures from its platform, labelling them as ‘dangerous’. Critics were quick to point out that several far-left activist groups openly advocating violence remained active. European governments are also active in policing online content. The UK is very active in this area with specialist units devoted to monitoring social media. Using the justification of investigating ‘hate crimes’, social media activity can be sufficient to attract police interest if a post causes someone to be offended on a range of issues. This has effectively muted many forms of debate and criticism on a range of contentious issues including gender and religion. Restricting freedom of expression and free speech may lead to what is termed a spiral of silence. Proposed by political scientist Elisabeth Noelle-Neumann in 1974, the term relates to the tendency of people to remain silent on an issue when they feel that their views are in opposition to the majority. Today, an individual may remain silent, feeling prevented from expressing an opinion online for fear of being accused of a ‘hate crime’. In doing so it deters others from stating a similar view and leads to the views of a silent majority being suppressed by a vocal minority.
At the opening of the Estonian Riigikogu (Parliament) on 25 April 2019, President Kersti Kaljulaid wore a sweatshirt with the slogan 'Sõna on vaba' (the word is free). This commitment to free speech was again emphasised during a meeting with the European Federation of Journalists a month later. Freedom of speech is binary – you either have it, or you do not. With complete freedom of expression comes the acceptance that those you disagree with, including extremists of all persuasions, will have a free platform. Once limitations are imposed, the challenge is where to draw the line and accept the risk that the restrictions may increase over time. It will be for future generations to debate whether the free speech permitting, pre-2016 Internet and its social media applications were better than what they subsequently became. That is of course, if they will be allowed to debate such issues online.
Author: Dr Adrian Venables, TalTech Centre for Digital Forensics and Cyber Security senior researcher
The article was published in Edasi.org.
PhD Thesis Defence: Bernhards Blumbergs
On Monday, May 27th, 2019 at 9:00 AM, Bernhards Blumbergs, PhD student of the Department of Software Science and the Centre for Digital Forensics and Cyber Security workgroup (supervisors Prof. Rain Ottis and Dr. Risto Vaarandi), is going to defend his PhD thesis „Specialized Cyber Red Team Responsive Computer Network Operations“. The PhD defence will take place at the TalTech ICT building (Akadeemia tee 15a) in room ICT-315. Find the thesis in the digital library: https://digi.lib.ttu.ee/i/?12015.
- Professor Dr. Hiroki Takakura, National Institute of Informatics, Tokyo, Japan
- Fregattenkapitän PD Dr. Dr. habil. Robert Koch, Bundeswehr University of Munich, Munich, Germany
Dr. Hayretdin Bahsi named Professor
We are happy to announce that Dr Hayretdin Bahsi from TalTech Centre of Digital Forensics and Cyber Security has been named Professor!
Dr. Hayretdin Bahşi received his PhD from Sabancı University (Turkey) in 2010. He was involved in many R&D and consultancy projects on cyber security as a researcher, consultant, trainer, project manager and program coordinator at the Informatics and Information Security Research Centre of the Scientific and Technological Research Council of Turkey between 2000 and 2014.
His research interests include critical information infrastructure security and cyber situational awareness systems.
TalTech CyberCentre partner in the European Commission’s ECHO project
TalTech Centre for Digital Forensics and Cyber Security started collaboration as a partner in the ECHO project (European network of Cybersecurity centres and competence Hub for innovation and Operations).
The ECHO project is one of four Pilot projects, launched by the European Commission, to establish and operate a Cybersecurity Competence Network. The project was officially launched at the Conference Hall of the Royal Military Academy of Belgium, on February 25th, 2019.
The ECHO project will deliver an organized and coordinated approach to strengthen proactive cyber defence in the European Union, through effective and efficient multi-sector collaboration. The Partners will execute on a 48-month work plan to develop, model and demonstrate a network of cyber research and competence centres, with a centre of research and competence at the hub. To make this vision a concrete reality in Europe, ECHO comprises 30 partners from 15 EU Countries plus Ukraine, representing 14 Industrial partners and 16 Research Institutes and Academic Organisations with 13 cybersecurity disciplines. The project is funded by the European Union’s Horizon 2020 Research and Innovation Programme.
The press release about the kick-off of the project can be read here: www.echonetwork.eu/downloads/press-releases/press-release-kick-off/
For more information about the project please visit:
- ECHO website: www.echonetwork.eu
- Twitter: @ECHOcybersec
- Linkedin: www.linkedin.com/in/echo-cybersecurity-556a6717b/
Alejandro Guerra Manzanares awarded at the Estonian Research Council student thesis competition
Alejandro Guerra Manzanares awarded at the Estonian Research Council student thesis competition in the category of science and engineering.
Our centre's PhD Student & Early Stage Researcher Alejandro Guerra Manzanares was awarded third prize for his master's thesis: “Application of full machine learning workflow for malware detection in Android on the basis of system calls and permissions” (supervised by Dr Hayretdin Bahsi and Dr Sven Nõmm).
Congratulations to Alejandro and to both of his supervisors!
Student Brief 2019
We’re offering a unique opportunity to meet the team of TalTech Centre for Digital Forensics and Cyber Security, learn more about the research interests of our academic staff, discuss internship options and introduce potential thesis supervisors and topics, as well as get detailed insight into the new Cyber Security Research Excellence Course.
Cyber Security MSc students are invited to join Cyber Security Student Briefing on 5th of November 2018 at 15:00 – 17:00. The briefing will take place in auditorium U01-202 in TalTech main building, Ehitajate tee 5 (located near the assembly hall).
- 14:45 Gathering
- 15:00 Welcome and introduction of the Centre by Prof. Rain Ottis
- Opening words for the Cyber Security Research Excellence Course by Prof. Olaf Maennel and Prof. Matthew Sorell
- 15:15 Introduction of members of the Centre. Presenting research interests of supervisors and thesis topics. Q&A.
- 16:30 Official launch and detailed insight into Cyber Security Research Excellence Course. Introduction of the objective, topics, and timeline. Q&A. Prof. Olaf Maennel and Prof. Matthew Sorell
People who might be interested in applying for the Cyber Security MSc program in the future are also welcome to join.
If you have any questions regarding the event, please contact kristi dot ainen at taltech dot ee.
Join us on the 5-year anniversary of ICR! Since 2015, the Tallinn University of Technology Centre for Digital Forensics and Cyber Security has been co-hosting the annual Interdisciplinary Cyber Research (ICR) workshop taking place at the Tallinn University of Technology.
The event brings together hundreds of participants from various academic backgrounds to share their research related to information and communication technologies. The ICR format is particularly appealing since the workshop promotes interdisciplinarity and therefore strives for synergy between technical and other (such as law, political sciences, psychology, etc.) research domains. Presentations for the event are carefully chosen via a double-blind peer review process and the extended abstracts are published in ICR proceedings.
You can participate as a speaker (submitting an abstract and delivering a presentation) or simply join our wonderful audience. Speakers are requested to submit a 1000-word abstract. Abstracts should explain the relevance of the research, outline principal research questions, and expected or achieved results together with your research methods. In addition to young researchers and scholars, we welcome student submissions based on Master or PhD thesis research (and bachelor level students are very welcome to join in as audience). All authors will get feedback from our distinguished peer reviewers and selected authors are invited to present their ideas at the workshop. All selected abstracts will be published as workshop proceedings by Tallinn University of Technology (with an ISBN number). Selected authors are also invited to submit their research as an academic article for established academic journals, subject to an additional review process.
- ICR2019 on the 29 June 2019
- Call for abstracts deadline: 15 April 2019
- Notification of authors: 6 May 2018
- Registration open until: 25 June 2019
From Battlewatch to civvy street: keeping your people safe from attack
There’s no such thing as cyber security, just security – and it’s everybody’s problem, says Kieren Niĉolas Lovell, keynote speaker at the Jisc Security Conference. After a career spent battling pirates of the watery kind, he sets out what university IT teams can learn from the navy’s approach to security.
What do extinguishing a fire on a naval warship and tackling a security breach at a university have in common? Quite a lot, actually, according to Kieren Niĉolas Lovell. He should know. While Lovell is currently incident management specialist at Tallinn Technical University in Estonia and spent three years as head of computer emergency response (CERT) at the University of Cambridge, in a previous life he was a Nato Battlewatch captain, charged with leading five warships against the pirate threat in Somalian waters.
“If we were ever practising a fire aboard a ship, if somebody were to turn up with a fire extinguisher within two minutes of that fire starting, the fire was dead. Ship saved, no harm done. If they take more than two minutes then that small fire becomes a complete inferno. Time is of the essence. Dealing with a fire quickly and firmly is how you get it under control,” says Lovell. In contrast, universities tend to take the opposite approach to cyber attacks, with security teams practising scenarios in which a small incident happens and slowly gets bigger for three or four hours, when there is a big crescendo and the exercise stops.
“That sounds logical unless you’ve ever done an incident,” says Lovell. “It’s actually the other way round. It starts off as a little incident but quickly gets massively huge and chaotic before becoming smaller and more manageable as you deal with it. If you practise it the first way, with the gradual incline, you don’t manage the chaos – you’re slowly getting yourselves organised just as the incident is ramping up rather than quickly taking control and reducing it.”
At Cambridge, Lovell introduced the idea that – contrary to the university norm that experts are called in one by one as needed – the military approach is taken and everybody is called in at once and then sent away again if not needed. It reduces process and bureaucracy and ensures that the emergency team are all in place at the most critical time.
The progress of incidents is not the only similarity between the military and academia. Both sectors are drowning in too much information and that, says Lovell, means that crucial command, control and communication – those fundamental leadership and communication skills – are getting worse.
“Every university, every college, every department, every research group, all the staff, researchers and students are generating so much information – on Facebook, on Twitter, on every other network – all day every day and the divide between personal and work life is non-existent,” argues Lovell. “It provides an excellent baseline for launching personally targeted attacks, for emotional attacks.”
He gives the example of the “sexploitation emails” many universities have experienced. The emails, sent to staff and students, were along the lines of “you were on YouPorn last night at 9pm, I hacked into your webcam and I recorded it. If you don’t pay me one bitcoin I will publish the photos online”. The emails were completely fake and they didn’t have much of an impact. But then the attackers changed one thing. Using databases that had been leaked online in various breaches, such as LinkedIn and MySpace, they sent the same emails but included the user’s leaked usernames and password in each case. The attackers’ revenues went through the roof, according to the evidence of the Bitcoin stack.
“We’re seeing more and more of these social engineering attacks, which do not require any actual hacking because it’s now a lot harder to do a technical attack,” says Lovell. “Organisations have detection systems and firewalls. But when it comes to the individual we really don’t help them at all. We may have firewalls on our university network but 90% of people are using laptops, tablets, phones – they are not always at the office. People are always working from home, airports, everywhere and none of these tools really help unless you’re helping to protect the individual. That’s what we need to change our mindset to – help the individual to protect their own data so that, collectively, our organisation is better protected.”
End-user education is, of course, the first line of defence – if it is done in the right way. Lovell suggests emphasising that it is a human problem, not a technical problem, and encouraging users to understand and research what information they have put online that is still out there – all those abandoned accounts, from MySpace to Friends Reunited, that may well contain embarrassing conversations and photos. At Tallinn, Lovell also shows teams of researchers how easy it is to use the same intelligence gathering techniques against naval warships. While the actual cyber security on a ship is quite high, the exercise shows how you can get full compromise on an entire warship and track ship movements just by using Twitter, Facebook and Snapchat.
“When I went on a nine-month deployment in the navy it was much easier because you didn’t have so much connection on a phone – I had a phone to make phone calls, that was it really. But now your entire life is on there and you communicate entirely through Facebook, and Whatsapp. It’s against policy but it happens – you can’t expect sailors not to have that connection any more. But in doing that, because they are not entirely sure how this data can be used against them or against an armed force, they don’t know that they are sometimes unwittingly putting themselves and their fellow sailors at risk. It’s exactly the same issue we have in universities and organisations and blue chip companies,” warns Lovell.
His second solution to the human problem draws, again, on his naval experience: to get universities to share when things go wrong and not to be embarrassed by it.
“There’s a sentence within the IT security industry that is stolen from the military: the ‘need to know principle’. Unfortunately, that’s not the military principle at all – it’s half the sentence. The full military one is ‘need to know, responsibility to share’. That completely changes the whole dynamic. Yes, people should know and secure data and look after it but if anything goes wrong you have a responsibility to share with your industry partners, your friends, your colleagues, even your competitors, that this is going on,” says Lovell, offering a good example of what happens when such information is not shared.
“Around three years ago at the University of Cambridge we had a payday fraud. About six or seven months later I was at a conference in London and I was talking about this fraud. I could see faces dropping as other universities said, ‘we’ve had that’. Analysing the data it was as clear as day that it was the exact same people and the exact same approach but because we hadn’t told anybody about it, and they hadn’t told us, the attackers were just burning through from one university to the next and the next, stealing thousands of pounds.”
Lovell commends the work that Jisc has been doing with the community in this area and believes that, as a fear of loss of reputation is a key factor in the secrecy, “the only way I see us fixing it is having a safe space established within the Jisc community – and even within the international community as well in the university sector – to share information to better protect and better share from our collective experiences. It could be as simple as a Jisc web page where you report an incident that’s ongoing but you don’t actually say who you are. To be honest, I don’t really care who you are, I care who the attacker is and how they are doing it. That might be a way of getting over the political barrier and that mindset of ‘we can’t tell everybody that we’ve made a mistake’.”
This same fear of discovery is also frequently the attacker’s friend in social engineering scams such as the sexploitation emails or dating fraud. Even when victims do get up the courage to inform authorities what has been happening, the crime is often not taken seriously because it is ‘cyber’ crime, which Lovell finds aggravating. For him, there is no such thing as cyber security, only security.
“We like to add the word ‘cyber’ to everything and it’s annoying – it’s just stupidity. For example, if you were mugged while walking on a London street and somebody steals £100 out of your wallet at knifepoint you would go to the police station, report the crime and it would be treated seriously. If I steal £1000 out of your bank account you’ll report it to Action Fraud and you’ll get an email in two days’ time. The effect is just the same, you still go through the same emotional issues, the breach of trust, the loss of money but we’ve added the word ‘cyber’ to it and taken it less seriously. But it’s not cyber money, it’s money. It’s not cyber crime, it’s crime.
“We try to hide behind it being an IT problem, but it’s everybody’s problem.”