Is Cybersecurity Education the Key to Keeping Canadians Safe?

Guest blog by Rudolf Olah, Software Development Expert at NeverFriday.com

CLX Forum
5 min read · May 31, 2019


I work in the software development industry, and I have seen some serious breakdowns in security. I’ve seen software engineers and office staff respond to phishing emails using their corporate email accounts. I’ve seen people narrowly avoid getting tricked into sending funds to companies that don’t exist. And on the technical side, I’ve seen email addresses left accessible through an API, even though the API in question was being actively worked on and had the engineering resources available to provide better security. Although features were delivered, bugs were fixed, and potential security issues were resolved, the email address problem existed for a few months, simply because no one thought to look for it. What causes these failures, and how can we fix the problems?

Current cybersecurity education isn’t enough

At present, cybersecurity gets short shrift in computer science programs. Most include a course on operating systems, and students learn how to build pieces of an OS, how to build memory management systems, kernels and user interfaces, and how to manage permissions. But they never get to simulate an attack or learn how to defend against one. If there is a cybersecurity course offered, there is only one such course and it is optional.

Because it costs a lot — in both money and time — to defend against attacks, cybersecurity should be offered as a specialization within a degree program, or at minimum, as a standalone course. For university computer science programs, a cybersecurity course should be required rather than optional. For existing coding boot camps, such a course would be easily integrated. The course would offer real-world scenarios, perhaps by asking students to look at how to protect the code for an e-commerce site. Students would get a chance to put theoretical knowledge to practical use, performing the actions that are needed right now to keep websites, mobile apps and APIs safe.

In addition to curriculum changes, I’d also like to see improvements in commercial cybersecurity training. Too often it consists of telling people not to open emails with certain links or attachments. But this isn’t enough for software developers, when they are the ones developing the systems that could be attacked. We need more resources devoted to training, not just in education, but in industry as well.

Increase security with open source and peer review

In February 2018, the Canadian government announced the establishment of the Canadian Centre for Cyber Security. A key part of the Cyber Centre’s mandate is to “inform, communicate, and educate Canadians about cyber security issues by providing a clear, trusted, credible voice backed up by unique expertise and insight.”

This is a good start, but is it enough? In recent years the Ontario government, as well as several Ontario towns (including Midland and Wasaga Beach), have been hit by data breaches. I would therefore argue that an open-source peer review program is a critical step in keeping Canadians secure. With open source, people can see changes to the actual code and can see how other software employs cybersecurity defenses. This makes it easier for them to incorporate it into their own systems. Open source means transparency. Open source also means that work isn’t duplicated, which reduces costs. It also makes the best encryption strategies freely available. For instance, everyone relies on OpenSSL, an open source encryption program for enhanced security and encryption on the internet. This has increased security while at the same time greatly reducing the costs of implementing such security.

I’d also like to see changes at an industry level. Companies should be devoting more time and resources to training their employees. Smaller companies in particular could make use of the open source model, pooling their resources to conduct training and simulate attacks and sharing any source code improvements that improve security.

Cybersecurity education benefits everyone

Although mobile operating systems such as Android and web browsers such as Firefox and Chrome are open source, not everyone can run the latest versions. But users should still be protected. Applications must compensate for possible vulnerabilities in the operating system. Data should be encrypted, whether on the device or on servers. Apps should be able to identify key loggers, and prevent screenshots being taken of a password screen. Making these features open source makes them available to every developer, and online security will improve.

Users are responsible for installing an operating system, and installing applications. But should they be responsible for securing everything? Users trust that developers know what they’re doing. And this takes us back to the need for education. If app developers, backend software engineers and devops specialists thought about the security implications, and had the resources to use and improve free or open source libraries, then maybe security weaknesses could be mitigated earlier. Those preventative measures could then be shared more widely, and security overall would be much cheaper. Everyone would benefit by pooling resources to create and improve open source security code.

Cybersecurity for national defense

With the federal election approaching, what guarantees do we have that the election results will be solid? Can we trust that we won’t be affected by influence campaigns on social media? And of course, all of our business technology, our infrastructure, and even our energy grids could be better protected. Should we rely on individual communities to maintain their own cybersecurity defenses? How many of them will upgrade their computer systems every year? But what if there were tools and training available? This is the best way to secure our sovereignty against those interests that seek to attack us. By providing better cybersecurity education, whether through government programs or private educational institutions, we can ensure that Canadians are aware of cybersecurity risks. We can also ensure that software developers and others involved in the software development process can have the knowledge needed to consider security implications throughout the process.

Check out the CLX Forum blog and follow the CLX Forum on LinkedIn and Facebook to keep up-to-date with the latest happenings in the world of cyber security.

Interested in becoming a contributor? If you’ve got a topic which you feel is important to your peers, we want to hear from you! Get involved today by visiting: https://www.clxforum.org/get-involved/


The Cybersecurity Leadership Exchange Forum (CLX Forum) is a thought leadership community created by Symantec.