Our traditional image of a superhero isn’t a duck-wielding computer science professor in glasses and a button-down shirt. But, as it turns out, that kind of hero might be exactly what we need — and not just as a clever alter ego.
Not everyone thinks of cybersecurity professionals as superheroes, but what drew PLNU’s Benjamin Mood, Ph.D., to the field of computer science was the opportunity to protect the vulnerable — that, and because “it’s so fun.”
As for wielding a duck, well, Mood likes ducks (his office is filled with rubber ducks in various costumes). He uses them as examples in many of his favorite assignments for his computer science students, especially in his programming classes. Many of his lessons begin, “Now, for example, let’s think of a duck.” Students then learn new programs or techniques by creating or manipulating ducks.
In one such class, Mood asked his class to use ducks to demonstrate how “threads” work — these are small segments of programming code.
“Pretend you have one duck trying to make 100 cookies and trying to make mac and cheese at the same time,” he told students. “Except the duck can only do one thing at one time, and so it takes a long time. Now two ducks would allow you to have one duck do each of the tasks and improve performance. Switch threads in for ducks and cookies and mac and cheese with computer programs and tada.”
It may be quirky, but the duck approach makes what some people see as a complicated and intimidating field more accessible. This is crucial; with more and more of our lives and data existing in cyberspace, we need a new generation of computer experts and cybersecurity professionals to help protect us.
By re-envisioning the field as a place to shield the public against insidious enemies, it becomes clear how important it is to have knowledgeable, ethical people in our cyber-corner. When we think of cybersecurity professionals as protective superheroes instead of simply people with innate technical ability and big paychecks, we understand how Christians can impact people’s lives for good through computer science. When our cyber-heroes come from a place like PLNU, where students are urged to view the ethical, personal, and spiritual responsibility inherent in their work, all the better.
NOT SO NICHE
Cybersecurity used to be seen as a rather niche field, occupied by people like Mood, who has a computer science bachelor’s degree from PLNU, a master’s from the University of Oregon, and a doctorate from the University of Florida. But in a world where so many aspects of our lives are managed online and so much of our personal information is potentially vulnerable, cybersecurity needs to be considered by more people in more roles than ever before. While governments and organizations have a strong responsibility to protect the public, modern work culture means that more and more personal information resides in the hands of individuals who don’t have technical degrees or training.
Mike Leih, Ph.D., is an associate professor in PLNU’s Department of Mathematical, Information & Computer Sciences and director of PLNU’s computer information technology (CIT) B.A. degree completion program. Like Mood, Leih believes the work of cybersecurity is imbued with responsibility. He also recognizes that the responsibility for cybersecurity is not limited to those with technical degrees.
“With the PLNU community in general, we can look at so many of our alums being involved in business and being held accountable to the amount of data that employers keep on employees and customers,” he pointed out. “We need to ask: How do we become good stewards of that information? Particularly in the health care, finance, and marketing industries, what does that mean? There is an important ethical perspective that says, ‘I have been made steward of somebody else’s life, and how do I treat that appropriately?’”
Many people who maintain records of other people’s data electronically are unlikely to have formal training in cybersecurity. For example, teachers use online gradebooks. Service workers, cashiers, and restaurant servers rely on tablets to process payments and store information. Marketers maintain records of people’s buying habits and brand preferences. Schools keep records and information about their students and their families digitally. And the list goes on.
“Places like churches keep information on people,” pointed out Leih.
While churches, restaurants, and teachers may not each have enough information needed to steal someone’s identity, cybercriminals looking to impersonate an individual in order to gain access to their accounts might piece together disparate information they find in different locations — address, account number, security question answers. This approach is called “pretexting.” The idea is that, using gathered information, the cyber criminal invents a pretext for obtaining more information on the victim — the criminal might impersonate a legitimate business or organization, for instance — and uses the information previously gathered to appear genuine.
“For example, a hacker might call a company’s tech support to get someone’s user credentials using information they have gathered on that person,” Mood pointed out.
People with cybersecurity knowledge could make a big impact by volunteering to help their churches or schools if they don’t have an expert on staff. Within organizations, people who understand security can help protect everyone whose information the organization stores.
THE THREAT AND THE CHALLENGE
Cyber-heroes have a difficult job because their enemies are unseen and wily — sometimes they are just looking for money, but there are more sinister aims as well. Among the most serious threats are cyberterrorism and cyber-espionage. The sorts of threats against information and systems are many and include malware, phishing (which usually involves sending an email that looks reputable in order to trick recipients into revealing personal information, such as passwords and credit card numbers), and application attacks. Criminals use these and other methods in increasingly sophisticated and hard to track ways.
Although hackers and other cybercriminals do have increasingly advanced methods of penetrating systems, a large percentage of cybercrimes only take place when a person makes a mistake. The superheroes’ cyber-enemies love to prey on the weak, the uninformed, the overwhelmed, and the distracted. For example, Equifax’s CEO blamed human error for the company’s massive 2017 breach, which was estimated to have affected some 147 million consumers.
Equifax was just one high-profile example in a recent slew of corporate cybersecurity failures. The Los Angeles Times reported that “There have been nearly 8,000 known data breaches since 2005 involving more than 10 billion records, according to San Diego’s Privacy Rights Clearinghouse.”
While many consumers expressed fear, worry, and anger after the Equifax breach, many were equally confounded as to what, if any, actions they should take in response. Studies have shown that many consumers know little about cybersecurity and thus neglect to protect themselves and their information.
According to a 2017 Pew Research Center report entitled “What the Public Knows About Cybersecurity,” only one percent of Americans who took Pew’s 13-question quiz about security received a perfect score. The median respondent answered just five of the 13 questions correctly.
PREPARING SUPERHEROES FOR THE FIGHT
Whether because they assume cybersecurity is too complicated to be understood or the crimes too serious to be thwarted by individuals, many people assume they should leave concerns about cybercrime to others. Increasingly, however, this option isn’t effective. And the alternative, becoming educated about cybersecurity, can have benefits for individuals and their workplaces.
For those who want to specialize in cybersecurity, a large gap in the job market is predicted, meaning there will be fewer people qualified to fill thousands of high-paying positions than will be needed. This leaves great opportunities available for new graduates or those looking to make a meaningful, important, and lucrative career change.
A large gap in the job market is predicted, meaning there will be fewer people qualified to fill thousands of high-paying positions than will be needed.
Leih believes students who want to pursue cybersecurity would do well to learn more than just the technical side. Though PLNU’s CIT program does include a course on cybersecurity, it also gives students a wide base of knowledge.
“In our CIT program, I believe it is important for students to have a broader education,” Leih said. “We have business and ethics; we teach programming, database, and project management. We want students to have the capability of learning and understanding the context in which the technology exists. There are a lot of super technology programs that teach great skills but do not give students the context to understand the impact the technology could have. But students need to understand the responsibility involved.”
Learn More: Completing your Bachelor of Arts in Computer Information Technology will give you the practical skills needed to provide businesses and individuals with IT solutions — making a more connected world possible.
RALLYING THE MASSES
Beyond the individuals who decide to pursue computer science or cybersecurity as a career, organizations have their own responsibility in protecting the public. Leih emphasizes that a first step is for businesses to view their technical departments as partners; in the partnership, all employees and leaders are responsible for maintaining information security — not just the IT staff. This is especially important because, as noted earlier, many security breaches can be traced back to human vulnerability.
“You always have the human factor,” Mood said. “Social engineering attacks [tricking users into revealing security related or private information] are often what start cybersecurity breaches.”
Mood agrees with Leih that it is important to create a company-wide culture that values security.
“Large organizations should be following best practices,” Mood said. “To be secure, you have to be secure everywhere. The bad guys only have to get it right one time.”
Leih, who spent 20 years in industry, points out that there are incentives for businesses beyond the heroic nature of protecting people’s information.
“There is an impact on PR and liability as well as the bottom line,” he said. “Equifax affected potentially 147 million people. They are offering free credit reporting for a year — at 30 bucks a pop that adds up. When the Cambridge Analytics and Facebook story unfolded, the media was up in arms, suggesting Facebook users were being manipulated. At the time, Facebook’s stock was highly affected by a 16 percent fall in value.”
For smaller organizations without a tech department, Mood’s best advice is to use a well-known service, which requires research but ensures greater security. He pointed out that many smaller organizations, including churches, have websites that are not secure. This is another place where cyber-heroes can have an impact either as employees, contractors, or volunteers.
Cybercrime isn’t a risk that can be eliminated. Cybercriminals are constantly on the lookout for new vulnerabilities and human mistakes and oversights.
For individuals, Mood suggests striving for security online by following common good advice, such as not visiting unfamiliar websites or opening attachments from unknown senders; creating strong and unique passwords; and keeping computers up to date. He says people who are a bit more tech savvy can consider using “virtual machines,” which are mini-operating systems that are “sandboxed” off from the main computer, to visit new sites.
Meanwhile, Mood continues his own security-related research. He and some colleagues recently published their work on efficiently using data while it is encrypted. For instance, a person could take two lists of encrypted phone contacts and compare them to find out what contacts are in common while maintaining the confidentiality of the contacts that are not shared. Unfortunately, it is millions of times slower than comparing the data in “plain text,” which isn’t encrypted. This past summer, he and PLNU students conducted another project that involved testing the algorithm of a popular website (details cannot be disclosed at this time without potentially compromising the project).
GETTING ALL THE DUCKS IN A ROW
Cybercrime isn’t a risk that can be eliminated. Even if we were able to get all our virtual, ahem, ducks in a row, cybercriminals are constantly on the lookout for new vulnerabilities and human mistakes and oversights. But with the help of valiant cybersecurity experts and a commitment to do what we can, as individuals and organizations, we can minimize our risk. That’s why Leih, Mood, and their rubber duck army are committed to what they do.