Take Note: Peter Forster On Cybersecurity And Practicing "Cyber Hygiene"

Dec 27, 2019

Peter Forster talks with WPSU about why cybersecurity shouldn't be an afterthought in today's world.
Credit Min Xian / WPSU

Peter Forster is an associate professor who teaches security and risk analysis at Penn State’s College of Information Sciences and Technology. His research focuses on cybersecurity, counter-terrorism and social networks. Forster has worked on improving law enforcement’s situational awareness of issues such as drug and human trafficking. He also oversees a research project on better understanding of how extremist organizations recruit Americans in cyberspace.

He talks with WPSU about why cybersecurity shouldn’t be an afterthought in today’s world and how the cyber world and the physical world are inseparable. Plus, how to practice “cyber hygiene.”

Transcript:

Min Xian: Welcome to Take Note on WPSU. I’m Min Xian.

Peter Forster is an associate teaching professor who teaches security and risk analysis at Penn State's College of Information Sciences and Technology. His research focuses on cybersecurity, counterterrorism and social networks. Forster has worked on improving law enforcement’s situational awareness of issues such as drug and human trafficking. He also oversees a research project on better understanding how extremist organizations recruit Americans in cyberspace. Peter Forster, welcome to take note.

Peter Forster: Thank you very much. It's nice to be here.

Xian: Cybersecurity feels like one of those things where everybody's heard of it and has an idea of what it is about mostly, but hard to define because it covers such a wide range of issues. How do you define Cybersecurity?

Forster: Well, I would define cybersecurity in kind of a couple different domains. First of all, you have the very - more technical side of the cybersecurity - kind of what's going on in the computer? Who's trying to get in? Who are you trying to keep out? What information do you want to keep confidential? How do you protect the integrity of your data? And at the same time, how do you ensure that there's availability or accessibility to that data? Right? So that's kind of the inside the machine, understanding both what is the data and and what might be the vulnerabilities within the computer system or the computer itself. And then what are the threats on the outside? So that's one part of cybersecurity. But I think there's another part that is worth discussing, particularly in today's environment, and as we look ahead to the 2020 election, and that is how do we, in essence, protect ourselves against the information - or how do we understand the quantities of information - that we see in cyberspace? That if it makes sense to you, I can go out and I can find just about anything, right? Out in the cyber world. But how do I know it's true? And how do I know what's false? But also how do I understand how others might be using cyberspace and the accessibility to people that it affords, to change perceptions and to change ideas in order to plan and execute nefarious kinds of initiatives? And it's really in this area where I do a lot of my research.

Xian: Outside of the machine.

Forster: Right, right. That would be yes, it's outside of the machine. So the inside and the outside of the machine.

Xian: In recent years, especially after stories like Cambridge Analytica and how it exploits user data from Facebook were exposed, the discussion about privacy, security and accessibility has really grown. So what do you think is at the core of this conflict? And where do you see the conversation moving forward?

Forster: Well, I think it's a very good question, because part of the part of the issue I think we see in in this environment, particularly of is what is the expectation of privacy, and what is the reality of privacy that people see. That would be part one step. The second thing I would like to address a little bit is how do we, how do we create security or how do we make ourselves more secure in this environment? So let's talk first about the privacy side of things a little bit.

Xian: Sure.

Forster: So I think... I'm a little older than you and I think one of the things that we look at here is, I have a different perception perhaps of privacy, just because of the way I was brought up. The cultural upbringing, the way we interacted with technology, right? So if I would get on a phone call, once we got on a phone call, you had a certain expectation that there was privacy on that call. Today, those expectations may still exist, but are much less prevalent that so much of what goes on in cyberspace is really open to people, as the Cambridge Analytica thing showed us. All the time - you go to a website, you searching for an airline ticket, right? And during all of that time, people are collecting data on you and going back again to the case of Cambridge Analytica, they bought that data and then resold that data to others, and so, much of what is known about us today is significantly more, if that makes sense.

So the privacy expectation that we have, I think people need to be aware or more sensitive to what does it really mean to be private? A lot of what we talk about when we talk about cyber security is really raising awareness. Both of the privacy side, as I said, what is it that you're giving up? How often do you change your password? Now, you know, as I do, we work for the university. So they continually ask us to change passwords on a periodic basis. That's good cybersecurity. Do we use different passwords for different sites? So that's good cybersecurity. And that all speaks about cyber security kind of at the individual level, what are you and I doing to protect ourselves? At the corporate or enterprise level, there are other things that an organization may do. They should be monitoring their systems, they should have a good idea of what their daily workflow looks like and what the spikes and drop-offs may look like.

So, if we think about privacy, privacy is really about awareness and understanding and be careful what you're prepared to share in an online - in a cyber environment, right? So that's the privacy and then the security is do you practice what they referred to - at the Department of Homeland Security - is good cyber hygiene. Do you take account of the best ways to protect yourself in the cyber realm?

Xian: With this question about expectation on privacy with smartphones and mobile apps, people can do so many things on their devices. We are all pretty sold on the convenience that comes along with it and security just seems to be an afterthought. So if someone realizes today, “Oh, I need to practice cyber hygiene,” which feels like something that you know, you don't think about when you're signing up for those things. What do they need to do to catch up?

Forster: Well, as I said, I think look at how you're going to protect your data. Look at your passwords, a great thing to look at is, does your phone have dual authentication? So not only do you have to enter a six digit password, but you may have to use a thumbprint to get into your system. Again, we're using the Penn State example that both of us are familiar with. We have dual authentication on our system. So you sign in with a password. And that generates a request that we - through which we need to respond for additional data that let you in. So dual authentication, if you can put that on your on your device, that would be good.

You're absolutely right, that so often security is kind of a second thought. And so this is where it really becomes important. Think about the apps that you're using. Try to do a little bit of research around what's been created. Try to look at what security exist. Ask the provider what security exists on your app. So I think, again, awareness is really important. Where did the app come from? What is the app doing? What kind of information are you using in the app? My personal preference is, if I'm going to use an app for my banking, I want to make sure that, yes, it has dual authentication. I want to understand what's behind it. So I know how I'm interacting with my bank so that I know that that connection is secure.

Xian: And I understand that raising awareness among users could be very important, but to advocate on behalf of day to day users who rely on these online services, it could feel like we lost control once we're sharing the data, which is something that you probably don't even necessarily think about when you share things or use the services. And we can try to be vigilant, but it could get really frustrating because there's really no bar of signing up or starting to use a service. But then there's a bar to understand and keep up with all these cybersecurity kind of responsibility really.

Forster: Well, you're absolutely right. And we're going through a process now and we understand that cybersecurity law is evolving, really, as we speak. I often say to someone who says, “I'm interested in law and I’m interested in cyber.” Great, you're going to have a long career. And because the evolution of cyber law, which is ultimately your protection, right? How do I get compensated, if somebody misuses my data, or something like that is still evolving, we're not really familiar with it for exactly - or as familiar as we should be, is a better way to put it. Because for the exact reason that you said, that is because we've all been thrusted into this world. And it's convenient, and this is great, but you don't think of those ramifications.

So we do need to continue to have the development of cyber law and there are people in our law school here at Penn State that are very - far better than I am at understanding where this is going. But you do need to - you need to be aware of what it is and what are your rights, really, as a user. And what rights do you sign away?

Xian: I think going back to this expectation of privacy and security issue, what can we expect when it comes to accountability of people who handle our data? Because I'm thinking, one example: last year, there was a hack against the Marriott group, some millions of customer information was leaked. And it took the company more than two months to come out to the public and say, we realized this hack happened. And during that time, customer information, the users information were exposed and they could be used for God knows what. So what can we expect in that kind of situation? Who is going to take care of my data?

Forster: Well, that's a very good example. Now in the case of Marriott, what happened was they provided monitoring services. They went out to see, is your information on the web or on the dark web, even? And so they provide - and I think that's a reasonable expectation of you and me as an end user that if you've allowed my data to be compromised, you better then secure my personal information. So, monitoring, so you can know.

Some of the other things they changed. I believe they changed their interface, so that it was a more secure interface, so this wouldn't happen again. And ultimately, they may be financially liable for things. Providing you with periodic credit reports - another thing that actually came out of the Marriott, where they actually give you a credit report about once every three months that looks to see if there have been unauthorized access to your credit. And I think those are the kinds of things a company can do after the horse has left the barn, so to speak.

We talk a lot about the Target case and Target had to do similar things to that, when their system was breached. But what the Target situation ended up with was, they didn't handle it very well, because they delayed in coming out and saying what had happened. By the time they came out and said what it happened, people were - not just people but states were actually filing lawsuits against them. The CEO lost their job, I don't remember exactly, but they lost money, they lost retail income. They faced financial, significant financial lawsuits. So why I say this was a watershed in many respects, I think it's suddenly said to corporations, “Oh, this is our responsibility. And we need to be better at protecting our customers.”

And so I think we've seen a shift now, where security is becoming a bigger concern - doesn't mean things don't happen because as you said, Marriott happened just certainly since the Target event. But again, we're seeing steps that now Marriott needs to take to, in essence, compensate their customers. The ultimate goal would be, let's work on our systems, test our systems, use good practices and system development where we test systems where we do things such as maybe you have red teams that actually try to hack into your system to show you where your weaknesses are, and have the organizations need to begin to take responsibility.

Xian: So they need to believe that something that's going to happen, and that is, I am guessing, the first step of awareness.

Forster: Right, I would say absolutely right. I don't think we could any longer sit back. I think it sounds maybe a little paranoid. But I think you're foolhardy if you sit back and say, “Oh, this won't happen to me.” I think you need to be more aware of that. That's kind of the first step is that the likelihood is growing on a consistent basis just because of the way we've integrated technology into our life.

Xian: This is Take Note on WPSU. If you’re just joining us, we’re talking with Peter Forster, an associate teaching professor who teaches security and risk analysis at Penn State's College of Information Sciences and Technology. His research focuses on cybersecurity, counterterrorism and social networks.

And I think we have been talking more or less on this individual or corporation level of things.

Forster: The enterprise side. Yes.

Xian: Right. And I understand that you also study cyber terrorism, which by definition is an attack or disruption of computer systems that often happen to government agencies or institutes or databases out there. First of all, how widespread is cyber terrorism? And how much do you think the public is aware of it happening?

Forster: I want to define the definition of cyber terrorism maybe a little bit more, because we tend to think - when we talk about terrorism, we talk about actions taken by a non-state actor that are violent or threatening violence. I'm not talking in cyberspace, I'm talking generally, right? Violent or threatened violence in order to create fear in this society for some political, economic, social gain, right. So if we think about that now we transfer that into the cyber world. Certainly there are groups that have tried and will continue to try to intimidate and or gain information that are non-state actors. We’ve seen examples of Al Qaeda trying to hack into systems. We know of situations where ISIS has actually hacked into a US government system, wanted to get personal identifiable information, found that information and put that information out in the public sphere. Now, thank God all of that information was not - they didn't get into quite the right systems, much of it was dated information. But still, I think, obviously, their intent was there, and their intent will continue. Their capability at that point was lacking. Regretfully, their capability is improving. So we need to be aware that extremist organizations will be trying to exploit the vulnerabilities and systems for the things that they want.

So that's one side of the cyber terrorism. The other side that I think is - that is very concerning about, about how extremist terrorist groups use the internet is their ability to use the internet to promote their violent ideologies, to make sure their message is heard. There is the use of the Internet to recruit individuals. There is the use of the Internet to solicit funds and to fundraise either through - there are literally websites that you can go to that you may make a contribution to extremist organizations. Terrorist organizations are increasingly using the internet to plan operations, to share data. So there's this whole other side of the internet that extremist groups, the terrorist groups use. We saw it in the horror in New Zealand, right? Where the perpetrator actually live streamed his attack, things like that.

And I think it's very important that we begin to understand that's another side of what we might call cyber terrorism. We might define it slightly differently. It's not terrorism as we know the definition perhaps, but it is a cyber crusade being launched by terrorist organization - cyber Crusade, a cyber Jihad, a cyber neo-nazi movement being launched. And those are some of the things that we also need to be aware of and think about how we're going to combat those.

Xian: I know that's related to one of your latest research, and I want to ask more about that later. But right now, it sounds like cyber terrorism feels like this new front of more sophisticated old-school espionage or intelligence gathering, but also, it's really emphasizing, enhancing this very fractioned world.

Forster: I would agree that - It's not just cyber terrorism that's doing that, again, differentiating between the non-state and the state actor. Because we have, we have state actors that are also trying to promote those schisms. That was the issue in the 2016 election. What the Russians did was they wanted to go and grab data on people, then they understood where these people sat on the political spectrum. And then they went back to the echo chamber, in essence, and fed them a series of information, right, continue to feed them information - may have been absolutely false. So that was - that's a very sophisticated manipulation of cyberspace, if you will, of social media. But you also have this with the terrorist groups and terrorists and individual terrorist and they're getting better. They, you know, some of it is simply the bang or the thrill that the individual gets, like the person in New Zealand, the excitement of actually being able to do this, or the exploitation that ISIS has been able - was able to do in cyberspace, where they would actually show brutal killings of people - create fear, right, back to the definition of terrorism and attempt to intimidate people.

So all of these different sides. And it's a very complex in - what we really found in cyberspace is that these threats have really proliferated, and perhaps the vulnerabilities also. The old adage of, well, I found that on the internet, it must be true. We joke about that now. But how much do we really question? How much do we really step back and say, is that really true? We hear one thing, how much do we look to see is that really a true of fact? So part of this is being an intelligent consumer of information, as well as, as well as protecting your information. Be intelligent about how you're going to consume information.

Xian: You touched on this a little bit, but your latest research is about looking at Twitter accounts to identify patterns of radicalization or indicators or warnings of when people might become violent. Can you briefly talk about that and talk about what the team is hoping to achieve?

Forster: Sure. This is - I'm working with Dr. Squicciarini in the College of Information Sciences and Technology here at Penn State and also with some individuals at Texas A&M. Texas A&M has a large dataset - over billions, as I understand it, of Twitter accounts that they have been collecting from ISIS. These go, I think, from about 2015 to about 2018 - is the database. This is a very large database that we're looking at. It is being translated because many of these, as you would think, would be in or I assume would be in Arabic. And so what we hope to do is do what IST does as a college, and that is: bring together the technical side and the social science side to look at this. So why I was asked to be on it was more about because of what I knew about ISIS and what I knew about how terrorist organizations operate, but working then with Dr. Squicciarini, with Anna, she brings the technical skill because I can't sit down and read all of these tweets, so we have to begin to apply technology is to how do we understand? Where can we see indicators of radicalization? Where can we identify who are important people within the network? How can we identify the network all together? And it becomes very interesting.

One of the things I'm now looking forward to looking at is leadership, as we begin to talk about leadership within terrorist organizations. How much role does a - how much influence does a leader really have in what goes on on a day to day event? So there are a lot of things that can come out of this, but I think what we're really trying to identify is can we identify what led to radicalization? What led to propagandizing? Or exploiting events? What led to planning events? And what can we better understand about everything that goes on within a terrorist organization such as Daesh - ISIS. So that's going to be the exciting thing to see what went on in the cyber world? And how does that map against what's gone on in the real world because the belief is, and I've done a little bit of research on this, in other in much smaller, more contained events. But the connection is that there really is cyber world and the real world are connected, and we can't divorce those and look at them outside of the context and and that's what we're going to be looking at, we're going to be looking at how does ISIS spread its ideology? How does it tell its narrative of what it does? How did it deal with governing? What decisions were being - what decision making processes were there? So those are the kinds of things I think we hope to get out of this.

Xian: I'm thinking of all these topics about cybersecurity and cyber space that we're talking about. I think it really comes back to this idea, whereas people tend to believe that cyberspace is completely a different, virtual space. But I think more and more we're understanding and seeing that, even though you we can't really see it or it's hard to visualize, they are very, very much a part of our real world.

Forster: Absolutely. I think maybe with all of that, this is perhaps the most important thing and maybe to kind of give you a sense of that. Maybe in State College, it's true that you might leave your house unlocked. But certainly if you lived in New York City, you wouldn't leave your house unlocked. Right? Same is true: don't leave your devices unlocked. Right? So that somebody can get into them.

We can't talk about two separate worlds. These are definitely interlocking worlds, the cyber world and the real world, just because of the ubiquity of information, the way we use information today, the way we use devices to access our information, they're all - they're all connected and they - we've seen it in - we've talked about a number of different cases today. We've talked about the enterprise system where we talked about Marriott. We've talked about the national security side of things, where we've seen election interference and things like that. We've talked about the extremist side, where we've talked about the horror of having - of trying to create fear in society or trying to have sick individuals gain renowned for the horror events that they do. And so yeah, these are - they're not separate, we have to look at them together.

Xian: Peter Forster, thank you so much for joining us on Take Note.

Forster: Thank you. It was my pleasure.

Xian: Peter Forster is an associate teaching professor who teaches security and risk analysis at Penn State's College of Information Sciences and Technology. His research focuses on cybersecurity, counterterrorism and social networks. Forster has worked on improving law enforcement’s situational awareness of issues such as drug and human trafficking. He also oversees a research project on better understanding how extremist organizations recruit Americans in cyberspace.

You can listen to more Take Note interviews on wpsu.org/takenote. I’m Min Xian, WPSU.