Professor Capkun, you recently said in an interview: "A little paranoia doesn’t hurt when it comes to IT security." How paranoid should we be, ideally?
With regard to IT security, it’s a good idea to stay wary and constantly question the technology. But then the question arises, what do you do about it? You can only have full security by giving up some benefits, so you have to find the right balance between function and security.
But to question things you need to know something about IT systems.
That’s the basis, sure. This also applies to attackers. If you want to steal data, manipulate a car, drone or nuclear power plant, you need to understand exactly how the systems work. The question is, what do attackers want? Do they have a specific goal, or do they just want to create chaos?
So as a security expert, you have to always consider attackers’ interests?
Yes, you need to think ahead. Defenders’ abilities are always limited. Take a mobile phone for example - how do you make it secure? The chips in the device, the operating system, the apps - they’re all manufactured by different companies over which you have no control. It is very difficult to make the device truly secure without changing the operating system or hardware.
Has the way systems are attacked changed in recent years?
A new development is ransomware, which is used to encrypt data and then blackmail the victim. This is a well known attack, but thanks to virtual currencies such as bitcoin, blackmailers are now able to remain unidentified, as the ransom money can be transferred anonymously. Without this, such attempts at blackmail wouldn’t work.
What devices are particularly easy to crack?
There is a broad spectrum of devices that are attacked, since so many are poorly protected. It often depends on the price. If you want to produce a cheap wifi camera, you can’t invest much in security, which creates vulnerabilities.
You carry out research into the protection of medical devices, among other things. How well are our hospitals protected from attacks?
The situation is complex, For example, there are limitations on how you can distribute cryptographic keys for medical implants. That raises the question, who has access to these keys’ The doctor? What happens when they‘re on holiday’ How well protected are the devices that are used to program the pacemakers’ These are questions that we are currently researching.
A few months ago, several hospitals - particularly in England - were attacked by hackers. What was the problem there?
Medical devices in many hospitals are run using outdated operating systems, sometimes even Windows 98, although it hasn’t been supported for years now. If this software is to be upgraded, the devices might stop working due to software/hardware incompatibility. This needs dedicated software development, new certification - which costs both time and money. And simply replacing the devices is often not a solution.
So you have to compromise?
You can see how complex the situation is when you run a risk assessment. For example, how dangerous is it when a CT scan lands in the wrong hands’ This depends, among other things, on how healthcare is regulated. Again, protecting a hospital from hacker attacks might be a technical task, but that’s not all it is.
Another topic that has attracted a lot of attention recently is the question of whether cyberattacks have the ability to undermine our democracy. What is your assessment of the situation?
The problem isn’t just that elections can be manipulated; there is also the risk that people could lose trust in democratic processes. Swiss e-voting system is currently being developed by the Swiss Post. One can demonstrate that this system is cryptographically secure, but what does someone who isn’t familiar with cryptology do with that information? How do you convince people that there isn‘t something fishy going on when they vote’ It’s an exciting topic that I’m thinking about a lot at the moment.
ETH recently hosted the Cyber Risks Summit, which was organised by the Zurich Information Security and Privacy Center (ZISC). What were your conclusions?
I’m happy that the issue is resonating with so many people. The event also showed that not only is research in this area strong at ETH, but also that education in this area has tangible impact - many of our students are founding their own companies. This makes us proud, since it shows that ETH is doing a lot right in this domain.
How will the ZISC develop over the coming years?
We want to expand the Center. We were recently able to gain some new partners, such as Swiss Post, Zurich Cantonal Bank and Zurich Insurance. It’s remarkable that we can also implement exciting projects with companies that are active in more traditional business areas. These companies are also changing rapidly as a result of digitalisation, and encountering new challenges in the field of information security.
So research at the ZISC is becoming more focussed on concrete problems?
Not just that. We’re also conducting fundamental research by working on things out of curiosity, without knowing in advance whether they will work. This aspect is very important to us.
About Srdjan Capkun
Srdjan Capkun is Professor for Information Security and Director of the Zurich Information Security Center (ZISC) at ETH Zurich. His research focusses on the design and analysis of security protocols for radio and fixed networks.
Data in the spotlight
Data is playing an increasingly important role in our society, and is an issue on which ETH Zurich will focus more closely in the coming years. In a series of interviews, ETH News asks researchers at ETH Zurich about the specific topics they are focussed on, and how they see societal development in their field.
Previous interviews in this series:
- ETH President Lino Guzzella: "We have to seize this opportunity" - ETH News 20.06.2017