Accelerating education and research in cybersecurity

The Internet of Things (IoT) has become such an integral part of our world  that it’s easy to focus on the cyberworld’s benefits while neglecting the cyberthreats.

Complacency about cyberattacks is the biggest threat to IT security, says Chamseddine Talhi, professor of cybersecurity at École de technologie supérieure (ÉTS).

“Software applications have become indispensable, and it’s critical for them to be secure, yet 52 per cent of businesses are still not able to detect whether their IoT devices have been breached,” Dr. Talhi says. 

Across the cyber-spectrum, individuals, businesses and organizations are all prone to ransomware, attacks on critical infrastructure, state-sponsored threats and the use of disruptive technology. Keeping up requires research, resources and a pool of skilled and trained cyber-defenders. 

Ransomware, attacks on infrastructure, state-sponsored threats: the federal government’s 2023–2024 National Cyber Threat Assessment confirms that the situation remains concerning,  and constantly evolving.

While some cyber-dangers are common to everyone, many relate to particular industries or organizations, he explains.

“If you’re a company that provides networks, then protecting your networking and system and operating administration will be most important,” he explains. “If you’re a software developer it might be secure coding, and if you’re a financial institution working with blockchain, you look most carefully at maintaining the integrity of the data you gather.”

All of these matter to different degrees, he points out, and they all require skills.

“Finding and training people to have these skills is a big challenge,”  he adds.

New threats occurs as often as the daily news gets published or posted. For example, new, sophisticated state-sponsored cyberattacks have been on the rise since Russia’s invasion of Ukraine in 2022, according to the federal cybersecurity centre. 

Not everyone is aware of how fast these state-sponsored threats are evolving, the centre has warned, urging Canadians to prepare for potentially malicious cyberactivity, including possible disruption of our Canadian network by cyberthreat actors aligned with Russian interests. 

In the near future, artificial intelligence (AI) may also play a role in cyberattacks, Dr. Talhi says.

A huge challenge is recruiting and training people with the skills to prevent, combat and resist all these increasingly sophisticated cyberattacks, he says. 

“Canada is a leader among other nations in this area, but we still have to catch up just to keep up with the threats. Any delay has enormous implications,” he explains.

With cybersecurity in extreme demand, Canadian academic institutions are launching and running new courses to fill the gap. ÉTS is doing its part with programs that include graduate work such as a master’s in information technology and cybersecurity research projects. 

Future engineers can earn a specialization in cybersecurity through a collection of courses ÉTS offers that have been developed, along with teaching laboratories, in collaboration with cybersecurity professionals, says Dr. Talhi.

Research funding is supported by organizations that specialize in cybersecurity such as Mitacs, Alliance and Prompt; many of the cyber-related projects are developed and executed in collaboration with major industries.  

“We have a multidisciplinary team at ÉTS,” says Dr. Talhi. “We’re organized as a cybersecurity laboratory [LCSec] with five professors across three departments.”

The school also deploys resources from global organizations, such as the Open Worldwide Application Security Project (OWASP), a not-for-profit organization that produces free web security research tools and technology.

The need to train and deploy cybersecurity appears to be never-ending, Dr. Talhi adds. He points to a report on the skills gap by cybersecurity firm Fortinet that looked at 29 countries, including Canada, in 2022. The report found that 68 per cent of organizations say they face additional risks because of a shortage of people with cybersecurity skills, and more than 50 per cent are struggling to recruit and retain talent. 

Fortinet’s survey also found that eight out of 10 company boards think their firm should boost their headcounts of IT security employees, and 90 per cent would pay for employees to get cybersecurity education.

Up-to-date research and education are important because it takes such a huge effort to keep up with new threats, Dr. Talhi says. He points to new menaces such as a significant rise in “wiper” technology, which wipes a victim’s hard drives, and Ransomware as a Service (RaaS), in which cybercriminals rent out malware to other criminals.

As learning institutions such as ÉTS work to advance research and fill the skills gap, companies and organizations need to be vigilant, Dr. Talhi says. 

“Internet of Things devices [remote technology that shares data via sensors] should be part of companies’ total infrastructure protection,” he adds. “Make security a priority and keep up with the latest standards.”

This interview is adapted from an article published in The Globe and Mail in May 2023.