Dr. Arun Vishwanath, from Buffalo, New York, is a leading expert on the "people problem" of cyber security.
His research focuses on why people fall prey to social engineering attacks and on ways we can harness this understanding to improve organizational and national resilience to cyber-attacks and to secure cyber space. In addition to studying the weakest link in enterprise security, its users, Dr. Vishwanath also studies how various groups (criminal syndicates, terrorist networks, hacktivists) use cyber space to commit crime, spread misinformation, recruit operatives, and radicalize others.
Dr. Vishwanath is an alumnus of the Berkman Klein Center at Harvard University and also serves on a distinguished expert panel for the NSA's Science of Security & Privacy directorate. His research has been widely cited and has been featured on CNN, The Washington Post, Wired, USA Today, Politico, and other national and international news outlets. He is a sought-after speaker and has presented his work in leading national and international forums to the principals of national security and law enforcement agencies around the world.
Many of his original ideas have led to new products, processes, and policies.
For instance, starting in December 2014, in CNN and other outlets, Dr. Vishwanath called for the creation of a 911-type system for reporting cyber breaches. Today, organizations in the US and abroad are working to build such systems.
In February 2015, in another CNN opinion piece, he called for a 5-star rating system for new apps and technologies, similar to the 5-star rating system used to rate the crash protection of new cars. In 2019, Consumer Reports launched a system to do exactly this.
In November 2017, he called for an open source breach reporting portal, where breach information would be stored and disseminated so that people and companies would know what information about them had been compromised. In 2018, Mozilla Corp. introduced Firefox Monitor, which is built to do this.
In January 2018, he wrote about how AI would detrimentally affect the American middle class, displacing truck drivers, retail workers, and even local news reporters, almost two years before presidential candidate Andrew Yang made it his campaign's central issue.
He presently serves as the CTO of Avant Research Group (ARG), a Buffalo, New York-based cyber security research and advisory firm, and also works as a Technologist, writing in the public interest to bring attention to cyber security problems and to provide solutions to them.
Your work at the University of Buffalo brought you international recognition as an expert in cyber security. What are you doing now?
I still live and work in Buffalo, New York, and love the city! I was a tenured professor at the University at Buffalo (also called State University of New York at Buffalo) for close to two decades. I am currently the CTO of Avant Research Group (ARG)—a cyber security research and advisory firm based in Buffalo, New York, consulting for major corporations and governments on issues ranging from cybersecurity to consumer protection. I also currently serve on an expert panel for the NSA’s Science of Security & Privacy directorate.
Why is Buffalo, New York, emerging as a leading start up city?
It's an exciting time to be in Buffalo, New York. We are seeing a resurgence on many levels. Part of it has been because of a demographic shift, where younger people have been steadily moving back into the City. We also now have among the largest populations of New Americans, immigrants and refugees, in the area.
This has led to many small businesses, start-ups, and entrepreneurial endeavors. We have always had the best schools and universities in the region, which have attracted students from the world over. But the students never stayed because there weren't good jobs. Now they can. Because of this, we have hit a tipping point, where people can come here, learn here, stay here, and thrive here. It's what has led to the boom in startups.
What should Buffalo, New York and other cities and municipalities be doing to better protect their digital infrastructure?
The starting point is knowledge. Buffalo, New York, and surrounding municipalities need to understand our exposure to cyber risk. This requires a cyber hygiene assessment of residents as well as within organizations. I have developed a Cyber Hygiene Inventory (CHI) that helps do this. It helps pinpoint the level of cyber awareness, knowledge, how well protected people are, and where the gaps exist. This is the only way we can pinpoint what is needed and then work on providing it.
The other area that needs more support is cyber access. With so much Internet use now occurring from home, the need is for affordable gigabit-speed Internet service. There is limited competition in the City of Buffalo, and in many others, so there hasn't been investment by for-profit cable or telecom providers.
I have written about this on Medium, where I explain how Chattanooga, Tennessee, stepped in and created a municipal ISP. Buffalo, New York, can learn from this. But it should not stop there. Buffalo can provide secure networks, help-desk services, and early warning systems that users can call into to report online scams and attacks. This can equip us with the technology and know-how for becoming cyber resilient.
How has the movement to cloud-based storage and computing services affected cybersecurity?
I talked about this at the Digital Government Institute’s (DGI) conference in 2018.
Cloud computing, at least as it is being implemented presently, increases the surface area of vulnerability. Among the reasons for it: we are sharing more links, which routinizes the sharing of links; the current storage services have very poorly designed interfaces, making them easy to mimic (that is, spoof) and making issues in them hard to detect; and we depend on browsers for access, and browsers are notoriously easy to infect and attack because they are also used for many, arguably most, online activities.
And finally, more files and information are being stored on other people's servers, that is, the external cloud service's or platform's servers, so we have to depend on some unknown entity for our data's protection and integrity. When using the cloud, files can be hacked even if our devices are secure, if your browser is hacked or, worse yet, if the service providing the cloud storage platform is hacked.
What is one of the most interesting experiences you have had working in cyber security?
I have had many. One that stands out is when an organization asked me to assess the quality of their security training. They had done internal penetration testing using simulated phishing attacks, a sort of gold standard for cyber security user training, for some years and achieved almost complete resilience, as in no users, or very few, would fall for the simulations. My job was to assess how even those few fell.
I did it with the caveat that I would design the simulated attack. The organization's IT sent the attack out, and within hours it had netted more "victims," as in people clicking, than all their multi-year simulations combined. I got a call from the company asking me how I had accomplished it.
This has happened in many other instances, and it is always interesting to see how people in IT react to seeing the inefficacy of training they have been told, and are convinced, works. The reason it doesn't work is that it never fully takes users into account: how they think, what they believe, and how they act. So the training does little more than teach them how to spot a simulation, not a real attack.
What is one of the most satisfying experiences you have had as an academic researcher?
It is being proved right over time, not once but repeatedly, in the face of pushback from academics. This includes being questioned about why I "waste my time" studying phishing; why smartphone-based social engineering should be studied; why Facebook might be an easy gateway for deception; and the ways in which trolling, misinformation, and hacking can be orchestrated into the Dark Triad to create a concerted attack on a nation state.
What has been your most satisfying moment in your professional career?
I have had many wonderful highlights, including working with some of the smartest minds in national security, presenting at leading venues such as Black Hat, being asked to present my work more than a few times to audiences in the US Senate and House, and presenting at the Army Cyber Institute and at Hopkins. These are just a few of the moments.
As I said earlier, when I began working on social engineering, there was no interest in my field in the area. In fact, a colleague even wondered why I was wasting time studying something so small. It is satisfying to see my work come to the public's attention and be of value to people.
Much of my research work has been ahead of its time. I studied spear phishing before it became the cyber security problem it is. Likewise, I studied deception via Facebook and what I term the Internet's Dark Triad, the combination of organized trolling, social engineering, and misinformation campaigns, and tried to caution policy makers about it years before the DNC hack and the Russian interference during our last presidential election.
I also wrote about the threats from social engineering being all the more pronounced on smartphones, another topic that I researched and published papers on years before the 2019 DBIR had data to prove it was actually the problem I had predicted it would be. Here, again, when I presented the original work on mobile-based social engineering attacks at a leading academic institution, some researchers questioned whether it would ever be a problem. In 2019, the data proved it was, and I was asked by the Verizon DBIR team to write up the reasons for it based on my research.
What does the future hold for cybersecurity?
I think cyber security is going to be an issue because of the rush to commercialize more technologies, many of which aren't really fault tested; because of innovations such as AI and inventions such as quantum computing, which are making it harder to keep things safe using our present Turing-based computer systems; and because we haven't spent the time or effort to correct or improve the fundamental weakness in computing: its users.