Hossein Sarrafzadeh is a professor of cybersecurity at St. Bonaventure University. He is also the chair of the university’s cybersecurity department and the director of the Western New York Cybersecurity Center.
Key takeaways from the interview
- Dynamic nature of cybersecurity: He highlights the ever-changing landscape of cybersecurity, driven by the advancements made by hackers, necessitating continuous development of new technologies and strategies.
- Importance of AI and machine learning: Emphasizes the significant role of artificial intelligence and machine learning in the future of cybersecurity, leading to more robust security systems.
- Blurring lines between humans and technology: Discusses the integration of IoT and cyber-physical systems with human capabilities, leading to increased vulnerability and risks, especially in medical devices.
- Quantum computing: Points out the potential revolutionary impact of quantum computing on cybersecurity.
- Recommended reading: Sarrafzadeh recommends two books: “Social Engineering: The Science of Human Hacking” and “The Principles for Cybersecurity Operations.”
So, why don’t you start off by telling us about how you got into cybersecurity in the first place? What made you curious about the field, and what was your early career like?
Well, when I was doing my Ph.D., we had a fantastic security team, which was well-known globally. And so, I was exposed to the importance of security and I was very interested. I almost decided to change my field of study from artificial intelligence to security, and that was in the 90s.
Fortunately, I didn’t because I went into security a bit later with a lot more preparation in another area, which is machine learning. So, I’m glad I didn’t switch at that time, but I’m also glad that I was exposed to the area of cybersecurity.
How did you eventually shift from machine learning to cybersecurity?
In 2007, when I was a professor in Auckland, New Zealand, I went to a conference, and I saw some of my friends who were Japanese, and they were world-renowned cybersecurity researchers. They were encouraging me to apply machine learning to cybersecurity data. So that’s when my career in cybersecurity really started. It was sparked a long time before that, but they promised to help my university establish a cybersecurity center, and they ignited me in terms of cybersecurity.
So, I started working on machine learning, applied support vector machines to cybersecurity, and that’s where my career in cybersecurity started. So really, in the 90s it was sparked, and in 2007 I [really] delved into security.
Can you tell us how you got from Australia to New Zealand, and then eventually to the US?
I did a Ph.D. at Wollongong University in Australia, and I got this job, which at that time was a dream job with a university called Massey University. I spent about nine years at Massey University, and I was recruited to head a school of computer science at Unitec Institute of Technology in Auckland. I was there for about nine years again.
This opportunity at St. Bonaventure came up, and the whole family thought America was the land of opportunities, so it was time to move. A lot of great opportunities exist in cybersecurity in the US, and it’s the best place to be if you want to grow in cybersecurity. So I moved to St. Bonaventure University.
St. Bonaventure was the right move for me because they created a great platform for me to create new programs, and put everything I had learned and experienced to date (which was June of 2017) together to create a fantastic program at St. Bonaventure University. Established a cybersecurity research center, a security operations center, and a whole group of young energetic men and women who want to learn cybersecurity.
It was the perfect opportunity for me to move to the US, and I’ve been at St. Bonaventure University since 2017. A great university indeed.
Can you tell us about what your current research areas are? Are you still doing research, or are you focused more on teaching and creating programs?
I wouldn’t stop my research. Although teaching is my passion, research is something that I do to keep myself up to date, and I take satisfaction in doing research.
So, the current research I’m doing is in the Cybersecurity Center at St. Bonaventure University, which I founded in collaboration with various partners. We are collecting data and performing darknet monitoring. The darknet address space is being looked at by our monitoring system, and we collect and analyze tremendous amounts of data.
What do you do with the data you collect?
We try to make sense of that data by mining the data and finding patterns within that data. For example, the interest of the hackers shifts from one month to the next, at every hour and every year. So, we put all that data together and we mine it and find patterns within that data.
We also apply machine learning, e.g. a support vector machine, and this is one of the areas of my expertise. The support vector is a plane in space. We create these planes that we call support vectors.
When a new piece of data comes in that cannot be classified on one of those thousands of planes that we’ve created in space, then it’s gold for us. It’s new data, it’s a new unknown piece of badware or malware or a virus or whatever it may be. We then do malware analysis on that data.
So, that’s the part of the research that I’m really enjoying. I’m also working with some of my students on intrusion detection, security operations, and also deceptive security.
What’s deceptive security? I haven’t heard that term before.
Honeypots are used to attract hackers. A honeynet is a collection of honeypots. A group of honeypots is put together to create a honeynet that you make accessible to hackers. It’s a see-through glass, hackers can do whatever they like while we study them. We provide them with data that they like to see. We look at what they do, and this usually helps us create more secure systems.
Okay. So is all that research you were talking about, is that all taking place on the darknet or on the more commercial internet?
We use the darknet just for monitoring and we use data mining and machine learning to make sense of the data collected.
Is one of your focuses primarily the darknet?
My other research is not happening in the darknet space. Yeah, so just a cloud-based honeynet and a physical honeynet would be needed to do the deceptive research. We have a colleague from Japan at St. Bonaventure University who’s an expert in deceptive security. He’s been guiding the students. I also have connections to the Canadian Institute for Cybersecurity.
There’s a management board, and I’m one of five board members for the Canadian Institute for Cybersecurity, and they do a lot of fantastic work in deceptive security. So, I’ve got a lot of places to learn from and to collaborate with. St. Bonaventure is a great platform, it’s a fantastic place. I can’t tell you how much I enjoy working there.
Our audience is people that are maybe college-age students, or coming to cybersecurity for the first time.
They may be trying to understand what some of their options are in terms of academic programs, and certification programs, and that kind of thing. And it sounds like the program that you helped create is relatively new — two, three years.
So, maybe you could just explain the program a little bit: how it operates, what kind of students are coming there, what are they excited about, what are they learning?
Keeping the curriculum fresh is an absolute necessity in cybersecurity. I also like to keep the delivery hands-on because cybersecurity is not just a field that uses theory. It does use theory in a lot of places, but when you go to work, you want to be able to apply things that you learned.
So, we have created a program that is very applied, and hands-on. Students who come to St. Bonaventure University are very talented, I’ve found. And the quality of students has kept increasing over the three years I’ve been there.
Can you tell us more about who is drawn to the field of cybersecurity these days?
We’re attracting young men and fewer women, which is a shame — we’re not getting a lot of women coming into cybersecurity — this is across the globe. We are, however, getting some really talented women coming into our program, and what they like to see is more hands-on experiences with the curriculum. So that’s what we’ve done.
We’ve created a hands-on program with lots of opportunities to practice, and we are focused on the industry’s needs. So, every program we create — and we’ve created multiple programs, I will explain each of them — are all focused on industry needs. We’ve done a lot of market research. We have a lot of connections in the industry, and we’re going where the industry is going and where their needs are.
We’ve embedded a lot of industry certification materials into our curriculum. I’m working with a dean who’s young, smart and he is a great person. His area is not cybersecurity, yet he understands it so well. Students are encouraged to pursue industry certification and get industry certified while doing their academic work.
Can you tell us more about your undergrad curriculum?
What we teach at undergraduate level is offensive security as well as defensive security. The first thing we teach the students is how to hack. But we also teach them ethics. I believe St. Bonaventure University is the best place to do cybersecurity.
St. Bonaventure is a place focused on helping others. So, we do not only teach security and hacking, but we also teach them ethics, so that they know what they can do and what’s not ethical. Then we teach them defensive security. These are the two focus areas in our undergraduate program, and we also have a master’s program.
What does the graduate program look like?
In that master’s program, we teach both of those, an extension of the offensive security that they learn at the undergraduate level at a more advanced level. We teach them defensive security, but we also teach investigative security, so that you can investigate incidents. That’s the aftereffect after an incident has taken place: how do you investigate, how do you prove that a crime has been committed? And we have a brilliant FBI special agent teaching that course.
So, that’s what I mean by hands-on. Exams in this particular course are court cases where the student has to prove a case. They’re given a hard disk for instance, and they go away and come back with the proof of a crime. So, at graduate-level we also teach enterprise security. Something else that makes our program very unique is how you can apply machine learning and data mining to cybersecurity. Having invested in the New York Cybersecurity Center on campus, it makes a lot of sense to teach this.
We continuously review the program, and like I said I have a young energetic dean who works with me just like he was a part of the cybersecurity program. We look at the program over and over and make changes we find necessary. Through these reviews we created a new bridging certificate in cybersecurity, for those without prior knowledge or qualifications in computer science or cybersecurity. If you don’t have an IT background this program is for you.
You mentioned that you have a certificate program. Can you tell us a bit more about that track?
We decided to create a graduate certificate in cybersecurity, which is a bridging program, so you don’t have to have any preparation in computing, or in cybersecurity to go into that program. We give you some foundational courses, then we teach you computer networking followed by ethical hacking and pen testing. When you finish the courses you receive a certificate and you’re ready to get into our master’s program.
Anything new on the horizon for St. Bonaventure?
We continuously review and revise our programs, and recently we did another revision of the programs. We’re adding cloud security and blockchain technologies into the program. We’re changing the structure of the program and introducing new courses.
We’re also hoping to offer an advanced certificate in cybersecurity, which is for people in work. Those who are already in cybersecurity, but they want to upskill themselves and become, say, a blockchain expert, or become a cloud security expert. Through the advanced certificate, students also gain three industry certificates. The EC Council’s Certified Ethical Hacker certification, the Google Professional Cloud Security Engineer, and the EC Council’s Blockchain Professional certification.
We call our curriculum a living curriculum. It continues changing, evolving as the industry changes, and as the needs change. For example now with Covid-19, there’s a lot of new things that are developing, and we need to be able to cope with those evolving problems. So, the program is an evolving program and there is a living curriculum that supports it.
And before the COVID-19 stuff, were the courses all offered fully in-person and on-campus, or did you have an online component as well?
We do have programs that are fully online. Our master’s for example is fully online, the graduate certificate is fully online, a hundred percent online. And they have been very attractive, we started the master’s program in January 2019 with 19 students. We have over 70 students in the program today. In a little over a year we’ve managed to quadruple.
We’re very proud of it because word of mouth has been getting out there and attracting students. We hold seminars, we hold webinars all the time. For example today we had a webinar on the new challenge of Covid-19, and the security of online mediums that we use, like what we are using now, and how secure they are. What to do, what not to do. So, like I said, we keep our curriculum very fresh.
Yeah, excellent. And then you did mention the Western New York Cybersecurity Center, and how that’s based on campus.
Can you just talk more about that? Is that an industry partnership or what kind of work do you have with them?
Okay, the cybersecurity center is a collaboration between National ICT Japan. National ICT Japan is a huge institution in Japan that is responsible for cybersecurity in the country. They mainly do research in that area, they hold competitions, they produce new products for the country to use. A thousand people with Ph.D.s do research at National ICT in Japan. And that’s one of our partners.
The budget of ICT last year was 485 million euros. So, they’ve been my partner since 2007. Those are the people who encouraged me to do security, and they helped me set up New Zealand’s first cybersecurity research center. Now, they also helped us set up Western New York Cybersecurity Research Center.
Any other collaborations?
Another partner in that center is the Canadian Institute for Cybersecurity. We also have industry partners, which I cannot disclose. But we do work with those two huge entities who are very strong, and they have brought a lot into our cybersecurity center. Including software, they’ve donated hardware to us.
So, we established the cybersecurity center with almost no money upfront. It was all given to us by our partners. And the cybersecurity center is mainly engaged in monitoring the darknet space and doing machine learning.
We are exploring the idea of doing opinion mining in the center. This will be done after a hack has taken place, and to assess the societal reaction to a big hack.
Like sentiment analysis?
Yes, yes sentiment analysis on security after a hack.
You’ve been looking at security issues for a long time now. And you mentioned your curriculum is constantly evolving to adapt to how things are changing.
But I’m kind of curious how you would describe the mainstream understanding of cybersecurity, or just the awareness of our vulnerabilities when we’re interacting with one another online, and conducting business, and that kind of thing.
What have you seen change? Do you feel like cybersecurity is something that has become a mainstream concern, or do you feel like it’s still something that people haven’t quite grasped yet?
There are both problems and changes that are coming in that regard. There’s a lot to be done in the area of public awareness of cybersecurity.
When I was in New Zealand, I was working with an NGO called NetSafe. NetSafe is responsible for creating awareness in the New Zealand public about cybersecurity. They have schools, they work with schools, they work with elders, they work with different parts of the community in different ways to create the awareness of cybersecurity. And I believe it’s a fantastic model because the US is a much larger country, of course, there are many, many of those doing it, but it’s still not enough.
While I was in Olean over the last three years from 2017 to now, I’ve helped a lot of people. For example, a senior citizen who had lost over $60,000 to a hacker. It wasn’t just the money, the family was so frustrated, they couldn’t keep the man away from the hackers because he kind of was scared of them. They would call him, he would go out, buy a gift card, reveal the numbers, and they emptied his account by using even gift cards. And I’ve helped a lot of other people. Particularly the elders who are a target.
Do you think cybersecurity is more or less of a threat today?
At times like when we have a pandemic now, [the threat] increases. Someone might email you and say, “Hey have you looked at the stimulus package, you’re entitled to this money. Click on this link to find out if you qualify.” And you click, and that’s where it starts, you shouldn’t be clicking. But people don’t know that, and they do, so we lose a lot to hackers.
And I believe it is a mainstream concern, thank you for raising this topic. It will become a bigger problem in the country and globally. It’s probably to an extent similar to global warming. A lot of attention needs to be paid, but it’s not. So, I believe it’s a huge problem not well understood.
Where do you feel like this is headed?
Business is affected, there’s military that is affected, future wars are going to be fought with it. And I don’t think you can cripple a country without militarily attacking it. You can create chaos in a country, and weaken them like that, without having to throw a rocket at them. So, the world has changed and unfortunately, there is not enough understanding in society, and so we’re not dealing with this.
Computers are becoming more powerful, hackers have access to those powerful computers, governments that have ill intentions towards us have access to those computers. So, as the power of computers increases the current security mechanisms that we’re using will not work. So, they crack our code with a powerful computer.
To solve a problem, if you have a more powerful computer, it takes you less time. So, to make machines secure we code things so that it takes a long time [to crack the] code. But if you have a more powerful computer, a computer that has, say 20,0000 processors all working in parallel, you can crack the code that was supposed to be cracked in 10 years in 10 minutes.
Yeah, so I think this will continue until breakthroughs come like quantum computers to change things. And as it stands there’s a gap of 3.2 million experts that we need in cybersecurity.
Salaries for fresh cybersecurity graduates are on average $95,000. An average salary of a cybersecurity expert is I believe around $120,000. What other area can you find, other than medicine, that pays that kind of money?
So, it is a big problem not well understood. The only way that we’ve understood it is that the industry is paying a lot more, so that shows the graveness of the issues. That people are willing to throw money at it is because it is a very big problem. Long answer to your question.
No, it was a good answer. I appreciate that, and it’s interesting to try and understand the gravity of the problem. Let’s switch gears for a minute. I’m just wondering, in your career what do you think is the best piece of career advice you’ve ever received?
That’s a very nice question, I like that. Now, I’ll never forget Professor Hill who gave me the best advice in my life—well it was career advice, but it was the best piece of advice that I could ever get from anyone. I was an undergraduate student. I was doing civil engineering, and I was so passionate. I wanted to build buildings, build bridges, build large structures. I was fascinated with structures. Professor Hill was my advisor.
He told me one day, “Hossein, are you open to switching majors?” And I said, “Depends, I love the area that I’m studying, I love civil engineering.” He said, “Study computer science, Hossein. That’s the future, our future is going to be more and more digital.” And he convinced me to take a couple of computer science courses, and I did really well.
I got As in both those courses and I fell in love with computer science. And that’s the best advice anyone has given me. Otherwise, I’d be laying either brick, or getting people to lay bricks, which is not what I would enjoy probably.
If you have a favorite piece of career advice that you find yourself giving students, what is that?
The advice I want to give to younger people is — it’s a volatile world. The job market and jobs of the future are going to be less permanent and more difficult to get. But if they want job security, I ask them to do cybersecurity. If you do cybersecurity you’ll have job security for many, many years. And that’s advice I would give them. But if you want to do it, do it in a practical form.
Okay, excellent. And another question, this question is actually my favorite of all that I get to ask people. If we were to create a cybersecurity reading list that people could refer to, to do some learning on their own, I’m curious what your top two or three picks would be.
These could be books, they could be influential papers, or videos you’ve watched. And they don’t even have to be necessarily cybersecurity specific, but anything that would kind of orient you to the space a little bit so you can kind of understand some of the theories. What would you put on that list?
Human beings can’t be patched, so if you have a vulnerability, you have a problem in your hardware, in your software. We develop a system in our brains, we learn things, and if something is wrong you cannot patch a human being like you can patch a computer. You can’t upgrade the operating system of a human being as you can a computer.
So, the weakest link in cybersecurity is the human part of it. Humans can be deceived. And over 90 percent of the problems come from the humans being deceived. So, social engineering is an area that I love, I keep reading. There’s a book that I would really recommend, and I think it’s called, “Social Engineering: The Science of Human Hacking.”
Also, I have a friend Dr. Hettema, Hinne Hettema. He’s a great cybersecurity expert—I would say he’s the best in New Zealand in terms of cybersecurity. Hinne has written a book recently called, “The Principles for Cybersecurity Operations.” It’s not a technical book, and I think it’s all out of his own experience. I really enjoyed reading that book. It’s a very cheap book, eight or nine dollars if I’m correct. And I don’t think he wrote it to make money, he wrote it to just put it out there.
So, those are the two books: “Social Engineering: The Science of Human Hacking” is one and “The Principles for Cybersecurity Operations” is the second book I would recommend.
I’m kind of curious, when you’re talking to your students about the future, and the things that they should be preparing for, what kinds of things are you looking at, or keeping an eye on?
Cybersecurity is changing all the time. It’s a catch-up. Hackers develop things, and hackers pay quite well. Hacker organizations pay a lot more than good organizations pay. So, for example, if you’re a search engine optimizer, you might get a job for say, $100,000, $20,000, $50,000. Hackers will pay you $250,0000, $300,0000 to help them do search engine optimization so that they can attract people to their website. So, things change, and as we follow the hackers, as we try to counter their measures, we develop new stuff, and develop new technologies.
But one thing that is for sure is that machine learning and artificial intelligence is going to impact the future of these tools. If we use AI and machine learning, we can make far better security systems. In fact, any computer could benefit from machine learning and AI. So, I see the future in machine learning applied to cybersecurity. That is why I included two out of ten courses in machine learning and AI in our Master’s program, and we’re doing the same in our undergraduate program.
So those are the two areas. What differentiates us is I believe machine learning. And as we use IoT and cyber-physical systems, and we’re extending the capability of humans using augmented systems, so augmented reality. And we’re even going to be extending human power and ability, using computers. So, that man and machine, you can’t differentiate them. Man and machine are kind of combined to create a capability.
What are the implications of that?
That’s when humans become more vulnerable. And it’s happening even now. So, if you’ve got a pacemaker in some patient’s body, that pacemaker makes that person more vulnerable because if it is connected, then that device is at risk. And if you’ve got a pump in the body that pumps insulin, that can be hacked. So we’re now augmenting, not for diseases, not for shortcomings of a person, but to add to their capability, and that is very dangerous.
So, hopefully, the future will be more secure by developing more secure systems that augment our bodies. And I believe students, or any cybersecurity person, should keep an eye on quantum computing because that is going to revolutionize the whole field of computing, especially cybersecurity.
And to end this conversation I want to repeat what I said before. If you want job security, look to cybersecurity. Learn cybersecurity, and be able to apply it to help others. And I think that’s where the future lies.