Dr. Indrakshi Ray is a professor at Colorado State University working in the general area of cybersecurity. Her research includes data and application security, software security, network and operating systems security, and cyber-physical systems security.
She is the director of the Colorado Center for Cybersecurity and she’s the site director of the National Science Foundation’s Industry University Cooperative Research Centers Program, Center for Cybersecurity Analytics and Automation.
Key takeaways from the interview
- Diverse student involvement in cybersecurity projects: Students at various levels, from undergraduates to postdocs, are engaged in a wide range of cybersecurity projects, catering to their interests, such as automotive security and privacy technologies.
- Industry-academia collaboration: The educational approach involves partnering with industry to offer students practical experience. This collaboration helps bridge the skills gap, as students work on real-world projects and receive both academic and industry insights.
- Educational focus: The emphasis is on teaching foundational knowledge over specific tools or techniques, which may become obsolete. The goal is to equip students with the ability to develop tools needed for future challenges.
- Cybersecurity skills gap: There is a recognized need for additional training in the industry. Students often require guidance to align their academic knowledge with industry needs. Personalized mentorship is key in this process, though it can be demanding for educators.
- Reading recommendations for cybersecurity: Ray suggests textbooks by Matt Bishop, Dieter Gollmann, William Stallings, and recommends IEEE Security and Privacy magazine for lighter reading. She also mentions academic conferences like IEEE Symposium on Security and Privacy, USENIX Security, and ACM CCS as valuable resources.
- Future of cybersecurity: Ray highlights the need for a developed ‘science of security’, pointing out the current lack of a systematic approach to cybersecurity. She emphasizes the importance of understanding the properties and relationships of different systems in cybersecurity.
Here is a full transcript of the episode
Steve Bowcut: Welcome to the Cybersecurity Guide podcast. My name is Steve Bowcut and I am a writer and editor for Cybersecurity Guide. I will be your host for today’s podcast episode. Thank you for joining us. We appreciate your listening.
We have a fascinating guest. Our guest today is Colorado State University Professor, Indrakshi Ray. Am I saying that right, Indrakshi?
Indrakshi Ray: Indrakshi, yeah.
Steve Bowcut: Indrakshi. Okay, thank you Dr. Ray. We’re going to be discussing Dr. Ray’s work as well as the cybersecurity educational opportunities that students could find at Colorado State University. So before we get into that, let me tell you a little bit about Dr. Ray. Indrakshi Ray is a professor working in the general area of cybersecurity. Her research includes data and application security, software security, network and operating systems security and cyber-physical systems security.
She is the director of the Colorado Center for Cybersecurity and she’s the site director of the National Science Foundation’s Industry University Cooperative Research Centers Program, Center for Cybersecurity Analytics and Automation. So with that, welcome Professor Ray. Thank you for joining me today.
Indrakshi Ray: Thank you. Thank you for having me.
Steve Bowcut: That’s a pretty impressive resume and that’s just a condensed version of your resume that I read. So tell us what got you first interested in cybersecurity and kind of what was your path to getting to where you’re at?
Indrakshi Ray: So thank you for the compliment. So I was doing my PhD at George Mason University, which is close to Washington, D.C. and this was in the mid 1990s. And my research area was on, it was at the intersection of software engineering and databases. And by virtue of being at George Mason University, there was a lot of research grants and research happening at George Mason, which does ship on cybersecurity and some of the most pioneering works in cybersecurity back then, especially in data and application security, happened at George Mason.
So you sort of got drawn inside this circle, so to say. And so as I was saying that I was working on the problem and I found that the solution can also be applied to a cybersecurity problem. And that is how I got started in this area. And I presented my research in the topmost cybersecurity venue, conference, which was IEEE Symposium on Security and Privacy.
And I was very nervous because it was my first formal talk. And immediately after that I was hired, job positions. And so of course I didn’t take any because I was bent on completing my PhD. And then after completing my PhD, I started working as an assistant professor at University of Michigan-Dearborn. And this was in the late nineties. And at that time, electronic commerce was electronic commerce, electronic voting. We were hearing these buzzwords and then looking at these problems, I thought that the problems as they exist right now, they cannot be applied actually, because there are security issues.
So you start with a kind of an engineering approach, if I have to accommodate these security constraints, how will my solution look like? And then I got in more deeper in the area of security protocols, and this was of course, and with this was the funding from the National Science Foundation, which gave us some funding to do work on electronic commerce and electronic voting. And that sort of propelled my career in cybersecurity.
Steve Bowcut: That’s fascinating. I never would’ve guessed that. So in my mind, I was envisioning a high school girl who said, “Oh, I really want to be a pen tester.” And there goes your career in cybersecurity, but you didn’t really even start thinking about cybersecurity until you’re working on your PhD.
Indrakshi Ray: Exactly.
Indrakshi Ray: Actually, I’m working on a number of research areas and I’m almost sure all of which your audience will find very fascinating. Let me start with some of the most popular ones. I’m working on misinformation detection.
Steve Bowcut: Oh. Okay.
Indrakshi Ray: Identifying misinformation.
Steve Bowcut: That’s a big topic right now.
Indrakshi Ray: That’s a big topic, right? Identifying misinformation in Twitter data. And first of all, you’re looking at Twitter data and it appears quite authentic. It will appear more authentic because when you have a website, a reputable website, linked to a reputable website, associated with it, right? Now you’ll think, okay, whatever claim that this author is making in is backed by this link to the news article. We’ve checked at least 1% of those, the news article have nothing to do with the claims.
Steve Bowcut: Nothing to do with it. That’s terrible.
Indrakshi Ray: So, then how do we detect misinformation? How do misinformation spread? Who are the influencers and do they use different types of languages? So we are looking deep into those kind of things actually. So, that is one of my current research area. Another-
Indrakshi Ray: … Yes. Yes. I actually …
Indrakshi Ray: … We have a website, Rays Cyber Lab, but typically I try to publish our results in reputable journals and conferences in the related field and try to give them links through my website. And these days, what the ACM, which is Association of Computing Machinery, what it does is, that they feel that some papers are very impactful. So they try to explain the work in more user friendly form. So only the very of the best papers get selected for that. And our misinformation paper actually falls in that category. So it was very good to see. So, that is one area.
I’m also working on problems of phishing detection. Phishing means all of us, we get emails and emails or text messages, click on the link and then you go to a rogue website and you enter all your sensitive information and suddenly you find your bank account depleted. So now the question is how do we detect that some website is phishing and some is genuine.
So we are doing some work along those lines and it appears that and we’ve done quite a substantial amount of work along that area. We go into the phishing website and we are using machine learning actually to distinguish between which are good and which are bad. And so that is another of work that we are doing actually. And sometimes-
Steve Bowcut: Could the end result of that research be like an application that I would have on my phone so that-
Indrakshi Ray: … Yes.
Steve Bowcut: … When I get this email or that text message, I could use that app to help me-
Indrakshi Ray: Exactly.
Steve Bowcut: … Determine how safe that is.
Indrakshi Ray: Exactly.
Steve Bowcut: That would be very useful.
Indrakshi Ray: Yes. And these days the browsers give you some of these capabilities and we are trying to investigate whether we can do better actually, whether it could be better. And since you want it installed in your local machines and phones, so we want it to be not very high powered machine learning and so that’s also one of our more fascinating projects actually.
And then that brings us to another very theoretical work that we have these machine learning algorithms that are using up so much resources, can we come up with lightweight machine learning algorithms which can achieve the similar kind of results.
So that’s more, because our research is mostly student driven and some students are very interested in deep theory, some are interested in … The good thing about working in cybersecurity field is that you have a problem for everyone. You have a problem for all kinds of.
Steve Bowcut: Isn’t that true? Right.
Indrakshi Ray: Exactly. It is so interdisciplinary. So, that’s that. And then I’m also working on access control. Right now, all the policies, we see it in English language. From these policies, how can we come up with formal authorization models?
So using natural language processing, we are also working into how to make our critical infrastructure such as transportation and energy secure and what are the interplay of these different critical infrastructure and how can we detect attacks and make systems, not security proof. It’s like more cyber resiliency, knowing that attacks will occur, that systems will not cripple down, they will continue to function maybe at a diminished level until the system gets backed up.
So we are also doing some work along those areas of all. And also typical the information security, we are still working on those problems. And one of the most fascinating things that we are working on is the human mind and cybersecurity. You can never enough train the genuine user and you cannot. So how do our cognitive biases impact our defense and attack decisions? So, that is another … And here again, I do a lot of interdisciplinary work with various kinds of people, including psychologists and yeah.
Indrakshi Ray: Actually the underlying thread is how do we provide security assurance through system analytics or data analytics? So, that has been my kind of, the key thread. Either by analyzing large volumes of data, can we provide, first of all a security assurance or doing system analysis using formal methods. So these are the two chain of thoughts.
And we are also finding very interesting things that using, analyzing large amounts of data, can we not only find that there is an intrusion, but can we use that data to reconstruct some of the compromised things actually. So that is assuming that an attack has taken place and some things have been compromised, can we recreate the compromised values through some other … and we are getting quite interesting results in the area of heavy vehicles for that.
Indrakshi Ray: So, a few things actually. So first of all, the undergraduates. So in Colorado State University cybersecurity pretty much is present in many of the departments, like the computer science, of course, definitely, I would like to say that we are the leaders in cybersecurity.
But cybersecurity is also covered through our systems engineering department who does heavy vehicle security and maybe energy security. It’s also covered by the electrical and computer engineering department. Again, they’re in transportation security as well as biomedical engineering who are doing biosecurity as well as with the business end of things.
The college of business also has, how do we train the managers and the management professionals about cybersecurity issues, supply chain? So they also do, so if anyone is interested in cybersecurity research, Colorado State University is the place. Having said that, and also we give a lot of undergraduate paid research internship opportunities for the undergraduate students who want to specialize in cybersecurity. In the computer science department, we offer at the undergraduate level, a concentration in cybersecurity.
And we offer many courses like quantitative security, then hardware security, blockchain, applied cryptography, modern cryptography, and then through the math department, post quantum cryptography, digital forensics. So these courses are hardware security. All of these are offered. The college of business has a program through which at the graduate level they offer a certificate in cybersecurity. And in the computer science department, we are trying to come up with certificate as well as specialized degree programs in cybersecurity.
But one thing that makes us different from the many other schools that you’ve looked into, is we not only give educational, but we also give research opportunities. So how do next generation of cyber defenders, what kind of systems should they design? So training along those … What are the problems right now? And if I’m building a futuristic system, what are the things that we should have in mind?
Indrakshi Ray: Yeah, so actually all these projects are, the list of topics that I mentioned. In computer science, we heavily work with the students. So there’s a lot of students involved in all of these projects actually. And the range is from undergraduates to the post docs. Some are interested in the human minds, some are interested in deep theory. So all the students are involved in these projects. And the best part of being in cybersecurity, you can choose what you want to work on.
So you are interested in automotive, you can work on automotive security. You are interested in privacy, you can work on making things confidential and private and privacy preserving technologies. So whatever you are passionate about, we can frame a cybersecurity problem around your interest.
Steve Bowcut: That is fascinating. I’m just enthralled with this idea of focusing on the human mind or the psychology, because as we all know, the humans are the weakest link in our cybersecurity defenses.
Indrakshi Ray: Absolutely.
Steve Bowcut: So as a writer, I’ve covered this many times and it seems to be a topic that comes up over and over again. So I would be interested in your perspective about, is there a skills gap for cybersecurity and have you seen evidence of that in your work? And what impact is it having on the educational programs, if in fact that shortage exists?
Indrakshi Ray: So on the educational front, we try to equip them with the knowledge, but as part of my NSF IUCRC, I work very closely with the industry. So what I’ve heard from the industry people is that a lot of training is needed before they can work on their problems actually. And part of the issue is that, especially, on behalf of the computer science, we don’t lay emphasis on one particular tool or technique, because today’s tool will become obsolete tomorrow.
So what we try to do with them is analyze the foundations and the fundamentals, and we do teach them some tools and techniques actually. But what the industry is looking for, I want them to use these tools right now actually and maybe perhaps the business school might be teaching them tools and things like that. But our job is to give them foundation so that they can build the tools that would be needed tomorrow actually.
So that gap that you’ve been hearing, that is there actually, and the way I personally try to bridge the gap is, I try to get students through our undergraduates engaged with some industry and we try to work on a project that is of interest to the industry as well as has some academic benefit to it. Like they’re learning stuff and come up with a more customized kind of plan actually. And that way, since they’re working with the industry, they will also give you some pointers and we teach them the theory and the industry also gives them some pointers and they get a very more well rounded educational experience.
As a result of which, students who have been working with our group for six, seven months, they end up with very lucrative job offers actually. And that has been working really well, but the individualized mentorship takes its toll. I’m personally very committed to cybersecurity as well as education, and I don’t have a life to put it happily.
So I’m always getting this matchmaking game, with the students interest, with what the industry need is, with the funding agencies need and playing this matchmaking game. And because students will be interested in what they love to do and sometimes they used to feel that the love is money, but that’s not really the case. They are oftentimes passionate about certain aspects, maybe some are coding, some are on the designing and some are … So I try to bring in cybersecurity in all of that and kind of train them well so that it meets everyone’s needs.
Steve Bowcut: So it sounds like maybe the industry is kind of clamoring for trained people as soon as they can get them.
Indrakshi Ray: Absolutely.
Indrakshi Ray: And sometimes some of the industries are wanting higher degrees-
Steve Bowcut: They love them.
Indrakshi Ray: …That is another thing I’ve noticed, even though if I say that this student is very good, sometimes they’re saying, “But he just has a bachelor’s at this point.” So I’m thinking that many of the industries are looking for a higher degree and actually even PhDs and things like that. They are really, but there is so much of a skill shortage.
Steve Bowcut: The perception currently is that they’re looking for people right out of high school that man their SOC. That’s what the perception is. So it’s good that there’s plenty of opportunity who wants to get, people who want to get a higher degree.
Indrakshi Ray: Plenty of opportunity at all levels.
Indrakshi Ray: So, basically for textbooks, I can give some recommendation. The book by Matt Bishop, Dieter Gollmann, William Stallings. These are the ones I would go. And because I’m in more of an academic setting, so typically I tend to look at conferences, cybersecurity conferences. For light reading, IEEE Security and Privacy magazine is kind of good. And for academic conferences, like IEEE Symposium on Security and Privacy, USENIX Security as well as ACM CCS. Those are kind of like my recommended list.
Steve Bowcut: Okay.
Indrakshi Ray: Yeah.
Steve Bowcut: All right. And I noticed you didn’t mention some of the more commercial conferences like RSA and Black Hat and DEF CON and …
Indrakshi Ray: Oh, DEFCON is a lot of fun. I mean, yeah, definitely.
Steve Bowcut: They’re not quite as studious, I guess, as the ones that you …
Indrakshi Ray: But I guess it’s my lack of time to be honest with you, but recently I’ve heard very, very good things about RSA, DEFCON and all these conferences.
Steve Bowcut: Have you? Okay.
Indrakshi Ray: Yeah, I did actually, but since I’ve never personally attended them, so I …
Steve Bowcut: So what do you think the landscape for cybersecurity will look like in five years or 10 years? And more specifically what I’m trying to get at is what do you think students should be doing today to prepare for that future?
Indrakshi Ray: So, let me begin by giving you an analogy. When you are building a house, you build a house and you don’t bang onto the windows and walls and see whether it’s still standing or not. And that is what is happening into the cybersecurity today. So we have a product and people are doing best pen testing and trying to see whether it can be hacked. So in other words, the science of security is not yet developed.
So that is the major challenge that we are facing because you know that, okay, if I have this wooden plank, can I place this concrete structure on top of it? You are not going to place it and see whether it’s falling right. You know, because of the properties of the system, because of these relationship. But that landscape is not actually yet drawn out in the cybersecurity.
So every company is unique. It has to be unique, otherwise it won’t be sustainable. I mean, through the product they offer, through its supply chain. And right now it appears that for every company that there is, you need a cybersecurity professional to kind of analyze it and hack it and see what are the loopholes and things like that. So, clearly until we reach the science of cybersecurity, we’ll need people like that who needs to actually test out your system and see whether there are any vulnerabilities or whether the interplay can be exploited and things like that.
But, we also need researchers who sort of understand the different properties of these different systems that are being put together and seeing whether any bad things can happen, we can then formally analyze and say, “Okay, this is foolproof.” So until the science of security is developed, you need a lot of hacking, pen testers and things like that.
But once people try to lay down the properties, understand the interconnection, and this system has property A, this system has property B, or this system also has property A, when I join the two, does property A still hold. In very simple terms, is it compositional? So the question is, we don’t know these things as yet, so if I have A in property and property B, then I join them together. Not only A and B, something else emerges. So, that’s exactly what’s happening.
Steve Bowcut: So there’s a term that’s used in the industry, security by design.
Indrakshi Ray: Exactly.
Steve Bowcut: So it’s kind of that concept, I think that term is a little overused. Everybody says they have security by design, but that’s kind of what you’re talking about.
Indrakshi Ray: Exactly that.
Steve Bowcut: Let’s build things secure from the ground up as opposed to trying to bolt on security and make them secure later.
Indrakshi Ray: Precisely. Precisely. Yeah.
Steve Bowcut: Those that have that interest, I guess should prepare themselves to be on the ground floor of building applications and systems that are secure by design and don’t have some of the inherent vulnerabilities that we build with today.
Indrakshi Ray: Exactly. And another analogy is previously when you had this camera, not the digital camera, prior to the digital camera, you used to put some thought in it before taking a picture, because it was expensive. Right? Now you can take any random pictures and you delete them. So in other words, whatever you have to think, it’s not just having a product and pushing it out into the market. You should spend a little bit more time thinking about it and analyzing the interactions. So, a little bit of more thought process and things like that will go a long way, absolutely.
Steve Bowcut: Business decisions that consider security. You see business decisions oftentimes they look at the product and what the result of the product is going to be, what the revenue’s going to be generated, and, “Oh yeah, by the way, we want it to be secure.” But maybe they need to talk about how it’s going to be secure in the beginning.
Indrakshi Ray: Exactly. Exactly. Yeah.
Steve Bowcut: All right. Well this has been absolutely delightful. Thank you so much. I appreciate your time today. That’s all the questions we have, and it looks like we’re probably out of time. So thank you Dr. Ray. I appreciate your input. There’s some fascinating stuff here and I’m sure that our audience is going to enjoy it. So thank you and thank you to our audience and our listeners as well for being with us. And please remember to subscribe and review if you find this podcast interesting. And join us next time for another episode of the Cybersecurity Guide Podcast.