Sanjiv Bhatia is a professor and graduate director in the Department of Computer Science at the University of Missouri, Saint Louis. One of his main research areas is in computer vision and he teaches courses on computer security.
Key takeaways from the interview
- Importance of algorithm analysis: Bhatia emphasizes the necessity of algorithm analysis for those learning programming, especially for self-taught individuals.
- Understanding systems: He highlights the importance of understanding system performance, using the example of how memory layout can affect performance.
- Current cybersecurity information sources: Bhatia recommends reading popular magazines like Wired and daily newsletters such as those from the Wall Street Journal for current cybersecurity information. He also suggests utilizing platforms like Stack Exchange and Stack Overflow for learning and troubleshooting.
- Future preparedness in cybersecurity: For those entering the field, he advises a strong foundation in algorithms and systems to adapt to future changes and challenges in cybersecurity.
How did you first become interested in cybersecurity?
I was an intern doing research in India and I wanted to play some games to which I did not have access. So I went into the office when the computer was unattended and gave myself permission to play the game. And that was my first quasi-illegal thing I did. Then when I was a graduate student, we always played pranks on each other…things like anonymous emails was a major thing in the late ’80s.
What did that entail?
If you knew how to send an anonymous email, that was a good way to send pranks to other graduate students. Somebody will get an email from Debbie@tridelt. He would just keep on wondering, “Who is this Debbie?” Fun stuff… Harmless. We didn’t do any harmful stuff.
What did you learn from the pranks, besides how to mess with your classmates?
You start getting interested [in] how the system can be broken and as long as you are within the law, I think you are okay. So that is what we did, and that is how you tried to figure out how others can break the system and how to stop them from doing it.
So that is what I normally teach these days. And right now, if I teach my class, I tell them that you really can’t do anonymous email anymore because that has been plugged. There was a big security hole in Unix in late ’80s, and even in the ’90s.
What about people who aren’t breaking into systems for the right reasons?
There are some other issues … you can basically create harm in the system. But we try to tell the students, “You should never do it. Because if you do it, you’re going to be in big trouble. So you need to know [that] these are the security holes in the system. And unless you know the security holes, you don’t know how to plug them.”
Right. And are there examples of some of that innocent kind of pranking stuff that’s the equivalent of sending anonymous emails that people are doing today?
I guess there’ll probably always exist opportunities like that. Find the edges of the holes and then you can kind of …
Yeah, …those things are still there. A lot of holes have been plugged and the new ones keep on popping up. That is what people try to take advantage of. That is what the hackers try to take advantage of. I think you probably heard the news — it was yesterday or the day before — that Apple iPhone mail app has a big hole which it’s trying to plug.
I didn’t hear that.
Oh, yeah. If you’re using an iPhone, iPad, the mail app from Apple has a hole. It can cause harm.
Yeah, I’m sure a lot of people are using that app, so that’s a big deal.
I think Apple has it fixed, but they haven’t rolled it out yet. They should be rolling it out very quickly.
All right. Let’s talk about some of your current research. I looked at your background, and from what I understand, it seems like one of your main focuses is computer vision.
Maybe you can talk about some of your current research and how cybersecurity issues relate to what you’re looking at.
I’m fairly into computer vision when we are not dealing with cybersecurity. I have a student who is doing a lot of good work with indexing. She has already published one paper on that.
But in terms of cybersecurity… attacks on privacy are big right now. This morning, I heard about the news in Russia. And one of the human rights groups in Russia has already complained about the facial recognition stuff. Officially, it’s getting pretty big.
Can you say more about cybersecurity and privacy concerns?
Location sensing is huge. I think, whether you like it or not, the cell phone companies know where you are at any given time. And so that is pretty big. Even if you don’t share your location, they know just from the towers that you’re using where you are.
I’ve seen the hacking into cars in Hollywood movies. Angel Has Fallen had where they stopped the president’s car remotely. There was another one where they killed a guy by stopping his car on the railroad track with a train coming, and he couldn’t get out because they locked his car remotely.
Is that scenario closer to fiction or reality?
There was an article in Wired, I think two or three years back. They took control of a Jeep driving on Interstate 64 in St. Louis. Well, the driver knew that they were doing it, and they were trying to demonstrate that this can be done. So it’s possible these days that we can do it. And those are the hot things right now.
What has been a theme that you keep coming back to in the course of your career?
Well, obviously when you develop software, you have to make sure that software has to perform…you should not have many holes. So software security is big, especially if you are working in C/C++. You should be able to take care of software quality assurance. If you develop something, make sure that it works, and you can share and be able to take advantage of it in any way.
And do you think software development has this idea of building security in software? Or just being security-minded from the onset?
When I was an undergrad, we didn’t talk about these things. Obviously, in those days, I didn’t have access to the internet or anything like that. When all you did was make sure that you can write a program, and the program can do what you want, you didn’t have to worry too much about security.
But these days, now we have, of course, a lot of emphasis on software assurance and security. You need to teach the students how to make sure that software actually is secure, and works the way it is supposed to. You make a conscious effort to make sure that the code is not easily broken into.
Let’s talk about some of the cybersecurity-related research and projects that you are working on with your students.
Okay. So we are trying to build a powerhouse in cybersecurity teaching and research. We started our program about five years ago and we got the designation of Center for Academic Excellence from the National Security Agency and Department of Homeland Security, and we are the first one in Missouri to get that. Once we started the program, we had good support from the university administration. So we were able to hire some pretty good people for cybersecurity research.
There are two recent hires we have. Abderrahmen Mtibaa is working on verifiable computing to secure edge computing resources against cyber threats or malicious intentions. These things have applications in almost every field you can think of: healthcare, military, and automobiles.
And another new hire, Lav Gapta, is working on interdomain cybersecurity in next-generation healthcare using deep learning models. And he’s also working on fair and understandable artificial intelligence (AI) in critical areas like finance, healthcare, aviation. With cybersecurity coming to the forefront in most of the applications, AI is also playing a big role in that. So we have to merge the two fields in cybersecurity to get decent results. That is what the big effort is on within our department over here.
So since you’re building out the cybersecurity infrastructure at the university, can students get a degree in cybersecurity?
I’m glad you asked that, for clarification. So we started with a certificate in cybersecurity. We started with undergraduate and graduate certificates in cybersecurity. And a couple of years ago, we got approval to offer bachelor’s and master’s degrees in cybersecurity.
So yes, you can get a complete degree in cybersecurity. And it’s already in place. In fact, it’s there on our website. You can apply and we do have students already pursuing the degree. I don’t think we have graduated anyone yet. We graduated people with the certificate but not with a degree.
Okay. So it’s pretty new then, I guess?
Yeah. We’re doing it right now.
Are there online degrees in cybersecurity? Is that the future?
As far as online is concerned, yes, we are working on online offerings. In fact, I believe next semester we will start offering online courses in cybersecurity. And the goal is to have a complete online degree in cybersecurity. So if you are starting in the fall, I’m sure you will be able to complete all the requirements online to get a bachelor’s and master’s in cybersecurity.
And I guess now given the current state of everything with COVID-19, there’s also increased motivation for universities to figure out how to make these courses available. Just because we have to now.
Yeah. We changed all our courses into online classes on two days’ notice. We are teaching everything online, giving tests online, office hours online.
What is the best career advice you’ve gotten? Or a piece of advice you find yourself giving your students frequently?
Well, if you are in computer science or cybersecurity, you obviously have to know how to code. So that is pretty much taken for granted. Now, the second part of that is how to understand things better. You should be able to do algorithms. And this is something—especially when I’m admitting people who have learned computer science, learned programming on their own—something they lack is the analysis of their code. Algorithm analysis is one of the fundamental things you need to work on.
And the second thing is, you need to know systems. In fact, the day before yesterday I was giving my lecture. And one of the things I showed is how the performance of the system can get affected if you have a large two-dimensional matrix, which is laid out in the memory as a row-major order or a column-major order. And it can change how you access the data and how it can affect the performance. You need to learn these things.
And if you know algorithms, and if you know the systems, and internal memory layouts, and data structures in the system, you should be able to tackle all of those. But a lot of these things these days are building on top of libraries, and all you have to do is effectively learn how to use the libraries. Like in computer vision, you need to know the concepts. But a lot of stuff happens using OpenCV, which is a publicly available computer vision library.
Cool. If we were to build out a cybersecurity reading list as a resource for people, what are your top picks? What would you recommend to add to a comprehensive cybersecurity reading list?
Well, things change pretty quickly. And something which is really hot right now will not be there two years from now. I’m sure right now we are talking about COVID-19. [At some point], it’ll be in the rearview mirror and we won’t think too much of it. At least I’m hoping. It’s giving so much trouble. And the textbooks typically are a little bit behind. By the time a textbook is written, published, things are already changed.
If you want to get information which is current, you need to look into the journals. And I look at popular magazines like Wired. Wired has good information about what is going on right now. There is a daily newsletter on cybersecurity from the Wall Street Journal. In fact, you get something new every morning. It’s about a 10- to 15-minute read.
But you get an idea about what is going on. I like the Stack Exchange and there is an information security group on Stack Exchange/Stack Overflow. If you do not know something, you can always ask questions. If you’re trying to figure out some concepts, Stack Overflow/Stack Exchange is a good place to start.
This last question is geared towards students or people that are just starting their career: what do you see happening in the next five or 10 years in the cybersecurity field? What should be on their radar?
Again, I can’t really answer that. Things are very, very difficult to predict. However, if you are going to get into the field, you want to be able to adapt yourself to whatever comes. And the best preparation you can have is a very, very good grounding in algorithms and systems. Those two are extremely important in almost any field in computer science—cybersecurity is not an exception. If you know the systems, if you understand the systems, if you can understand the algorithms, you will be able to do well no matter what.