Singapore Management University’s Professor Robert Deng, a leading global authority and award winning researcher in cybersecurity, has been conferred the prestigious AXA Chair Professorship of Cybersecurity.
Professor Deng is the first named Chair professor at SMU’s School of Information Systems, one of only six AXA Chairs selected for this honour worldwide and the only one from Singapore, as well as the only AXA Chair in Asia to undertake research in the Data & Technology risks cluster under the AXA Research Fund.
The €800,000 funding from AXA Research Fund over a period of eight years will support Professor Deng’s research programme to systematically investigate a unified framework for protecting data in the new environment. The research is expected to yield new security models, algorithms, protocols, and analysis techniques which will provide new ways of protecting data security and privacy.
Another aspect of the research programme entails the integration of Professor Deng’s cybersecurity research with several of SMU’s larger scale projects in the Analytics for Business, Consumer and Social Insights Area of Excellence. He and his team will begin by working with SMU’s Living Analytics Research Centre, LiveLabs Urban Lifestyle Innovation Platform, and the Centre for Applied Smart-Nation Analytics. These centres will provide ample opportunities for Professor Deng and his team to test and demonstrate the new cybersecurity methods they will develop.
Professor Deng’s research interests include data security and privacy, multimedia security, network and system security. Over his 30-year career, Professor Deng has obtained 26 patents and published more than 300 papers on cybersecurity, creating impact through his pathfinding research to solve real world problems. In January 2016, Professor Deng was recognised for his long history of professional contributions to the field of cybersecurity when he was conferred the prestigious IEEE Fellowship.
In addition to being a Professor of Information Systems, Professor Deng is also the Director of the Secure Mobile Centre, and Dean of Postgraduate Research Programmes at SMU.
The AXA Research Fund is the science philanthropy initiative of AXA Group. It aims to empower innovative and impactful researchers tackling key societal challenges to help people live better lives. It provides financial and public engagement support for projects dedicated to improving the management of risks related to ‘Life & Health’, ‘Data & Technology’, ‘Climate & Environment’ and ‘Finance, Insurance and Regulation’. Since its creation in 2007, the AXA Research Fund has supported 531 projects in 34 countries, with a commitment of €166 million.
The AXA Chair scheme is intended to support the development of a research area and to make meaningful contributions to the development of that research area in line with the host institution’s long term strategy. It aims at creating a full-time academic position in the host institution and fostering the career development of the professor appointed by AXA.
The official conferment of the AXA Chair Professorship of Cybersecurity was held in conjunction with the inaugural SMU Cybersecurity Forum. Professor Deng delivered the keynote speech on ‘The State of Cyber Threats and How to Fight Back’.
In an increasingly digitised world, where the emergence of the Internet of Things (IoT) has resulted in the computerisation of everyday objects, everyone from individuals to government organisations must take threats to cybersecurity even more seriously, said Professor Deng. “With the integration of cyberspace and physical space, anything that goes wrong in cyberspace will not only have an impact on data and information systems, but also on the physical world – including human safety and critical infrastructure,” he cautioned.
In the cybersecurity arms race, defenders invariably find themselves a step behind, said Professor Deng. “We are fighting an asymmetric battle, which is to the advantage of the attackers,” he said.
He outlined several reasons for this. First, today’s commercial operating systems are extremely complex, comprising tens of millions of lines of code; this translates into an increased number of vulnerabilities. Second, many legacy systems, designed in an era when security was not a major concern, are still in use. Third, there are not enough qualified cybersecurity professionals to design and implement new security measures.
On top of that, the defenders’ job is inherently more challenging than the attackers’. “Defenders have to control all vulnerabilities, whereas attackers only have to exploit one,” Professor Deng pointed out.
“The entry barrier for attacking is also very low – you only need a few people with expertise to come up with the attacking code. The rest can just purchase or rent stolen data, malware and attacking services on the internet, where there is a huge trade in these things.”
What can the good guys do? “Most importantly, we need strong public and private collaboration,” said Professor Deng. “In cyberspace, government agencies, tech companies and private organisations are all on the frontline.”
The public and private sectors, he said, should continue to invest in cybersecurity research and training. Researchers at SMU School of Information Systems, for example, work on various aspects of cybersecurity, including applied cryptography, network security, data security and security management, often in collaboration with industry, he added. In addition, the School’s bachelors, masters and doctoral degree programmes all offer cybersecurity tracks.
It will also be critical to raise awareness among the general public, he said. “Today, 90 percent of security incidents are due to a lack of user awareness. Internet users should be able to recognise danger signs – for example, we should have enough basic knowledge to verify that we are not transacting with a phishing site.”
Following his speech was a panel discussion on cybersecurity by Professor Deng; Mr Jean Drouffe, CEO of AXA Insurance Singapore; Mr Chai Chin Loon, Senior Director of the Cyber Security Group of Government Technology Agency; and Mr Mock Pak Lum, Chief Business Development Officer of StarHub. The discussion was moderated by SMU Vice Provost (Research) Professor Steven Miller.
For Mr Chai, a key challenge is determining the appropriate level of security to enforce. “Security involves balancing three axes: how secure we want to be, how much budget we have, and how much functionality we want to deliver,” he said. “These run counter to each other – if you need more security, you pay more and lose functionality, for example. We help government agencies craft security profiles depending on how much risk they are prepared to accept.”
Drawing a parallel to the air travel industry, which greatly improved its safety record through sharing information about faults and incidents, Mr Mock said that the cybersecurity field would benefit from doing the same. “I think it’s imperative that we as an industry do more sharing,” he said. “Perhaps there could be a platform for people to share securely, without damaging the reputation of parties who have been compromised.”
Mr Chai agreed, but said that sharing had to be done carefully. “Over-sharing could let the attacker know precisely how much you know, and how good your sensors are,” he said. “But being a community, we still have to share. There are automated protocols that allow threats to be shared quickly, and we should continue to promote these.”
Mr Drouffe said that information sharing would also be useful for the cyber-insurance industry. “There is little public awareness about the consequences of cybersecurity attacks,” he said. “On the insurer’s part, we don’t have enough data to be clear about how to price products, and what to give as a cover. With more data, we can be clearer about the risk.”
“Instead of physical assets, companies’ value is now increasingly in intangible assets such as data,” added Mr Drouffe. As such, business interruptions are now more commonly caused by cybersecurity-related incidents, with small and medium enterprises being particularly vulnerable, he noted.
To defend against ever more sophisticated threats, new tools such as the use of deep analytics to understand internet traffic patterns and user behaviour are needed, the panel agreed.
With the IoT becoming more widespread, it is now also critical to protect data integrity, in addition to data confidentiality, said Professor Deng. “Confidentiality refers to keeping data private; integrity refers to making sure that it is not changed or delayed during transmission,” he explained. “If confidentiality is compromised, a company’s reputation could be damaged. But if data integrity is compromised, there will be an impact on the real world – driverless cars, for example, could be affected.”
Building security measures into the sheer number of devices predicted to make up the future IoT presents a huge challenge, said Professor Deng. “We cannot have piecemeal solutions, each operating in isolation,” he reasoned. “That is not acceptable –we need automation and a unified system.”