Cybersecurity Roundtable

A panel of cybersecurity experts delivers the lowdown on why cyberattacks are increasing, and how AI attacks will be fought with AI technology in a “fight-fire-with-fire” scenario.

In this installment of New Jersey Business Magazine’s continuing Business Roundtable Series, conducted in conjunction with the New Jersey Business & Industry Association, we present a discussion on cybersecurity. Five experts in the field discuss today’s common digital threats, the growing dangers of AI coupled with supercomputing, and why employees are still the best line of defense against cyberattacks. It is a frank discussion with experts who are passionate about protecting their organizations from faceless foes who lurk in the digital underworld.

David Bader

David A. Bader is a Distinguished Professor and founder of the Department of Data Science in the Ying Wu College of Computing and director of the Institute for Data Science at New Jersey Institute of Technology. Prior to this, he served as founding professor and chair of the School of Computational Science and Engineering, College of Computing, at Georgia Institute of Technology.

Matt Darlage

Matt Darlage joined Citizens in August 2017 as the director of security engineering and architecture (SEA). In September 2021, he assumed the chief information security officer (CISO) role for Corporate Security and Resilience (CS&R) at Citizens Bank. He is responsible for Citizens’ information security program, which protects enterprise IT data and assets from various threats.

Darrin Maggy

Darrin Maggy of Integris is a Certified Information Systems Security Professional who helps organizations connect to, and solve, their information security challenges. He is a founding member and past vice president of the New Hampshire (ISC)² Chapter and is the New Hampshire State Organizer for the Cloud Security Alliance (CSA) New England Chapter.

Barbara Romano

Barbara A. Romano is the first woman to take on the chief information officer role at South Jersey Industries (SJI). She provides strategic guidance, leadership, and direct oversight at the corporate level for all technology and business information system initiatives for SJI and its subsidiaries. Romano is also responsible for advancing and sustaining the corporate infrastructure and network for new technology initiatives at SJI.

Hussein Syed

Hussein Syed is the chief information security officer (CISO) at RWJBarnabas Health. With decades of IT experience, Syed joined Barnabas Health in 2002 as a security architect. He later established the system’s first security program and led the creation of the security department. He serves on advisory boards and leads internal security committees at RWJBarnabas Health.

What are the most significant cybersecurity threats you are facing today?

Darlage: The big things for me are phishing, spear phishing, and ransomware. However, what really scares me right now are third-party vulnerabilities and exploiting libraries [a collection of pre-written code used to reduce the amount of code a programmer needs to write] that are compiled into applications that a company uses. The other thing is the amplification of AI. The technology has provided a way for attackers to get faster and increase the blast radius. The way that we’re looking at that is very simple: integrate technologies with machine learning (ML) to help us manage it.

Bader: At NJIT, we’re doing research on securing the open-source software supply chain, and it becomes harder when an exploit is not just a single library or package, but seemingly benevolent code that is inserted across multiple libraries that, when compiled together, become malware or malicious attacks. So, we are conducting research to try and discover those hard-to-detect vulnerabilities that could have a large impact downstream.

Maggy: From a threat standpoint, the thing I always see is human behavior. We’ve got malicious humans. We have careless humans. Statistically speaking, we have determined that 97% of all breaches can be solid-lined right back to a human action.

How often are businesses being attacked?

Syed: There are thousands, if not millions, of phishing emails targeted at people. It depends on the nature of it. Some of it could be just a wider phishing net, like sending a ton of emails, or it could be a targeted attack, which is also starting to become pervasive, where [a cybercriminal] scours social media to identify high value targets.

It may be a ransomware type of thing, compromising someone’s computer or trying to get money redirected into an offshore account, for example. So, we’re looking at thousands if not millions of attacks per day against organizations.

Darlage: With AI, the amplification of the attacks is spreading like wildfire. We cannot keep up with this unless we use the exact same technologies against the attacks.

Bader: According to Forbes, there’s been a 72% increase in data breaches in the last two years, and each data breach costs, on average, $4.88 million, so it’s quite substantial.

Syed: If you were to look at a 90-day period, it would be to the tune of 100 to 200 billion attacks that need to be taken, triaged, quantified, and processed down to actionable incidents. We’re fighting an adversary that plays by no rules. Anything is fair game for them, whereas we must follow processes, policies, and regulatory requirements.

What are the data risks in your specific fields?

Syed: If you look at an FBI report from last year, healthcare was the most targeted business sector, and that’s primarily because healthcare [information is] valuable. For that reason, there are lots of attempts to compromise systems. Then, there’s a preconceived notion that systems are not adequately protected, and that gives [cybercriminals] another incentive to attempt to compromise systems.

Romano: We’re a natural gas business, so our primary concern is protecting our customers’ Personally Identifiable Information (PII) data. We are heavily encrypted when it comes to storing that information. The other major concern is the pipeline. Our Supervisory Control and Data Acquisition (SCADA) systems are used to monitor the pipeline pressure throughout our entire system. That’s one of our primary concerns: just protecting that SCADA infrastructure.

Darlage: There’s been a sustained credential abuse campaign going against online banking websites for almost 10 years. It’s what we have to deal with. We’ve been focused on building a digital identity perimeter around that and docking that in with our applications.

One of the things important to me is the exploitation of elderly banking customers. My mom was subject to an elder abuse campaign. Thankfully in her case, the branch manager called me up because I was next of kin. They said, “We’ve got this,” but fraud here is absolutely out of control.

Syed: Regarding elder abuse, statistics from an FBI report last year revealed that the 50-to-59-year-old age group had $1.7 billion in losses and about 65,000 complaints filed; for 60-year-olds and up, it was $3.4 billion in losses and about 101,000 complaints. The 20-and-under age group lost about $40 million. So, it just proves that elder abuse is out of control. These people are losing their hard-earned money that they desperately need to live on.

Regarding AI, how smart could attacks become?

Bader: As we see with large language models – pick your favorite one, ChatGPT, Gemini, Claude, etc. – the sophistication that AI brings today takes phishing, for instance, from badly worded broken English emails to targeting specific individuals with carefully crafted messages that are taking in personal information, that may have been stolen in other breaches. Emails are being created that look perfectly unique and very realistic. We’re also now seeing audio, and in some cases video, which has been created through generative AI. These are sophisticated attacks. It’s very scary today and it is going to be quite a challenge for the foreseeable future.

Additionally, with AI, the rate at which [attacks] can be created has gone up exponentially. Rather than an individual being able to push one [attack] out every five minutes, they can now push a million every second.

Romano: We should also be thinking about AI in a positive way. AI can handle and understand data a lot faster than people. We can utilize AI to discover new threats that are coming in to advance our strategies and combat the bad guys.

How much would a small business pay to implement a cybersecurity strategy or technology?

Maggy: So much of it is based on the context of an organization: where we find them [in terms of operations]; is there any maturity to what it may have already implemented; was it cobbled together over time to react to things? There’s no hard-and-fast answer to the question.

What my team does first is gather the context of the organization. What does it do to remain commercially viable? Then, we look at the organization through the lens of risk. Once we understand your risk profile and the valuation of your assets … we rank things in order by their criticality. So, the first approach is always the same; we need to understand.

Are you experiencing a shortage of highly skilled cybersecurity experts?

Syed: Cybersecurity is still facing a talent shortage, and that’s going to stay for some time – until we get to entice more people into the field. You may find a skilled professional who you can bring in, but it takes time for them to get to know your business and how to adapt to it. Growing talent from within your organization is the best way to cultivate that long-term retention.

Romano: For the longest time, I would agree that we were seeing a shortage. We’ve approached that by developing a robust intern program. Probably 50% [of our staff] have come through our internship program.

Bader: The US Bureau of Labor Statistics lists cybersecurity professionals as one of the most in-demand jobs, with average salaries over $120,000. At NJIT, we have a number of degree programs [for students interested in careers in the field]. We have a Master’s Degree in Cybersecurity and Privacy and a Master’s Degree in Information Technology, Administration and Security. We are one of the largest producers of computing talent in the tri-state area. Many students are getting great jobs in the region and around the world. In fact, NJIT is designated as a National Center of Academic Excellence in Cyber Defense by the National Security Agency.

What thrills you about your jobs?

Romano: I have spent 30-plus years in the technology field. I could not even have imagined all the changes that have happened over the course of my career. I look at this field optimistically; it is always evolving … I can’t imagine a day where it’s not evolving. It is very rewarding to work with a group of passionate individuals who want to come to work, solve problems, and meet our customers’ needs.

Syed: There’s never going to be any shortage of excitement in this field. A person [must] love change because change is the dynamic here. This is where passionate people come together, who love to work together, and everyone feeds off that energy.

https://njbmagazine.com/monthly-articles/cybersecurity-roundtable/

David A. Bader
Distinguished Professor and Director of the Institute for Data Science

David A. Bader is a Distinguished Professor in the Department of Computer Science at New Jersey Institute of Technology.