Skip to main content

Deepa Kundur is a professor of electrical & computer engineering specializing in cybersecurity and chair of the Division of Engineering Science at the University of Toronto

Cyberattacks are nothing new. Threats have always existed. Defences have been devised. This is not due to the technology of the day. This is the dynamics of human nature.

But technology does prescribe the way in which attacks can be applied and their impact on our lives. Our development and dependence on information technology has enabled unprecedented opportunities for situational awareness, global connectedness and remote decision-making, while these same advances, as we witness daily, can be exploited by nefarious parties.

WannaCry: How to protect yourself, what's happened so far and what could happen next

For the foreseeable future, cybersecurity is a problem here to stay because technological innovation outpaces risk management. There is no single rapid fix and it is unrealistic to hamper the pace of advancement as a solution to protect ourselves. Cybercriminals are repeatedly proving to be more technically agile because they are not restricted by regulation. Cyberattacks today are stealthy, polymorphic and patient. This means that it is increasingly difficult to detect their deployment and track their propagation. They conduct reconnaissance, gathering critical data on the information systems they infiltrate for strategic execution. These forms of attack thrive on the siloed management of our infrastructures, exploiting our partial knowledge and visibility to propagate undetected.

Will cyberattacks continue to get worse? For the short term, yes. The threat landscape is ever-changing and risk-mitigation best practices are not mature. An attack-defense equilibrium will likely be established, but how we address cybersecurity in Canada now will affect where this equilibrium will lie – promoting an open proactive environment or one that is guarded and reactionary.

What should be done? Co-ordination is crucial. Innovation is critical. Education is essential.

There needs to be a cultural shift, in which all stakeholders view the integration and dependence of information technology in a holistic sense where cybersecurity is a necessary, ongoing process. This involves acknowledging that cyberattacks are not a matter of if, but when. Stakeholders must become comfortable prioritizing critical assets and developing strategies for protection, crisis management and recovery. A more concerted effort on the part of technological developers, consumers and legislators to achieve a common goal of security is essential. This involves empowering all stakeholders, especially private citizens, to understand how to protect themselves and help limit the spread of attack to others.

Moreover, we need to develop tools and techniques to more easily identify interdependencies among the cyber, physical and social systems as well as better understand, predict and mitigate the impacts of a cyberattack on these domains. The areas of machine learning and artificial intelligence show great promise for this task. The multidisciplinary field of cyber-physical-social systems engineering allows for a more comprehensive understanding of the cyber-rich critical infrastructures we depend on today to enhance their resilience.

Education needs to reflect these emerging needs. Students must be trained to tackle technical challenges that do not yet exist. We are witnessing a convergence of previously siloed domains including information, operational and consumer technologies, hence multidisciplinary perspectives are important. Our future work force should be educated to rapidly apply existing knowledge to different domains and acquire new information quickly.

From a personal perspective, I can say that this has largely informed the development and evolution of the Engineering Science program at the University of Toronto, where I currently serve as chair. We leverage broad institutional strengths and the thrust toward improving diversity within engineering at the University of Toronto to produce graduates with the knowledge, skills and vision to be technical leaders globally. Adding to our existing variety of multidisciplinary majors, we are currently developing a new specialization in machine learning and artificial intelligence.

In the same way, there are opportunities for Canada to successfully address cybersecurity on a national level by leveraging the growing investment in innovation, a culture that embraces diversity and an emerging artificial-intelligence community that includes Toronto's Vector Institute. It is human nature to overcome obstacles and thrive and I believe that we have the foundation to enter a cyber-resilient brave new world for Canada.