Tallinn University of Technology (TUT) opened a new Center of Digital Forensics and Cyber Security on November 12. The Center will offer technical advice, academic education and training programs, conduct cutting-edge research projects, and raise public awareness of cyber security risks. ERR news interviewed the center's co-leader, Olaf Maennel, to learn more about the newly opened center and the cyber security issues, as well as about his personal connection to Estonia.
Maennel is an expert in network security, active measurements and topology modeling. He took up the position at the TUT's Department of Computer Science in July. At TUT, he is responsible for the Master's program on cyber security, and is developing a new course in cooperation with the University of Adelaide, Australia.
You have previously worked in the UK and Australia and you have an excellent CV, which would allow you to work anywhere in the world. So why choose Estonia?
My wife is Estonian. In the long run, we wanted to go to either Germany or Estonia. But the positions that suit me, are not very widespread, and even though Germany is a lot bigger than Estonia, they are rare. So I chose for personal reasons, but Tallinn University of Technology is also a famous university in my field. Perhaps not like Stanford and Oxford and some others, but Estonia, and the university, have made quite a significant contribution to my particular area, so it is a very good place to be. I was very lucky and fortunate that it worked out both in the personal and professional sense.
You have been here for a few months now. Have you noticed any striking differences compared to the UK and Australia, where you have taught quite a lot? Something that immediately sticks out either in the university system or when you think of the students?
Many of the students here have professional backgrounds and they actually know what they are talking about. So that makes it rather more pleasant. You have a broad spectrum of students, some come straight from high school, but some of the students are also highly motivated. While in other places I had the feeling that people subscribe to a course without really knowing what they are getting into.
The new TUT Digital Forensics and Cyber Security Center that was just opened, aims to develop the cyber security field, according to the official endorsement. However, the field is really vast, stretching from individual devices to state systems. Does the center have a narrower focus?
The cyber security center is like a vehicle to enable research in this area. It is a vast field and we also want to grow a lot. And our time is certainly limited, we only have 24 hours in a day, so we cannot do everything, especially when you get to the research forefront, where making a real change takes a lot of time. But this gives us the space to explore and I guess all the researchers and collaborations we can bring here, contribute to this area.
I have worked a lot on network security, I will probably continue working on it. [Associate Professor] Rain Ottis has worked a lot on exercises, including tabletop exercises, strategic planning and also jointly with the military - these are all complimentary areas and fit into the center. Will it cover everything? No, there is more in cyber security to be done. We cannot do everything. But hopefully we will be able to grow, get postdocs and more people to work in here.
There is a state contribution to the new center, the authorities are clearly very interested in this field. Estonia is actively marketing itself as a prominent power in the cyber security arena. Looking from a purely academic perspective, do you find the talk of “prominent power” to be true? If you didn't have first hand connection to it, would you think that good research comes out of Estonia in this field?
Estonia is very famous for innovation and IT, not only in cyber but in a broader sense. This includes the digital lifestyle, digital society, the Estonian ID card and everything else that is innovative. I think this stereotype of Estonia as an IT country is well known; like the Germans are well known for drinking beer. I think the expectation that world-leading research comes out of Estonia, is also true. Our group is fairly small at the moment, we are only building up the center. Hopefully, as we get more people on board, we will also be able to produce world class, internationally recognized research, so we can fulfill the expectations of the Estonian government.
Cyber security is an internationally growing field and there are large amounts of money put into it, partly because there is a constant buzz going on about “cyber war” and “cyber terror”. Do you find that emphasizing this side of cyber security takes focus away from more mundane problems like digital identity theft?
I think there are lots of things being done in all areas. Yes, I agree that in some point the discussion about the cyber wars is the question of how people discuss it, especially after [Edward] Snowden and all that. And it is being discussed a lot. Certainly, real solid research is needed in all fields, but I think it is also happening in all fields.
Obviously there is the NATO center here and there is a lot of potential and expertize in Estonia in this area, but I think the government is still funding a broad spectrum. I can only talk about certain governments, I don't know about the others.
What in your opinion are the most pressing cyber security issues today? If you could start three projects here at TUT tomorrow, what would those be? Or your personal favorites, things that you would want to include in its research portfolio?
My personal favorite is obviously network security, which also links to computer security and operating system security, which, although not my personal favorite, is also very much important. I also agree that training is very important, especially for the university, and this is something that the center also tries to focus on - providing really strong training aspects. And I think a lot of innovative research that can also be done on the teaching methods. In a sense, the internet has revolutionized the way we communicate, so it should also impact how we teach. Those might be my three projects.
Talking about Estonia's experience again, since the first ever “cyber war”. It is common knowledge that the state websites, news portals and banks were taken down by relatively simplistic methods. Compared to 2007, how much more complicated would it be to stage a similar-scale attack today?
The methods at that time were very simple indeed. It might have been down to a bit of marketing to brand it a “cyber war” but still, today we observe the same things from all kinds of simple methods to very complicated things. Snowden has revealed what fancy technology is actually out there in this field.
Now we have reflective DDOS [Distributed Denial of Service] attacks and so on, they are more sophisticated and there are different forms of them but they still exist in the same way and they are unfortunately still happening.
Can you think of any systems, policies or strategies that Estonia could implement, that you, with the short time-period you have spent here, feel are lacking?
I think you have pretty smart people working here. I cannot say - right, there's a big flaw here. There are always little things but, as far as I can see, I think the people in charge are actually pretty smart people, who understand their field quite well. I think that is rather amazing. Given that Estonia is playing with new lifestyle digital ID card and so on, any time when you implement such a system on a country level, you take an enormous risk by it. To make it work that well, I think is actually something pretty astonishing. There are people working very hard to make it the best system there is.
Do you think that being so reliant on different digital systems in the everyday running of the state makes Estonia more vulnerable?
I think potentially yes, that might be the case. There are always some advantages and disadvantages. But yes, it's a question of who is going to attack and it could mean potentially more problems. But we don't know yet.
To be honest, I’m so involved these days with risks of IT systems, that I have completely forgotten how corrupt ‘traditionally operating’ governments can be. Even in some well-known European countries government have problems with the way they operate - corruption, etc. So yes, Estonia could potentially be more vulnerable from an IT perspective, but overall it could mean a less vulnerable government - or maybe it is “just” a vulnerability in a different way.