Posts

Showing posts from 2020

David Lindsay Prize and Linux Security: Giuseppe Raffa

As those who attended the recent (December 2020) online Hewlett Packard Colloquium event at Royal Holloway already know, I had the great privilege of being awarded the David Lindsay prize for my Information Security MSc thesis, which I completed at RHUL last summer. As I begin my PhD studies at the Royal Holloway CDT, I must confess that I am honoured, and this prestigious award is undoubtedly a wonderful encouragement for the future. Before saying a little bit more about the motivation and the challenges of my project, I feel that I have once again to express my gratitude to Dr Daniele Sgandurra, who was my supervisor and constantly supported me with invaluable comments and suggestions. My MSc thesis was focused on testing Linux-compatible anti-virus (AV) solutions available for desktop computers. This topic attracted my attention a long time ago when I realized that many Linux users consider AVs unnecessary, arguing that this operating system is “malware-free”. A more in-depth anal

Openness and offensive cyber: Neil Ashdown

Offensive cyber capabilities are among governments’ most closely held secrets. As such, a public speech by a former senior intelligence official about these capabilities is rare. It is even more unusual for such a speech to call for more open debate on the topic. On the 10th of November, Ciaran Martin gave a speech entitled ‘Cyber weapons are called viruses for a reason: statecraft, security and safety in the digital age’. Although he spoke in his capacity as a Visiting Professor at King’s College London, Martin had an illustrious career in UK government, including as the founding chief executive of the National Cyber Security Centre (NCSC) in 2016. The UK intelligence agencies have been moving towards greater public engagement. Sir Alex Younger, then the chief of the Secret Intelligence Service (SIS), gave what the service described as a “rare public speech” on the future of espionage at the University of St Andrews in 2018. His successor, Richard Moore, retained his personal Twitte

Royal Holloway researchers have found serious vulnerabilities in the messaging app, Bridgefy, which could have significant consequences for its users

The messaging app has been advertised for use by people across the world during large-scale protests when normal forms of communication are down, for example due to a government-mandated internet shutdown. The developers of the app reported increased uptake from several sites of protest such as Hong Kong, India, Iran, Lebanon, Zimbabwe, and the US. The academics from the Information Security Group (ISG) at Royal Holloway found that Bridgefy did not design and implement their application with security in mind and have proposed that Bridgefy should make use of an established cryptographic library. The main flaws found by the researchers in the ISG, Lenka Mareková (CDT student), Jorge Blasco, Rikke Bjerg Jensen and Martin R. Albrecht, were that Bridgefy did not implement some necessary cryptographic protections and that some cryptographic protections were implemented incorrectly. They also found that the protocol was not designed to minimise information leakage, and its robustness ag

In the search for a bug: Jordy Gennissen

As a young technical researcher starting my CDT, I was working on detection of synthetic bugs. All went well, but when presenting this work to my peers at Royal Holloway, I received an unexpected question: What is a "[computer] bug"? Even though the work I presented had clear boundaries to what I was searching for (SEGFAULT crashes), it alluded to the more fundamental question. When is something considered a bug, or a vulnerability? I had hoped for a quick and insightful DuckDuckGo search, but even Google did not have a satisfying answer. But how can we really understand these concepts if nobody has succeeded in properly defining them? A few brilliant pieces have been written around that time, referring to weird machines. Weird machines are conceptually the state a computer program is in when a bug or vulnerability is triggered. This notion was introduced to try and reason about the abuse of bugs more generally. The idea here is that a weird machine might be easier defined or mo

The Rise of the Cyber Women: Amy Ertan

The Rise of the Cyber Women is a collection of non-fiction pieces from women in cyber security.  From personal stories of development to advice on entering the industry, the book provides inspirational accounts of determination and real-life career navigation in the field. CDT student Amy Ertan authored a chapter on ‘Postgraduate Study in Cyber Security’ to provide an informative and candid account on the journey through academia. Introduction: I recently had the pleasure of contributing to a book providing perspectives on women’s  journeys into cyber security. I was delighted to be able to shape my contribution towards an examination of academia and outline the journey through post-graduate programmes. I was motivated by the fact that academia can seem inaccessible to many and information is scarce if you do not know where to look. I wrote my chapter with the aim of passing on all the advice I would have loved to have been given, to hopefully encourage potential talent into the field

I really couldn’t imagine doing my PhD anywhere else - Dr Joanne Woodage

Looking back at my time in the CDT, I really couldn’t imagine doing my PhD anywhere else, and I feel very grateful for the many opportunities it has presented to me. Not least that it accepted me as a student in the first place! When I graduated from the University of Manchester with a Mathematics degree in 2013, I had no idea what I wanted to do. Having spent much of the next year failing to ‘find myself’ on a backpacking trip around Asia, I stumbled across cryptography and wondered if this might be a way that I could use the pure mathematics I had enjoyed in my degree in an applied context. I’d never done any formal work in cryptography and my computer science skills didn’t extend far beyond a cursory grasp of Excel, so I feel very lucky that the CDT was willing to take a chance on a student with a lot of enthusiasm but very little concrete experience. The CDT attracts students from a real mixture of backgrounds and areas of expertise, and the diverse cohort this creates is o

Cyber 9/12: Why We Fight* Learning from competition. By Robert Carolina, Senior Visiting Fellow

Once again, 2020 was a great year for CDT student participation in the Atlantic Council “Cyber 9/12 Strategy Challenge.” The third annual competition in London was the toughest to date, starting with a competitive entry process. Of more than 30 UK-based teams who applied, only 17 (including two teams from RHUL CDT) were selected to compete. One of our teams went on to the Final Round of this year’s competition, placing third. Convened in different locales around the world, teams of four students simulate the high-pressure task of analysing available information about cyber security threats, synthesising it, and briefing senior government officials with findings and recommendations. The competition relies upon information sources assembled into a briefing pack such as (real) research reports, (real and simulated) online media, (real and simulated) private sector threat analysis, (simulated) classified government intelligence reports, and even a (simulated) television news

One of the most beneficial features of the CDT programme is that it's multi-dimensional. Dr Carlton Shepherd

From the training sessions in the first year, to the various industrial presentations and visits throughout, I found it invaluable to be exposed to a wide variety of areas within information security. Studying alongside peers focussed on a diverse set of interests---cryptography, systems security, programming language security, geopolitics and many others---provided an endless source of interesting discussions and viewpoints that, I believe, wouldn't have been available elsewhere. Another major benefit of the CDT, in hindsight, is the opportunity and, indeed, expectation to present one's work regularly, whether it be at the CDT Showcases, internal student seminars, or external events, such as conferences. Learning to shape presentations to diverse audiences has been invaluable following the conclusion of my PhD, where I have been required to present to a machine-learning expert one week and the Chief Technology Officer (CTO) the next. Frankly, I found presentations to be nerv

Training the cyber security leaders of tomorrow.

Partnerships between industry and academia are key to plugging the digital skills gap, says Professor Keith Martin in this article that was produced for 'The New Statesman' in May 2020. It is well accepted that the UK, and indeed the world, is short of cyber security skills. This shortage applies to everyone, ranging from the everyday understanding and practice of cyber security by the general public through to the more sophisticated degree of cyber security awareness necessary for policymakers and business leaders. I hope the pandemic has reminded us that society cannot function without experts, and also that we are short of them. This was recognised early by the UK government, which included, among the many initiatives it launched off the back of the 2011 National Cyber Security Strategy, funding for two Centres for Doctoral Training (CDTs) in cyber security, one of which we have been hosting at Royal Holloway, University of London, since 2013. So what are CDTs, and how do