Sunday, December 27, 2015

Jorge Ramió: "There's a looming threat over critical infrastructures"

Jorge Ramió. Professor of security and criptography.

If there is an archetype of venerable university professor in Spanish computer security community, Dr. Jorge Ramió Aguirre is definitely that one, from the Department of Information Systems of the School of Engineering Systems at the Polytechnic University of Madrid (UPM). We may read on his personal website that he is just 64. His son is "also an engineer, MBA and deejay", as the doctor details via mail.

Small complexion, Dr. Ramió affectionately reminds us Speedy Gonzales because of the constant stream of energy he generously pours in the creation of interesting projects, which have put the UPM on the map of the Spanish hacker community. When George is not organizing a security conference, he is turning his crypto lab software into an eBook. Or imagining new multimedia lessons about who Alice and Bob were and what did they do with the keys. It's all public and free. Definately, it's really, really hard not to get passionate about this passionate man.

- How do you do to be always smiling?

- It Is the fact of being happy with what it's done. Knowing that you are contributing with something to the universal culture, even if slightly, something that will serve someone; being always with new projects to be thought and renewed. And obviously having a family that supports you, because they know that all this time dedicated to information sharing for free, makes me feel happy, helpful and fulfilled.

- Your most renowned project is Criptored.

- It was born on 1999 December 1, with the main objective of becoming a social network of computer security professionals, and a website to share information, not only in Spain but throughout Latin America. In February 2015 it reached over a thousand members, representing 23 countries, and in September a professional group on LinkedIn was created, up to 1,887 members in just three months.

During 16 years, Criptored has been leading various projects related security divulgation: 8 CIBSI congresses in different countries of Latin America, the visual encyclopedia of information security Intypedia, the first MOOC in Spanish Crypt4you, the Information Security Teaaching Map MESI, Thoth training pills, online training with leading experts as guest lecturers.It also has delivered for free more than 5 million documents on the Internet.

- Why did you turn it on?

- It waas born after a discussion via mailing list between several security proffesors in mid-1998, about which area of knowledge was most appropriate for teaching security and cryptography. I noticed that we were a good number of teachers excited and interested on exchanging our documentation, and I wondered why not to centralize all that effort on a webpage, since there were still no social networks.

Moreover, I saw that this could help many colleagues and friends from other universities in Latin America that were a few years behind Spain on issues like teaching information security. In recent years Dr. Alfonso Muñoz is colaborating with me, and from the beginning I'm so lucky that another university colleague, Mr. Daniel Calzada, is joining this project.

- What is the secret of that success?

- The love we put into things to go well, and something that has a very little value here in Spain: innovation. I show these three examples: The Intypedia project, born in 2010, was the first to teach security through videos with avatars and we are reaching 600,000 views on YouTube. We could not go on due to lack of sponsor. The MOOC Crypt4you 2012 was the first in Spanish and almost simultaneous with the start of the MOOCs in the United States, long before the MOOC's fever invaded the Spanish universities; it is an active project and we are also around 600,000 visits.

Finally, training pills Thoth with the financial support of Talentum Startups to pay interns and born in 2014, was one of the first of its kind and there is no other similar example in the Spanish language. Keeping the proper proportions, the closest would be Khan Academy, but the budget difference is astronomical. With over 30 published pills and 55,000 views on YouTube, the goal is to continue publishing at least one pill a month. These media scope in other countries could be considered worthy of an institutional support, but not here in Spain. Moreover, in the field of academic recognition this work is useless.

- When I talk to young professionals in computer security, college educated, they always tell me that they can only learn by practicing. Does that mean that college teaching is wrong?

- In security is very difficult to cover many aspects in two or three subjects, even in the best case that some college has those three subjects. And it get worse if we speak about practices. As there is not a longer route or expertise in security, in the end you have to choose to impart the basic knowledge on security, encryption, regulatory, security management, network security... and you can not give more, leaving out many other topics that are interesting for the performance of a professional security and, of course, most of those missing practices.

Due to the high demand for cybersecurity experts and interest of young people in everything about it, from a few years ago there should be a university degree in security, but no one dares to take the step, even when they are all crazy about security masters: there are already 26 in Spain, and growing up.

We have dozens of issues to make an excellent security engineering degree, but the trick is to have a dozen expert teachers, even more in the current situation of Spanish universities where there is no generational change. The young people and security experts can earn three to four times more in other sectors.

- Your projects Thoth, Intypedia o MOOC Crypt4you, using audiovisual and distance learning, are a sample of how you would teach security in universities?

- Yes, in fact the aim of Thoth project is to generate a large multimedia book that can encompass many issues of security and that, by itself, sets up a complete teaching tool. I usually use that material in my classes and is crystal clear that this is an added bonus. In fact, I know that there are teachers in Spain and Latin America who use Thoth pills and Intypedia lessons to start a topic and draw the attention of their students.

- You are also author of Information Security Teaching Map MESI. Is the security teaching well covered in Spain?

- We have made some huge progress in the last five years, reaching 229 subjects dedicated exclusively to security and 89 of them are required, what is already a great success, other 122 courses partially devoted to these issues and as I said 26 masters. There are always unfinished subjects to address current topics such as malware analysis, reverse engineering, machine audit, industrial security, forensics, pentesting, critical infrastructure security, APTs, etc.

- Each day we woke up with 3 or 4 serious security news. What are we doing wrong?

- Learn this maximum: security is never possible at 100% by nature. We talk about security as a dynamic process that adapts through continuous improvement, so nothing will ever be completely secure. On the other hand, it is much easier to destroy than to build.

The problem that lies ahead is the so-called cybersecurity environment, misnamed by some who confuse it with network and information technology security. Cybersecurity unites IT world with machines and industrial systems OT world. The main aspect is the control of equipment and systems from OT world by IT systems and devices. That's the origin of word cybernetics and therefore 'cyber'. That is the great threat on critical infrastructure, because we are not talking about my PC infected by a virus (80), or the corporate network destroyed by a worm (90), even not only failures in global networks and cybercrime (00 years), but the critical infrastructure of a country, whose damage can affect a large population and even cost lives (years 10).

Text: Mercè Molist


Post a Comment