Professor Valtteri Niemi has enjoyed a long career as an expert in information security at the University of Helsinki’s Department of Computer Science. With the increasing complexity of information security threats, close attention is required from technology developers, users and regulators alike.
New applications collect user data in ways that compromise information security. We do not know for sure what an application like the Chinese-owned TikTok does with the data it collects, which has raised concerns and even led to the app being banned in certain workplaces. Usually, companies claim to collect information to improve the user experience.
“We have no hard evidence that these services misuse data, but users should be aware of the risks,” says Niemi.
However, he believes that similar privacy violations through data collection may be committed by actors closer to our daily lives.
“It’s easier to prevent external applications from having access to sensitive information than to do so with service providers such as Google that are almost impossible not to use.”
Commercial companies have used the information they collect primarily to target advertising.
“They are good at making customers want things they don’t even need,” he remarks.
Post-quantum information security
Information security may be transformed with the development of quantum computers. They can easily crack current encryption techniques, as they are better than classical computers at solving certain mathematical problems, such as factoring large numbers. If their use becomes widespread, quantum computers may render current technologies obsolete in an instant.
“Right now we aren’t in a massive hurry to update our information security to withstand quantum computing. Quantum computers are still far away, and few algorithms have been developed for them. They are able to crack certain encryption techniques, but for the time being we have countermeasures in place,” Niemi explains.
In terms of information security, Niemi thinks an even bigger problem than quantum computers is the fact that large systems have a great deal of legacy vulnerabilities.
“New solutions have been built on old technologies with the mindset of ‘if it ain’t broke, don’t fix it’. When encryption systems reach a certain age and updates are not extensive enough, people fail to notice in time how vulnerable their systems are to being cracked.”
Information security can also be jeopardised by untrustworthy technology. For example, AI-powered software can be misled, at least for now, with carefully selected data. Cybercriminals always seek to exploit weaknesses, and it is difficult to thwart all of their attempts.
“We don’t actually need special experts to analyse the threats of potential misuse. We just need to understand the functionality and usability of systems.”
It is also important to understand that no single solution can address all information security requirements. Information security requires our continuous attention and adaptation to changing threats.
Use of blockchain still in its infancy
Some people have been optimistic about the potential of the increasingly popular blockchain technology to meet the challenges of information security. Its complex cryptography would at least involve no weaknesses other than those potentially brought about by quantum computing.
However, blockchain cryptography has not fully delivered on its promise to enhance information security. Instead, it has been used mostly for other applications.
“The fundamental problem is that no one verifies whether the data entered into a blockchain are correct or if the copyright to, say, an image is respected. Once encrypted information is in the blockchain, it’s there forever,” Niemi says.
The use of blockchain technology is still in its infancy in terms of establishing the origin of information. Today, the technology is used extensively in illegal trading and other activities that do not bear closer scrutiny.
“But the most natural fit for the technology is financial transactions and currency management,” notes Niemi.
Another major problem is the environmental burden posed by the demands for more and more computing power. The continuous mining involved in blockchain technology consumes an ever-increasing amount of energy.
“The price of mining is too high to enable the technology to be developed properly.”
New networks require new kinds of authentication systems
The introduction of 5G and 6G wireless networks creates new challenges and opportunities for information security. Authentication plays a crucial role in the introduction of these networks by ensuring that the device or user connecting to the network is authentic and authorised.
“The user or device must first identify themselves to the network. But authentication is needed on both sides, and we should verify that the base station is genuine and protected and that no one is listening to or interfering with it,” Niemi says.
“With 5G, mobile devices can for the first time perform mutual authentication without first revealing their identity to the base station.”
One of Niemi’s particular research interests is the security of location-based services.
“Several applications and services continuously collect data on user locations, which raises questions about how these data are used and protected,” he says.
One way to protect the privacy of such data is to process them without revealing the details of individuals or their exact location.
“With differential privacy, it’s possible to generate a dataset resembling the original data at a general level, but not revealing detailed information on individuals or their exact movements. This way, geographic information can be collected and analysed usefully for the purposes of research or service enhancement, while protecting privacy,” he notes.
High demand for information security specialists
The most significant recent change in the cyber threat landscape has been the shift from individual hackers to states. Information security is under threat from all major powers, from Russia to the United States.
“Research doesn’t really focus on the source of the threat,” as Niemi puts it.
What is more, the lack of IT experts poses a significant challenge. Many more experts are needed to plan and monitor cybersecurity and take appropriate countermeasures.
“Large corporations need experts, smaller ones need expertise,” Niemi concludes.
Recently the Finnish Ministry of Education and Culture awarded €2 million of funding for universities to educate more cybersecurity specialists. To meet the growing needs, collaboration between universities will be increased and training optimised.
As for Niemi, he is looking for someone to take over his professorship after he retires a few years from now.
“We’re trying to recruit my successor in good time before my retirement.”