Cybersecurity in the cyberisland
In Mauritius, we have 7000 people who work in the IT sector. There are many web developers, enterprise software engineers, and infrastructure engineers (sysadmin/netadmin). However, there are very few security engineers.
Most companies in Mauritius tend not to think about the security of their infrastructure. Paradoxically, most are increasingly relying on their IT infrastructure to store/retrieve/manipulate their data, which is often sensitive. This has led to very few job openings for security experts. Many still think that security is an "add-on" that they buy. Few realise that security is woven into the development process of the software they are developing for their clients, until the client loses faith due to a security flaw.
Recently, two LUGM members and I decided to organize a Security Contest. The goal was to defend and attack a server via the Heartbleed vulnerability to steal sensitive information, such as private keys. After doing a short presentation on Heartbleed, we gave ample time to participants to come up with working code and a reasonable explanation. Heartbleed is fairly old: it happened in 2014.
Two months later, we still hadn't received a single submission. I grew very worried about the current situation in Mauritius. The implications are far-reaching: most IT workers have little understanding of how vulnerabilities work. There are many self-proclaimed "Hackers" and "Security experts" in Mauritius. However, none of them are able to understand Heartbleed in a detailed manner. Most IT professionals are unable to distinguish between a security expert and someone who is not. In case of a cyberwar, Mauritius would be at an immediate disadvantage.
Developing a local security expert talent pool is one of the key pillars of a "Cyberisland". The rise of the Internet of Things, where almost everything can be hooked to the internet, has many implications in terms of security. A "smart" car can be hijacked, and people killed. We need security experts who can understand the small details of security flaws and come up with reasonable counter-measures to protect our cyber infrastructure. This requires a LOT of mental effort and time investment. However, I get the impression that most students are more interested in Computer Security as a fashion trend. Few want to do the hard mental work.
Sadly, I noticed the same attitude with professionals working in the IT sector. Many prefer to copy, without any thought as to what is really happening underneath. They rely on work done by others, instead of making the mental effort needed. A good way to test a security expert is to show him a piece of vulnerable code, and ask him to write an exploit for it. The contest that we designed followed this principle. It encouraged participants to think about the code that they are copying from the Internet.
The net result is that this has negatively impacted the image of security experts from Mauritius. I spoke with a friend who resides in Switzerland, and he told me that he had read about the security experts from Mauritius. Upon close examination, he wasn't impressed at all. The lack of skills is obvious, according to him. To be fair, I pointed out that at least 2 Mauritians did understand security to a very good level. Looking at the overall picture, we still have a long way to go to secure and protect our Cyberisland.