Evolving Threats

Sean O’Brien says cybersecurity used to be seen as a niche issue in many business sectors, but has become a central concern.
As high-tech businesses grapple with the implications of artificial intelligence (AI) — and workers worry what that might mean for their job security — those who work in cybersecurity may have reason for optimism, Sean O’Brien said.
“Even though we’ve seen a shift, certainly, in IT careers around AI — folks getting laid off and so on — cybersecurity is still humming along. It’s one of the hot industries, essentially,” O’Brien, director of Cybersecurity at Bay Path University, recently told BusinessWest.
A few days earlier, O’Brien had led Bay Path’s 13th annual Cybersecurity Summit, where he and other experts discussed how artificial intelligence is reshaping cybersecurity, education, and workforce development, and what all that means for career paths in this quickly evolving field.
Some young people might be scared off by what they perceive as the highly technical nature of cybersecurity, but he emphasized that the field, and the work being done within it, is strikingly diverse.
“One of the reasons I keep emphasizing the non-technical nature of cybersecurity is because I think that tech can scare people,” he said. “First off, we’re talking about things that are actually scary — things that keep me up at night. But also, people don’t want to feel like they’re going to be a code monkey, so to speak, sitting at a keyboard all day. So I try to emphasize the more exciting cases, the sort of weird and interesting stuff that we can do in cybersecurity.
“Cybersecurity is wide-ranging. There are people who analyze malware — they look at what’s in our software and how it spies on people and breaks their stuff and steals their info, or even drains their Bitcoin wallet, those kinds of things. There are folks who do digital forensics work — they may be looking at evidence and preparing it for a court case or even just an investigation or an audit of an organization.”
Then there are people who work at security operations centers like the one now located at the Richard E. Neal Cybersecurity Center of Excellence in Springfield, which help organizations detect, prevent, and respond to threats.
“That’s a burgeoning field, being the individual who looks at a dashboard, sees all the information coming in, and makes conclusions and reports and even post-mortem analysis,” O’Brien explained. “Even after something has gone wrong, you need the individual who’s going to say, ‘well, here’s how it went wrong,’ and provide that report to the C-suite in an organization.”
Then there are individuals moving to cybersecurity from other fields — or vice versa — and incorporating it into other disciplines.
“I want to have folks who are managers, essentially, who are able to take all of this information, come up with security plans and risk management scenarios, and talk about security architecture and those kinds of things, because those don’t change no matter what goes on with the technology,” O’Brien told BusinessWest. “In my time — and I’ve been doing this since I was a kid, essentially — I have seen technology shift so much, but the fundamentals don’t change.”
In short, it’s a field broad enough to welcome people from any discipline or interest, and that, combined with the fact that it’s certain to remain important, makes cybersecurity an attractive career option.
“You’ve got to have the hunger for it, certainly,” he added. “That’s why it’s always fun to be around other cyber folks, because they’re always energetic.”
Future Shock
The keynote address at the Cybersecurity Summit was delivered by Scott Shapiro, a professor at Yale Law School. O’Brien met him years ago when he worked there, and the two of them co-founded a cybersecurity lab for Yale law students.
“We took folks who are non-technical, primarily — great legal minds, certainly, but not technical people — and we got them to use the command line. We got them to do hacks on their own,” O’Brien said. “We would say, ‘here’s why strong passwords are important. By the way, here’s how to crack a weak password.’”
Now in charge of Bay Path’s cybersecurity program, O’Brien is passionate about sparking that interest in young people.

Sean O’Brien (right) conducts a ‘fireside chat’ with Yale Law School Professor Scott Shapiro about advances in cybersecurity and AI during the recent Cybersecurity Summit.
“Bay Path, an amazing program, really has an innovative approach, which is one of the reasons they recruited me,” he told BusinessWest. “They said, ‘hey, you’re doing some cool and interesting things with cybersecurity, we’re doing cool and interesting things with cybersecurity, so let’s hang out.’”
Shapiro’s address — and ‘fireside chat’ discussion with O’Brien — touched numerous times on the role of AI in cybersecurity, and why it’s not all bad news.
“The first thing is to recognize that every tool can be used for good or for bad. A gun can be used either to defend yourself and your family in your home or to hold up a convenience store. And encryption — we love encryption when it protects our private communication; we hate it when it’s called ransomware,” said Shapiro, who is also the author of Fancy Bear Goes Phishing: The Dark History of the Information Age in Five Extraordinary Hacks.
He applied the same message to AI, after a quick history lesson explaining the difference between classical AI and generative AI, which is a much more recent phenomenon.
“AI has been part of cybersecurity for such a long time. You had very basic symbolic systems that helped detect for intrusions and exploitations. In the 2010s, you could not walk through a trade show without people telling you about their AI that protects everyone, and that was machine learning that tried to correlate usage with time, with location, and try to figure out the markers of a threat.
“Now, when people talk about AI being a threat, what they really mean is generative AI being a threat, large language models being a threat. And just like AI had been used for defensive good purposes before, we can still take generative AI and use it for good purposes as well.”
The bad purposes are plenty, Shapiro said, from deepfakes to malware. But in many ways, AI is simply sharpening the sort of threats that already existed.
On the traditional internet, O’Brien told BusinessWest, “we had things called botnets. These are automated computers that are being controlled by a command and control computer somewhere. So your grandmother’s TV set or set-top box or router can be controlled by some adversary somewhere on the other side of the world. You get enough of these machines talking together, they can attack websites; they can break stuff down. Those kinds of threats have been going on for a very long time.
“I would say what’s going on right now is AI is an accelerating force,” he went on. “We still have these threats; everything old is new again. But because AI is able to sort of think on its feet, it’s able to probabilistically change direction and try certain things very easily.”
During the Cybersecurity Summit, O’Brien talked about a botnet called Aisuru that was the most highly trafficked domain in the world during November — more than Google, Yahoo, Facebook, you name it — because of the ease with which it insinuated itself into everything from routers to cameras to gaming platforms. Its goal? Distributed denial of service attacks trying to take down websites.
That sort of threat takes cybersecurity out of the business realm and makes it everyone’s concern.
“Now that everybody’s online constantly, we have devices in our pockets which are basically supercomputers. We’re surrounded by devices, cameras, thermostats, all the stuff that’s connected to the internet. Cybersecurity is now a central topic. It’s encompassed so many aspects of our life,” he explained. “ChatGPT was released to the public a few years ago, and there is a real revolution in computing, and people are starting to see how these algorithms can do incredibly useful stuff, but also incredibly dangerous stuff.”
But AI can also be a strong weapon against those dangers.
“I remember old-style viruses. We had some Macs in our elementary school that got a virus, and everything went down. But then we started having virus detection engines — they look for signatures, and they react. AI is very good at this sort of signature detection and being very agile, being able to look at some things and say, ‘this looks like activity that shouldn’t be happening in the network.’
“So those detection tools, this ability to read through long logs of text, which is what people use ChatGPT and these types of technologies for anyway, are security tools that are speeding up the pace of action and analysis and giving cybersecurity analysts a lot more detailed information a lot more quickly.”
Always Watching
One reason O’Brien likes being an educator is seeing what students are actually interested in, and the way they think of new threats and new applications.
“The students are coming to us with scenarios that are interesting, their own ideas about unique hacks that could be happening. I had a student, for example, demonstrate for me a hack of a Roomba. I hadn’t thought much about a Roomba, but you think about a Roomba, it moves around, and it actually has a lot of data about the physical space,” he said.
“Having that surprise at this point in my life, after I’ve thought I’ve seen everything, is a really big part of this. I’m excited to see where things go.”
And that constant learning is yet another reason why cybersecurity careers will remain attractive — and why shepherding a new generation into that work is so important.
“I think it’s going to be hard to eliminate the need for cybersecurity folks, no matter what comes around the corner technologically,” O’Brien told BusinessWest. “We’ve got to stay on our feet. We’ve got to lock our things up.”





