Q&A with Christo Wilson, a Northeastern Resident Expert On Cybersecurity

 

Written by Petrina Danardatu 

Photo courtesy of Christo’s website


Computers, smartphones, tablets, and the Internet have now become pervasive and fundamental aspects of our world; they are essential to the way we work, the way we communicate, the way we live. The more our technology advances, the more cybersecurity and privacy are pushed to the forefront of our minds. 

By now, everyone knows the “my FBI agent” memes, and I’d argue that jokes like these actually reflect genuine societal concerns about cybersecurity and possible violations of privacy. 

To address these and other suspicions, I spoke to Dr. Christo Wilson, a founding member of the Northeastern University’s Cybersecurity and Privacy Institute and director of the BS in cybersecurity program. This is a transcript of our conversation, edited for length and clarity. 



Q: What initially interested you about this subject area? 

A: I’ve been a computer nerd since I was a teenager. I thought computer viruses were interesting, probably because my computer got infected with a ton of them. I got really interested in who was writing these things and how they work, and I got a whole bunch of source code for viruses and started taking them apart. Then in college, that kind of blossomed into a wider appreciation of the field, specifically looking at network and web security in tandem with the growth of the internet and all the security problems that it exposed in our infrastructure. When I became a PhD student, I always knew that security would play some role in my research. 


Q: What would you say to people who already are, or should be, concerned about their privacy? 

A: The unfortunate reality is that there’s not a ton you can do about it. So, I would recommend that everyone has strong ad-blockers in their browsers. The one I recommend in particular is called uBlock Origin. 

The thing with smartphone security is that there is almost none. It’s sort of the end of that story. Even just having it on you, your location is being tracked, and there’s nothing you can do about that. That part is fundamental to the way that cellular networks work... The minute you install an app, it can start reading personal data off the phone, and again there’s just very little that you can do about that. If you have the option of installing an app versus going to the website, go to the website; it’s much less privacy-invasive. 

All of this to say, this is why I believe that there should be more policy intervention because it shouldn’t be on you as a human being. Why do you need to be a cybersecurity expert and go through all this effort? The default should be that you’re secure and your information is not being exploited.  


Q: Many people believe that their social media — like Facebook, Instagram, or Twitter — is their “private space” for self-expression. What privacy issues specifically arise from social media?

A: The assumption that anything on social media is private is a fundamental fallacy. We built these systems very naively. We thought we were exporting democracy and free-expression, but instead we have imported psychological operations from totalitarian regimes. And there is something to be said about free online services. Maybe we are okay with the status quo: we pay in data and attention. But maybe we’re starting to not be okay with that, now that the side-effects are starting to be known to the extent that the big media platforms need to fundamentally change how they operate. They are the media now, they play a huge role in shaping our society.


Q: During any of your projects, do you find yourself running into any bureaucratic red tape or pushback from opposing third parties? 

A: I do a lot of work on online privacy, looking at how you’re being tracked on the web and in apps, and that often gets contentious. If we’re talking about major companies like Facebook and Google — they’re ad companies — they don’t want to have these discussions about privacy. 

I also worked on a project looking at whether apps on your phone are secretly listening to you through the microphone. It turns out that they’re not. To be clear, there were apps that did this, but they’re really rare. One thing we did find though, is that there were some apps that were taking videos, so that when you were on the app, everything you did on the screen was being live-streamed to this third-party company in Israel. So we contacted them, and they came back to us and they were pissed. They were saying, “We aren’t violating people’s privacy! This is slander!” So I showed them my evidence and I was thinking, “Do you want to consider revising those statements?”  


Q: What can you tell me about any of the projects you’re currently working on?

A: We have several grants all looking at public key infrastructures, so what that means for the ordinary person is something like Transport Layer Security (TLS) that’s the green lock icon on your browser. That lock icon means that your connection to the website that you’re browsing in that moment is currently encrypted. So say if the NSA is trying to tap your connection, they can’t actually see the messages you’re sending to the website. They may know you’re “talking” to the website, but they don’t know what you’re saying. So this is super important because we wouldn’t have online banking, or online dating, or healthcare websites or anything without this. It’s the first line of defense against you getting passively eavesdropped or getting all your credit card information stolen by some cybercriminal. 

But the problem with TLS is that it’s not perfect. We’ve done a lot of work in the past looking at problems in how browsers implement it; there are some problems within browsers that fundamentally reduce your security. There’s also problems on the website side of things. This is complicated technology, and people who build websites often don’t understand it either, so they make mistakes and that also reduces our security. 


Q: A lot of jokes and real criticisms have been made about the many Congresspeople who seem to know very little about the internet in general. How can we get these people in power to incite change in an area they seem to know nothing about? 

A: Yeah, it’s very “okay, boomer” [laughter]. Those congressional hearings are silly. They’re 90 percent grandstanding, that’s unfortunately not where real work gets done. There are definitely some people who get it — Alexandria Ocasio-Cortez was asking Zuckerberg some great questions. But you do get these people who don’t understand or haven’t been properly briefed on the technology, or it just becomes this partisan game. One side talks about privacy and thoughtful regulation, and the other side talks about the censorship of conservative voices impeding on the right to free speech, and the whole thing just doesn’t go anywhere. 


Q: Are there salient differences between American cybersecurity protocols and issues and those of other countries?  

A: America is unique in many respects, one being that the tech companies are here, so for better or worse we have jurisdiction over them. This leads to the second problem which is that our cybersecurity regulations and laws are woefully inadequate. That’s not to say that other countries are so much better, but we’re the natural leader and we’re not seizing that role. 


Q: In what ways are American cybersecurity regulations inadequate?

A: Our primary anti-hacking law is the Computer Fraud and Abuse Act, and it was written in the mid 1980s. The rumor is that it was written in response to the movie War Games (1983), about this fiction movie about a hacker breaking into nuclear sites; that tells you a lot about the minds of the legislators who wrote it. This law is super vague. To be fair, yes, there are some criminal hackers who get caught and prosecuted under it but it’s also used to go after employees who “break contract” or people who make fake accounts on websites. I’m party to a lawsuit against the Department of Justice that’s trying to get this law amended because it’s so bad. 


Q: What does the future of cybersecurity regulations look like? 

A: There is a change afoot. In Europe, there is now the General Data Protection Regulation privacy law. It’s not perfect by any means, but it’s way better than what we have. California is months away from applying their new CalPrivacy law, which is modeled on the GDPR. California generally tends to lead in the nation in this way, and because this law affects the internet, it’s therefore going to affect all Americans.


Q: What do you hope that people can take away after reading this article? 

A: Everyone is fundamentally at risk, and I know that sounds scary. From the Snowden Revelations, we know that the NSA is collecting large amounts of internet traffic. But there are basic things you can do, like keeping your software up-to-date, using strong ad and tracker blocking, not opening attachments from people you don’t know, using a password manager, and other simple things like that. This is basic cyber-hygiene, so everyone should be practicing these. And beyond that, vote!
