Professor Alptekin Küpçü: “The human factor determines cybersecurity”

Professor Alptekin Küpçü of Koç University’s computer engineering department discusses data protection in the ai era, the culture of cybersecurity, and the vital role cryptology plays in this landscape. 

How do you assess the major data security risks in the age of AI, and the protection mechanisms being developed to deal with them?

Most people are actually unaware of the risks in this area or the severity of the situation. There are serious problems regarding both the privacy of our data and the accuracy of the responses provided by AI. The defense mechanisms here remain a subject of research and the issues have not been fully resolved. New mechanisms are continually being developed, only to be targeted by new attacks, and this continues day by day. We’re working on both the offensive and the defensive fronts. Let me highlight a very interesting issue here. As cryptology and cybersecurity experts, our long-standing complaint has been this: Unfortunately, systems are designed without security in mind and attempts are made to secure them only afterwards. We see this repeatedly when designing anything for the internet. If you don’t incorporate security from the very beginning, ensuring safety and privacy later on becomes much more difficult. It’s the same story with AI. The approach is to start, saying something like “Let’s build the system first–enable it to perform artificial reasoning in some way and offer various solutions.” These are certainly critical areas of research but security and privacy are not built in from the very beginning. The result is that security specialists are forced to step in and patch things up further down the line. 

From a user’s perspective, we need to be extremely cautious when using these systems and we should assume that our data will not remain private. In other words, we shouldn’t be feeding these systems critical data. As an example, let’s say I’m conducting research in a particular field: I might want to find specific articles or understand a particular section of one better. I can use AI here. Why? Because these articles aren’t confidential data to begin with:–anyone can access them online. On the other hand, uploading a company’s undisclosed financial data to have it analyzed by an AI agent is not something we would recommend.

How would you define the role and importance of cryptology within the digital security ecosystem?

Cryptology is actually a very broad discipline. Generally speaking, what we call cryptography is the defensive side, while cryptanalysis is the offensive side. In my opinion, cryptology hasn’t found its rightful place within our cybersecurity ecosystem just yet. The reason is this: whenever you try to secure something by adding a cryptographic protocol, you inevitably introduce a slowdown to the system. It’s unavoidable. Security and privacy are often relegated to the background, both by individuals and by corporations. The mindset is usually “I don’t want any slowdowns; performance has to be the top priority.” Because of this, cryptology isn’t given the precedence it truly deserves. However users aren’t demanding this enough either. Perhaps they don’t realize what’s possible nowadays–or maybe there are other reasons–but the demand for better security and privacy definitely needs to come from the user side too. For example HTTPS used to be far less common. But after Edward Snowden’s revelations, people raised their voices saying “It turns out a lot of our data is being harvested; we demand more privacy.” In response, companies ramped up their adoption of HTTPS and that’s why it is much more widespread today than it was ten years ago. In other words, a significant responsibility falls on both service providers and on us as service users to demand greater data security and privacy.

What role do quantum computers play in the field of cryptology and how is this technology reshaping current encryption approaches?

Quantum computers have incredible capabilities. They can achieve serious speeds in many calculations. However, they can’t do everything. Our standard computers also have limits on their capabilities. Just as there are things they can never do, there are other things that can take them a very long time. The situation is the same for quantum computers though of course the limits are not the same. However there are still tasks which quantum computers will never be able to perform or which would take even them a very long time to complete. In the realm of cryptology, this has a specific implication: it will become possible to rapidly break certain known cryptographic protocols currently in use. We know this. However standardization efforts are already underway to address this. Methods are being developed that even quantum computers can’t crack and there is a substantial amount of research being done in this area. My prediction is that by the time quantum computers have developed and become widespread, appropriate cryptographic protocols providing security against them will have already matured.

In your view, what are the most critical components for building a strong cybersecurity culture within organizations?

The most important factor is actually the will to establish such a culture; that is, the willingness of institutions and managers to be aware of the issues and to demand cryptological security. In cybersecurity, the human element is both the most important and the weakest link. And this is why individuals must receive training on the proper use of cybersecurity and cryptology. From a researcher’s point of view, it’s crucial to create usable security solutions.

The cryptographic solutions we develop must be accessible; they mustn’t be overly complex or difficult. People are the most critical factor here and if we fail to design with the human element in mind, we’re getting it wrong. When we consider legal frameworks like Turkey’s Personal Data Protection Act (KVKK) and the European Union’s General Data Protection Regulation (GDPR), allocating resources to cybersecurity and cryptology definitely pays off. This is because in the event of a data breach, the legal, financial, and reputational consequences and losses can be severe. Taking precautions from the start can significantly mitigate such fallout.

One last question. What can you tell us about the work being done by the Cryptology, Cybersecurity, and Privacy Research Group at Koç University?

I originally set up the Cryptology, Cybersecurity, and Privacy Research Group at the university when I first joined the faculty back in 2010. We’ve been steadfast in our efforts ever since. We’ve put Koç University on the global map in cryptology. Our core focus is cryptography, security, and privacy but our areas of application are incredibly diverse. For instance, we conduct extensive work on cloud computing security. We also have ongoing projects dedicated to verifying the accuracy of computations in the cloud. On another front, we’ve developed a blockchain system for which Koç University has been awarded patents. In addition to our work on privacy and authentication in social networks like Facebook, we’ve developed another solution for systems of that nature. In 2006, a group of well-known cryptology and data security professors at the Massachusetts Institute of Technology proposed the idea that authentication could be performed through a known individual but they didn’t present any actual protocols for the solution. Social networks weren’t widespread back then, anyway. We began working on this in 2017. We developed the world’s first system for “authentication via a known individual” and we achieve this while fully preserving privacy. For example, let’s say I’m coming to visit you at your workplace. At the entrance, I need to verify that I know you–or at least three people in the building. But telling someone who I know actually reveals a great deal of personal information about myself. With the system we have developed, I can confirm that I know those three people without ever revealing their names. This system is able to perform this verification while ensuring complete privacy of everyone involved.