Serge Droz: "Is it legitimate to launch a digital counter-attack to an attack by hackers?"
ETH alumnus Serge Droz studied physics at ETH and obtained his doctorate in Canada, where he researched black holes. He has 20 years of experience in information security, gained while working in the private sector. He undertakes voluntary work in this sector and is the President of the "Forum of Incident Response and Security Teams". In this interview, he tells us how he found his vocation and what fascinates him so much about working in IT security.
When you were a kid, what did you want to be?
When I was younger, without even knowing what it meant I always wanted to be a researcher. I was fascinated by nature and following children’s magazines on the natural sciences, I conducted my own experiments. As I got older, I loved physics kits. I wasn’t a stand-out pupil at school but I always kept a research journal.
You studied physics at ETH Zurich and say that you very much enjoyed your time here. How did you come to study at ETH and what did you like particularly?
Since I had gone to school in Zurich and wanted to study physics, it was a no-brainer. I wanted to go to the place where the greatest role models in physics, like Einstein and Pauli, had taught. For me, that was super cool.
During my time at university, I particularly liked the fact that I got to study something that I was really interested in. I was also surrounded by people who appreciated maths and physics just like I did. At the moment, as we are all affected by covid, I really feel for those students in their first semester who only have limited access to such an environment. I loved the time outside of lectures, when we got to sit around, discuss things and study together.
However, at the time I didn’t realise just how good ETH was. I only really became aware of this when I went to Canada to write my dissertation. At ETH, there were perhaps one or two professors who weren't that great. But in Canada, I only had a handful who were any good at all. Comparing the two, I could see the quality of an education at ETH.
Why did you study for your doctorate at the University of Alberta in Canada?
When I was at university, we were always being told to gain some experience of studying abroad too. I wanted to write a dissertation so I contacted the authors of books that I liked. Even during my time at ETH, I was interested in the theory of relativity, which continued when I was in Canada. My PhD supervisor, Werner Israel, was a pioneer in black holes.
You studied what would happen to Major Tom if he jumped into a black hole. So what would happen?
If you look at the classic solutions of Einstein’s equations, which describe a black hole, these holes appear to contain a tunnel to another universe. Major Tom would fall out of a white hole, but there don't seem to be any white holes. But it gets worse: causality would cease to exist inside this tunnel and physics would lose its ability to make predictions. This is an unmistakable sign that something has been overlooked.
In fact, these solutions are not stable inside a black hole. Instead, there is a singularity. If Major Tom were to jump in feet first, his feet would be drawn to the centre much more than his head. Major Tom would be pulled apart like spaghetti. He would be subject to forces acting on the sides too. In other words, he wouldn't survive.
What did you do next?
After gaining my PhD, I stayed in Canada and did a PostDoc on gravitational waves. My numerical simulations had a very small role to play in a Nobel Prize, which I was delighted about. After some time, I came back to Switzerland and the university in Zurich. Following another move to the Paul Scherrer Institute, I started work in information security. This was a great decision because I’ve always been attracted to computers.
How did your degree from ETH help you get onto the career ladder?
A degree from ETH is of course great on your CV, after all it’s not that easy to get. I think what I really learnt from studying physics at ETH is not to give up simply because you can't see a clear route to your goal. I still benefit from that today: I’m not afraid of really difficult problems. Sometimes, you don't see a way through until you are almost there and that’s fine. I guess you could say that at ETH, the main thing I learnt was how to solve problems at the highest level. I no longer need my knowledge of physics in IT security but this ability is still central to what I do.
You have been working in IT security for 20 years. What is the most interesting aspect of your job?
IT security is quite similar to fundamental research: you need perseverance, and you continually encounter new and surprising things. Whenever I face a new problem, I stop to gain a quick overview. I develop a hypothesis and check it. I gradually work through the problem until I have a solution. It’s a bit like being a detective.
I really like the mix of technology and global collaboration with like-minded people. IT security cannot be ensured just on a local level. Once a week, I attend a telephone conference where people from various companies discuss problems and help one another find solutions. We are linked via our technical language and the common goal of protecting users the world over.
Amongst other things, you volunteer with the “Forum of Incident Response and Security Teams (FIRST)”. What motivates you to do this?
FIRST brings together security teams from more than 90 different countries. Our members come from industry, civil society and governments. We can help to build bridges and continually share our knowledge globally. In an emergency, we provide a platform, even if we are competitors. When major crises occur, such as in 2017 during the WannaCry attack, we spring into action and all work towards a common goal. I benefit from this on a personal level and so it’s important for me to contribute to the forum.
We have lively discussions about current problems. For example, hack backs: Is it legitimate to launch a digital counter-attack to an attack by hackers? I don’t think so. FIRST has developed a “Code of Ethics” to help specialists answer questions like this. After all, our work is primarily very technical. But how can we do our work to ensure that we reach the goal we want of creating added value? Looking back, this was something that was missing from my education at ETH. We don’t need to train ethicists. But we need to be aware that such questions exist, as is the case in biology or medicine.
What tips would you give today’s students?
I think the most important thing is to pursue a subject that you enjoy. Something that you are passionate about as it will be something you are good at. I don't believe it’s right to do a job or study a subject simply because it’s good for your CV. But that doesn't mean you should follow the path of least resistance and that may mean that you encounter frustration.
Once I had graduated, I didn't put much effort into investigating opportunities other than fundamental research. I was rather scared of it. But if you head off in a direction that you are really interested in, you will find some very exciting opportunities. When I left university, I would have liked to have been told that with a degree from ETH, there was a good possibility of me finding something I enjoyed doing. You learn to solve problems that weren't even on your radar when you were a student. For example, I now operate in the area of conflict between IT and international law. But that didn't even exist 20 years ago. Don’t give up hope if your plans don’t come to fruition; there are so many exciting opportunities out there.