Three professors who are experts in cybersecurity discuss what's going on in the research field and where it's headed.
2016 was a banner year for cybersecurity events: the hacking of the presidential election by Russia; the theft of NSA cybertools; the revelation of Yahoo’s data breach with 1 billion accounts exposed between 2012 and 2014. This year is proving to be just as active, and that means cybercrime is becoming increasingly costly for industry and government.
The financial loss from cybercrime in the U.S. exceeded $1.3 billion in 2016, a rise of 24 percent, according to a report issued by the FBI’s Internet Crime Complaint Center. Worldwide spending on security-related hardware, software and services reached $73.7 billion, according to IDC, an IT research firm. That number is expected to hit $90 billion in 2018.
While private companies race to keep up with the latest cybercrime tactics, the nation’s universities are also doing their part, conducting research into the vulnerabilities that exist in current computers and systems. More importantly, they’re looking at ways to engineer the next generation of technology so that it’s easier to defend against attacks.
More than 80 universities around the country have cybersecurity degree programs, but a handful are conducting advanced research in the topic. Schools like Carnegie Mellon, Johns Hopkins, Indiana, Syracuse, Nebraska-Omaha and Florida State are among a cadre of top-tier universities that are attracting some of the best minds to delve into cybersecurity research.
To find out what is going on in the field of cybersecurity research and where it is headed, Government Technology spoke with three renowned professors who are experts in the field of cybersecurity: Deepak Khazanchi, associate dean of Academic Affairs for the University of Nebraska at Omaha; Professor Shiu-Kai Chin of Syracuse University; and Professor Xiuwen Liu of Florida State University.
Deepak Khazanchi, associate dean of Academic Affairs at the University of Nebraska at Omaha.
Khazanchi is the associate dean of Academic Affairs for the University of Nebraska at Omaha (UNO), a university that prides itself on its steadily growing cybersecurity program, technical prowess and applied research, not to mention being a National Security Agency Center of Excellence in both cyberoffense and cyberdefense.
For Khazanchi, there is no easy answer to what might come next with cyberthreats, only looming challenges presented in several different places. The massive web of connected devices known as the Internet of Things (IoT) is a major issue. It shouldn’t come as any surprise that IoT is under anyone’s microscope; but it’s the scale and complexity of IoT that concerns Khazanchi.
The sheer number of devices that make up the IoT are a cause for alarm, according to Khazanchi. Of particular concern are the devices and structures never meant to be connected, like older infrastructure, dams and power plants.
“Those act as a challenge for security in the future,” he explained. “There is so much computing that is being embedded into our infrastructure and into our lives, but the problem is that as everything gets more and more connected in terms of devices and people, security becomes even a bigger problem.”
The value placed on the data these devices put out is unquestionably enormous, especially where it comes to monitoring bridges or dams, where inspections might not be possible due to funding or staffing limitations. UNO is looking at how to secure the nation’s aging, and now connected, infrastructure, which was never designed to be connected to the Internet in the first place.
Keeping the bad guys out of critical networks is an obvious part of this discussion, but Khazanchi said the challenge is making sure hardware and software are engineered with security in mind. The old ways of building an application or entire system only to tack on security later allows for vulnerabilities from the start and is not sustainable.
UNO is focusing on how to build security assurance into hardware and software. Khazanchi has no delusions about the scope of this task, but he considers it critical. For this reason, the university is looking at developing some interesting new tools.
One area cyber-researchers are focusing on is the procurement and automation of software security compliance, or what the university calls “assurance-based software engineering.” The idea is simple: Design a system that not only knows the regulations, but also holds new software accountable before ever being implemented.
Researchers are also looking at where compliance automation can be applied to open source software code, explained Khazanchi. Open source libraries, many of which have NIST-recognized vulnerabilities, are a popular source for bits of code that ultimately make their way into the value chains of larger, more critical code.
By creating “systematic mechanisms” that coders can use during the software development process, university officials believe the security of open source code could be greatly improved. “Not all vulnerabilities are killers, but at least you know where they are,” said Khazanchi.
At New York’s Syracuse University, Professor Shiu-Kai Chin and his colleagues are also thinking about the implications and ramifications of IoT. He describes IoT security like blocks of Swiss cheese, with plenty of holes.
“The Internet of Things is really a global command and control and communications system without any security concept of operations. So, that’s the problem,” he said.
While there are obvious vulnerabilities in the system, Chin takes a somewhat optimistic view of the situation and explains that lining up all of the holes in IoT for some massive attack is not impossible, but highly unusual.
“The fear is that somebody could manipulate all of the blocks of cheese for a straight shot to the heart of society and that’s very difficult,” he said. “To get everything to line up at a particular place and time under a particular set of circumstances under somebody’s control — we can’t completely rule it out, but that’s like the government conspiracy: It requires a high degree of capability that is really quite unusual and unpredictable.”
As for the general state of cybersecurity, Chin described IT’s current cyberweaknesses like the shanty towns that preceded the big cities in New York, Hong Kong and San Francisco. There were no building standards or safety codes, and eventually a fire, earthquake or hurricane hit, forcing people to do things a different way.
Chin — whose area of expertise is mission assurance — agrees that cybersecurity needs to be included in the design process, as well as part of the organizational culture.
“I hate blaming users for problems they didn’t create because we did not design these particular systems with authentication and authorization in mind from the very start. Users are unprotected and they have to think at this level. That really can’t be the ultimate state of affairs,” he said.
Chin said cyberthreats are continually evolving with the technology, but are especially troubling when it comes to the increased focus on capturing what are called “root credentials” — basically, an organization’s master key. Whether obtained through social engineering methods, like phishing, or direct hacks, once those credentials are in the open, it becomes harder to contain the attacks.
“Once you have lost the guarantee of integrity, your entire organization is at risk,” he explained. “What that really means is people at the very top, if they get phished or harpooned or spearphished, however you want to say it, then an organization is in deep trouble.”
Syracuse is also researching “assurance by design” and how to make sure security is built into systems from the start. “There is no single tool that will make things go away, it’s a culture and a willingness to not only do the right thing, but the enforcement to see that the right things are done and an understanding of the standards as well as the technology, the education and training to do it,” said Chin.
Despite these harsh realities, state and local governments have options. Chin recommends organizations think long and hard about their mission, how they complete it and what the acceptable losses are. With those questions answered, he said, they can move forward in protecting the priorities and focus on accountability throughout the entire organization.
Xiuwen Liu, professor of computer science, Florida State University.
Florida State University is also looking at the relationship between the Internet of Things and cybersecurity — especially where it relates to critical infrastructure like the country’s increasingly connected power grid. While FSU Professor Xiuwen Liu acknowledged the danger of unsecured, connected devices, he takes a more measured perspective on the situation.
“I think sometimes people spin the story too far,” he cautioned. “For example, when you have a bridge, and it isn’t connected to anything, then the structural elements of the bridge are safe; whether it is connected or not is not going to affect the safety of the bridge. In order to affect the safety of the bridge, physics has to be involved.”
Where the power grid is concerned, FSU researchers with the Center for Advanced Power Systems study and test the power grid and equipment through simulations. When researchers conduct probes and analysis, they are better able to predict threats and defend the critical infrastructure.
Despite his focus on cybersecurity, Liu doesn’t believe in easy fixes, or even permanent fixes, for that matter. In no uncertain terms, Liu said that some things just cannot be done. “No matter what you do, cybersecurity in some sense has its own intrinsic limitations. In theory, you just simply cannot design a system that is secure,” he said. “Systems can be designed to prevent known threats and different kinds of threats, but you can never write a program saying this program can prevent all threats.”
There are options for making the Internet and all things connected more secure, but it would come at the cost of openness. For example, the Internet might become more secure if the government were to step in and take control, but he countered, “people do not want that.”
Given all the promising research taking place at major universities around the country, the sobering reality is that there likely never will be an end-all solution to the cybersecurity problem. While government could one day see artificial intelligence defend its networks and critical infrastructure, technology is not there yet. The evolution of new technology will continue to allow unintended access into guarded systems, and the best government can do is develop a culture of vigilance and awareness.
“Cybersecurity is an important area, but some of the problems are technical and some of the problems are in awareness,” said Liu. “I think many times, people who may not have the technical background … they may not realize they are connected to the world and others may have access. That kind of awareness is probably a bigger problem in terms of securing the Internet.”