Guest lecturer focuses on cybersecurity threats
2:36 p.m., Dec. 7, 2006--Eugene H. Spafford, professor of computer science at Purdue University and executive director of its Center for Education and Research in Information Assurance and Security (CERIAS), spoke Wednesday afternoon, Dec. 6, about the current state of cybersecurity in the United States and the shape of things to come if measures for better software and platform protection aren't developed and implemented.
Speaking to an audience of approximately 40 UD students, faculty and staff in Gore Hall, Spafford outlined various cybersecurity threats, talked about vulnerabilities in widely used software and likened the state of cybersecurity to an amber-level crisis.
“I'm going to talk about the crisis in cybersecurity,” Spafford said, “and if you're not aware of that crisis, perhaps this lecture will convince you that one exists. There are overwhelming vulnerabilities in most commonly used software applications, and well over 130,000 known viruses and worms.”
While there are no firm statistics on how much cybersecurity problems cost the economy, Spafford said a conservative estimate from 2004 indicated a global loss of more than $100 billion from cybercrime, and he added that this figure did not include passive losses, such as individual hardship incurred due to identity theft, or large-scale profit loss incurred through employee time wasted in weeding spam from valid e-mail.
“Phishing--trying to acquire personal information to use for purposes of fraud--has risen by 33 percent in the last year,” Spafford said, “and it's becoming more sophisticated, efficient and targeted.”
Spafford explained how even small departments within large companies can be targeted for e-mail scams, and how valid names and co-opted addresses can be used to fool even Internet-savvy employees.
“Sophisticated cybercrime is big business, often run by organized crime rings whose programmers get paid top-dollar, and it's fairly easy pickings for them, because we have not done a very good job of protecting ourselves,” Spafford said.
He touched on spyware, adware and malware, but said that a newer, bigger threat lies in botware (short for robotware), which can lodge in users' computers, run unbeknownst to them in the background, mutate regularly to skirt detection and eradication, and run all sorts of scripts that co-opt e-mail and use the host computer as a launching pad for outgoing scams.
“Detection is doomed,” Spafford said, “and the problem [of cybercrime] is getting worse, not better. Currently, two out of every 40 individuals is a victim of identity theft, and [only] one out of every 10 e-mail messages is valid. That's a tremendous cost to all of us.”
Especially, Spafford said, as Internet use continues to rise. “There are currently 1 billion online users,” he said, “and by 2015, that number will have jumped to 2 billion.
“We're not simply users, we're victims. And yet we aren't seeing any significant action being taken by anyone who can do something about [cybercrime],” he said.
Spafford attributed much of this apathy to a lack of ownership (i.e., no one really feeling responsible for the Internet), part of it to the sophistication of cybercrime programmers and part of it to a lack of governmental funding for math and computer science education in U.S. public schools.
He also attributed the current state of vulnerability to antiquated security measures and likened the continued faith in these measures to a form of insanity.
“The definition of insanity is 'Doing the same thing over and over again and expecting different results,'” Spafford said, quoting the 17th-century playwright, John Dryden. “Firewalls are more than 10 years old and virus-protection software is more than 25 years old, and they're not working, and yet we expect them to work. That's insanity.”
Spafford concluded his talk by emphasizing the need for innovation in the field of computer security programming and by fielding questions from the audience.
One of the most senior and recognized leaders in the field of computing, Spafford is a fellow with the Association for Computing Machinery, the American Association for the Advancement of Science and the Institute of Electrical and Electronics Engineers (IEEE). He is a charter recipient of the IEEE Computer Society Golden Core recognition program and the 2000 recipient of the national computer systems security award, which is presented by the National Institute of Standards and Technology and the National Computer Security Center and is generally regarded as the field's most significant honor in information security research.
The presentation was part of the Distinguished Lecture Series sponsored by UD's Department of Computer and Information Sciences and Department of Electrical and Computer Engineering.
Article by Becca Hutchinson