Securing our cyberworld
So much of the Internet is useful, fascinating, collaborative and fun that it’s easy to forget about its treacherous, murky underbelly.
That’s a mistake.
As headlines and an endless crawl of news bulletins attest, cyberattacks are increasing—and increasingly are productive. An avalanche of woe is one ill-fated keystroke, one infected flashdrive, one clumsy misstep away.
The advances in technology have long outrun the guardrails. President Obama has called the situation a “national emergency.”
Some compare today’s cyberenvironment to the “Wild West” with no sheriff, but you might make a stronger comparison to guerrilla warfare. Bullets aren’t flying in and out of computers, but lots of malicious code is—and it often does its nefarious work, undetected, for months.
“We are seeing more and more complex attacks—highly sophisticated operations,” Dave DeWalt, EG86, and CEO of the cybersecurity firm FireEye, told Financial Times earlier this year. “On average, we are seeing attackers inside their target’s networks for about 200 days before they are discovered.”
No one is waving a white flag of surrender. Far from it.
Much work is underway, and the Delaware Cybersecurity Initiative (CSI), established at the University of Delaware last year, is emerging as a key training ground and staging area in the nation’s massive effort to batten down the hatches—virtual and otherwise.
Leading the way
The program will address perils that go far beyond passwords, encryption and virus definitions, looking into the circuitry and other hardware that control critical infrastructures, such things as power grids, transportation systems, communications networks and that loosely defined “Internet of Things,” where automation and no-humans-necessary work is done.
“[The Internet] is more than just a network of emails and passing information and documents,” says CSI’s founding director Starnes Walker, a nuclear physicist who spent more than three decades researching, developing and engineering strategies to protect national security. “It’s also how the nation’s critical infrastructure runs today.”
And there, you find cyberinsecurity in many cases.
“Current power management and security mechanisms provide virtually no defense against these novel and dangerous attacks,” says Haining Wang, professor of electrical and computer engineering, who joined CSI’s research faculty last year.
With the CSI program now rooted and growing, the University and its partners in government, business and military sectors aim to train students in state-of-the-art methods, provide internships and promote research on cybersecurity issues of all kinds.
The program leverages the University’s strengths in electrical and computer engineering, computer science and information systems, business technology, accounting, auditing and finance, corporate structure and public policy.
And it adds to UD’s already-extensive footprint in electrical and computer engineering, with faculty members David Mills (now retired) and David Farber both recognized as pioneering architects of the Internet.
A multibillion-dollar business
As a hub of corporate life, Delaware is an ideal place to develop, refine and standardize cybersecurity training and protocols for business, Walker explains. The state’s Chancery Court is a nationally recognized authority in business law, thousands of companies are incorporated here, and Delaware’s financial services sector includes many of the nation’s major banks and their credit operations.
“Cybercrime is turning out to be one of the major vulnerabilities of business,” says Bruce Weber, dean of the Alfred Lerner College of Business and Economics. “We have built a lot of systems around convenience and efficiency. Unfortunately, achieving those two goals has led to some security vulnerabilities, the costs of which are just now being established.”
Losses attributed to cybercrime are in the billions of dollars in the U.S., in the hundreds of billions globally. And the thieves are losing no ground in what Craig Young, chief technology officer at the Belgium-based SWIFT Institute, has called “an arms race between hackers and financial institutions.”
Security incidents rose by about 48 percent from 2013 to 2014, according to a study this year by PricewaterhouseCoopers. In all, companies that responded to the survey reported 42.8 million incidents—an average of 117,339 per day.
A Wall Street Journal report, cited by PricewaterhouseCoopers, predicted a global technology security investment of $76.9 billion this year. But many companies surveyed still do not include cybersecurity processes in contracts with external partners. And companies reported that most often, their perpetrators are employees or former employees.
While the National Institute of Standards and Technology has issued guidelines for security protocols, PricewaterhouseCoopers found that most U.S. companies fall woefully short of those standards.
There are promising technologies emerging and others will develop as work continues, but many are still decades away.
Building a network; Training a workforce
UD’s CSI will provide objective data and tested strategies to help decision makers, and much has happened in its first year:
- • More than 100 students are taking cybersecurity-related courses, and a certificate course is planned at the U.S. Army’s Aberdeen (Maryland) Proving Ground.
- • Twenty-five undergraduates from seven majors are pursuing a minor in cybersecurity, with 18 required credits.
- • The University’s first master’s level program went live this fall with an all-online option coming in the spring. The program offers four areas of concentration: secure software, secure systems, security analytics and security management, with a fifth planned to focus on human behavior.
- • Provost Domenico Grasso this fall announced $200,000 in competitive cybersecurity research grants to be awarded by the University—eight grants in all, worth $25,000 each.
- • Scores of partners and advisers have joined the effort, bringing strengths and insight from a wide array of business, government, military and academic institutions.
CSI has hosted several lectures and daylong events to give experts and others opportunity to think, learn and collaborate, including its inaugural Distinguished Lecture, delivered earlier this year by Michael Chertoff, one of the nation’s top security experts and former secretary of the U.S. Department of Homeland Security.
SWIFT, which focuses on transaction banking and supports research and collaborative events, partnered with UD on a spring conference that drew almost 150 people to the Newark campus.
And a new technical seminar series started this fall with a visit from Rajesh De, former general counsel of the National Security Agency.
The cybersecurity challenges are expansive and layered, requiring solutions not only in engineering and encryption but in law, public policy, human behavior, and in that delicate territory where an appropriate balance between security and privacy is struck.
But Chertoff says building a network of trusted partners who work together to identify and address the dangers—as the Delaware initiative is designed to do—is the way to go.
“The humans behind the systems”
Because the private sector is the most active online, says Chertoff, business leaders are essential to that effort. They must identify and share the attacks and threats they encounter.
That can be testy territory, with global reputations and proprietary information often at stake. But Weber, the Lerner dean, says he has come to the conclusion that those concerns are not a long-term barrier to resolving the security problem.
Often, Weber says, someone exploits an obscure part of a system that no one sees as a vulnerable spot.
“In the case of the breach at Target, it was some minor air conditioning/heating vendor whose access to internal systems was exploited,” he says.
The vendor shared his login details with someone who found a way to use that network connection to tap into customer credit card data at the checkout terminals.
It’s not the encryption that fails, he adds, it’s the humans behind the systems who are tricked or duped. Making it all the more important to educate leaders who will be in the vanguard of addressing this growing, vexing global challenge.
The United States alone has roughly 1,000 skilled specialists in the field when the nation needs as many as 30,000.
With faculty talent (including inventors of the Internet), growing student demand, alumni leaders in the field and a national defense expert at the helm, UD’s CSI is poised to become the go-to place for cybersecurity.
“Cybersecurity is serious business,” says Walker. “UD will be at the forefront of workforce development in this area.”
Article by Beth Miller
The images in this article were created by students in the University’s advanced Illustration Methods art course. Hired by the Messenger as freelance illustrators, the student collaboration combines classroom experience with real-world application. “As visual commentators, these students translate words into visuals, using methods and strategies for conveying information and telling stories that evoke ideas and emotion in the viewer,” says their professor David Brinley, whose own work has been published for conceptual covers, portraits, editorial spreads and spot illustrations in such publications as The New York Times, Rolling Stone and Washington Post.
Read about the rockstar of cybersecurity, Dave DeWalt, EG86
Read about the ethics of technology
