Hackers continue to steal identities, break into bank accounts and breach computer systems – and they get to the point of interrupting water or electricity service to targeted populations.
Along those lines, Sandia National Laboratories plans to increase cyber security research over the coming year through the new Cyber Engineering Research Institute (CERI) that will more closely coordinate with industry and universities and have a presence on Sandia campuses in New Mexico and California.
“The paradox is that even as we rely increasingly on computers to run our utilities, banks and basic security measures, the possibility of an adversary seriously damaging the increasingly complex programs that run these concerns has increased,” said , Rob Leland, Sandia Computer Science Research Center director during a two-day cyber security meeting
A key to developing strong cyber defenses is painting a realistic picture of the threats, said Ann Campbell, Sandia senior manager for cyber research. Firewalls and anti virus software are important but sophisticated adversaries are more devious. They may introduce malicious elements into the supply chain so they later can steal information, whether personal or relating to national security, or weaken an information system by degrading its performance or availability.
“The nation needs to find ways to share threat information without compromising sensitive information,” Campbell said.
The difficulties of defending against cyber attacks and what to do to change that situation, were major themes of the second University Partners Cyber Open House and Workshop led by Sandia researcher Ben Cook, manager of Cyber Research and Education.
“One of our overarching purposes for holding this workshop was to increase awareness of Sandia as a research and educational partner,” said Cook. “There are few places in the country where a student can come and work on real cyber security projects that have national impact.”
Attendees included 30 professors from across the U.S., along with cyber security program directors from the Department of Homeland Security and the National Science Foundation (NSF).
The meeting divided overwhelming macro-security problems into more workable pieces.
Another problem is stagnating student enrollment in cyber courses.
One way to solve that problem, and at the same time come up with radical security innovations, could be through the historically effective method of prize competitions, said Carl Landwehr, NSF’s program director for Trusted Computing.
“Evidence shows that a well-framed public competition can trigger innovation,” he said.
Landwehr highlighted the limited progress to date in building appropriate cyber defenses for large-scale computer systems. “I’ve been working on this problem for 40 years, and all I’ve seen are Bandaids,” he said. Then he provided a list of historical examples — one dating back to a 15th century design competition for a cathedral dome in Florence, Italy — to show how public competitions have led to technological breakthroughs, as well as significant public involvement.
A cyber security design competition with a particular target, prize and completion date, he said, could not only lead to radical technical solutions, but also help reinvigorate the research community and attract students to a field facing chronic talent shortages.
One reason for tepid student interest is that society rewards those who come up with imaginative, money-making programs, not cybercops, participants pointed out.
Also, university professors may find teaching the dynamic ins and outs of immediate response to threat less appealing than extensive investigations within specialty areas that lead to peer-reviewed publications.
As professor Ravi Sandhu of the University of Texas-San Antonio put it, “Academic incentives may encourage inertia, and inertia will not solve this problem.”
He said an effective cyber security curriculum might include computer science theory, principles and practice; security theory; STEM (Science, Technology, Engineering and Mathematics) instruction, principles and practice; and statistics, sociology, organizational theory, economics, game theory, laws, regulations, compliance, privacy, history, successes and failures.
“In a world of overwhelming complexity, with incomprehensible advances happening in every branch of computing every month, how do we train a cadre of enough students with enough incentives to learn so much that they can actively contribute before their [computer] knowledge is dated?” he said.