If you need any more reason to be concerned about security of the global online system that runs everything from the financial world to the airlines to the federal government, consider these headlines from last week:
“Apocalypse Now?: NYSE, WSJ outages spook Twitter"
“The Glitching Hour”
“Ladies and Gentlemen, It’s Time to Panic"
That outburst of outages may have been just technical timeouts, not malicious mischief. But last month’s intrusion into the federal government computer system – a widespread breach that swept up personal information on more than 21 million Americans, including fingerprints and Social Security numbers -- makes it clear that Webster University’s Cyberspace Research Institute is a timely initiative.
The man in charge, Tom Johnson, says the institute is designed to help companies, utilities and others dependent on secure information ward off the bad guys who try to infiltrate their systems. It also will help train the people who will be needed to come up with the right defenses to stay one step ahead of any attacks.
The institute, Johnson said, provides “a safe place to explore the limits of cyberspace without harming others. We put our people into an environment, a virtual laboratory, where we can permit our students to explore different forms of viruses and malware, and how to defend against a denial of service attack.”
Chris Blask, who heads an industry group that is merging with Webster’s institute, said the university can help bring together people from various sectors – academia, business and government – to share information and devise solutions to common concerns.
“Webster University is a fantastic example of where we are in all of this,” said Blask, who is executive director of the Industrial Control System Information Sharing and Analysis Center, or ISC-ISAC .
From trust to security
Johnson said the need for an institute like Webster’s shows a basic shift in the online world. He said that ARPANET, the precursor to the World Wide Web, was built on trust. Now, he says, because cyberspace is used far more widely, everyone has to pay much more attention to security.
“It was basically to try to and provide a communications mechanism,” he said of the origins of online. “It was done in such a way so that it was very difficult for people to use.
“Since we’ve gone to this very free, open approach, we’ve now seen so many people exploit the systems, the big problem is the penetration of our system, unwanted intrusions.”
A recent report from the federal government counted more than 640,000 incidents of security violations, Johnson said – nearly 10,000 of them aimed at the federal government.
And, he said, with the growth of mobile technology, the problems are only likely to get worse, making the cat-and-mouse game more intricate.
“As this technology advances,” Johnson said, “there’s going to be a variety of improvements. But bear in mind that with everything that is being done to secure systems, people who hack into systems are very, very creative, and they’re coming up with alternative ways to penetrate the systems.”
To keep up with those schemes, Johnson says, Webster’s institute aims to make advances in four areas with four separate laboraties: research, experimentation, collaboration and learning.
- The Cybersecurity Networking Laboratory is designed to be “a safe place to explore the limits of cyberspace without harming others.” It allows researchers to duplicate problems that may occur in the world outside without having a negative effect on any real operations. In a controlled environment, personnel try to control the variables in situations and see if repeated operations gain the same results.
- The Emanations Laboratory experiments with sound, light, and radio frequencies to exchange information and test the limits of communications, interception and interference.
- In the Knowledge Sharing Laboratory, research participants can explore the limits of collaboration, using information from a variety of organizations.
- The Web Services Laboratory supports teaching and experimentation and provides access to the other labs. Workers there develop applications in a variety of environments, including artificial intelligence environments, chat, gaming and game building and other special projects.
Johnson said about 60 students currently are enrolled in Webster’s cybersecurity program at its St. Louis campus, with others enrolled at other sites for the university.
Those four approaches, and the ability for various types of organizations to work together, can help solve problems now and prevent them later on, Blask said.
“The sensitivity of how we share information really is at the core of all of this,” he said. “What we find as we go through information-sharing exercises is that there is value to knowledge that can be shared, without in all cases compromising the interests of those involved.”
Phishing and other problems
That kind of collaboration will become even more important, Johnson said, as the cyberworld evolves. Today’s phishing techniques – online-speak for efforts to gain entry to sensitive information online – are likely to become more sophisticated as efforts to block them improve.
If you’re one of those people who tends to write your passwords down on a convenient Post-It note because you can’t remember them all, you may be glad to know that such requirements for entry into a system could become obsolete. Sites will encrypt your user names and passwords and change them regularly. But that doesn’t necessarily mean navigating cyberspace will become easier.
“Some of the phishing things that you see are very sophisticated,” Johnson said. “It’s very understandable why the elderly fall victim to it because someone will basically put up such a sophisticated website and indicate that it has noticed a lot of attacks on your system, please contact us immediately.
“They have a place for a person to click. Of course, once you do that, they can enter into your system.”
To fight back, Johnson said homeland security specialists have worked on three approaches.
The first, called Einstein, was an early warning system, designed to advise when possible intrusions are detected. Einstein 2 went a step further, issuing alerts when threats are found.
When Einstein 3 is completed, Johnson said, it will be able to do more than just detect attacks and issue alerts. It will be able to act to neutralize the threat, preventing it from causing any harm at all.
But even an Einstein won’t be able to have all the answers. Blask said there will never be such a thing as 100 percent safety, but there never has been such an ironclad guarantee. Instead, he said, as with systems such as utilities that have been operating for a much longer time than the Internet, the goal is reliability, and that is achievable.
Even low tech tools like wire cutters can cause temporary problems, he said, but not total havoc.
“We have a fantastic electric grid that keeps our lights running and so forth almost all of the time,” Blask said. “It’s not 100 percent. We have storm outages. We have cars hitting poles. We have hurricanes coming through causing significant damage. But it’s always survivable.”
Also on the horizon is the Internet of Things – those everyday conveniences like your refrigerator or your garage door that are increasingly dependent on computerized systems. It may be great to control your thermostat remotely with your cell phone but, Johnson says, that convenience carries with it a serious tradeoff.
“If you think there's a lot of problems with security today,” Johnson said, “hold on to your hat. Because the Internet of Things is going to introduce security challenges that are absolutely beyond belief.
“Anything that you want to use to access your home to make it a more customizable, usable, friendly thing for you, is fraught with potential hazards for penetration.”
In the end, Johnson said, “We can design and develop all these wonderful software tools, but one of the biggest vulnerabilities we have is that the people who are employed, either in the government or in the corporations and universities, become vulnerable to social engineering. That’s how hackers get into your system.”
He said graduates from programs such as Webster’s institute will help devise the defenses of the future.
“They’re in demand,” Johnson said, “because corporations in America have finally realized that, yes, we do have to spend more money and more engagement in trying to defend these systems.
“They can’t just look at the profit centers they’ve got now and look at those particular parts of their businesses that they think of as cost centers. They have to look at them as something to protect their entire corporation.”
For education coverage, follow Dale Singer on Twitter: @Dalesinger