ASU researchers: Technology access, convenience create cybersecurity holes
Your IoT (internet of things) existence is ripe for hacking.
It’s morning. You flick on a kitchen light switch. The pre-programmed coffeemaker drizzles the last drops of caffeinated perfection as you power up your cellphone. Apps remind you of a meeting and that the clothes washer did its job as you slept. Move the clothes to the dryer? Eh, you visit Facebook, instead.
Thousands of miles away (or down the street or in a cloud, no one really knows for sure), your habits are a data mass geared toward targeting ads for every Wi-Fi journey you take today, tomorrow and beyond. In another day, more data accumulates. Maybe you’ll shop for a car, find local sushi. The data pivots, adjusts to your decisions.
Unfortunately, your IoT (internet of things) existence, where devices use Wi-Fi to talk to one another (the washing machine, phone, coffee maker), are ripe for hacking.
“These things present vulnerabilities because they are always on and always listening,” says Jamie Winterton, director of strategy for ASU’s Global Security Initiative (GSI). We live in a world, she adds, where convenience and tech capabilities intersect — and it’s not always pretty.
“Now we have this issue where we have tremendous functionality, and security has not caught up with that functionality,” adds GSI Director, Nadya Bliss.
Trading privacy for convenience is one concern, but is our electrical grid safe? Can we stop hackers from influencing the 2020 election? At ASU, cybersecurity researchers look at the big and seemingly small concerns, and all will tell you, there’s so much more to the fixes than simply writing code patches for malware.
Know your enemy
Understanding a system’s vulnerabilities is one part of the solution, but understanding the attacker may be more important, says Paulo Shakarian, assistant professor in the ASU School of Computing, Informatics, and Decisions Systems Engineering.
Much of Shakarian’s research involves exploring the dark net — a world originally created to allow people like political dissidents and journalists who need protections to anonymously interact with others. However, there is a small but dangerous dark net underworld where drug and arms dealing can occur along with a hacker universe where code written to exploit software can be found, bought and sold.
His research challenges what has long been an “offense-dominated” cybersecurity philosophy assuming the defender is at a great disadvantage because he or she needs to protect an entire system while the attacker only needs to exploit one vulnerability. “That relies on the assumption you don’t have any idea of the capabilities of the attacker,” Shakarian says.
Shakarian also carries the distinction of Fulton Entrepreneurial Professor for his role in developing what is now called CYR3CON, a technology that in its earlier stages could scan 120, however today can scour up to 200, dark net sites. GSI originally provided seed money for the project, then public and private grant dollars followed. After only two years, CYR3CON is moving through business incubation stages as the technology effectively mines large amounts of dark net data and sifts out the meaningless pieces, something valuable for software developers needing to fix vulnerabilities.
How diversity helps
Cybersecurity is a global concern, so in order to understand the attacker one must also spot cultural differences and nuance. It’s a task that requires far more than computer minds. That’s why GSI brings to the table 40-plus faculty members from various disciplines, including engineering, social sciences, law, public policy, psychology, even supply chain management in the business school.
“Cybersecurity is not a computer science problem anymore. We have to pursue research challenges in the context of multidisciplinary methods, social aspects and human aspects,” says Gail-Joon Ahn, director of ASU’s Center for Cybersecurity and Digital Forensics (CDF).
However, while anthropologists and psychologists can theoretically walk a mile in a hacker’s shoes, gender and race diversity in the computer sciences workforce would also help matters. The current lack of diversity, Bliss explains, contributes to a problem known as algorithmic bias — where software code is written poorly, arguably the result of narrow cultural understandings.
“We are not exercising a significant portion of the talent pool. This is not just purely a theoretical contribution. … If you look at company boards with diversity, they perform significantly better. … It’s not just an echo chamber of the same type of thinking. … It’s why we focus so much on diversity in our programs,” Bliss notes.
More creativity in cybersecurity education is key, Bliss adds. Students need hands-on experience where they tend to real-world public and private sector concerns. GSI’s partnership with Allstate, for example, supports scholarships for young researchers to explore effectively managing sensitive data in insurance industry systems.
Steering more students into the field is also key. There are an estimated 200,000 unfilled cybersecurity jobs globally — a number that is expected to grow to 1 million by 2020.
ASU’s Cybersecurity Education Consortium (CEC), a partner of the Global Security Initiative, has developed a multipronged program to prepare ASU students to fill this talent gap. ASU has made the program a priority of Campaign ASU 2020, a comprehensive campaign to raise private support with community partners who share common concerns, like cybersecurity.
The grid, back to the consumer
Problems can also occur out of practical need. For example, electrical grid vulnerabilities are not simply because of software weaknesses, explains Ahn, whose team has done considerable cybersecurity electrical grid research with the help of Department of Energy, National Science Foundation and other grants. Accessibility to the grid, he argues, is the bigger problem.
“If many engineers and technicians can access the grid, those are the entry points for a potential attack,” Ahn warned.
As many are learning the hard way with identity or credit card thefts, in day-to-day life there is still far too much access granted to personal information in the name of convenience. That’s why Winterton discourages anyone from logging onto public Wi-Fi networks or purchasing a device with Wi-Fi capabilities unless it’s absolutely needed.
At the same time, she argues that code writing solutions need to involve regulatory changes to more openly spell out vulnerabilities to consumers, while also applying what we know about attackers at the software development stage.
“It’s about more thoughtful creation of technology, building in things like privacy and security in the design phase, instead of trying to bolt them on at the end,” she says.
To learn more about how ASU cybersecurity research efforts are making impacts locally and globally, visit the Global Security Initiative website. To support ASU’s work in cybersecurity, visit GiveTo.ASU.edu.
Originally published at www.azcentral.com on February 2, 2017.