Breaches in cybersecurity are so common that we’re becoming numb to the latest “attack-of-the-day” news stories. Complacency and turning a blind eye to the threats in our homes and all around us is not the answer to the growing problem of cybersecurity. Consider that a successful hack has already been demonstrated on a pacemaker; the influx of simple, weakly-defended IoT devices, not to mention vital equipment and services such as infusion pumps, utility companies with aging infrastructures, wearables, and connected vehicles all provide fuel for life-changing and, indeed, life-threatening attacks. At the discovery of the infamous Stuxnet computer worm nearly two decades ago, The Economist magazine declared it “a new kind of cyber-attack.” Now “new” isn’t remotely an adequate adjective and doesn’t even begin to describe the threats we face today — this is the challenge we’re up against.
Potentially life-changing technology has crept stealthily into our everyday lives, and hardly a day goes by without a story in the news about a data breach, hacking, or spying. Facial recognition, voice recognition, security cameras, sensors, and connected appliances — all the imagined technology of the science fiction cartoons, TV shows, and movies of the 60s and 70s — are coming to pass and now we’re left having to deal with not only the benefits of, but also the problems of a connected society. So, what is to be done about it? What is to be done when the threat of having a nation state hack a national election or take down a power grid is a very real possibility? How do we stay one step ahead of the hackers, and is it even possible? As systems become more abstract and less physical, the scope of trying to prevent a breach must change, and the opponent must be met on their playing field. If it is an arms race to artificial intelligence, the Internet of Things, and quantum information, likewise it is an arms race to defend it.
In a utopian society, the Internet of Things would provide a feedback loop to ensure the ultimate in customer satisfaction, efficiency, and security. We, however, do not live in a utopian society and the unnoticed but ultimately gaping, exploitable chasms in the fabric of IoT have been pounced upon like a lion hunting an antelope. The tiniest hole, the most minuscule aberration in code becomes a pathway to allow nefarious activity to ensue. Like it or not, our lives are out there and they’re vulnerable, and by all accounts, it’s getting worse. Patches and updates aren’t the answer. Systems must be built with security baked in, not provided by firewalls and add-ons installed after the fact. With that after-the-fact approach, systems become too cumbersome and every new application or piece of hardware becomes a potential entry point. With the proliferation of cloud computing services, organizations that host other companies’ data will find themselves vulnerable to the hacker’s idea of economy of scale. Why bother with a desktop computer when you can leverage an entire cloud’s worth of data for profit?
There are multiple challenges to overcome. It seems to have become human nature to automatically click on links. Therefore, one challenge is education and, along with that, awareness of social engineering strategies; education of the general public as to the schemes and advances of the cybercriminals, the compelling ways they get you to bypass common sense and click on that enticing link and share your information. Ransomware is the bane of cybersecurity and IT professionals and although random ransomware attacks are down in general, targeted, focused attacks still make the news. Holding data hostage is a particularly egregious type of extortion — the potential impact is mind-boggling, and many organizations still don’t have a reliable, responsive disaster recovery solution.
Lest you think it is all doom and gloom, there are significant bright spots on the horizon, not the least of which is the Annual CERIAS Cybersecurity Summit here at Purdue. The Center for Education and Research in Information Assurance and Security (CERIAS) is one of the world’s leading centers for research and education in areas of information security that are crucial to the protection of critical computing and communication infrastructure. Its multidisciplinary approach to problem-solving includes faculty from six colleges and more than 20 departments across the Purdue campus. As one of the important events in the cyber security/infosec world, the annual CERIAS Cybersecurity Summit on April 9-10 attracts participants from all over the country for two days dedicated to all things information security. Ray Rothrock, CEO of RedSeal, Inc. kicks off the list of distinguished speakers with his keynote on Digital Resilience. Panel discussions on such topics as artificial intelligence, sustainability, space exploration, and health and longevity feed into Purdue University’s 150th Anniversary Celebration theme of “Giant Leaps.”
David Ebert, Interim Director of CERIAS and Professor of Electrical and Computer Engineering, commented on the upcoming symposium, stating “This will be the 21st CERIAS Symposium and the importance of security and trusted information over the past twenty years has greatly increased. Trustable, reliable information is extremely important in the development and all of the application uses of AI/ML – humans need to understand the factors leading to the advice from these algorithms and make sure there is no bias in how the algorithms were trained.” Ebert continues, “Cybersecurity and trusted information affects and integrates research across campus and disciplines including trusted microelectronics, secure and trusted systems with parts from across the globe, autonomous vehicles, advanced manufacturing, agriculture, as well as social and behavioral sciences and ethics.” The takeaway is that cybersecurity is no longer an ethereal problem of the future, it’s a very real threat that has the capacity to touch every aspect of everyone’s life. As a result, it is the cross-disciplinary research efforts of institutions like Purdue that will ultimately level the playing field between the desire for a useful, safe, connected environment and those trying to destroy it.
One area of Purdue excellence in security is privacy-enhancing technologies, and its importance is growing. For instance, blockchain technology has spread rapidly through finance and supply chains as an efficient, secure traceability mechanism, and Purdue leads the efforts toward improving its privacy. A blockchain is a distributed and replicated ledger of all transactions, where transactions are ordered in the form of a chain. Each ledger entry (block) can only be appended to the ledger after solving a time-consuming cryptographic puzzle (also known as proof of work), preventing adversaries from altering blocks already added to the chain. However, all of the blockchain transactions are publicly known, and access control and privacy compliance are huge concerns. Over the last six years, Purdue Professor Aniket Kate’s team has been building and analyzing blockchain-based solutions for finance and supply chains. His projects include building automotive supply chains for Ford Motors and digital supply chains for Northrop Grumman. He particularly excels at analyzing and understanding blatant privacy vulnerabilities in the ad hoc blockchain-enabled traceability solutions in the wild, and developing privacy-enhancing solutions towards resolving those vulnerabilities.
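The ledger mechanics described above, as an added sketch (not code from Purdue or Professor Kate's team): each block commits to the hash of its predecessor and carries a proof-of-work nonce, so editing an old entry invalidates the chain until that block and every later one is re-mined. The toy difficulty, the JSON block encoding and the supply-chain entries are assumptions made for the example; the entries are stored in plaintext, which is the public-visibility concern the paragraph raises.

```python
import hashlib
import json

DIFFICULTY = 3          # assumed toy setting: hash must start with 3 hex zeros
GENESIS = "0" * 64      # assumed placeholder "previous hash" for the first block

def block_hash(block):
    """SHA-256 over the block's canonical JSON encoding."""
    return hashlib.sha256(json.dumps(block, sort_keys=True).encode()).hexdigest()

def mine(prev_hash, tx):
    """Proof of work: try nonces until the block hash meets the difficulty."""
    block = {"prev": prev_hash, "tx": tx, "nonce": 0}
    while not block_hash(block).startswith("0" * DIFFICULTY):
        block["nonce"] += 1
    return block

def build_chain(transactions):
    chain, prev = [], GENESIS
    for tx in transactions:
        chain.append(mine(prev, tx))
        prev = block_hash(chain[-1])
    return chain

def first_invalid(chain):
    """Index of the first block with a bad link or bad proof of work, else None."""
    prev = GENESIS
    for i, block in enumerate(chain):
        digest = block_hash(block)
        if block["prev"] != prev or not digest.startswith("0" * DIFFICULTY):
            return i
        prev = digest
    return None

def remine_from(chain, index):
    """Redo the work for block `index` and all successors; return hash attempts spent."""
    prev = GENESIS if index == 0 else block_hash(chain[index - 1])
    attempts = 0
    for i in range(index, len(chain)):
        chain[i] = mine(prev, chain[i]["tx"])
        attempts += chain[i]["nonce"] + 1
        prev = block_hash(chain[i])
    return attempts

# Constructed sample entries; readable by anyone holding a replica of the ledger.
TXS = ["supplier A ships 100 parts to plant B",
       "plant B ships 40 units to dealer C",
       "dealer C sells 1 unit"]

if __name__ == "__main__":
    ledger = build_chain(TXS)
    ledger[0]["tx"] = "supplier A ships 900 parts to plant B"
    print("first invalid block:", first_invalid(ledger))
    print("hash attempts to repair:", remine_from(ledger, 0))
```

At a realistic difficulty the repair cost grows with every block appended after the edited one, which is what makes rewriting history on a replicated ledger impractical.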
This is a topic that will touch everyone eventually and I invite you to visit the CERIAS web site for more information. Please also check out the Discovery Park web site to see other exciting events we have scheduled this year. Stay safe out there in cyberspace.