Trust is at center of all cybersecurity work, DOD’s Shyu tells CERIAS crowd 

Eugune Spafford and Heidi Shyu
Eugune Spafford and Heidi Shyu

WEST LAFAYETTE, Ind. — Cybersecurity in defense comes down to one word: trust. That was the message from Heidi Shyu, undersecretary of defense for research and engineering, the fireside chat guest at the annual Center for Education and Research in Information Assurance and Security (CERIAS) Security Symposium April 2 at Purdue University’s Stewart Center.

“Cybersecurity is tantamount to everything we do,” Shyu told Eugene Spafford, CERIAS’ executive director emeritus and founder of the organization, who led the discussion. “If you can’t trust the system, you don’t want it.”

That is her message as well to businesses looking to work with the Defense Department, Shyu said, noting that traditional cybersecurity work continues even with the emergence of artificial intelligence’s influence throughout computing.

Trusted AI and autonomy are among the critical technology areas she oversees in her role, she said, and these technologies are frequently linked. But “the first time a user uses a system, and it does something you didn’t anticipate, you’ll lose trust in the system,” Shyu said. “I ask the researchers: How can I validate this potential path? How can I trust the model?”

Shyu said that the Defense Department is looking at what it can do to leverage AI, as many other countries also experiment with AI and autonomy. “What we are interested in is, because we use military systems, we need additional assurances in the system and that there is no method to hack into it and change its behavior,” including sensor attacks.

Sensor attacks were among many issues discussed among the more than 300 attendees at the April 2-3 symposium. This was the 25th anniversary of this annual event that gathers top experts in academia, government and industry to discuss the latest advancements and challenges facing cybersecurity. The event was founded by Purdue’s Center for Education and Research in Information Assurance and Security.

CERIAS is considered the world’s foremost interdisciplinary academic entity for cyber and cyber-physical systems security. Being interdisciplinary is one of CERIAS’ strengths, Spafford said. “If we had no computers, we would not have computer abuses,” he said. “But the same is true if we had no people. To really address the difficult problems requires examination of a spectrum of issues.”

As one can imagine, the thrust of CERIAS’ research has changed as much over the years as has the term “cybersecurity.”

“Cyber risks and vulnerabilities are far different today than 25 years ago,” said Joel Rasmus, CERIAS’ managing director. When the event started, “we didn’t even call it cybersecurity; it was ‘information assurance,’ and it was about protecting information on your computer,” he said.

Today, cybersecurity is far more than just protecting information. “It’s about connecting systems and making them do something they were not designed to do,” Rasmus said, “like injecting vulnerabilities into a manufactured component, shutting down a power grid or shutting down the nation’s agricultural supply chain.”

Indeed, these subjects and others made up the agenda for this year’s event. Drones are a notable example. At the end of 2023, there were more than 800,000 drones in the United States used in myriad applications, said Ashok Raja, assistant professor of cybersecurity, and computer information technology and graphics with Purdue. But, he noted, a sensor attack can exploit them, a stealthy strike on the unmanned aerial vehicle’s perception-based control that degrades its performance yet remains undetected.

“UAVs can be misled through a series of steps and ultimately led to crash,” Raja said. “Perception sensors can be leveraged by malicious entities as a channel to attack AI algorithms.” He said that to protect a UAV used for something like a bridge inspection, adversarial samples can be used to train the drone to resist attack.

Cyber also now is a warfighting domain, said Chris Cleary, vice president of global cyber solutions for ManTech and former principal cyber advisor for the Navy. In the past, officials did not discuss cyber because it was usually classified, “but we’re talking about cyber all the time” in defense circles, he said.

“This is not a secret to anyone. Some of our adversaries are intentionally building weapons to get into some of our infrastructure,” via environment preparation or degrading the ability to use capabilities, Cleary said.

“Cyber needs attention now,” he said. In any incident, a possible cyberattack must be investigated and ruled out “because the adversary now gets a vote,” he said. “The adversary can figure out a way around it” when exploiting vulnerabilities or technologies.

In addition to the presentations, students presented about 60 posters highlighting some of the current cybersecurity research projects under CERIAS.

“Over the lifetime of CERIAS, we have helped produce 300 PhDs in cybersecurity, along with thousands of graduates with undergraduate and master’s degrees,” Spafford said. “Our partners in industry and government are excited to support not only our research but our broad educational mission. They know that our greatest challenges require not only the application of innovative technology but the hard work of excellent people.”

“The one constant in 25 years has been that Purdue’s CERIAS has been at the forefront of identifying and mitigating these risks and vulnerabilities,” Rasmus said, “as well as educating the next generation of the workforce.

“There are big things here,” he said. “This is not your typical cybersecurity conference” because as many people from government and the commercial sector attend and present. We have, from the very beginning, had the underlying drive to solve real problems.

“Academia can’t stand in the ivory tower,” he said. “We must engage industry to change the world.”

Writer/Media contact: Evamarie Socha, ecsocha@purdue.edu