William Robertson got his first taste of how vulnerable the world’s cyberinfrastructure is during the 1990s, when he hacked into computer networks. He did it for the adrenaline rush, says the assistant professor, and out of sheer curiosity.
“I was interested in system penetration and doing remote reconnaissance just to see what I could find,” Robertson recalls. “I discovered that anyone with the requisite knowledge could uncover all kinds of fascinating data.”
For several years, he honed his hacking acumen, breaking into secure networks and poring over private information for fun, without any intention of doing harm. But the allure of aimless hacking eventually wore off, and he realized he could put his vast knowledge of Internet networks to use, finding ways to block people from stealing information and doing real harm.
Today, Robertson has dual appointments in the College of Engineering and the College of Computer and Information Science at Northeastern. A leading expert in detecting and preventing Web-based attacks, he is part of a contingent of interdisciplinary faculty uniquely qualified to train the next generation of cyberscientists to outfox even the most ruthless hackers and to build truly secure software.
A 21st Century Challenge
The urgency behind putting together these teams of cybersecurity specialists is very real. Consumer cybercrime costs the global economy $110 billion a year, according to one of the largest studies on the growing threat of hackers, online scams, “phishing” attacks, and exploitative malware. The report, issued by the security software company Symantec, also found that cybercrime affects more than 1.5 million people each day.
This threat extends well beyond the personal computer. In a speech last fall in New York, former Defense Secretary Leon S. Panetta warned of the possibility of a “cyber-Pearl Harbor,” citing the vulnerability of the nation’s water supplies, power grids, and passenger trains.
Stephen Flynn, professor and founding co-director of the university’s George J. Kostas Research Institute for Homeland Security, echoes Panetta’s sentiment. He testified on the point at a congressional hearing on cybersecurity last spring. “Many of the software programs that support our critical infrastructure are wide open for exploitation,” he explains. “We don’t just risk a disruption of service or identity theft, but also mass sabotage and mass loss of life.”
Stepping Up the Response
In 2008, the U.S. government began to heed these warnings, establishing the Comprehensive National Cybersecurity Initiative. In 2010, the Obama administration stepped up the response with an expanded National Initiative for Cybersecurity Education. The U.S. Department of Homeland Security followed suit not long after with the formation of a CyberSkills Task Force aimed at building a world-class cybersecurity team to combat the looming crisis.
Much work lies ahead. Some 700,000 new information security professionals will be needed by 2015, according to a 2011 study sponsored by the International Information Systems Security Certification Consortium.
Northeastern is helping to chip away at that ambitious workforce goal by producing top cyberscientists through its master of science in information assurance program, established in 2007. The interdisciplinary curriculum blends the latest theory on information technology, law, policy, and human behavior with Northeastern’s signature experiential-learning opportunities.
Designated by the National Security Agency as a Center of Academic Excellence in Information Assurance Research and Education, Northeastern recently earned a five-year, $4.5 million grant from the National Science Foundation to train 32 additional graduate students through the CyberCorps Scholarship for Service program. The grant covers students’ tuition, fees, and living expenses for two years and includes a generous annual stipend for academic and professional pursuits. In return, students agree to complete an information assurance co-op or internship and work for a national laboratory or federal agency for two years after graduation.
The Deep End
One of the reasons the university is recognized as a hub of information assurance education is that students learn to think on their feet. They’re immediately thrust into real-world situations—both in co-op and in the classroom—through Northeastern’s rare blend of experiential learning and academics.
The curriculum is centered around a series of complex laboratory and independent assignments, such as securing a closed-circuit server that has received 200,000 failed login attempts from a cast of fictional cybercriminals or assuming the mindset of a hacker and extracting cryptographic information from hardware. Using industry tools and commercial-grade networking equipment, students get inside the heads of these fictional hackers and come up with viable solutions.
Samuel Jenkins, MS’12, graduated in May with the second Scholarship for Service class. Jenkins, who has an undergraduate degree in German studies from Swarthmore College, returned to his childhood love of tinkering with computers and decided to pursue graduate work in cybersecurity. He now works as a security analyst with the Executive Office of the President of the United States, providing information technology services to the White House.
Jenkins liked Northeastern’s blend of technical and nontechnical courses. “When I began the program, I felt as if I had been thrown into the deep end,” he recalls. “And I wanted to be in the deep end. My professors were very responsive to my technical questions and extremely knowledgeable real-world practitioners. I applied to the program because its multidisciplinary approach to computer security fit well with my diverse interests.”
Thinking Like a Thief
Northeastern’s experiential approach also affords students a unique opportunity to understand the many scenarios cybersecurity specialists encounter every day.
One of the biggest challenges experts face in trying to shut down cybercrime is that cybercriminals continually morph their malware, making it virtually impossible to catch and prosecute them. Robertson likens the system to a global Internet mafia, with individuals sitting behind backlit screens in nondescript locations, coding their way into people’s sensitive data around the clock.
The key, says Robertson and others, is to think like the cyberthieves. He and his team spend their days studying malicious software, discovering how it is constructed, how it works, and how it behaves. With that background, they are able to cripple the criminals’ ability to operate.
This objective takes more than trained cyberdetectives. It requires cutting-edge technology that can detect, analyze, and prevent virtual attacks. For instance, Robertson uses machine-learning techniques to develop security programs that “know” what normal user behavior looks like. Then, when a threat presents itself by demonstrating anomalous behavior, the program can automatically intervene to end the threat.
He is also working with his colleague Engin Kirda, co-director of Northeastern’s Systems Security Lab, to make mobile phones more secure. Backed by a $2 million grant from the Defense Advanced Research Projects Agency, the duo is developing tools to identify and defend against malicious activity in Android applications.
DARPA, says Kirda, also the director of Northeastern’s Information Assurance Institute and the Sy and Laurie Sternberg Interdisciplinary Associate Professor of Computer Science, is particularly interested in blocking acts of cyberespionage. “If a mobile phone is compromised,” he points out, “then someone could potentially steal data by activating its camera or microphone.”
Agnes Chan, principal investigator on the NSF education grant, whose research expertise lies in cryptography and communication security, is developing a tool to hide information-retrieval patterns from cloud computing providers, some of which cannot be trusted. The real-world applications are many, ranging from protecting financial information to patient confidentiality.
Jenny Mankin, a doctoral candidate in computer engineering who conducts research in Northeastern’s Computer Architecture Research Laboratory, spent the last four years developing the infrastructure for analyzing and detecting malware, such as computer viruses, worms, and “Trojan horses,” which appear to perform desirable functions but instead facilitate unauthorized access to steal information or harm computers. Mankin hopes that computer security software companies will eventually incorporate her tool into products that ward off malware attacks.
But even with the introduction of sophisticated technology, the human factor remains essential. “We can have all the latest technology in the world,” Chan reminds us, “but if we don’t have the people to manage it, then [our networks] will be vulnerable.”
With the backing of the Scholarship for Service grant, Northeastern’s role in providing that human capital will continue to grow. In January, Robertson and David Kaeli, co-principal investigators on the NSF grant, attended the Scholarship for Service’s annual job fair in Washington, D.C. Students had a chance to meet with representatives of some 500 federal agencies.
“Congress talks about the Scholarship for Service program whenever it wants to fund a new cybersecurity initiative,” says Kaeli, a virtualization technology expert and professor and associate dean of electrical and computer engineering. “It receives the most credit for training the next generation of cyberexperts.”
Northeastern is also designated by the NSA as a National Center for Academic Excellence in Cyber Operations, an honor shared by only four universities nationwide. The designation, another part of President Obama’s cybersecurity education initiative, allows undergraduate computer science students to specialize in cyberoperations by taking high-level courses in software vulnerability, network security, and the fundamentals of information assurance.
“Honors like this indicate that our research is vibrant, our faculty is well-funded, and we are working on problems that are relevant to the intelligence and security community,” says Chan.
And they’re problems that aren’t going away anytime soon. As Mankin puts it, “Security researchers and malware writers are playing a game of cat and mouse. I think it’s possible that the race will never end.”