By Kate Hunger
It’s no secret that organized crime is flourishing on the Internet. Cyber thieves pluck bank account, credit card and identity information by hacking into vulnerable systems or using fake Web sites and e-mails to trick users into divulging sensitive information. What many people don’t realize is that their own computer could be used in a cyber attack against other systems or even critical infrastructure—and they wouldn’t even know it.
The detection of botnets—networks of hijacked, or “zombie,” computers used to carry out crimes while making them harder to source—is a significant research area for UTSA’s newly created Institute for Cyber Security (ICS). Under the direction of world-renowned expert Ravi Sandhu, ICS has as its mission the protection of the cyber infrastructure through research and its commercial applications, as well as through education and service.
“We’re not just commercializing what we have,” Sandhu says. “We have to develop some cutting-edge stuff. It has to be something new.”
UTSA last year won a competitive $3.5 million grant from the Texas Emerging Technology Fund to create the institute and hire as its founding executive director Sandhu, who left the information security faculty at George Mason University to come to UTSA. He also received a $1 million grant from the University of Texas System. The institute, which involves the departments of computer science, electrical and computer engineering, and information systems and technology management, has a half-dozen full-time-equivalent researchers. Reaching his goal of 10 to 15 full-time-equivalent researchers would make
UTSA’s cyber security program one of the biggest in the country among academic institutions, Sandhu says.
Securing the funding to launch the institute and attract someone of Sandhu’s caliber was a university- and community-wide effort that underscores the level of local support for the research and the problem-solving it will spawn, says Robert Gracy, UTSA’s vice president for research.
“It really gives us a giant leap forward,” he says.
The establishment of the institute at UTSA is a wise move for the university and for San Antonio because there is not yet a national leader in the academic field, Sandhu says. He adds that UTSA’s commitment to commercialization sets it apart from other cyber security programs because it moves beyond publishing and peer review by demanding real-world performance.
“I think our focus on commercialization is unique,” he says. “The ultimate test of a security technology is if it succeeds in the market. The ideas can be pretty, they can be elegant, they can be deep, but if they don’t see some practical application, they are just an ivory
tower. … Your research is a failure if not applied in the real world.”
To that end, research at ICS will fall into two tracks: academic and startup. The academic track will pursue traditional funded research and will take years—perhaps up to a decade—for some of its projects to realize their commercial potential. The startup track, meanwhile, will target rapid commercialization prospects with a much shorter timeframe of two to three years. Ravi Ganesan, inventor, technology executive and entrepreneur, will lead the commercialization effort.
Even with its lab and offices still under construction last spring at the Science Building and the Biotechnology, Sciences and Engineering Building, respectively, the institute had already won its first grant, to study assured information sharing for the Air Force Office of Scientific Research. The project is a collaboration with five other universities: the University of Maryland, Baltimore County; University of Illinois at Urbana-Champaign; University of Michigan; Purdue University; and the University of Texas at Dallas.
Information sharing is a key piece of the cyber security puzzle. After Sept. 11, when it became clear that U.S. intelligence agencies were not communicating effectively with each other, they made efforts to shift away from a need-to-know policy to a more open approach. However, shared information still must be protected, Sandhu says. UTSA’s share of the five-year project is $1 million, and the institute will use it to study the security aspect of assured information sharing as well as specific Department of Defense applications.
In all areas, ICS researchers will aim to answer two core questions. First, what does it mean for a system to be secure? And second, how do we secure it? In addition to the detection of botnets, ICS’s basic, foundational research into secure systems and how systems get attacked would have applications in a number of areas, including social networking sites such as MySpace and Facebook, and multimedia, Sandhu says.
Researchers also will study new developments in Internet technology and ongoing efforts to essentially redesign the way the Web functions. For example, the Semantic Web, which has been in development for several years, would allow Web sites to communicate and share user information. If realized, this would have significant security implications. Not only is personal and financial information vulnerable in today’s increasingly connected world, but the nation itself is also a target. “They are looking for knowledge, information, secrets,” Sandhu says of other countries seeking an under-standing of U.S. cyber space. Terrorist attacks are one concern, he explains, but cyber “information warfare” is also a threat.
Sandhu is excited by the opportunity to lead a well-funded and focused research center in a field that is essentially a frontier rife with challenges. Faster computers and advances in technology create new challenges in maintaining security, and therefore more opportunities for cyber criminals. In addition, innovations that appeal to users because of their open nature, such as social-networking sites, give criminals avenues to make an attack. And companies that cut costs by putting more and more of their business online are creating even more targets.
“Anything that goes online can be attacked,” Sandhu says.
Learning from the past
Even though it is a young field—consider the recent arrival, in historical terms, of the personal computer and, even more recently, the Internet—cyber security already has moved beyond its original focus on protecting business enterprises. Security may now also involve contending with the sometimes conflicting interests of a business, such as a bank, and its customers.
Despite the rapid evolution of computer technology, it’s important to understand the history of cyber security, Sandhu stresses.
“Today’s students are woefully inadequately informed about the history of computer security,” Sandhu says. “If you can’t learn from lessons past, you are going to repeat mistakes. Cyber security is an immature field. The state of the security today is pretty awful.”
For cyber security researchers, the only constant is change. No longer comprising mostly hackers intent on showing off their skills, the world of cyber crime is now highly organized, with its own economy, supply chain and outsourcing, Sandhu says. Bank account and credit card numbers are sold online, as are directions on how to hack sites.
And yet, many computer users are unaware of the implications of this increasingly interconnected world. A recent survey of 2,249 consumers by the National Cyber Security Alliance found that 71 percent of respondents had never heard the term “botnet.” The stealthy manner in which botnets operate means that users aren’t aware their computer has been compromised, Sandhu explains.
Online fraud is common, too. One form of cyber crime phishing—has grown to many thousands of reported cases each month, according to the Anti-Phishing Working Group (APWG). Phishing is carried out by using “spoofed” e-mails or Web sites,
often of known and trusted brands, to persuade users to share
their account information. Another form of phishing is to infect
computers with crimeware that intercepts passwords or other sensitive information. In December 2007, APWG received reports
of 25,328 unique phishing sites and tallied 144 brands hijacked
by phishing sites during that month.
“The stuff is amazingly authentic-looking now,” says Peter Cassidy, secretary general of APWG.
Phishers are essentially working a numbers game, he says,
because eventually, they will reach someone who is too tired or
distracted to recognize the trap they are falling into.
A tradition of service
Although the ICS is new, the field of cyber security at UTSA is not. The university’s Center for Infrastructure Assurance and Security (CIAS), established in 2001, has been working to raise awareness of cyber threats to critical infrastructure, including power grids, 911 service and transportation. The center has helped communities figure out how secure—or insecure—their cyber assets are, including vulnerable utility and emergency response systems. CIAS continues to develop cyber security training courses, funded by the Department of Homeland Security, that, once piloted and approved, will be available to communities nationwide.
Among the courses offered through CIAS are a basic security threat awareness course and a more technical voice and data security course for networking staffs. CIAS also has created a road map to improve security called the Community Cyber Security Maturity Model. This model details levels of security and the characteristics of each, from the initial stage of a community with unstable security up to an optimized stage, where a community is constantly working to improve its security and regularly tests it.
CIAS now is part of the institute. Prior to Sandhu’s arrival, “there [hadn’t] been anyone who was trying to bring the security researchers together,” says Greg B. White, CIAS director and associate professor of computer science. “What we have done in the CIAS is start to make a name for UTSA.” But the approach hasn’t been via the traditional route of research and publishing. “By going operational, we’ve started to address immediate needs.”
The first step has been getting the message out that terrorist attacks can happen at the click of a mouse, through manipulating key infrastructure systems via computers to create the same result as a traditional, physical attack.
“All they are there to do is cause chaos to try to implement fear in our day-to-day lives,” says Natalie Granado, assistant director of training for CIAS.
The cost of a cyber terrorist attack would be small in comparison to that caused by weapons of mass destruction, she says, but the results would be dramatic. “With cyber, it doesn’t have to be as much,” Granado explains. “You can do some impact just by doing some simple things. … You can find free tools on the Internet to use against other people’s computers.”
Sandhu says that he hopes that CIAS will expand into additional service areas, such as larger government entities and industry.
Local impact
The potential impact of ICS on San Antonio’s economy is significant, says John Dickson, an owner of the Denim Group Ltd., a San Antonio information technology consulting firm that builds and secures large-scale applications for clients. Dickson is a board member of the San Antonio Technology Accelerator Initiative, which was involved in the funding effort for the institute.
When it is firing on all cylinders, ICS will produce experts in the field who will be extremely attractive to employers, he says.
“We’re dying for people who are trained in secure coding, secure software development,” Dickson says, adding that “ultimately, if they do well, they are going to have ideas and intellectual property,” a circumstance that he likened to “the end of the rainbow.”
But even then, new challenges will arise that will demand action.
“There is no absolute security,” says Sandhu. “That means some attacks are always possible.” |
