Universities try to hone cybersecurity niche

[InfoSec News <isn () c4i org>]

http://newsobserver.com/24hour/technology/story/920816p-6411106c.html

By CHRISTINA DYRNESS
THE NEWS & OBSERVER OF RALEIGH
June 18, 2003 

(MN) - An Iraqi attack on U.S. computer systems leaves government 
agencies in disarray until a cybervigilante comes to the rescue. So 
goes the plot line of a first novel written by a cybersecurity expert. 
Its timeliness is making waves in the industry and comes at a time 
when the federal government is poised to boost spending on securing 
its computer systems. 

Called "No Outward Sign" (Writers Press Club, $18.95) [1], the book by 
Bill Neugent describes a covert computer attack that couldn't be more 
different than the stark visual image of burning twin towers of Sept. 
11 forever etched in the national memory. But the cyberthreat against 
the United States is real and has been for some time, experts say. 

Dave Morrow, deputy director of global security and privacy services 
at EDS, based in Cary, N.C., should know. During most of the 1990s, he 
served as a cybercrime investigator in the Air Force. Morrow bears 
witness to the fact that cyberattacks against U.S. government networks 
are frequent - though most of what he knows is classified.

"There's a lot," Morrow said. "And I can't talk about it. But there is 
quite a bit of capability out there."

The Sept. 11, 2001, terrorist attacks prompted the creation of the 
U.S. Department of Homeland Security and a new focus on personal and 
national security. With computer chips turning up in everything from 
tractors to video cameras and the Internet creeping into more areas of 
life - both wired and wireless - the securing of a nation can't happen 
without securing computer networks that run electricity grids, store 
confidential government secrets and control financial markets.

The promise of new funding is drawing much attention on the academic 
front toward cybersecurity study, and some North Carolina universities 
are studying better ways to protect systems from hackers and other 
cybercrime. The schools have an eye on grants from the government to 
fund this research, but also the job market for their graduates as the 
demand for computer security experts is slated to grow while other 
computer networking jobs have dried up.

For example, N.C. State University opened a Cyber Defense Lab in April 
as a way to showcase its research on related topics and, perhaps, 
score some new grants to support it.

The lab doesn't hold all of the university research related to online 
security, but it's a convenient way to showcase the work of four 
members of the computer science faculty and their graduate students. 
They are working on grant-funded research on topics that include the 
study of the software bugs exploited by hackers and security for 
wireless computing.

"The level of sponsorship is going up and we expect it to grow up 
quite dramatically in the next few years," said Douglas S. Reeves, 
professor of computer science at N.C. State.

And the message is coming through loud and clear to students who are 
piling into cybersecurity classes, eager to pursue an area of study 
with a good chance for employment waiting at the other end.

"Now that networking is in a slump, security is the bright area in the 
picture," Reeves said. "There is still a great demand and not enough 
supply in security."

At the University of North Carolina in Charlotte, the opportunity is 
furthered by a Federal Cyber Corps scholarship program.

Paid for by the National Science Foundation, Cyber Corps pays tuition 
for cybersecurity-focused graduate students, gives them a 
$1,000-per-month stipend and requires them to work for the federal 
government for a year or two upon graduation.

Fifteen universities across the country participate in the program. 
UNC-Charlotte, which has been offering the scholarship for three 
years, is the only one in the Carolinas.

"In this market, the guaranteed job turns out to be a tremendous 
attraction," said Bill Chu, chairman of the department of software and 
information systems at UNC-Charlotte. "The admissions bar is very 
high. A couple of years ago, you didn't see those students applying to 
graduate school."

Chu said UNC-Charlotte started building its cybersecurity research 
program five years ago with the support of the local banking 
community.

"Our collaboration with the financial sector is important," Chu said. 
"They take security very seriously."

Now that cybersecurity is a hot topic, Chu expects to see even more 
activity around education and research.

"So far, the disappointment has been that Congress has approved 
(additional research funding), but it has been tied up in 
appropriations," Chu said. "There's a lot of talk in Washington, but 
all this is still being shaken out. All this hasn't translated in big, 
huge programs."

Proposed bills in Congress would designate about $100 million toward 
cybersecurity research and education in the current fiscal year with 
hundreds of millions more in future years. The bills now wait for the 
appropriations committee to designate the money.

While additional money might stoke new research, myriad projects that 
fall under the cybersecurity label are already under way at Triangle 
universities.

"Cybersecurity is an umbrella term that means a lot of things to a lot 
of people," said N.C. State's Reeves. He explains that the term is 
invoked to mean the reaction to some malicious cyberactivity like 
hacking.

But cybersecurity can also mean simply the reliability of a network. 
"When we use the term, we mean that broad sense," he said.

Work at N.C. State's Cyber Defense Laboratory on Centennial Campus in 
Raleigh includes projects by Reeves; S. Purushothama Iyer, associate 
professor of computer science; Peng Ning, assistant professor of 
computer science; and Bin Yu, a research associate; in addition to 
graduate student researchers.

Iyer, for example, received funding from the National Science 
Foundation and the Army Research Office for research into methods of 
proactive network designs - looking at the bugs that hackers use and 
trying to eliminate them.

Reeves' work, in collaboration with Ning, has been in improving 
computer intrusion detection.

"How do you deal with massive amounts of information?" asks Reeves. 
"Right now systems are not good at isolating what you really need to 
worry about. Our work is about tuning systems to calibrate intrusion 
detection."

MCNC, the nonprofit economic development center in Research Triangle 
Park, N.C., has also positioned itself as a cybersecurity player.

Along with Duke University in Durham, MCNC is finishing a three-year 
project, called SITAR, for the Defense Advanced Research Projects 
Agency, or DARPA. SITAR stands for scalable, intrusion-tolerant 
architecture for distributed services. The challenge was to design a 
large computer network that provides online services to multiple users 
and not only steel the network against hackers, but also make it 
strong enough to continue to provide services if an intrusion occurs.

"It used to be that DARPA had a lot of projects sponsored for 
intrusion detection," said Feiyi Wang, principal research scientist at 
MCNC. "But often (hackers) will be successful. There's a class of 
mission-critical applications and under active attack, some of the 
system component was being compromised."

SITAR is just one of several research projects at MCNC, all of them in 
collaboration with universities, that have applications in 
cybersecurity.

Dan Stevenson, vice president of the MCNC Research and Development 
Institute, said that sometimes government-funded research can sit on a 
shelf and collect dust, but MCNC tries to ensure that research will 
see the light of day as a commercial project or in use by other 
government agencies.

"We're trying to make it happen for SITAR and other projects in the 
cybersecurity space," Stevenson said.

Amin Vahdat, a Duke University assistant professor of computer 
science, points out that North Carolina universities are not in the 
top tier of cybersecurity research institutions, a designation he 
reserves for schools such as the Massachusetts Institute of 
Technology, Carnegie Mellon University in Pittsburgh, the University 
of California at Berkeley, Purdue University in West Lafayette, Ind., 
and perhaps Stanford University of Palo Alto, Calif.

"We aren't in that league," Vahdat said.

But as interest in the topic has increased, so have the research 
efforts, with more and more grant proposals heading to Washington in 
hopes of getting financial support.

EDS' Morrow, who works with business clients to secure their networks, 
hopes to see government-paid research finding its way to his 
customers. "They do a lot of research and development for things that 
can develop into some really good products for the private sector," he 
said.

And one thing is for sure: Cybersecurity is the place to go for job 
security. "There is going to be, in the future, no letup in the 
requirement for people who know something about security," Morrow 
said. 

[1] http://www.amazon.com/exec/obidos/ASIN/0595257496/c4iorg



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.