Heinz College Makes Cybersecurity Recommendations That Washington Should Consider Now
By Scott Barsotti
Leaders are needed to tackle complex challenges in cyber that are more philosophical than technical. And they’re needed now.
In the years ahead, the online environment will be complicated by autonomous vehicles and the Internet of Things as much as cyber crime and cyber warfare, and we are headed toward a reality in which the digital world and the physical world will have flimsy boundaries at best.
“Think about the driverless vehicle driving down the road that needs to be connected to the Internet to get sensor data. If that shuts down, the car shuts off. That’s now a health and safety issue,” said Randall Trzeciak, director of the Masters of Information Security Policy and Management (MSISPM) program at Heinz College.
While technology plays a huge role in the development of cyber, there is an ever-widening gap between those advancements and the policies needed to secure the next generation(s) of the Internet.
Who will step up to define those policies? It could be you. (No, really, it could be you.)
Studies show that the cybersecurity field is facing a global talent shortage of some 1.5 million jobs by 2019. A major contributing factor to that shortage is a lack of awareness.
“77 percent of women said in a recent industry survey that no high school teacher or guidance counselor ever mentioned cybersecurity as a career,” said Trzeciak. The number wasn’t much better for men—67 percent. “Getting that knowledge at the K-12 level would be very important, to start creating the pipeline of cybersecurity professionals at the undergraduate and graduate levels.”
Trzeciak is playing the long game for a reason. Cybersecurity is the future. It’s a field that will touch every industry in every sector in a landscape that’s becoming more connected. More connections mean more vulnerabilities. More vulnerabilities mean more threats. As those threats grow and technology speeds ahead, the need for smart policy is evident if we’re to have any hope of keeping the world secure in the 21st century.
“We need laws and language around cybersecurity that are clear, specific, and easy to understand,” said Summer Craze Fowler, Director of Risk and Resilience for the CERT Division of Carnegie Mellon University’s Software Engineering Institute (SEI). “What do we mean when we say cybersecurity? What do we mean when we say cyber attack?”
Here are a few directions the law might be—or perhaps should be—headed in the coming years.
We need: international rules of engagement for cyber warfare
Fowler remarks on several infamous examples of a “non-kinetic” cyber action having a physical effect. There was Stuxnet, a cyber weapon used by the U.S. and Israel to sabotage uranium enrichment facilities in Iran about 10 years ago. There was the 2014 attack on a steel mill in Germany, which caused massive damage by manipulating a blast furnace. Then, in late 2015, hackers seized control of power substations in Ukraine, cutting power to nearly a quarter million Ukrainians.
She states that this is an area that the U.S. government, and in particular the Department of Defense, needs to be concerned with. And to lead.
“It’s a diplomatic effort…we need to get agreements written down,” said Fowler, adding that just as international rules and agreements exist regarding, for example, the treatment of prisoners of war, similar compacts are needed governing use of cyber weapons against critical infrastructure. “If someone hacks [our critical assets], should we be allowed to return with a bomb? What are the rules on this? And how do you get [different nations] to agree?”
Jennifer Urgilez, a second-year MSISPM student, says this area of policy could become even cloudier if private companies are the belligerents.
“Let’s say a foreign entity decides to take out its competition—steals an American company’s IP and then uses destructive malware to take out its systems…and the actors don’t target an entity with public safety implications, like an electric grid or something analogous. At what point would government offensive action or cyber warfare be warranted?” said Urgilez.
“It becomes very murky and we lack so many laws in this space.”
We need: national cyber breach notification and disclosure
Fowler advocates for a federal standard of notification following a breach of customer information. Currently, all 50 states have different laws in this area—or no law—creating inefficiency, confusion, and financial waste.
“If my organization has customers in all 50 states, and I have a breach in one of my systems, I have different notification laws in each state,” said Fowler. Those laws differ on type of data covered, timetable, and method of notification. With a federal suite of notification laws, both consumers and businesses would know what to expect, which Fowler says is a win-win.
Trzeciak thinks the field is within a few years of being able to analyze network data in real time, and to use machine learning to automate defenses, whether that be automated alerts or a self-healing network that could address anomalies without intervention from a human analyst. As that technology matures, consumer notification could possibly be part of that automation, especially if notification demands are standard across areas.
We need: to address privacy earlier in the lifecycle
“Right now, we only care about privacy when an incident actually happens,” said Fowler. “Why don’t we drive privacy into the designs of the systems and software we’re developing?”
Fowler cites UL listings, a certification of product safety that assures you as the consumer that, for example, when you plug something into the wall its battery isn’t going to explode. She says Internet-connected devices could have similar thresholds of safety.
“I don’t want to be heavy-handed with regulation and I want business to be able to thrive, but the Internet is part of our infrastructure now, and there’s going to have to be some regulation and standardization to get plugged in,” she said.
Trzeciak agrees, stating that in the current market, an unfair expectation is placed upon consumers to be security experts.
“A car can’t be released without safety inspections, but no such policies apply to the release of an Internet-enabled refrigerator,” he said. “When we have these IoT devices out there…how much sensitive data will the producers of the device be collecting and analyzing, and what will they use it for?”
Urgilez echoes similar concerns, and adds that she believes policy should mandate additional layers of privacy and confidentiality when the intended end users of a product are more vulnerable individuals, such as children.
Manufacturers can do more to design for privacy right now, Fowler suggests, such as requiring any functionality that shares information with the manufacturer to be explicitly turned on by the consumer, rather than the current state, which expects consumers to discover and turn off such functions themselves.
“We don’t train any of our engineers to think about this,” said Fowler.
Cybersecurity is for those who want to have impact—it’s not just for techies
The challenges in cybersecurity go far beyond technology. There are political challenges, social challenges, management challenges, design challenges. That means the field needs a diversity of thought leadership.
“There’s more to do than just computer programming if you’re going into security,” said Trzeciak. “We’ve had very successful MSISPM students with [undergraduate] degrees in finance and accounting, business, political science, international relations…when you get those folks into a room together and talk about the legal and privacy aspects of information security, it’s a great discussion. It’s more than just a technical discussion.”
Urgilez is a perfect example. She got a bachelor’s in political science from Yale, then spent several years working in the public sector before returning to school for her master’s degree. She admits to being hesitant at the time she applied, acknowledging CMU’s reputation as a computer science juggernaut alongside her own “soft” (her word) liberal arts background; she submitted her application to Heinz College on the last day of the admissions window.
She’s glad she did. At Heinz, Urgilez has come to see cybersecurity less as a hard science and more as an area where policy-minded people like her can do good in the world. She intends to take what she’s learned here back to the public sector after graduation, and to continue working to make the world safer.
“I see it as a way to give back to my country,” she said.
Jennifer Urgilez was on the CMU team that won the 2016 National Cyber Analyst Challenge; her teammates included fellow MSISPM students Sara Mitchell, Krishna Chirumamilla, and Daniel Widya Suryanata, along with Jennifer Burns from CMU's Information Networking Institute.