Can't hack this
Posted on: October 31, 2016; Updated on: October 31, 2016
By Dan Cook, dancook@mailbox.sc.edu, 777-7366
If you’ve ever received a call from your bank about suspicious activity on your credit card, you know that hacking can hit close to home. Imagine the stakes, then, when the target of a hack is not just personal financial information, but key infrastructure such as ports, dams, railway systems or nuclear plants. A successful cyberattack on a dam or a nuclear plant could mean not just loss of money, but actual loss of life.
Csilla Farkas, associate professor in computer science and engineering, has long understood the need for cybersecurity to protect against such attacks. Hired in 2000, she has led the development of cybersecurity education at the University of South Carolina and serves as director of the university’s Center for Information Assurance Engineering. The center is a National Center of Academic Excellence in Information Assurance and Cyber Defense Education (an achievement first earned in 2010 and bestowed jointly by the National Security Agency and the Department of Homeland Security); it earned the same designation for research in 2014.
As important as the NSA/DHS education distinction is, Farkas says it’s the research designation that truly sets USC apart. It’s bestowed upon “a much smaller number of universities and really requires nationally and internationally recognized research capabilities,” she says.
The academic foundation built by Farkas and her colleagues is now serving as a launching pad for a new venture: SC Cyber, a statewide cybersecurity initiative led by USC, funded by a $1.5 million grant from the state Department of Commerce and announced by Gov. Nikki Haley in February.
Housed at USC’s Office of Economic Engagement, SC Cyber is a consortium of partners from academia, business and government whose primary goal is to improve cybersecurity for South Carolina’s critical infrastructure. Closely related to that goal is promoting public awareness of cybersecurity issues and helping to build the workforce needed to build the state’s cybersecurity industry.
SC Cyber is not about duplicating the efforts of others, but rather about playing a crucial role as a connector, bringing cybersecurity experts together with the broader community in education, business, government, law and beyond. Implicit in SC Cyber’s mission is promoting an understanding of how cybersecurity relates to all aspects of human activity. It’s about “understanding the non-technical aspects of cybersecurity — the human aspects coming from business and economics, the psychology,” Farkas says. It’s about reaching that end user who might be unwittingly bringing malware into his or her office environment on a smartphone, she says, with the goal of “really providing a comprehensive defensive capability against malicious users.”
The power of partnerships
SC Cyber is not a large operation in terms of personnel. Les Eisner, deputy director of the Office of Economic Engagement, has been working on the initiative for about a year-and-a-half, along with Farkas and a part-time program manager, Kelly Truesdale, who left recently to study cyber law. The newest addition to its team is Tom Scott, SC Cyber’s first executive director and a veteran of cybersecurity efforts for the State of South Carolina.
It’s not SC Cyber’s size, though, that gives it strength. The power of SC Cyber lies in its ability to make connections between people and organizations that might not be made otherwise.
“One of the things we are proud of is that we have now built some level of trust among academia, industry and government in the state of South Carolina,” Eisner says. Take, for example, that other university in South Carolina, Clemson. As a statewide initiative, SC Cyber is “academically agnostic” even though it is housed at USC, Eisner says. The consortium includes Clemson University, the College of Charleston, The Citadel and Trident Technical College.
Operating as it does out of the Office of Economic Engagement, SC Cyber is also well positioned to link researchers to companies — connections that will help both compete for research grants. Combine that with Eisner’s background as deputy adjutant general for the S.C. National Guard and Scott’s decades of experience with state government (his last position was as the state’s deputy chief information security officer), and SC Cyber is poised to bring researchers together with government, too. (Governments are enormous spenders in the realm of cybersecurity; the federal government is projected to spend $17 billion on cybersecurity in 2017, according to Market Research Media.)
“One of the biggest contributions that SC Cyber will do for research is connecting the partners — to have academic researchers meeting with appropriate government agencies, meeting with developing industry technology, meeting with end users,” Farkas says. “There is a lot of money out there for cybersecurity research. However, so far what we have seen is initiated by individual researchers, bringing in what I would call small or medium-scope research projects. What SC Cyber will do in the future is really promote large-scale research projects — bringing in, say, critical infrastructure companies.”
Companies both small and large also have much to gain from research grants.
Take, for example, a small cybersecurity company that has an idea but lacks the resources to fully develop it. There are federal funds available for such ideas — often from the Department of Defense — but such efforts “usually require an academic partnership,” Farkas says. SC Cyber can help facilitate those connections.
Large companies can benefit from the same process. With many companies reluctant to pour money into basic research, “they are looking to partner with small companies after those companies have proven that their product is viable,” Farkas says.
Beyond IT
The basic mission of SC Cyber is clear — “to develop the talent, techniques and tools to defend critical, connected infrastructure within South Carolina and the United States,” according to its mission statement. SC Cyber is doing much to meet that mission, working with researchers, educators and government agencies to make sure efforts are moving in the right direction. What’s also clear, though, is that cybersecurity extends far beyond protecting critical infrastructure and that SC Cyber has a role in addressing the wider implications of technology, too.
“SC Cyber is not only about how we protect ourselves from the boogeyman, it’s also about how we turn the region and the state of South Carolina into an economic powerhouse.”
Les Eisner, deputy director of the Office of Economic Engagement
Sixty-four percent of Americans own a smartphone, according to the Pew Center, a proportion that has more than doubled in five years. Every one of those devices — along with every desktop and tablet — is susceptible to hacking. Add in the burgeoning Internet of Things (IoT) — the trend in which everything from your car to your refrigerator is collecting and transmitting data — and the scale of what the field of cybersecurity needs to protect becomes exponentially larger. Research firm Gartner estimates there are now 6.4 billion connected IoT devices in the world necessitating $348 million in annual cybersecurity spending.
Outside the technical work of protecting data moving back and forth on billions of devices lies a vast web of societal implications in such fields as law and insurance.
“If you got seriously hacked and someone stole your private information, where are you going to find a lawyer that understands anything about cyber?” Eisner asks rhetorically. With input from SC Cyber, the School of Law is working to address this murky, emerging area. The Law School has brought in experts on autonomous driving and IoT, for example. In February, the South Carolina Law Review held a symposium called “Cyber Attacks and Civil Liability,” with talks on the science behind cyber attacks as well as the legal framework surrounding them.
Questions of liability lead immediately to the insurance industry.
“Let’s say you bought a car that will drive itself, and I’m old-school so I am still driving my car: If your car happens to run into mine, what does my insurance company do?” asks Scott, incoming director of SC Cyber. “Normally they sue you or your insurance company because you were at fault. So now, who is at fault? The societal implications of cyber being interwoven through everything are pretty pronounced.”
Cyberinsurance is now a multibillion-dollar industry — but a somewhat problematic one, because of the challenge of assessing risk. “There’s not enough data for the insurance companies to write policies of a secure nature,” Scott says. Companies have plenty of actuarial data for writing life insurance policies — but not so with self-driving cars or cyberattacks.
Ultimately, Scott says, the insurance industry is a key one to watch as it relates to cybersecurity, because its need to mitigate risk has the potential to force both business and government to adapt their practices. “Go back to the 1970s when they put seat belts in cars,” Scott says. “They put seat belts in cars because the insurance companies didn’t want to keep paying for people’s injuries and deaths. In the 1980s we have airbags. So, you have the industry driving societal change for the better for all of us.”
In other words, cybersecurity could become the equivalent of a digital seatbelt — something you are required to have for your own good.
While protecting critical infrastructure is the guiding principle behind SC Cyber, the nature of the challenge — hackable devices being central to modern life and ever-present in the workplace — necessitates that the initiative consider the “softer” side of cybersecurity, too.
“If you look at cyber as totally IT or technology, you are missing a huge element of 21st-century cyber,” Eisner says. In developing the initiative, Eisner says, he was sometimes asked why its structure is so amorphous. His answer was that he couldn’t build it any other way. “It’s because we live in the 21st century,” he says. “We live in a global economy. There is a soft element of technology.”
The business of cybersecurity is business
As with a lot of things in life, money is the driving force in the world of cybersecurity. It’s not just the money required to protect critical infrastructure, however. Ultimately, it’s about maintaining both our physical security and our sense of security — our confidence in the broad web of technology and commerce that surrounds us.
The federal organization that sets guidelines for computer security, Scott points out, is part of the U.S. Department of Commerce. “So, it all comes down to business,” he says. “It all comes down to making a secure transaction so I make sure that if I am buying something from you, it is a fair trade. As soon as that stops, business stops, the economy stops — because I no longer have that confidence that I can make that transaction in a safe and secure manner.”
It can seem like a thankless task at times.
“Let’s face it: Cyberdefense is not glorious,” Farkas says. “Some of the most popular sites related to cyber are the ones that talk about offensive capabilities — about how exciting it is to hack into a system. It’s is much easier to hack into a system than to say we secured that system. Defense is boring. It’s tedious. Nobody rewards someone because their system deflected 10 million attacks — everybody remembers the one that actually succeeded.”
Eisner agrees — but also focuses on the economic opportunities that come hand in hand with building the workforce to combat all that risk.
“The cyber world is a world of convenience: It’s 85 percent efficiency and goodness, and we couldn’t go back to the 1960s,” he says. “But we tend to focus on the 15 percent boogeyman. So, SC Cyber is not only about how we protect ourselves from the boogeyman, it’s also about how we turn the region and the state of South Carolina into an economic powerhouse. All these things equal economic growth. So, that is really the construct of what SC Cyber does: It’s the power of partnerships.”
In building these partnerships, the role of SC Cyber is to be both connector and cheerleader.
“It’s really connecting the pieces to talk to the right people and talk to the right leaders to make things happen,” Farkas says. “Somebody needs to be the champion.”
Scott agrees, and is ready to fill the role.
“I’m the new evangelist,” he says.
An edited version of this story was first published in the September issue of USC Times.