ASEE Prism Magazine
High School goes High Tech
The Voice of Engineering
The Power of One
Teaching Toolbox
ASEE Today
Professional Opportunities - Classifieds
Last Word
Back Issues

By Dan McGraw

In March of 1831, a man named Edward Smith robbed the first bank in the United States. Using a duplicate set of keys, Smith walked into City Bank on Wall Street on a Sunday, and walked out with $245,000. He was arrested later in the week and spent four years in jail for his heist.

In May 2001, the FBI arrested two young Russian men for robbing the Nara Bank of Los Angeles and the Central National Bank of Waco, Tex., among other businesses. Using more than 50,000 credit card numbers they scammed from hacking into financial service company computers from an operation in Chelyabinsk, the two Russians not only stole money from the banks but more than 40 other businesses across ten states, according to investigators. The FBI estimated the pair accounted for more than $25 million in financial losses to the banks, the other businesses, and American citizens. The two Russians are now serving time in federal prisons.

From Jesse James to Butch Cassidy and the Sundance Kid to John Dillinger, the romantic notion of the bank robber has long been a part of American lore. But the case of the young Russians underscores the fact that modern-day thieves are more likely to be sitting in front of a computer, halfway around the world at that. The keys that rob a bank now lie on the keyboard of a hacker working to break down the computer code protecting the operating systems of businesses and banks.

“It used to be that an individual involved in robbing a bank or some other business could do a limited amount of damage,” says Ralph Merkle, professor of computing at Georgia Tech, and director of the school’s Information Security Center. “But now, with a replicating computer program, one person could rob all the banks on the planet. A small handful of people can cause huge economic damage. It’s not that there are more evil people in the world, it’s just the use of the computer has had a leveraging effect on crime.”

Information security—whether providing government agencies with protection against terrorism or private corporations the tools to prevent costly attacks—has become of paramount importance in this country and abroad. Engineering schools are responding to the need by providing research and programs to combat the threat of computer crime, which started as prankish hacking and has now emerged as a huge problem for law enforcement agencies.

The National Security Agency (NSA) has designated 50 colleges and universities—including Georgia Tech—as Centers of Academic Excellence in Information Assurance. The programs these schools are providing are diverse. Some focus on computer-aided forensics, others on terrorist hacking into infrastructure like electrical grids; and still others concentrate on preventing cyber thievery in private industry. The programs are interdisciplinary, utilizing faculty from engineering and computer science in conjunction with experts in business, law, ethics, and political science.

Quantifying the damage from computer crime is difficult. Identity theft, credit card fraud, damage from viruses and worms, child pornography, stolen laptops, hacking into the Department of Defense—all these offenses can be lumped into the computer crime category. That some private companies are reluctant to report some computer crime, fearing the exposed vulnerabilities might encourage more attacks and hurt stock prices, complicates matters.

According to a survey conducted by California-based Computer Security Research Lab in conjunction with the FBI, the number of intrusions into networks has increased every year for the past five. The average financial loss to companies reporting an intrusion was $2.7 million. The Tower Group Inc., a computer industry research firm, estimates identity theft costs the banking industry $1 billion a year. Incredibly, the research firm said that 10,000 identity theft victims had had home loans taken out in their names to the tune of $300 million.

Some put the tag at worldwide losses from computer crime at $30 billion every year. Others say it is double that. Government and private business have gotten the message and are starting to invest in the security of their systems. Infonetics Research estimates that spending on security in the U.S. private sector will grow from $4.5 billion in 2003 to $8 billion in 2007.

“We are just looking at a totally different kind of criminal,” says Sushil Jajodia, professor of information technology and engineering and director of the Center for Secure Information Systems at George Mason University in Virginia. “We have criminals trying to steal money, we have insiders corrupting software systems, but we also have nation-states and terrorists looking to bring our networks down, from telephone systems to electric grids to airplane traffic.”

Jajodia estimates that 80 percent of the 800 students studying information technology at George Mason are concentrating on information assurance. If software design was the hot major in the nineties, information assurance might be the major of choice in the new millennium. After creating the Internet world in the nineties, U.S. engineers are now increasingly working toward making that world safer.

The problem is that information assurance is a relatively young field. One of the early programs was the CERT Center at the Software Engineering Institute at Carnegie Mellon University. CERT was established in 1988 when the first Internet worm became a security problem. CERT is now a clearinghouse and research institution that monitors incidences and offers instant help in fighting viruses and worms. In 2000, 21,756 such incidences were reported to CERT. That number had grown to 137,529 by 2003.

Internal Flaws

One of the problems facing both private industry and government are the financial pressures to bring software products to market quickly, and the lack of security features in those products. “We continue to see the same types of vulnerabilities in newer versions of [software] products that we saw in earlier versions,” CERT’s director, Richard D. Pethia, testified last year before the House Subcommittee on Cyber Security, Science and Research, and Development. “Technology evolves so rapidly that vendors concentrate on time to market, often minimizing that time by placing a low priority on security features. Until their customers demand products that are more secure, the situation is unlikely to change.”

Eugene H. Spafford, professor of computer science and director of the Center for Education and Research in Information Assurance and Security at Purdue University, says part of the problem is the one-size-fits-all approach to software design and the reliance on the software patch system to clear up security problems. Spafford says that 4,000 software flaws were identified, and corresponding patches implemented, by companies last year.

Spafford likes to use construction analogies to illustrate his point: “It would be as if you had carpenters and roofers and electricians building a structure, and you gave everyone the same Swiss Army knife. They might be able to do their job, but they can’t do it very well. In the software industry, we need to customize the tools for the task at hand. We need good design methods for designing software for specific needs. That will help to provide security.”

A program for weapons systems at the Pentagon and someone using the Internet to cruise for recipes uses the same basic platform. The software is written to the lowest common denominator, which makes it easier for almost anyone with a cursory bit of knowledge to compromise these systems.”

James A. Davis, professor of electrical and computer engineering at Iowa State University and a faculty member of the school’s Information Assurance Center, says the problem facing educators is twofold. University information security professors must look at long-term changes in both hardware and software—the “next big thing,” so to speak—and at the same time advise private corporations and government on how to secure their systems on a day-to-day basis. And after years of sometimes sluggish responses from government and private industry, the recent spate of attacks is making security a pressing issue.

More and more schools are responding by offering majors and doctoral programs in information assurance, and commercial research possibilities for developing products in the marketplace are beginning to become available. “We are working hard with some companies to commercialize some of the applied solutions we have,” says Jajodia. “That is one of our goals. We have to do critical research, but the research has to get into the marketplace so it can be effective.”

Uncle Sam Takes Notice

The U.S. government is seeing the threat of computer crime as a very real one. The Department of Homeland Security is now providing a National Cyber Alert System that will issue warnings about worms, viruses, and Internet scams, and provide information on improving security warnings. The federal government is also funding a program called Cyber Corps, which spends $30 million at 13 of the NSA approved schools for 200 scholarships for students studying information security. In return, the students are obliged to work in a government agency for two years after graduation.

The Cyber Corps program has had some problems. The Federal Office of Personnel Management has had trouble placing some of the graduates, because some government agencies have been reluctant to hire what they consider inexperienced infosec administrators and place them in senior management positions. Despite the problems, most information security professors say the program is vital. “The government had decided they want to infuse some of these vital national agencies with young talent,” says Ray Vaughn, professor of computer science and engineering at Mississippi State University, and director of the school’s Center for Computer Security Research. “The current terrorist threat has increased the visibility of this program, and getting graduates who really know about security is vital to our national interests.”

One of the most discussed topics in the academic community regarding computer security is whether there is a need to teach students the ways of the criminal. In other words, do students need to know how to break down firewalls and to create Internet worms to know how to protect against them? “This is one of the hotly debated topics in the security community,” says Iowa State’s Davis. “We have a class in information warfare. We set up a firewall and we tell students to use tools to get through the firewall. Then we turn it around and tell students to find solutions to protecting that firewall.”

Purdue’s Spafford takes a different approach: “I wouldn’t teach students how to pour sugar into gas tanks and how to break into cars if I was teaching students how to create systems that protect against auto theft or vandalism,” he says. “We don’t teach hacking or how to create viruses. We teach how to make systems more secure and to do research that aids that goal.”

Regardless of the debate on how to teach information security, everyone involved—government, private industry, and academia—realizes that the key to getting a handle on computer security is the research being done at colleges and universities around the country, and getting more students into the pipeline to serve the needs of all the constituencies involved. “Five years ago, no one really cared,” says Georgia Tech’s Ralph Merkle. “But companies are getting burned and they’re now realizing they have to spend money for secure software. Our graduates are going into a variety of areas: government, law enforcement, and private industry. The greater the expertise we can provide, the better knowledge we can put into the workforce, the more we can lower the risk.”

Dan McGraw is a freelance writer based in Fort Worth, Texas

Contact Prism