How UMBC is pushing the frontiers of research and training in cyber security – and keeping its own networks safe from attacks.
Defending UMBC from web attacks is a more than a full-time job. It’s a 24/7/365 undertaking.
Earlier this year, for instance, Mike Carlin ’96, biological sciences, Ph.D. ’09 information systems, was driving to New York. UMBC’s assistant vice president of Infrastructure and Support paused to check his Blackberry at a rest stop in New Jersey when he received what looked to be an official UMBC e-mail, informing him that his UMBC account password was about to expire, and that he should log in and re-register immediately.
The missive had a UMBC logo. And the link at the bottom of the page seemingly took the recipient to a UMBC Web site. But Carlin, who oversees network security at the university, would have known if there was system-wide reset of passwords.
The spammers had sent their e-mail to one of the people at UMBC who knew definitively that it was a fake.
But Carlin also knew that thousands of other UMBC faculty, staff and students who likely got identical phony dispatches might not know. Some would take the bait, be led to a fake Web site and unwittingly submit their passwords and other information. The spammers could then log into these user accounts and send out millions of spam messages to the rest of the cybersphere.
Carlin and his department responded swiftly. First, they alerted all UMBC e-mail account holders about the fake notices, and followed up with a campus-wide blog post providing more information. They also blocked the Web address of the fake UMBC log-on, so people on campus couldn’t access the site – and alerted the university’s help desk to respond to incoming inquiries.
For Carlin and his colleagues in the university’s Office of Information Technology, this sort of fakery is nothing new. But each new attack is a bit more sophisticated than the one before, and each round of potentially devastating e-mails is more polished and more personalized.
“This has been going on throughout higher education,” said Jack Suess ’81 mathematics, M.S. ’95 operations analysis, vice president of information technology and chief information officer at UMBC. Suess and others in the division acknowledge that spammers see higher education as a prime target. Universities have open networks. They have good bandwidth. Universities also boast powerful servers and a fresh crop of new students each year who may know little of the spammers’ scheming ways.
The payoff for such scams can be immense. Andy Johnston, network security coordinator for UMBC, discovered that in one case alone, over six million e-mails were sent from a single account. It’s very doubtful that this was a legitimate use of this account, he adds.
UMBC is not alone in battling electronic intruders seeking profit, secure data, or even a bit of mischief. Network security has become a key demand for almost every organization – and the stakes for getting it right only grow.
As knowledge and the economy become more global and more connected via the Web, organizations and individuals grow increasingly reliant on computers for essential tasks such as online banking, shopping, and even basic information. Computer security has assumed a more critical role in civilization.
The good news is that UMBC is playing offense as well as defense in this increasingly critical arena. The university also helps government, business and other organizations keep the bad guys at bay through research and training that provide expertise and tools to secure the online world today and in the future.
The nascent but growing practice of electronic voting is just such a frontier. The benefits are manifold: ease, expense, speed of counting and even the potential to increase turnout by allowing voting from one’s computer or phone. The downside, however, is that the integrity of democracy demands that the system be foolproof. Every participant must have absolute faith that the system is immune to fraud. Witness the furor over the hanging chads in the 2000 U.S. presidential election.
UMBC associate professor of computer science Alan Sherman has been part of an effort to create such a foolproof electronic voting tabulation system. Noted cryptologist David Chaum originated the idea, and Sherman and fellow researchers from the Massachusetts Institute of Technology, George Washington University, the University of Ottawa and Waterloo University have all pitched in to try and make it a reality.
“The reason voting is hard is that you must have both outcome integrity and ballot privacy,” Sherman says. “If you drop either one of those constraints it becomes easier,” Sherman said.
In a functioning democracy, no one wants to make the choice between getting the count right and the right to cast one’s vote privately in the sanctity of the ballot box. But Sherman and his fellow researchers think they’ve cracked the problem. Last November, they tested Scantegrity – a prototype electronic voting system – in Takoma Park in a local election.
For a voter in Takoma Park or elsewhere, Scantegrity works almost the same as any other optical scan ballot. Voters mark choices by filling in bubbles on a printed form, which are then scanned into a machine for tabulation.
What’s different, however, is that the voter casts a vote with a special pen that holds invisible ink. A pen stroke reveals a unique code in the bubble where the mark was made. The voter can write down the code on a receipt. Later, in the privacy of their home, the voter can check the code on a Web site to verify that a vote with this code has been tallied.
The code doesn’t reveal the nature of the vote; only that it was properly counted. Through the use of encryption, voting officials and even third parties can audit the integrity of the vote count without revealing personal details – an approach known as zero-knowledge proof.
About 66 of the 1,700 Takoma Park voters who used the system checked their votes online. The next step is to try the system state-wide, Sherman says.
Voting is just one aspect of modern life that is being moved into the electronic realm. Banking, health records, online shopping, education and official record-keeping all have moved into the realm of cyberspace.
So it’s not surprising that the federal government sees network security as a matter of national security, and believes that attacks on our networks will be thought of as acts of war in the future.
Recently the search engine company Google found that its own servers were being attacked by computers in China, putting the search service we use every day at risk of being disrupted. Google’s corporate officers weren’t the only ones who were alarmed; U.S. Secretary of State Hillary Clinton also pressed the Chinese government for an explanation for the apparent attack.
Though the ultimate creators of the Google attacks remain hidden in the murk of cyberspace, the message is clear – aggression can be unleashed in virtual space as well as in real space. And the effects can be nearly as devastating.
“As the most wired nation on Earth, we offer the most targets of significance, yet our cyber defenses are woefully lacking,” wrote ex-National Security Agency (NSA) director Mike McConnell in a recent opinion piece in The Washington Post.
UMBC is lending a hand in this battle, as well. Though the university does presently offer a specialized degree in computer security, Sherman says that the fundamentals it teaches its students should give future security professionals the solid basis in computer science which will allow them to quickly formulate knowledgeable responses to future threats. “Computer science is evolving very rapidly,” said Sherman. “It is very important that our priorities are on the fundamental skills and teaching students how to learn to keep up with things.”
A UMBC education in computer science also offers students interested in the battlefields of cyberspace some experience with what may await them. Sherman is also the director for the UMBC Center for Information Security and Assurance, which seeks to bring together the best cyber security practices from across the school’s different academic disciplines. One of the center’s programs is the Cyber Defense Lab, which was set up with the help of a grant from the Defense Department.
The lab runs a mobile cyber defense exercise. Thirty laptops are loaded on a cart, which can be wheeled around from classroom to classroom. On the laptops are pre-configured scenarios covering many of the typical attacks of the day: buffer overflows and wireless intrusions. The students work through the exercises to get a better feel of how to handle an attack.
“Students learn more efficiently when they are in more hands-on exercises,” says Sherman.
UMBC students are also motivated enough to find those experiences for themselves. A group of undergraduates recently created a team to compete in various intercollegiate cyberwarfare competitions. Teams are assessed on their ability to reduce vulnerabilities to cyber attacks and to keep systems running, and UMBC’s contingent took first place overall in the qualifying rounds of the 5th Mid-Atlantic Regional Collegiate Cyber Defense Competition.
Proximity is also a UMBC advantage. The university is close to the headquarters of the National Security Agency (NSA) – an agency which is on the front lines of the cyber battlefield.
The federal government’s Base Realignment and Closure (BRAC) plan is helping to settle an influx of 60,000 military people moving into the area to work at the U.S. Army’s Fort George G. Meade. Among those reassigned will be those who will need to defend the country on its computer networks, both public and private. And last December, the state of Maryland awarded UMBC an $83,000 grant to help train this workforce.
The university will use the money to set up a Center for Cyber Security Training as an extension of UMBC’s Training Centers. The centers already offer technical, scientific and professional non-degree training programs to working professionals – and even specialized programs in information security and “ethical hacking.”
The new grant money will go towards expanding those offerings and developing 15 new programs that will meet the specific needs of the NSA and Defense Department, says Kent Malwitz ’92, information systems, vice president of the UMBC Training Centers. Some courses will be taught at UMBC. Others will be designed to allow employers the chance to offer the courses at their offices or other remote sites.
Already about 25 percent of the courses taught at the center are cyber security related. Thanks to this grant, that number will increase.
“You will see thousands of people coming into the area, people coming out of the military and looking to get retrained with the G.I. Bill and then go back into careers in the computer field – those will all be big drivers for us,” says Malwitz.
In order to train the most pertinent personnel – those on the front lines of cyber warfare – the center is also undergoing a certification process set up by the Department of Defense (DOD). This certification will allow the center to develop educational materials more specific to military cyber defense.
“We can really dive into addressing what is the mission you are ultimately trying to accomplish, not just what skills you need,” adds Malwitz.
The UMBC Training Centers are also gaining valuable input in this effort from a security advisory group made up of members of some of the largest Defense Department agencies and contractors who work closely with them – including Lockheed Martin and Northrop Grumman.
These days, such specified help is sorely needed. The military has a long backlog of workers who need to get security clearances. So those who do have them need to be trained on the latest cyber-security measures. Right now, one contractor will pilfer workers from another contractor, which keeps the entire U.S. military and security establishment weaker as a whole.
Whether it is cyber warfare, electronic voting or just making sure a university’s networks stay up so its students can continue to learn, the message is clear: Cyber security is becoming an increasingly vital part of the nation’s well-being. And UMBC is making sure that its students and the larger community have the tools and expertise to meet the challenges ahead.
Tags: Summer 2010