By Aditi Risbud Bartl
Networks of electronic information are embedded in nearly every aspect of our daily lives. From transportation and utility systems to telecommunication, everything from personal privacy to national security depends on maintaining the integrity of information in cyberspace.
And now an increasing number of smart objects are connected to the Internet so that they can communicate with us and each other, giving rise to what is known as the Internet of Things, or IoT. A 2014 report suggests that by 2020, 26 billion smart objects will be connected through the Internet, compared to 7.3 billion smartphones, tablets and laptops.
With this accelerating growth in connectivity, researchers in academia, industry and government anticipate a wide array of cybersecurity issues in the years to come. Serious breaches of cybersecurity have already occurred in nearly every sector of business and government; identity theft, viruses and other malware plague us on a daily basis. Unfortunately, experts say, current technologies to address vulnerabilities tend to be inadequate.
“One of the challenges we face is getting people to understand how serious the problem is,” says Matt Bishop, professor of computer science at UC Davis. “There is a lack of understanding of security technology by politicians and the law enforcement people who want to install it. Getting them up to speed on security so they really understand what’s going on is going to be the next big challenge.”
Making security a priority
UC Davis has one of the country’s oldest computer security programs, founded in the 1980s when Karl Levitt, now professor emeritus of computer science, founded the Computer Security Laboratory, or seclab. Levitt and Bishop later established the campus as a National Security Agency (NSA) Center of Academic Excellence in Cyber Defense, one of the first such centers in the U.S. Later, with computer science professor Felix Wu, the team was designated as an NSA Center of Academic Excellence in Research.
These faculty have pioneered work in network-based intrusion detection, and performed some of the earliest work in vulnerabilities research by developing formal models and testing of security breaches.
“The definition of security varies widely,” Bishop notes. “What the military considers secure is not the same as what Amazon considers secure, because the military would like to keep things secret, while Amazon wants you to know the price of their books. Part of security is understanding what it is you are protecting. That’s why it’s so difficult: people on the internet have different needs and requirements, and somehow you have to balance them all.”
Historically, computer security has been addressed through so-called perimeter defense, which uses “firewalls” to keep attackers at bay. However, these defenses can be penetrated or compromised fairly easily by experienced security hackers.
“While working in industry in the early 2000s, someone broke into a computer system that I had spent a lot of time setting up. I tried to fix it, but they kept getting back in despite by best efforts,” says Sam King, associate professor of computer science at UC Davis. “What originally motivated me to get into cybersecurity was my frustration about having absolutely no idea how this person got into my system and having a complete inability to keep them out. As a Ph.D. student and as a professor, the idea of protecting people’s computer systems has kept me engaged in this area.”
Today, Bishop, King and other faculty researchers at UC Davis are tackling cybersecurity from different angles. Bishop’s efforts focus on analyzing vulnerabilities and denial of service—when a website is flooded with bogus requests that cause servers to crash—along with intrusion detection and response.
“The major problem is that there are so many vulnerabilities, both in the technology and in how people interact with computers,” says Bishop. “What I’d like to do is try to uncover why these vulnerabilities exist, what underlying problems cause them, and how we can improve the state of the art to reduce or eliminate vulnerabilities.”
Understanding digital identity and user behavior
“One of the great things about UC Davis is our proximity to Silicon Valley—I go several times a month to chat with companies doing amazing things so I can learn what their problems are,” says King. “Companies have way more problems than they have people to solve them, and academics are looking for good problems to solve. Working together, my hope is we can take the way people naturally use products and add security.”
King, who builds systems for fighting fraud and previously led fraud-fighting teams at Twitter and Lyft, wants to rethink our notion of digital identity, which presents one of the biggest challenges in security. In today’s world, King notes, our notion of identity “usually boils down to a username and password.”
“There are four foundational questions that capture large swaths of modern day research and security problems,” says King. “Is this a script or a human? Who is this human in the real world? Is this the same human I saw previously? And, can you associate this human with a payment method?”
The research challenge in answering these questions lies in the tradeoffs between how much information you collect from users, versus how cumbersome it is for people to enter the extra information.
“You can never answer these questions completely, so the key is to answer them as well as you can without driving away too many users,” says King.
By collaborating with campus researchers in computer science, psychology and linguistics, along with companies in Silicon Valley, King and Bishop both recognize that the success of computer security hinges on understanding user behavior. If a computer security system is cumbersome, people are more likely to choose convenience and functionality over security. What’s more, these cross-disciplinary research collaborations are needed to understand how people interact with their computers, as well as what might be coming in the years ahead.
“There’s no way we can secure against all attackers—that’s a given. But we can make it very hard for 99 percent of attackers,” says Bishop. “And to a large extent, that’s our goal for most people. Block 99 percent and you get rid of a lot of malware and phishing. For the one percent who are specifically out to get a given site, they’re a lot harder to block. But that attack is not going to affect the average person. We’ve got to get into a more proactive mode and say ‘Look, what could go wrong? And how do we try to protect against it?’ We won’t get everything, but we’ll do a lot better.”