By Marlene Cimons, National Science Foundation
Imagine a large cyber-network with its own built-in “immune system,” one that can recognize and destroy foreign invaders, just like the human body.
“We no longer can afford to be reactive in our attitudes about cyber security,” says Shankar Sastry, dean of the college of engineering at the University of California at Berkeley. “Our current approach is bolt-on, rather than built-in patches, bolted on, like an afterthought. We need to be proactive.”
Sastry is principal investigator and director of the Team for Research in Ubiquitous Secure Technology (TRUST), a UC Berkeley led group focused on developing cyber security science and technology aimed at radically transforming the ability of organizations to design, build, and operate trustworthy information systems for the nation’s critical infrastructure.
One of its long-term major goals is to build a solid science base upon which to develop an inherent cyber security defense system. “We believe what is missing is the science of cyber security—-a science base, like the kind taught in medical schools, so as to enable doctors to treat and help patients,” Sastry says. “We want the legacy of TRUST to be the start of this science base, upon which an inherent defense system can be built that will operate almost like the body’s in the event of an attack.”
In recent years, enhancing cyber security has become a critically important issue with a growing sense of urgency. There has been an escalation in computer security attacks within the last decade, from so-called “phishing” scams that lure people into revealing sensitive and private information, to Internet attacks that crash popular websites.
Even worse, large-scale cyber attacks potentially could topple widespread systems, destabilizing national and economic security and paralyzing key resources, such as power and water. These can come from enemy foreign governments determined to attack U.S. networks, as well as from independent terrorist groups and hackers.
“We’re not just talking about crashing the Internet and suspending trading,” Sastry says. “This can cause serious danger to life and limb.”
The center is a National Science Foundation (NSF) Science and Technology Center based at Berkeley, with research partners at Carnegie Mellon University, Cornell University, San Jose State University, Stanford University and Vanderbilt University. There also are more than a dozen industry collaborators, including Intel, Cisco Systems, IBM, Symantec and Qualcomm. NSF supports the center with about $40 million over ten years.
The center has an ambitious research agenda to improve the state-of-the-art in cyber security, including the security of physical infrastructure, and preventing identity theft and privacy issues, especially with medical records. The center also is developing an education plan to teach the next generation of computer scientists, engineers and social scientists, as well as outreach programs to attract women and minorities in science and engineering.
Center researchers also are working on new technologies to combat phishing, spyware, botnets and other threats; and promoting legislation and policies to protect privacy.
For example, TRUST researcher and UC Berkeley law professor Deirdre Mulligan worked on California legislation that requires companies to notify individuals whose private information might have been compromised as a result of company actions. The California security breach notification law is believed to be the first in the nation, and more than three dozen states have since passed similar laws, according to the center.
TRUST’s recent policy work also is focusing on such issues as paths to identity theft, privacy in social networking and social media, and the use of web browser tracking technologies for targeted advertising. The center is working on technical and policy solutions that address both business functionality and privacy, Sastry says.
TRUST officials also have been advising lawmakers and regulators about the security and privacy aspects of proposed laws and policies.
In the area of medical privacy, the medical school at Vanderbilt University, a center research partner, has made patient records available to TRUST in a pilot project to research access and privacy issues, including medical and billing information. They want to protect the system against unauthorized entry.
“The school wanted our help in making the system secure,” says Larry Rohrbough, TRUST’s executive director. “We are providing the mechanisms to ensure that the portal is constructed consistent with all the privacy requirements, particularly with regard to who can have access: provider, doctor, patient, friend, relative.”
The Vanderbilt University Medical Center also is supporting a clinical trial of TRUST -developed technologies that will help medical professionals better treat conditions such as sepsis and congestive heart failure. “TRUST researchers developed these health information systems to both improve patient care and comply with rules and policies,” such as HIPAA, the health privacy information law, as well as the Children’s Online Privacy Protection Act, or COPPA, Rohrbough says..
Furthermore, TRUST’s healthcare work attracted the attention of the Department of Health and Human Services, prompting the department to create the Strategic Healthcare IT Advanced Research Projects (SHARP), a program to explore the potential uses of health information technology nationwide, and ensure they are secure.
Among other things, the federal SHARP program has awarded $15 million grants to each of four universities and/or health care systems to study how patients and physicians can use these electronic systems to improve care and involve patients, while protecting privacy, similar to what TRUST researchers are doing with the Vanderbilt project.
“We’ve embedded it with medical processes, which involve a fair number of treatment protocols—standards of care for doctors and patients,” Sastry says. “You have a system that pops up and says ‘this is what you are supposed to do,’ for a specific treatment. It tells a certain set of practices for doctors, nurses and patients, and all consistent with privacy.”
The center also is collaborating with the federal Departments of Treasury and Energy. At Treasury, they are advising officials on how to protect large banks and trading partners against financial crime, “which can be much more sophisticated than phishing, and can include such things as mortgage fraud,” Sastry says. At Energy, they are helping to protect the nation’s physical infrastructure against attack.
“In TRUST, we are working on ways to protect smart grids, water, power, gas,” Rohrbough says. “Some people want to cause blackouts, to, for example, deny Chicago heat during a snowstorm, or shut down traffic lights in Los Angeles. Sometimes these are insider attacks, from a disgruntled employee. How do you operate through attacks? How do you prevent these attacks? We’re looking not only at threats and vulnerabilities, but at existing and emerging standards, areas where security is not addressed or where it is addressed in a conflicting way, so we can develop, test, and deploy solutions.”
The goal is create networks where security is not an afterthought, Sastry says. “We are thinking in advance,” he says.
With that in mind, the center is pushing for a science base that will move computer security from a reactive stance to a proactive one “and beyond deploying defenses for known attacks to building secure systems in a principled way,” Sastry says.
“For example, how can we characterize security properties in a way that gives insight into enforcement mechanisms and verification approaches?” he adds. “What security properties can defenses support, and what attacks can defenses resist? This will require the architecture of the infrastructure to change, so that what replaces it, ultimately, will be more secure and resilient.”
Follow U.S. News Science on Twitter.