Patrolling the Internet:
By M. L. Lyke
UNIVERSITY OF WASHINGTON BOTHELL PREPS A NEW GENERATION OF CYBERSLEUTHS
Congratulations. You just received a $1 million estate settlement from some forgotten relatives in Nigeria. But oh no! Your good friend was mugged in Holland and needs you to wire money, now. Plus, your email administrator is threatening to shut down your over-quota account if you don’t immediately provide an updated user name and password account. You might as well throw in your credit card and Social Security numbers while you’re at it. It will cut down on work for the cyberthieves hacking your computer and phishing for information that can make them very, very rich.
Cyberattacks might have once been the work of a single techno-geek eager to show off his hacker chops. No more, say the University of Washington Bothell faculty members who are training a new generation of sleuths to go after the bad guys wreaking havoc on the Internet. “The problem has progressed from individual hackers to large organized efforts that are well-funded and supplied with sophisticated tools,” says Mark Kochanski, UW Bothell senior lecturer and owner of an independent IT consulting firm. “Nearly every organization now is at risk because of the sophistication that exists in the hacking community.”
Today, almost 30 percent of website traffic is tied to data extractors, hacking tools searching for sucker holes in a site, or “spies” collating competitive intelligence. And it’s not just grandma’s computer being compromised. Big businesses, small businesses, and government agencies are top prey, including the U.S. Department of Homeland Security, barraged with thousands of cyberattacks every 45 minutes.
Doing the dirty work, say FBI officials, are organized crime groups threatening financial sectors, foreign governments pilfering data, and terrorists groups looking for ways to disrupt our country.
“Today, our intellectual property and our defense as a nation are on the line,” says Lucas Reber, whose IT title recently changed from Information Architect to Information Assurance Architect, in charge of security and risk management at UW Bothell.
That title change is a sign of the times for the institution.
The Computing and Software Systems program is making bold, innovative moves that will put it in the front lines on cyber battlefields, with expanded curriculum, research, and exciting collaborations and programming. “We are committed to building out a comprehensive and rich environment for cyberdefense education,” says Mike Stiber, Computing and Software Systems program director.
Computing and Software Systems has always worked closely with local industries to bring a real-world focus to the classroom, to create new systems that have an immediate impact on industry needs, and to foster creative professionals who can lead company innovation. The UW Bothell faculty collaborates with companies on research, brings industry leaders into classrooms, and, always stays abreast of industry concerns.
Today online security tops that list of concerns. “We’re hearing that industry leaders are desperate for people who are savvy about making their systems more secure and dealing with penetrations,” says Stiber. “And it’s no longer a matter of trying to protect systems from being compromised. You can assume most systems are compromised. Then you have to figure out how to deal with that.”
To prepare those savvy new professionals, Computing and Software Systems has added a new cybersecurity course for undergraduates and will, in fall of 2013, offer a new undergraduate concentration in cybersecurity that will cross all three UW campuses: Bothell, Seattle, and Tacoma. Students can study classes on any campus or, in some cases, take coursework through distance learning.
Also in fall of 2013, the department plans to add a new master of science degree in cybersecurity. This summer, the faculty is working with an advisory group from industry to discuss development of the new program.
The existing master’s program already offers a course in secure software development – an area of research concentration for Kochanski. “One reason we have the problems we do today is because software developers did not do a good job of considering the significance of security threats in the first place. The question now is: How do we make it so that security is part of normal software development, rather than an add-on or an after-thought.”
The Computing and Software Systems department is also actively expanding links with the Northwest cybersecurity community, on campuses and off. “We’re trying to build connections to local professional groups and enthusiast groups, so students can have access to other thought leaders in the area,” says Reber. “We’re an innovative campus; we’re still building new programs, and those characteristics allow us the flexibility to bring in all these outside collaborators.”
"We are committed to building a comprehensive and rich environment for cyberdefense education."
- Mike Stiber, program director, Computing and Software Systems
Keeping up with online thieves, extortionists, and terrorists is challenging. Devious tactics can change by the day, the hour, the moment. “It’s always escalating,” says Reber. “Cybersecurity is a great industry for people who really like to keep learning.”
To help instill on-the-go flexibility and self-learning in students, the Computing and Software Systems program and its colleagues have set up a virtual environment for practicing cybersecurity skills. This virtual spy vs. spy world teaches students not only how to protect against the enemy, but how to attack it. Figuring out how an evil virus functions, they can duplicate it and throw it at an environment to study how it spreads, then use this knowledge to fortify security skills. “It’s a sandbox where students can practice new things,” says Stiber. “If it blows up, we re-set it, and do it all over again.”
UW Bothell was able to use these servers for the Pacific Rim Regional Collegiate Cyber Defense Competition in March, a two-day competition that requires teams to maintain Internet services for a fictional company, even as they are attacked by a “red team” trying to vandalize and break into their network. As they defend against attacks, they are bombarded with work tasks from bosses and requests for presentations from the board of directors.
It was the first year of competition for UW Bothell. The pace, says recent Computing and Software Systems graduate Don Wise, was intense. But the UW Bothell team was canny. At one point, the red team left a USB drive at each work station, says Wise, the team leader. “Some of the teams plugged it in, and it had a big voracious virus on it. Fortunately, we didn’t.”
The UW Bothell team was zealous in their defense – even a little overzealous. They not only blocked out the evil-doers, they blocked out the connection to the contest’s scoring mechanism. “We got hosed on that,” says Wise, an employee at The Boeing Company, who, like so many UW Bothell students, has worked full-time even with a full-time college workload.
The UW Bothell team finished a very respectable fifth out of 11 teams in the competition. “Our students did great,” says Kochanski, who advised the team. “We heard lots of remarks about how professional they were, how well prepared they were, that they were very wellrounded and could deal with all types of requests and issues. A key aspect was how they interacted with management, how they could translate technical matters into business terms.”
That ability to turn tech talk into plain talk is one of the hallmarks of the interdisciplinary Computing and Software Systems program, where students combine computer science classes with software engineering, project management, and technical communications classes that teach them management structures and how to assess the core needs of a company. “Being able to take highly technical information and present and summarize it in an accurate way that is accessible to the public is something our students will have to do in the real world,” says Stiber.
Computing and Software Systems students are already in training for the 2013 competition, under the coaching of Wise. He has formed a formal student group called the Gray Hat Society. The Gray Hats, unlike the evil Black Hats and the dogooder White Hats, are the professionals who hack into systems to try to understand security holes so they can fix them.
The 2013 team is looking strong, he reports. And the training they’re getting is invaluable. “Cybersecurity is the next generation of a cold war,” says Wise. “Hacking is big, and it’s important, and the skills we are learning at UW Bothell are very necessary for the near future.”