Milos Manic, Ph.D., and Carol Fung, Ph.D., with Leila Uginčius
In the cyber world, distance becomes irrelevant. Someone on the other side of the planet can monitor your online activities as easily as a nefarious criminal can quietly look over your shoulder at an ATM. What’s more, others can manipulate your activities. Almost daily advances in technology continue to make the world smaller and blur the differences between man and machine. Individuals, organizations — and even countries — must remain vigilant.
Milos Manic, Ph.D., professor of computer science, and Carol Fung, Ph.D., assistant professor of computer science, are Virginia Commonwealth University School of Engineering faculty members whose research addresses cybersecurity issues. Manic’s research focuses on machine learning applied to cyber security, critical infrastructure protection and resilient intelligent control. Fung researches smartphone security, as well as new network technologies to solve distributed denial of service (DDOS) cybersecurity attacks.
Manic and Fung spoke with us about their research and expertise on cybersecurity.
How do you define cybersecurity?
Fung: Cybersecurity is a broad field. These days, everybody has digital systems. For example, you have a laptop, you have an iPad and phones, etc. Those digital systems can be attacked by hackers because all the digital systems have to be connected to the internet, which opens the door for outsiders to get into the system.
Once through the network, outsiders can successfully get into the system and steal data. That’s the first type of attack. Attackers can also change the data. For example, they pretend to send fake data and they can get into the system, or they can switch files or make the files different, and that’s a second type [of attack]. And the third type is removing or deleting data. That’s even worse, I would say, in some cases. Cybersecurity is trying to address these issues and find technical solutions and design-of-process methods that can be used to protect computers and data. That’s a general definition of cybersecurity.
When did cybersecurity become an issue and what brought it on?
Manic: The internet has been around for many decades, from its very archaic early form to today’s fairly sophisticated form. Any time you have “machine talking to machine” or “human talking to machine,” you’ve already started having an issue. But really, the issue — the core of the issue, the way I see it — is the motivation of “adversaries.” An adversary can range from someone who’s working out of the garage or basement … to individuals in certain agencies that are part of other countries’ agendas.
Fung: In 1988 there was the Morris Worm. Why is it such a big deal? Before 1988, if attackers wanted to attack a system, they could only attack one system. They put in a lot of work to damage one system. But Morris automatically worked like a virus. It’s called the “worm” because it crawls over your whole network actually. [With] Morris, just one person successfully automatically compromised 6,000 computers. After the Morris Worm, many other worms and viruses came out, and the impact of those attacks increased exponentially.
Who’s at risk to become a victim of a cyber-attack?
Manic: We need to first distinguish what kind of risk. The everyday individual should be concerned about his or her own identity being stolen. This can cause a lot of heartache, but the consequence is pretty foreseeable. However, if the individual is part of a certain organization, this [breach] propagates to that organization. If a VCU professor’s identity is stolen and [that] VCU professor is also part of a project with, say, a large government “three-letter” agency, then it may propagate further. Cybersecurity risks go from an individual being hurt in many ways, to big organizations, to countries.
Fung: It would depend on the damage caused. Probably the government and companies get more damage, especially the banks. In terms of scale, it’s regular users, because we are less protected and a lot of people don’t have anti-virus [software]. There are millions of people who get compromised. In terms of damage and financial loss, those most at risk would be companies and institutions.
Manic: In the U.S., we are worried about critical infrastructures — basically, anything that’s crucial for everyday life. Typically people look at energy, because without energy pretty much everything else fails very quickly within hours or days. It can also be systems that control bridges or buildings. What people don’t think about frequently are sewer systems and freshwater supplies. When these systems go out, within hours you have congestion as well as unsecured and uncontrolled information. Infrastructure is where the risk is.
What can be done to keep our online activities secure?
Manic: Common sense is a very, very tough notion that has different meanings to different people. Adversaries prey on our human vulnerabilities. Cybersecurity work used to mean working in trenches on technical stuff — packet communications looking at bits or 0s and 1s. Now cybersecurity is actually looking at human factors, because it’s the humans that make machines attack or leave the door open for an attack. Machines don’t do this on their own. People started looking into human vulnerabilities and how humans can be fooled.
Tests (like phishing) were done in various environments — academic and government — and the results were scary. It turns out, regardless of the effort put into training of certain individuals, some still get tempted to click on links. At that point you open yourself to vulnerability and then, as much as we try to be preemptive, at that point we are switched into reactive mode because we cannot predict all the kinds of traps adversaries can set up for us. So that’s a problem.
Fung: There are many things we can do as regular users, like using an antivirus. Make sure you do not install software from the internet if you do not trust it. There are is a lot of free software, actually, and some works secretly behind cover. They are called Trojan Horses, a type of malware that actually opens the back door and starts to steal your information secretly, and you never know. So it’s better not to install untrusted software.
Another thing for the regular user: regularly upgrade your computer software. For example, if you are notified by the software manufacturer there is a patch for the operating system, then install the patch. A lot of patches are released because [software companies] discover a security loophole. It’s recommended that you keep your software updated.
How easy or difficult is it to track down cyber criminals? And how would you go about that?
Manic: Again, there are different types of cyber criminals, cybercrime, and different agencies are dealing with it. What is the job for counter intelligence? What is the job for the FBI and so on. For a long time, and definitely recently, the white hat community has been trying to look for mechanisms for trying to be in a proactive, as opposed to reactive, kind of mindset. This is the cat-and-mouse game. We try to foresee and predict all possible scenarios, and that is a problem right there because you can’t.
What people started doing, and we were doing the similar thing, we started looking at the holistic state of the system, the system as a whole, because smart adversaries will mask their tracks, mask their attempts. And the question is, how can you find the implicit consequence that otherwise would go unnoticed? So a simple example for this is you could have a server and a tech. Instead of looking at firewall communication or low-level packets of communication, a simple example is look at the activity hard drive. Is something overheating? Is something working harder than it should be? Why is it working harder? If this was a student server, is there a deadline for homework a couple hours from now? Not that the students wait for the deadline, but just hypothetically.
You can understand the ways of understanding the normal and anomalous behavior of a system looking at it as a whole as opposed to looking at the one because adversaries know which points in the system you’ll be carefully 24/7 monitoring. They know it’s not a secret. The trick is, what else can you look at? But it’s expensive. It’s expensive in terms of resources, time and algorithms, and everything you don’t want to do unless you have to. So how do you find this thin line that is still visible but it gives you enough assurance that you’ll get what you’re after?
Fung: The method for tracking cyber criminals depends on what kind of cyber criminal you really mean. For example, if you are trying to track hackers or people wanting to get into your system, a very common way is to find what IP address they’re using. But, the attackers are smart, too. They can get away from that. For example, they could use a proxy, which means they use another compromised or volunteer computer to hack you, and then when you find that computer, it’s innocent. So they can use a proxy or they just use fake IP addresses. But using the fake IP address to attack the system is limited on the type of attacks they can use. If they use fake addresses, they cannot receive responses from victims.
Actually, there are a lot of surveys in the works being done to deal with what can we do if attackers use fake IP addresses. We should be able to evolve to some other intermediate system. For example, the routers and the switches which they use to lay the traffic, if you can get the control of those devices to help you with identifying attackers, then that’s doable. As a regular user, we don’t have the privilege to access those routers, but I believe some people have the privilege.
What would you like to add?
Manic: Cybersecurity has been around and it’s a known story. There’s another story that started seven, eight, 10 years ago and it’s called resilience. And some of us have been trying to evidence the need for resilience and what resilience is. … There’s been many interpretations, but what we’re trying to say is, it’s not about recognizing the vulnerability and how to prevent it, it’s how to recognize it. It’s about how you make systems resilient, because these things will happen. There’s no question about it. The only question is, how do you recover after that? The traditional aspects have been named reliability and graceful degradation. How do you gracefully degrade a system to maintain mission critical functionality and sacrifice one that is not mission critical? But it doesn’t talk about the intelligent response to this and this is where this intelligence comes into play. How does our body recover after an injury? It’s not about necessarily us being really smart and dealing with it after the fact, it’s what happened in our body over the thousands of years that made it resilient to a point to some failures. What are the intelligent ways of dealing with cybersecurity issues? How do we bounce back? Government is looking more and more resilient.
There’s a lot of misunderstanding here. This is really just normal. And it’s been becoming fairly clear and crystallized over time that our nation really needs systems that are able to bounce back after something happens, because we do know that bad things have happened and will continue to happen. It’s just a question of are we ready to quickly bounce back? Cybersecurity is not the only aspect. It’s also acts of God and all kinds of Katrinas that are happening and what we learned through this. I had the honor to be in the presence of people that were leading the recovery efforts [after Hurricane Katrina in 2005] on various levels of government, some Homeland Security, some others, and the lessons learned were really scary with some of the initial efforts. We’re essentially like kids, we learn from experience and things are getting better now. But again the trend of relying on learning from experience means that you have to experience it first and we are really trying hard to avoid that and be smarter than that.
Fung: I think cybersecurity is still a very exciting field in these days. I have two Ph.D. students involved in this field and the one thing I want to add is I really want to see more female students getting involved in the cybersecurity field and in general in the computer science field.