Q&A: Shiu-Kai Chin on Cybersecurity
Shiu-Kai Chin, professor of electrical engineering and computer science in the College of Engineering and Computer Science, director of the Center for Information and Systems Assurance and Trust, provost faculty fellow for strategic planning and Meredith Professor for Teaching Excellence, is an expert on cybersecurity. He recently shared his thoughts on the spate of major cyberattacks around the world.
01 There have been a lot of major cyberattacks in recent months. Is the world poorly prepared to deal with this sort of thing?
Most of our systems were not designed with security in mind. We are living in the equivalent of a shantytown in cyberspace, much like the shantytowns that were precursors to our major cities. Those structures were thrown up with little regard for the safety standards we now have and weren’t built to withstand the natural and human-made disasters that befell them. Once folks saw the need to build things that last, we got standards and enforcement, based on sound engineering and public policy. Cyberspace is still evolving from that shantytown into a modern city.
02 Attacks against utilities seem to have come from enemies. What about ransomware attacks? Just a moneymaking scheme?
The ransomware attacks might be a smokescreen for something much more insidious: theft of root credentials, which renders authentication incapable of discerning between legitimate identities and fraudulent ones. This is equivalent to losing the plates for minting $100 bills.
03 Should we have been better prepared for all these attacks?
I can point to papers written by the U.S. Air Force in 1979 about the very situation we’re in today. There is no plausible deniability. We are living with the consequences of inattention, failure of vision and poor leadership. We have valued short-term economic gain over long-term investments in safety, security and integrity.
04 What needs to happen now to enhance our cybersecurity going forward?
In the U.S., we need to be willing to invest in it. For example, chip-enabled cards were introduced a long time ago in Europe, but U.S. financial services businesses deemed the cost of issuing new chip-enabled cards too expensive to justify—until the data breaches at Home Depot and others raised the cost of poor security. If costs continue to rise, then we might see investment in systems and new standards emerge where security—just like safety—must be rigorously required, justified and demonstrated.