Wanted: an eco-approach to cybersecurity
Cybersecurity is a thorny issue; just ask President Barack Obama and Chinese President Xi Jinping, who recently finished two days of high-profile talks on the topic without movement toward a solution.
Yet it’s a problem that desperately needs to be solved. National intelligence leaders cite “cyber threats” as a bigger danger to this country than terrorism.
The growing threat to the world’s information infrastructure posed by hackers, spies, identity thieves and social engineers is profound enough to spawn the USC Viterbi School of Engineering’s new Master of Cyber Security degree program and important research on the topic at USC.
Among the up-and-coming researchers: Ranjan Pal, Provost Fellow and PhD candidate in computer science at USC Viterbi. Pal believes that creating what he calls a robust “ecosystem of security” will be the key to defending against electronic attacks. He’s studying how to make that happen.
The ecology of security
To have a stable ecosystem, all players in the online security game must be satisfied with the system, he said. That means that Internet security software makers need to turn a profit, for example, while Internet users need real protection from online risks.
Unfortunately, there are roadblocks. A safe ecosystem depends on the level of security in each component of the Internet, from individual Internet users to vast corporations. And most common defenses used against cyber threats don’t address the entire security problem, Pal said.
“Technical solutions — anti-virus, anti-spam, browser mechanisms — won’t give you robust security,” he said. One reason: anti-virus product makers rush their products to market.
“One company competes with another company and wants to release a new anti-threat product quickly to get a competitive edge. The product isn’t perfect yet, but it’s released anyway,” he said.
Another important reason is that new threats evolve over time, and technical tools can’t detect and mitigate them all.
Meanwhile, computer consumers — most of the people who browse the Web — “don’t know how to use the features of these products in a proper manner,” Pal said. New inventions like smartphones are particularly vulnerable to attacks because neither protective software nor user-security behavior can keep up with the level of technology needed to counter cyber threats.
Everyone from high school students to the U.S. government is vulnerable. “Both President Obama and CIA officials say the government is being careless and is asking for a cyberattack. “The government has made it clear it wants a very secure system,” Pal said. But where will this robust security come from?
Interdisciplinary perspectives may be the way to go — a “people” ecosystem to protect the technology ecosystem. That means technology users big and small must partner with security companies, government and policy organizations to teach and practice safety, Pal said. Computer users must learn how to use protective tools; one suggestion, according to Pal, is requiring computer users to go through training before being allowed Internet access.
If every user pays attention to safety, Pal said, then the overall Internet ecosystem becomes safer.
Does insurance beget assurance?
The goal for Pal and others involved in cybersecurity is to create a system that minimizes risk in a way that everyone involved is satisfied. In many other high-risk economic systems, from health care to airlines, insurance can mitigate financial risk. Cyber insurance is a growing industry that aims to protect against the costs of cyber attacks (which can run up to $7 million for a corporate breach).
But Pal isn’t a fan of cyber insurance yet. If it’s impossible for insurance companies to have every important bit of information about a client, such as which websites its employees visit, then an insurance contract may not be suitable. It will be tremendously difficult to create a perfect system, Pal said.
Unless insurers can get better information, Internet users boost their security practices or other solutions are found, hackers can still cause havoc in the ecosystem, Pal said, and the Internet will remain a modern-day Wild West.
Pal is working with USC Viterbi faculty members Leana Golubchik and Konstantinos Psounis, as well as distinguished scientist Pan Hui at Deutsch Telekom. Take a look at Pal’s list of deal breakers for international cybersecurity in a related USC News article. And learn more about USC Viterbi’s graduate cybersecurity program online.