http://newsobserver.com/24hour/technology/story/920816p-6411106c.html By CHRISTINA DYRNESS THE NEWS & OBSERVER OF RALEIGH June 18, 2003 (MN) - An Iraqi attack on U.S. computer systems leaves government agencies in disarray until a cybervigilante comes to the rescue. So goes the plot line of a first novel written by a cybersecurity expert. Its timeliness is making waves in the industry and comes at a time when the federal government is poised to boost spending on securing its computer systems. Called "No Outward Sign" (Writers Press Club, $18.95) [1], the book by Bill Neugent describes a covert computer attack that couldn't be more different than the stark visual image of burning twin towers of Sept. 11 forever etched in the national memory. But the cyberthreat against the United States is real and has been for some time, experts say. Dave Morrow, deputy director of global security and privacy services at EDS, based in Cary, N.C., should know. During most of the 1990s, he served as a cybercrime investigator in the Air Force. Morrow bears witness to the fact that cyberattacks against U.S. government networks are frequent - though most of what he knows is classified. "There's a lot," Morrow said. "And I can't talk about it. But there is quite a bit of capability out there." The Sept. 11, 2001, terrorist attacks prompted the creation of the U.S. Department of Homeland Security and a new focus on personal and national security. With computer chips turning up in everything from tractors to video cameras and the Internet creeping into more areas of life - both wired and wireless - the securing of a nation can't happen without securing computer networks that run electricity grids, store confidential government secrets and control financial markets. The promise of new funding is drawing much attention on the academic front toward cybersecurity study, and some North Carolina universities are studying better ways to protect systems from hackers and other cybercrime. The schools have an eye on grants from the government to fund this research, but also the job market for their graduates as the demand for computer security experts is slated to grow while other computer networking jobs have dried up. For example, N.C. State University opened a Cyber Defense Lab in April as a way to showcase its research on related topics and, perhaps, score some new grants to support it. The lab doesn't hold all of the university research related to online security, but it's a convenient way to showcase the work of four members of the computer science faculty and their graduate students. They are working on grant-funded research on topics that include the study of the software bugs exploited by hackers and security for wireless computing. "The level of sponsorship is going up and we expect it to grow up quite dramatically in the next few years," said Douglas S. Reeves, professor of computer science at N.C. State. And the message is coming through loud and clear to students who are piling into cybersecurity classes, eager to pursue an area of study with a good chance for employment waiting at the other end. "Now that networking is in a slump, security is the bright area in the picture," Reeves said. "There is still a great demand and not enough supply in security." At the University of North Carolina in Charlotte, the opportunity is furthered by a Federal Cyber Corps scholarship program. Paid for by the National Science Foundation, Cyber Corps pays tuition for cybersecurity-focused graduate students, gives them a $1,000-per-month stipend and requires them to work for the federal government for a year or two upon graduation. Fifteen universities across the country participate in the program. UNC-Charlotte, which has been offering the scholarship for three years, is the only one in the Carolinas. "In this market, the guaranteed job turns out to be a tremendous attraction," said Bill Chu, chairman of the department of software and information systems at UNC-Charlotte. "The admissions bar is very high. A couple of years ago, you didn't see those students applying to graduate school." Chu said UNC-Charlotte started building its cybersecurity research program five years ago with the support of the local banking community. "Our collaboration with the financial sector is important," Chu said. "They take security very seriously." Now that cybersecurity is a hot topic, Chu expects to see even more activity around education and research. "So far, the disappointment has been that Congress has approved (additional research funding), but it has been tied up in appropriations," Chu said. "There's a lot of talk in Washington, but all this is still being shaken out. All this hasn't translated in big, huge programs." Proposed bills in Congress would designate about $100 million toward cybersecurity research and education in the current fiscal year with hundreds of millions more in future years. The bills now wait for the appropriations committee to designate the money. While additional money might stoke new research, myriad projects that fall under the cybersecurity label are already under way at Triangle universities. "Cybersecurity is an umbrella term that means a lot of things to a lot of people," said N.C. State's Reeves. He explains that the term is invoked to mean the reaction to some malicious cyberactivity like hacking. But cybersecurity can also mean simply the reliability of a network. "When we use the term, we mean that broad sense," he said. Work at N.C. State's Cyber Defense Laboratory on Centennial Campus in Raleigh includes projects by Reeves; S. Purushothama Iyer, associate professor of computer science; Peng Ning, assistant professor of computer science; and Bin Yu, a research associate; in addition to graduate student researchers. Iyer, for example, received funding from the National Science Foundation and the Army Research Office for research into methods of proactive network designs - looking at the bugs that hackers use and trying to eliminate them. Reeves' work, in collaboration with Ning, has been in improving computer intrusion detection. "How do you deal with massive amounts of information?" asks Reeves. "Right now systems are not good at isolating what you really need to worry about. Our work is about tuning systems to calibrate intrusion detection." MCNC, the nonprofit economic development center in Research Triangle Park, N.C., has also positioned itself as a cybersecurity player. Along with Duke University in Durham, MCNC is finishing a three-year project, called SITAR, for the Defense Advanced Research Projects Agency, or DARPA. SITAR stands for scalable, intrusion-tolerant architecture for distributed services. The challenge was to design a large computer network that provides online services to multiple users and not only steel the network against hackers, but also make it strong enough to continue to provide services if an intrusion occurs. "It used to be that DARPA had a lot of projects sponsored for intrusion detection," said Feiyi Wang, principal research scientist at MCNC. "But often (hackers) will be successful. There's a class of mission-critical applications and under active attack, some of the system component was being compromised." SITAR is just one of several research projects at MCNC, all of them in collaboration with universities, that have applications in cybersecurity. Dan Stevenson, vice president of the MCNC Research and Development Institute, said that sometimes government-funded research can sit on a shelf and collect dust, but MCNC tries to ensure that research will see the light of day as a commercial project or in use by other government agencies. "We're trying to make it happen for SITAR and other projects in the cybersecurity space," Stevenson said. Amin Vahdat, a Duke University assistant professor of computer science, points out that North Carolina universities are not in the top tier of cybersecurity research institutions, a designation he reserves for schools such as the Massachusetts Institute of Technology, Carnegie Mellon University in Pittsburgh, the University of California at Berkeley, Purdue University in West Lafayette, Ind., and perhaps Stanford University of Palo Alto, Calif. "We aren't in that league," Vahdat said. But as interest in the topic has increased, so have the research efforts, with more and more grant proposals heading to Washington in hopes of getting financial support. EDS' Morrow, who works with business clients to secure their networks, hopes to see government-paid research finding its way to his customers. "They do a lot of research and development for things that can develop into some really good products for the private sector," he said. And one thing is for sure: Cybersecurity is the place to go for job security. "There is going to be, in the future, no letup in the requirement for people who know something about security," Morrow said. [1] http://www.amazon.com/exec/obidos/ASIN/0595257496/c4iorg - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Thu Jun 19 2003 - 05:29:33 PDT