University of Delaware
Michael Chertoff discusses cybersecurity to a packed house in the Roselle Center for the Arts.

Battling cyber attacks

Cybersecurity expert Chertoff says constant peril makes partnerships essential

TEXT SIZE

4:06 p.m., Feb. 11, 2015--As Americans slept last night, they were out there, trying this password and that, sending tantalizing links in emails that have recognizable return addresses, notifying recipients of huge sums of money just waiting for them to fill in a convenient deposit form, and hoping they will find that cat video irresistible enough to “click here.”

And what do consumers know about that "smart" refrigerator or the new GPS software they just bought? They're connected to the Internet now. Could they someday be wide-open doors to financial data or a vehicle's electronic controls?

People Stories

'Resilience Engineering'

The University of Delaware's Nii Attoh-Okine recently published a new book with Cambridge University Press, "Resilience Engineering: Models and Analysis."

Reviresco June run

UD ROTC cadets will run from New York City to Miami this month to raise awareness about veterans' affairs.

On Tuesday, Feb. 10, Michael Chertoff, one of the nation's top security experts and the former secretary of the U.S. Department of Homeland Security, outlined many such perils and left no one with a false sense of security as he delivered the first University of Delaware Cybersecurity Initiative Distinguished Lecture to a packed auditorium at the Roselle Center for the Arts. (A video of the presentation is available on the UD YouTube channel.)

Admirals, judges, college presidents, business and finance leaders, deans, professors and students listened as Chertoff described an unrelenting threat -- attacks at every level, on every institution and every Internet connection -- and said there is no fail-safe defense.

"One hundred percent protection is not possible," he said. "Chasing that leads to unproductive pathways."

But helping to solve difficult problems is the kind of challenge that appeals to many students, including Dylan Ross, an engineer and first-year doctoral candidate doing research in electromagnetics and photonics.

"What drives me is solving problems," he said, "and no one's ever cracked this one. No system is perfect, every design is going to have some kind of flaw.... But solving a specific problem -- for a lot of students in science and engineering, that is what drives them."

UD's Cybersecurity Initiative, launched last spring under the direction of nuclear physicist Starnes Walker, will connect many problem-solvers with backgrounds in defense, business and research.

And with its status as a leader in corporate law, Delaware is well-positioned between New York's financial hub and Washington's defense hub to contribute valuable resources to the effort -- unbiased research, proven protocols, a skilled workforce, standards for training, and expertise in legal and business practices, said University President Patrick Harker.

Managing the risk

The only sure defense against cyber attack is unplugging from the Internet, a step easier said than done, Chertoff said. But the cost of that decision is great. The Internet brings many benefits and has revolutionized how services are delivered and networks are developed worldwide.

The challenge, he said, is to build a strategy that allows access to those benefits while holding the line against intruders.

The smart strategy against cyber attacks, Chertoff said, is to recognize that breaches will happen and do what can be done to control, manage and mitigate the risk. The smart strategy is found in the kinds of partnerships now under construction through UD's Cybersecurity Initiative, where government, industry and academic leaders will work together to identify threats, share what they know about them, and develop effective defenses.

Chertoff's visit came on the same day President Barack Obama announced the creation of a federal Cyber Threat Intelligence Integration Center to collect and share intelligence, much as the nation did with its counter-terrorism initiative.

It is an appropriate triage, in Chertoff's opinion. He places cyber threats among the greatest dangers to the United States' national security, with consequences as paralyzing, destructive and deadly as the violence perpetrated by ISIS, Boko Haram, and other terrorist networks.

He noted several recent attacks by other nations, too, including the Russians' attack on the White House and the banking industry, a "persistent effort" by Chinese hackers to gain intellectual property including blueprints, manufacturing processes and clinical trials of emerging drugs, and North Korea's recent attack against Sony, done in protest of its movie The Interview.

From credit card fraud and ID theft to denial of access to Internet sites to crippling and destroying critical infrastructures such as transportation, communication networks and power grids -- the dangers are constant and pervasive.

"How do we not feel overwhelmed and throw our hands up?" Chertoff asked the audience.

You beat one network by building another network, he said, in this case, a network of trusted partners who work together to identify and address the dangers.

Because the private sector is the most active online, Chertoff said, business leaders are essential to that effort. They must identify and share the attacks and threats they encounter.

That can be testy territory, with global reputations and proprietary information often at stake. No one -- no industry, no university, no bank, no government agency, no nonprofit or small business -- wants to be named in headlines as the victims of such an attack, lest readers conclude they are unworthy of trust or the unwitting disseminator of sensitive personal and financial information.

But even the Pentagon has been hacked. UD has been hacked, major banks and corporations have been hacked, those with enormous security budgets and protective protocols have been hacked. Human error is a factor, software problems are a factor and, Chertoff said, no institution is immune.

It's essential to share "indicators of compromise," said Chase Cotton, professor of electrical and computer engineering and director of the Center for Information and Communications Sciences. "The IP address, the email, the file name it leaves behind in your machine -- so you know that if you get attacked, you will see these."

Breaches sometimes aren't discovered for months, though, and not all are quickly disclosed. Some went "radio silent," he said, and some choose not to make problems known until they file Securities and Exchange Commission reports.

"But we've seen a sea change in the way industry is behaving this year, especially after the Target breach," Cotton said.

Human error

Ralph Begleiter, longtime CNN correspondent who now is director of UD's Center for Political Communication, noted that research in human behavior -- the natural tendencies people have that sometimes result in disastrous decisions -- must be part of the equation.

Chertoff said that is an under-considered element of cybersecurity. People make mistakes, he said, as a mid-level employee in the Department of Defense discovered. He inserted a thumb drive into his computer and unleashed a major intrusion into the network.

Those portable memory sticks apparently are hard to resist, Chertoff said, citing a study that showed the majority of people who find a thumb drive lying in a parking lot will put it into their laptop or computer to check it out, unaware or unconcerned that it may be delivering a payload of malware and viral code. If that same thumb drive has a logo on it -- an Eagles logo, perhaps -- studies show 95 percent of people will insert that thumb drive into their computers, he said.

That's like picking up a hamburger lying in a parking lot and eating it, Chertoff said. He often likens cyber threats to those the human body faces every day. The human body is not immune to all illness but it has ways to identify and fight intruding bacteria and viruses.

Chertoff said he sees good news in the increasing amount of cooperation and urgency developing around cybersecurity.

Difficult decisions must be made, including where to strike the delicate balance between civil liberties and public safety, protecting the values that define the nation.

Asked about efforts to make encryption a crime -- forcing developers to include anti-encryption access to its clients' data -- Chertoff said he has reached the conclusion that government should not make such requirements. 

Chertoff said that would just make U.S. products less attractive around the world, where they will be seen as vulnerable. It also would mean only "bad guys" would use impenetrable software, leaving only law-abiding citizens with the vulnerable products, he said.

"I'm not minimizing the security challenge," he said, "but as a society we probably don't want to go that far."

Asked how to respond to a business executive who wants to "attack back," Chertoff was strong in discouraging such a response.

"It's very dangerous and risky to retaliate against an attacker," he said.

There are legal implications, he said. Even if you know the burglar who broke into your home, you're not allowed to go break into his, he said.

Managing responses to cyber attacks probably should be left to the federal government, he said.

David Wunsch, director of the UD-based Delaware Geological Survey and state geologist, asked how agencies can be open for public use -- inviting the public to explore data and other interactive information online -- without inadvertently creating portals for cyber attacks.

Chertoff said it is a challenge to strike the right balance between openness and security, especially on systems that are not strategically developed but are pieced together over time. 

The risk can be reduced by controlling access and privileges, he said, but many places are "way behind the curve" in addressing those issues.

Issues of relevance to students

The lecture raised many issues of relevance to students, said Michael Vaughan, associate dean of the College of Engineering.

Vaughan said he is excited about the educational and research opportunities UD's Cybersecurity Initiative brings.

Bringing Chertoff to campus was "quite a coup," Cotton said, and he hopes to see cybersecurity programs expand through other disciplines.

Other partners in the UD Cybersecurity Initiative are Delaware Technical Community College and Delaware State University, and their students will be part of the cybersecurity training "pipeline," said Delaware Tech President Mark Brainard.

Chertoff's lecture demonstrated the importance of those connections, he said.

"It really does put an exclamation point on what everybody's thinking about," Brainard said.

Article by Beth Miller

Photo by Evan Krape

Video by Ashley Barnas

News Media Contact

University of Delaware
Communications and Public Affairs
302-831-NEWS
publicaffairs@udel.edu

UDaily is produced by
Communications and Public Affairs

The Academy Building
105 East Main Street
University of Delaware
Newark, DE 19716 | USA
Phone: (302) 831-2792
email: publicaffairs@udel.edu
www.udel.edu/cpa