Kevin Du
It's a mentality that has served Du, a professor of electrical engineering and computer science, well as he has carved out a decorated career as a global cybersecurity expert. His labs have been used by more than 1,100 institutions and universities across the world, and it all started with the launch of the SEED project, which developed hands-on instructional laboratory exercises known as SEED labs for cybersecurity education.
But at the time of its creation in 2002, the experiences Du wanted to provide to his students around cybersecurity education didn't exist in a practical fashion. He set out to create a virtual training tool that could help prepare cybersecurity experts to handle the pressing issues they would face in the future.
The initiative launched thanks to $1.3 million in funding from the National Science Foundation (NSF). The SEED project's objectives are to develop an instructional laboratory environment and accompanying laboratory exercises that help students comprehend the practical security principles, concepts and technologies associated with cybersecurity issues; apply those principles to designing and implementing security mechanisms that can counter cybersecurity attacks; analyze and test computer systems for potential security issues; and apply these security principles to resolving real-world cybersecurity problems.
"I designed the SEED project so students can actually walk through those attacks by themselves on their computer," says Du, who is a fellow of both the Institute of Electrical and Electronics Engineers and the Association for Computing Machinery. "Not just talk about the attack, but now they can actually see the attack and think about what they would need to do to stop the attack."
Since its founding, the open-source SEED project (its software is made freely available to interested parties), which has students access the lab work through virtual machines, has accomplished the following:
"We are not teaching students to carry out these attacks, but if you don't know what's happening behind the attack, you won't know what to do when you encounter an attack," Du says.
Kevin Du (second from right) has carved out a decorated career as a global cybersecurity expert. His labs have been used by more than 1,100 institutions and universities across the world. (Photo by Jeremy Brinn)
Before Du created these virtual labs, cyberattacks would be explored on paper, with professors describing how a theoretical cyberattack could be carried out. While it is important for students to understand the theoretical workings of cyberattacks, Du says this approach leaves out the equally important practical application, the actual stopping of a cyberattack as it is happening or once it has happened.
Professors would discuss cyberattacks in theory, but gaining hands-on, practical experience was very limited, for one very good reason, according to Du. Working through cyberattacks represents a security threat, one that can't be tackled on a normal University-issued computer, because some of the cyberattacks being studied could bring down the entire internet if they were successfully carried out.
The solution, according to Du, was to build virtual machine technology that would allow Syracuse University students, and students in classrooms all across the country, to access and run the cybersecurity software on their own personal computers.
At the time, virtual machine technology was still relatively new on college campuses. Du fine-tuned the project's goals and objectives, focusing on educating students about the dangers of the different kinds of attacks while emphasizing ways to keep these attacks from happening.
"There was a huge gap between the theory and the practice of a cybersecurity attack. We needed to fill that gap," Du says. "The big achievement with the SEED lab is we brought the ideas that students were learning about in their research and we simplified those ideas and made this hands-on component that complements the theoretical teachings."
Since starting as a professor at the University in 2001, Du's research papers have been cited 17,800 times, and he has won two ACM Conference on Computer and Communications Security Test-of-Time Awards.
In 2015, Du, who was always interested in hands-on learning, began offering training workshops funded through a $1 million NSF grant for interested cybersecurity educators at colleges and universities across the country. Each summer, approximately 80 instructors converge on Link Hall for a weeklong intensive training workshop where they learn the ins and outs of Du's open-source software. Since offering the sessions, Du estimates that more than 400 college professors have been trained on the software and are now teaching their students many of the same cybersecurity awareness and prevention lessons Du teaches through his labs.
"I've found that many instructors share my teaching philosophy that they want to have hands-on practice with their classes, but they're finding there weren't many opportunities," Du says. "Now, my SEED lab can fill that gap and it's very easy for the instructors to use. Because I put a lot of thought into designing this SEED lab, it makes it easier for other professors to bring the teachings back to their campuses."
Du has also written a textbook based on the SEED labs, "Computer and Internet Security: A Hands-on Approach," that is used by nearly 300 universities. Knowing the source material can be a bit dry when digested only in a textbook, Du built a recording studio in his basement and produces video lessons complete with hands-on demonstrations to accompany his lectures. The videos are posted online and available at a cost of $10 per class.
"The videos certainly help enhance the teachings through demonstrations of the attacks or the lessons we're learning and have helped more people benefit from my SEED labs," says Du, who hopes to one day introduce artificial intelligence topics into his SEED labs' educational environment.
Why are government agencies more at risk when it comes to cyberattacks and operational vulnerabilities?
Lee McKnight
Lee McKnight is an associate professor in the Syracuse University School of Information Studies (iSchool) whose research specialty includes cybersecurity. He provides written comments that can be quoted directly. He is available for interviews on future topics related to cybersecurity practices in the public and private sectors.
McKnight says:
"With state-sponsored actors taking advantage more frequently of outdated to non-existent water supply security practices, it is refreshing, like a glass of (clean) water, that the EPA and CISA have begun to raise the alarm. The fact that 70% of water systems upon inspection failed to demonstrate their ability to maintain basic cyberhygiene is regrettable, but far from shocking.
"It is overdue for the public and private sector organizations supplying and supporting water systems to take these threats seriously. Even if the nightmare worst case scenarios have not happened at scale, the entire sector has to prioritize cybersecurity, just as oil pipelines belatedly did after the successful ransomware attack on the Colonial Pipeline several years ago precipitated.
"In the case of water supplies, the risks are more local but can be no less devastating if their operational technology is breached.
"Sending the sector's IT workforce back to school, or at least scaling up online sector-specific training programs, is long overdue. Beyond 'IT' workers, the wider workforce must have more opportunities for training in basic cyberhygiene as well.
"Since now that it is widely known that cyber-attackers have a 70% probability of finding a soft target when going after a water system, unfortunately, we know the most recent successful cyberattacks on water systems will not be the last."
To request interviews or get more information:
Daryl Lovell
黑料不打烊 Media Relations
M 315.380.0206
dalovell@syr.edu
Syracuse University
Hoque has received the National Science Foundation (NSF) CAREER Award to research context-sensitive fuzzing for networked systems. This grant supports early career faculty with their professional development and will build upon Hoque's research on computer networks and systems security, program analysis and software engineering.
"Many big tech companies like Google and Microsoft have been investing in fuzzing techniques and have seen the importance of finding bugs in existing software," Hoque says. "The National Institute of Standards in Technology also endorses fuzzing as an automated technique for security testing. This project will push boundaries within the field and have an impact on cybersecurity."
Endadul Hoque (Photo by Alex Dunbar)
Hoque鈥檚 project has three research goals. The first goal is to create a language that can encode complex structures of inputs that change depending on the context and develop algorithms that can quickly generate correct inputs based on this language. The second goal will create techniques that can mutate these inputs without losing their context sensitivity, which is essential for the process of fuzzing. The final goal is to create mechanisms that ensure the internal state of a protocol is accurately maintained. This will allow each fuzz input to be tested in a suitable state for the protocol being tested.
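To make the three research goals concrete, here is an added Python example written for this article; it is not code from Hoque's project or from any real fuzzer. It uses a constructed toy wire format whose length and CRC fields depend on the payload (context-sensitive fields, the first goal), mutates payloads and then re-derives those fields so the mutant stays well-formed (the second goal), and drives a stateful target into the session state where the message type is legal before delivering each input (the third goal). The names ToyServer, encode, mutate, fixup and fuzz, the message types and the state machine are all this example's own assumptions.

```python
"""Context-sensitive fuzzing of a stateful toy protocol (constructed example)."""
import random
import struct
import zlib

# Toy wire format, constructed for this example (not a real protocol):
#   type (1 byte) | length (2 bytes, big-endian) | payload | crc32 (4 bytes)
# length must equal len(payload) and crc32 covers type+length+payload, so both
# fields are context-sensitive: their correct value depends on the rest of the
# message. A blind byte flip breaks them and the target rejects the input
# before any deeper parsing code is exercised.
MSG_HELLO, MSG_DATA, MSG_BYE = 1, 2, 3

# Session state machine: which message types are legal in which state.
STATE_MACHINE = {
    "INIT": {MSG_HELLO: "OPEN"},
    "OPEN": {MSG_DATA: "OPEN", MSG_BYE: "CLOSED"},
    "CLOSED": {},
}


def encode(msg_type, payload):
    """Build a well-formed message, deriving length and crc32 from the payload."""
    body = struct.pack(">BH", msg_type, len(payload)) + payload
    return body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def fixup(raw):
    """Re-derive the dependent fields after the payload was changed."""
    return encode(raw[0], raw[3:-4])


def mutate(raw, rng, preserve_context=True):
    """Flip 1-3 payload bytes; with preserve_context, repair length/crc afterwards."""
    data = bytearray(raw)
    for _ in range(rng.randint(1, 3)):
        index = rng.randrange(3, len(data) - 4)  # payload region only
        data[index] ^= rng.randrange(1, 256)     # nonzero xor: the byte always changes
    return fixup(bytes(data)) if preserve_context else bytes(data)


class ToyServer:
    """Stateful target under test. handle() reports how far a message got."""

    def __init__(self):
        self.state = "INIT"
        self.received = []

    def handle(self, raw):
        if len(raw) < 7:
            return "short"
        msg_type, length = struct.unpack(">BH", raw[:3])
        if length != len(raw) - 7:
            return "bad_length"
        if struct.unpack(">I", raw[-4:])[0] != zlib.crc32(raw[:-4]) & 0xFFFFFFFF:
            return "bad_crc"
        next_state = STATE_MACHINE[self.state].get(msg_type)
        if next_state is None:
            return "bad_state"
        self.state = next_state
        self.received.append(raw[3:3 + length])
        return "ok"


# Valid message sequence that brings a fresh server into each state.
STATE_PREFIX = {
    "INIT": [],
    "OPEN": [encode(MSG_HELLO, b"v1")],
    "CLOSED": [encode(MSG_HELLO, b"v1"), encode(MSG_BYE, b"")],
}


def state_for(msg_type):
    """Pick a session state in which msg_type is a legal next message."""
    return next(s for s, table in STATE_MACHINE.items() if msg_type in table)


def fuzz(rounds=200, seed=1, preserve_context=True):
    """Run one fuzzing campaign and tally where each mutated input was rejected."""
    rng = random.Random(seed)
    outcomes = {}
    for _ in range(rounds):
        msg_type = rng.choice([MSG_HELLO, MSG_DATA, MSG_BYE])
        payload = bytes(rng.randrange(256) for _ in range(rng.randint(1, 16)))
        seed_msg = encode(msg_type, payload)
        server = ToyServer()
        for msg in STATE_PREFIX[state_for(msg_type)]:  # drive target to the right state
            server.handle(msg)
        result = server.handle(mutate(seed_msg, rng, preserve_context))
        outcomes[result] = outcomes.get(result, 0) + 1
    return outcomes


if __name__ == "__main__":
    print("context-preserving mutations:", fuzz())
    print("blind byte flips:            ", fuzz(preserve_context=False))
```

Running the two campaigns side by side shows the point of the research: blind byte flips never get past the CRC check, so the state-handling code is never exercised, while context-preserving mutants reach it every time. In a real campaign the payload itself would also be generated from a grammar, and the target's responses would be fed back to keep the fuzzer's model of the session state in sync.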
"In this area of research, people tend to focus on strengthening the system by finding flaws in the existing system that we use in our day-to-day life," says Hoque. "How can we find loopholes in real-world security-critical systems? This research award falls under that category to advance the limitations of existing methodologies."
As part of his project, Hoque plans to improve cybersecurity courses and hold K-12 workshops to promote cybersecurity awareness, integrating his research findings into these initiatives. The project will also encourage undergraduate and graduate students from historically marginalized communities to get involved with educational and research activities.
Additionally, Hoque will form a team for cybersecurity competitions such as capture-the-flag competitions, where participants search for hidden text strings in vulnerable websites or programs. These gamified competitions are also an effective way to improve cybersecurity education.
"This project has the potential to significantly enhance the robustness of protocol implementations and cybersecurity education, benefiting society. I'm happy to have received this prestigious award," says Hoque.
In the photo (from left): Representative from FBI, Joon Park, representative from NSA and representative from CISA. (Photo courtesy of the Center of Academic Excellence)
Syracuse University has been designated once again as a National Center of Academic Excellence in Cybersecurity (NCAE-C) through the academic year 2028. The program is administered by the National Security Agency (NSA) with a goal of promoting and supporting quality academic programs of higher education that help produce the nation's cyber workforce.
The combination of required elements for the designation assures the institution meets the desired characteristics of a Center of Academic Excellence (CAE) institution and that the academic delivery to students is producing a qualified workforce needed by the nation.
Students attending CAE institutions are eligible to apply for scholarships and grants that require the CAE designation status.
As one of the 18 elite academic institutions that received the original CAE designation in 2001, Syracuse University has continuously maintained its CAE status through re-designations. Meanwhile, the CAE criteria have been updated with more rigorous requirements and multiple review rounds. The new criteria include the new NSA PoS (Program of Study) Validation, evidence of a sound cybersecurity posture/plan, sustainability, professional development and outreach activities, among others.
According to the new criteria, the University received the NSA PoS Validation in 2022 with the bachelor of professional studies program in cybersecurity administration at the College of Professional Studies. This CAE re-designation reaffirms the University's commitment to high-quality education and related activities in cybersecurity.
Joon Park, a professor at the School of Information Studies, served as the point of contact and led the efforts for the NSA PoS Validation and CAE designations with other faculty, staff members, program directors and students in the cybersecurity area across the following schools and colleges in addition to the iSchool:
Park attended the CAE designation ceremony at the National Cybersecurity Education Colloquium in Chicago in September. "Despite the rigorous demands, serving as the point of contact brought about gratifying experiences as I collaborated with our dedicated colleagues and students with honors and privileges, guided by the support and directives from the CAE program officers," says Park. "The designation signifies that the University has the ability to meet the increasing demand for the protection of the National Information Infrastructure with our top-tier achievements in cybersecurity education through the courseware quality, faculty engagement, students' learning outcomes and administration. Moving forward, we will continuously contribute to the national cyber strategy with our cybersecurity education!"
The Google Career Certificates prepare learners for in-demand fields including cybersecurity, data analytics, IT support, project management and UX design, with no experience required. This offering will equip students with job-ready skills as they pursue their degree, while also connecting them to career resources and a network of employers through the program's employer consortium.
"The certificate programs from Google are structured to address the skills gap being experienced by a number of employers," says Arthur Thomas, executive director of the Office of Professional Acceleration and Microcredentials in the College of Professional Studies. "What we've created is a hybrid learning experience that builds on the excellent foundations established by Google by adding a dimension of live online sessions with instructors, specific readings, additional videos and discussion groups guided by our faculty. This added perspective and interaction will give our students a distinct advantage as they approach the job market."
The certificate in cybersecurity is the first of six Google Career Certificates that will be available through Syracuse University.
Students who enroll in the Google Career Certificates through Syracuse University will unlock access to Syracuse University services, including personalized student support, career services and one-on-one instructor support. Additionally, students will have the opportunity to directly discuss course content through virtual live sessions that offer moments to engage with classmates and learn from industry experts who help illustrate how concepts are applied in real-life experiences.
When taking a Google Certificate through Syracuse University, students get the full Orange experience. The Google and Syracuse University partnership brings together two industry leaders to create a fully immersive professional development experience.
The certificates were originally designed and taught by Google employees; Syracuse University has added perspectives and information from both faculty and practitioners to build an even more comprehensive foundation in these areas. Each certificate program includes over 150 practice and graded assessments, quizzes or writing assignments to ensure rigor and mastery. To help prepare learners for jobs, the program provides resources including resume templates, coaching from Career Circle and interview practice with Big Interview. Graduates are also connected with an employer consortium of over 150 companies, including American Express, Colgate, T-Mobile, Walmart and Google, that considers them for relevant roles.
"Global interest in cybersecurity jobs among job seekers has reached an all-time high on Google Search this year, yet businesses continue to report a large cybersecurity skills gap," says Lisa Gevelber, founder of Grow with Google. "The data is clear: we must create more pathways for people to enter the cybersecurity field and build a lasting career. Google is combining our industry-leading expertise in cybersecurity with our proven approach to training people for in-demand jobs to help create a solution. The Google Cybersecurity Certificate will help businesses fill cybersecurity roles and enable people to earn an industry-recognized credential that will qualify them for a great job."
A Prior Learning Assessment (PLA) will be available for students who complete the Google Career Certificates through the University. This assessment awards college credits based on prior learning and experiences by identifying direct course overlaps in a specific for-credit program at Syracuse University to which the student is applying. The PLA allows students to personalize their learning pathway into a for-credit degree or certificate program.
Since Google launched the original Grow with Google program in 2018, over 200,000 people have graduated in the U.S. Seventy-five percent of them report a positive career impact (such as a new job, higher pay or a promotion) within six months of completion, and over 50% of graduates identify as Asian, Black or Latino.
To learn more about this program, visit the program website.
Shiu-Kai Chin
The Biden-Harris administration recently unveiled a new cybersecurity strategy aimed at protecting America's digital infrastructure. It comes as high-profile attacks continue to target both government agencies and private companies.
Shiu-Kai Chin is a professor of electrical engineering and computer science at Syracuse University. He is affiliated with the university's Institute for Security Policy and Law and is an expert in computer security.
Here, Chin helps break down the new strategy and looks at the roles government and corporations will play in securing critical infrastructure.
Just how big of a problem is cybersecurity, and why is it important to tackle it at the federal level?
Safety and security in cyberspace is a global wicked problem. That is, a problem that cannot be solved once and for all because of the myriad of stakeholders with differing views of what is adequate safety and security. Each stakeholder views the problem differently. The root causes evolve and are interconnected. This is very similar to other wicked problems such as climate change.
The federal government plays an important role in convening stakeholders nationally and internationally to gain consensus and international agreements on standards and acceptable behavior and minimum safety levels. Think about air travel and commerce. Think about arms control.
What do you see as some of the key components of the administration鈥檚 strategy?
Important elements of the strategy include coordinating regulations, procurement, economic incentives, and R&D with the specific goal of making cyber-systems and cyberspace safe and secure as a realm of operations for people, business, and governments. For example, tech companies such as software and semiconductor manufacturers often focus on minimizing "time to dollars." This type of thinking rewards companies who rush products to market with new and exciting features without worrying about cybersecurity. This effectively transfers risk to users while setting up de-facto standards for new products without much thought to security. "Leveling the field" means finding ways to reward companies and innovators who think about security from the start so that products with cybersecurity built in from the start (much like safety is built into all our electrical appliances with UL certification) become the norm, not the exception.
Do you feel the current strategy will have a measurable impact on future cyberattacks?
Yes, but it will take time. We didn't arrive in this place a minute ago. Our problems started when, for understandable reasons, personal computers and the chips that powered them had all the security we used to have on mainframes stripped out of them (personal means only the owner has access, right?) and we networked PCs with the Internet. This invalidated an important design assumption in the development of PCs.
The emphasis on "zero trust," i.e., all access and actions must be authenticated and authorized by enforcing appropriate policies, has "security by design" as a goal, as opposed to "bolt-on security" after a product is built with inherent security flaws that cannot be fixed. There are a lot of so-called legacy systems with poor security in operation. Things will get better to the extent that these systems are phased out of critical infrastructure and replaced by systems where security is part of the conceptual design of the system from the start.
What are some of the biggest challenges you foresee with implementing the strategy?
The emphasis on R&D leading to better authentication (identifying the source of requests and integrity of information) is a good start to the problem of attribution in cyber attacks.
The harder issue is the balance of privacy and attribution. This is inherently an authorization or policy problem where the appropriate "good enough" policy is a trade-off among stakeholders. This is where many difficult conversations will occur. Do we want a total surveillance state or the wild west? That's a false dichotomy. We want something in-between where the trade-offs are made based on mission or situation. Protecting access to a biolab with pathogens that can trigger the next pandemic probably won't value privacy as much as a public library giving internet access to people who cannot afford their own computers.
What else can/should be done to prevent attacks and mitigate damage to critical infrastructure?
Engineering exists to support society. Our profession exists in large part to provide critical infrastructure that is safe, secure, and operates with integrity and equity in mind. Our profession excels when we realize that "good enough" safety, security, integrity, and equity have no universally agreed-upon definitions for all cases, applications, and missions. It involves precisely and accurately identifying unacceptable losses to stakeholders for each mission and/or purpose. Once that is done, so-called "adult conversations" can happen where "good enough" is defined through trade-offs. Engineers, planners, folks in leadership know that it's impossible to maximize all parameters simultaneously, e.g., you cannot simultaneously get the biggest, heaviest car with the largest engine while simultaneously maximizing fuel efficiency.
An adult conversation the US Government will have to have is the use of COTS (commercial off the shelf) products in mission critical systems and critical infrastructure. COTS products are built for the commercial market, often for home users (e.g., PCs). They are designed for benign operating environments, not military ones. Using COTS is like a SEAL team going to Best Buy and picking up someone from the Geek Squad to deploy with them on a mission. The question for any critical infrastructure system is: should we prioritize cost over safety and security?
Wenliang (Kevin) Du and Vir Phoha, both professors of electrical engineering and computer science, and Britton Plourde, professor of physics, have been elevated to the rank of IEEE Fellow.
Wenliang (Kevin) Du
IEEE is the world's largest technical professional organization dedicated to advancing technology for the benefit of humanity. It has 409,000 members in more than 160 countries who are engineers, scientists and allied professionals whose technical interests are rooted in electrical and computer sciences, engineering and related disciplines.
The Fellow designation is the IEEE's highest level of membership, attained through nomination by peers and approval by the IEEE Board of Directors.
Du is being recognized for contributions to cybersecurity education and research. Phoha is being honored for his work developing attack-averse active authentication in computing systems using behavioral patterns. Plourde's Fellow status comes in regard to his contributions to the integration of qubits into future practical quantum computing systems.
University Vice President for Research Brown says that election as an IEEE Fellow recognizes the extraordinary accomplishments of these faculty members. "I congratulate Professors Du, Phoha and Plourde," Brown says. "This award demonstrates the high impact that their research has had in the scientific community. Election to an IEEE fellowship shows that these faculty have made important advances in engineering, science and technology. Their accomplishments underscore Syracuse University's continuing commitment to and its reputation as a top-tier research institution."
Du's research focuses on system security for web, mobile, smartphone/tablet and Android operating systems. He has also developed improved access control for mobile systems. In the area of computer security education, the work he began in 2002 to develop hands-on labs for student computer security education is now used by more than 400 universities and colleges in more than 30 countries.
This year, he also received the IEEE Region 1 Technological Innovation (Academic) Award. Du was also recently named principal investigator for a National Science Foundation grant of $399,000, "Building an Internet Emulator for Cybersecurity Education."
Vir Phoha
Phoha's research in systems security involves studying malignant systems, active authentication, machine learning, decision trees and statistical and evolutionary methods. He looks at large time-series data streams and static data sets, anomalies, and optimization of computer networks to build defensive and offensive cyber-based systems.
Phoha was named a Fellow of the National Academy of Inventors in 2020 and a Fellow of the American Association for the Advancement of Science in 2018. He has achieved 13 patents for inventions in machine learning, biometrics, user identification and authentication, data decision-making and cybersecurity attacks. He is currently an associate editor of IEEE Transactions on Computational Social Systems and two other journals.
Britton Plourde
Plourde is a leading expert in quantum computing and is working to develop new computers capable of generating solutions to complex problems using qubit computing systems. His work examines ways to improve superconducting quantum circuits. He and his research partners recently received a $5.6 million Army Research Office grant to investigate processes that deposit energy in solid-state qubits, which can lead to correlated errors in quantum computers.
Plourde has served as principal investigator or co-principal investigator on more than 15 federally funded grants. At Syracuse University, he has been awarded more than $10 million in research funding from a number of government sources and national research foundations.
Du and Phoha were nominated for Fellow status by a Distinguished Professor in the department, who was himself recognized as an IEEE Fellow in 1997.
Two other professors of electrical engineering and computer science at Syracuse University have also been named IEEE Fellows, in 2015 and 2019.
The AT&T 'Cuse Digital Experience is designed to encourage more underserved and diverse students to enter the field of technology, an industry that has long faced a pervasive diversity gap. The program provided more than 120 underrepresented students from the Syracuse City School District in fourth through eighth grades an opportunity to gain critical digital literacy and readiness skills through unique technology-focused immersive experiences, while encouraging them to explore STEM and technology educational and career paths.
Over the course of the program, the students learned a vast array of digital literacy skills, including cybersecurity, positive social media uses, analyzing search engine results, computer coding basics, keyboarding skills, artificial intelligence, 3D printing disciplines, digital animation, robotics, computer-based design for civil engineering and public space projects, and skills for finding factual news online.
The students also learned how technology can be used for good and community building by creating solutions and discovering creative uses to address issues impacting youth of the region, such as digital citizenship, while also learning the dangers of cyberbullying, cyberscams and digital footprint issues that hurt children's reputation later in life.
Deborah Nosky
"We are grateful to AT&T and our collaborative partners for allowing us to introduce digital citizenship to so many local students. During our time together we were able to learn more about safety and how to protect our personal information in the digital world," says Deborah Nosky, professor of practice in the School of Information Studies. "By expanding the students' understanding and use of digital technologies, students were better able to understand how the skills we learned applied to careers they were already familiar with and new ones that they may wish to explore."
"Technology innovates and transforms our world, and it creates boundless opportunities for those who know how to unlock its potential. This is why I am so excited for the 120 Syracuse City School District students who participated in the first AT&T 'Cuse Digital Experience summer program. They learned valuable skills that will surely be the foundation for their future success, and the economic prosperity of our community," says Jennifer Tifft, director of strategic initiatives for the City of Syracuse. "I am deeply thankful to AT&T, the Museum of Science and Technology, Tech4Kidz and Syracuse University for offering such an impactful program to our kids. Partnerships like this make it possible to create more inclusive educational and economic opportunities for families of all backgrounds."
Digital knowledge has become the new literacy and is the driver of all new global technology. With the growing demand to innovate, organizations across various industries struggle to fill skilled positions. It's projected that there will be 3.5 million STEM and digital jobs in the U.S. by 2025, underscoring the importance of providing the youth the tools and skills necessary to compete in this innovation economy.
The urgency for more diverse technology-trained employees is accentuated by the low percentage of diversity in the make-up of the technology industry. This alarming diversity shortage in the tech industry and the growing STEM job market emphasize the importance of providing programming like the AT&T 'Cuse Digital Experience for youth of all backgrounds and economic situations.
"It's been a pleasure teaching and learning from these energetic local students about technology and digital citizenry. Thank you to AT&T for making it possible," says Laurie Ferger, teaching professor in the School of Information Studies.
Laurie Ferger
The free program was made possible by financial support and programming collaboration from AT&T as part of the company's 2021-2023 initiative to help bridge the digital divide and homework gap.
"It has been an honor to collaborate with the MOST, Tech4Kidz and Syracuse University to offer this innovative experience to these students, as it further enhances our commitment to providing resources for digital literacy educational programming throughout the region and builds upon our vigorous efforts to bridge the diversity gap in the technology industry," says Kevin Hanna, director of external affairs, AT&T. "I am so impressed by these remarkable students and proud of their determination throughout the summer working hard to gain critical digital literacy skills; they all have great futures ahead of them."
If you have not done so already, you can complete your annual training via MySlice:
To receive credit for completing the training, you will need to enter a code provided at the end of the video, as well as take a brief quiz.
McKnight is an associate professor in the Syracuse University School of Information Studies (iSchool) whose research specialty includes cybersecurity. He provides written comments that can be quoted directly and is available for interviews as this situation unfolds.
McKnight says:
“U.S. cybersecurity leaders for private companies and in government have been on alert for weeks as President Putin telegraphed his intent to invade Ukraine’s territory, information systems, and infrastructure. Russian cyberattacks on critical infrastructure, falsely claimed to be provoked by Ukrainian attacks to which Russia was responding, and hacks of Ukrainian government websites, were all sadly to be expected parts of this operation.
“For average Americans, there is also a need to be extra alert both to the Russian disinformation campaign and its domestic witting or unwitting partners’ efforts to confuse and to deny the truth of what is happening. Everyone should also be aware of an increased likelihood of incoming phishing emails, and perhaps a little more skillful than average deep fakes. These are professional state-sponsored attempts to infiltrate and distract.
“The main thing for everyone to know now is this metaverse of real and unreal actions and actors is not going away any time soon. Everyone needs to boost their information security awareness, with training, and not just new services or hardware. Since the weakest link in cyber-defense is everyone’s “cyberhygiene”, it makes it easy to infiltrate and wreak havoc.”
To request interviews or get more information:
Daryl Lovell
Media Relations Manager
Division of Marketing and Communications
M 315.380.0206
dalovell@syr.edu |
Syracuse University
Syracuse University’s Information Security team within Information Technology Services (ITS) has not detected any marked increase in activity over the past week but continues to monitor for and prevent attacks. One of the most effective paths for an attacker to gain a foothold on the Syracuse University network is through phishing emails and other social engineering techniques.
ITS encourages all members of the University community to be mindful of and prepared to respond to cyberattacks. The tips below will help community members identify phishing emails and attempts to bypass multi-factor authentication (MFA). Additionally, there is information on taking the University’s required annual Information Security Awareness Training for faculty and staff. Please take a few moments to review the critical information below.
Attackers have been forced to shift their strategy since the University adopted multi-factor authentication for access to key resources. Once an attacker compromises a Syracuse University NetID and password through phishing or another attack, they repeatedly attempt to log in to University resources, generating a stream of MFA requests on the compromised user’s phone or mobile device. The goal is to “wear out” the victim until they approve a request just to silence the device; that single approval gives the attacker access. If you have not explicitly attempted to log in to a system, do not accept an MFA request on your phone or device. Contact your IT Support Staff or the to report fraudulent MFA requests.
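The “wear out” pattern described above leaves a distinctive trace in authentication logs: a run of denied or ignored push prompts for one account in a short window, often ending in a single approval. The following detector is an added example, not ITS code or tooling; the log format, user names and IP addresses are constructed for illustration, and a real identity provider would need its own parser.

```python
"""Detect MFA push-fatigue bursts in an authentication log.

Added example, not part of the ITS notice above. The log format, user
names and addresses below are constructed for illustration; a real
identity provider emits its own schema, so parse_log() would need to be
adapted to it.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log. "alice" receives five push prompts in under two
# minutes from one source; she denies or ignores four, then approves the
# fifth (the "wear out" pattern). "bob" and "carol" show ordinary,
# well-spaced activity and must not be flagged.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z user=alice event=mfa_push result=denied src=203.0.113.5
2024-03-01T08:00:12Z user=alice event=mfa_push result=timeout src=203.0.113.5
2024-03-01T08:00:30Z user=alice event=mfa_push result=denied src=203.0.113.5
2024-03-01T08:01:05Z user=alice event=mfa_push result=timeout src=203.0.113.5
2024-03-01T08:01:40Z user=alice event=mfa_push result=approved src=203.0.113.5
2024-03-01T08:02:00Z user=bob event=mfa_push result=approved src=198.51.100.7
2024-03-01T08:05:00Z user=carol event=mfa_push result=approved src=198.51.100.9
2024-03-01T09:30:00Z user=carol event=mfa_push result=denied src=198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) "
    r"result=(?P<result>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse the constructed log format into a time-sorted list of dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines instead of aborting
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append({
            "ts": ts.replace(tzinfo=timezone.utc),
            "user": m["user"],
            "event": m["event"],
            "result": m["result"],
            "src": m["src"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def find_push_fatigue(events, window=timedelta(minutes=5), threshold=3):
    """Return {user: burst_info} for users who received at least
    `threshold` push prompts within any `window`-long period.

    burst_info holds the size of the largest burst, its time span, the
    source addresses involved, and whether any prompt in the burst was
    approved. An approval after a run of denials or timeouts is the
    strongest sign the user was worn down and the account is compromised.
    """
    pushes_by_user = defaultdict(list)
    for e in events:
        if e["event"] == "mfa_push":
            pushes_by_user[e["user"]].append(e)

    alerts = {}
    for user, pushes in pushes_by_user.items():
        start = 0
        for end in range(len(pushes)):
            # Slide the window start forward until the span fits in `window`.
            while pushes[end]["ts"] - pushes[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count < threshold:
                continue
            burst = pushes[start:end + 1]
            info = {
                "count": count,
                "first": burst[0]["ts"],
                "last": burst[-1]["ts"],
                "sources": sorted({p["src"] for p in burst}),
                "approved_in_burst": any(p["result"] == "approved" for p in burst),
            }
            # Keep the largest burst seen for this user.
            if user not in alerts or count > alerts[user]["count"]:
                alerts[user] = info
    return alerts


def triage(text):
    """Parse a log and list users needing follow-up (password reset and
    session revocation), bursts that ended in an approval first."""
    alerts = find_push_fatigue(parse_log(text))
    return sorted(alerts, key=lambda u: (not alerts[u]["approved_in_burst"],
                                         -alerts[u]["count"]))


if __name__ == "__main__":
    for user, info in find_push_fatigue(parse_log(SAMPLE_LOG)).items():
        status = "APPROVED in burst" if info["approved_in_burst"] else "no approval"
        print(f"{user}: {info['count']} prompts between {info['first']:%H:%M:%S} "
              f"and {info['last']:%H:%M:%S} from {info['sources']} ({status})")
```

The window and threshold are tuning knobs; a burst that ends in an approval should be treated as a confirmed compromise rather than a warning.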
To protect yourself from phishing attacks, ask yourself these questions the next time you receive a suspicious email:
Taking the University’s required annual Information Security Training is one of the best ways for faculty and staff to increase their knowledge and protect their own and the University’s information. The training is available through March 31 and can be accessed by logging in to MySlice, selecting the “Employee Resources” tile and then selecting the “Security Awareness Training” tile. The training is self-paced and takes approximately 30-40 minutes to complete.
All Syracuse University faculty and staff must complete mandatory information security training in accordance with New York State requirements. Employees now can complete their annual training at any time. To do so:
“Even in the last few months, we have seen bad actors adapt to new security measures,” Chief Information Security Officer Christopher Croad says. “These training sessions are essential to discuss best practices and to learn how to protect against new threats.”
To receive credit for completing the training, employees will enter a code provided at the end of the video, as well as take a brief quiz. The expected time required to complete the training is 30-35 minutes. The deadline to complete this training is March 31. Employees with questions can contact Information Security IT Analyst Sarah Marciniak at smlittle@syr.edu.
“We know everyone has a lot going on right now,” Croad says. “We appreciate everyone’s investment of time and energy in protecting the University’s data. It really is up to all of us.”
Screenshots of what the multi-factor authentication process will look like for users of the Microsoft Authenticator app on a computer (left) and mobile device.
MFA is an excellent method for enhancing user account security. With MFA enabled, a prospective thief would need access to both your password and a phone you’ve configured in order to steal your information. Number verification will enhance MFA’s ability to prevent the unauthorized use of NetIDs and passwords.
For more about the upcoming change, including detailed log-in instructions, visit the on Answers. If you need to configure your MFA settings, you can find instructions for doing so on the on Answers.
If you have questions, please contact the ITS Help Desk by calling 315.443.2677 or by emailing help@syr.edu.
If you have questions related to these changes, please contact the ITS Help Desk by calling 315.443.2677 or emailing help@syr.edu.
Kevin Du
Electrical engineering and computer science professor Kevin Du wanted to up the production value of the cybersecurity instruction videos he has been posting to YouTube and decided to construct a studio inside his lab space.
“I used to have one at home in my basement, but that one has a problem because my family just walked around,” says Du. “So I decided I’m just going to build one in the corner of the lab.”
]]>The program focuses on developing essential skills for a career in information technology. Students will explore important topics like cybersecurity, machine learning, AI and cloud computing while expanding their skills in leadership, project management and business. Upon graduation, students will also have an extensive knowledge of data science and information systems.
“We’ve seen increased demand for this type of program over the past few years,” says Bruce Kingma, director of undergraduate programs at the iSchool. “We want to welcome as many different types of students as possible to the iSchool, and the addition of this flexible online program will help us do that.”
Students from various backgrounds and levels of education are invited to apply for the program. Up to 90 transfer credits from community colleges or other universities can be accepted, but transfer credits are not required to enroll. The program offers options to combine online and in-person classes depending on the student’s schedule and preferences.
For more information about the program and instructions on how to apply, visit the or contact one of our advisors at startnow@syr.edu.
Chin comments on SU’s outreach and cybersecurity education programs, targeted specifically at military students, stating “[Cybersecurity] is a critical infrastructure that our modern society depends upon.”
How can universities and colleges position cybersecurity students to be ready for the growing threat of ransomware attacks?
Ryan O. Williams
Williams is associate dean of academic affairs at Syracuse University’s University College. He is responsible for researching, developing and launching new market-sensitive undergraduate and graduate programs.
Williams says:
“As recent ransomware attacks against Colonial Pipeline and JBS demonstrate, the digital world has created an unprecedented need to protect information systems. Preventing, detecting, and responding to attacks is essential to every individual and to corporate, governmental, and non-governmental organizations worldwide. Victims of cybercrime are often faced with an impossible decision: to give in to cyber extortion or forever lose mission-critical data. Ransomware attacks can be both targeted and random. No one is immune. The decentralized and market-oriented US economy remains especially vulnerable, particularly in industries critical to national security, such as energy and agriculture. The federal government has a role to play here, in setting the rules of engagement with criminal actors, communicating threats to the private sector, and in coordinating an appropriate response.
“More than ever, companies need highly-trained, competent cybersecurity specialists fighting on the front lines of this effort. Our prepares students with the necessary skills and expertise to protect systems and infrastructures, a key, transformative career for the 21st century.”
Michael Fudge
Fudge is a professor of practice in the School of Information Studies (iSchool). His areas of study center on digital transformation and the impact of information technology on society.
In this Q&A, Professor Fudge provides tips for password creation and advice on how to keep them safe and discusses extra safety steps you can set up on your devices today to better protect your digital identity.
Q: What are some of the most common mistakes people make when setting passwords?
Fudge: There are two common mistakes users make when deciding on which password to use.
First: using the same password for more than one account. When you re-use the same password on multiple websites, if one of those websites gets compromised and an attacker gets hold of that password, they can use that password to gain access to the other sites. This is usually automated through an approach called credential stuffing. You should always use a different password for each account.
Second: using too simple a password. When a website has password complexity requirements (must be at least 10 characters, one uppercase character, one digit, etc.), we sometimes resort to approaches that do not necessarily ensure good password complexity. For example, you might think of using your middle name as a password (mine is Alexander) and then, to meet the complexity requirements, add the current year with a question mark (Alexander2020?). Automated attacks can take this into account nowadays, so while at one time this was a good choice, it no longer is. The more characters in the password the harder it is to guess, but to meet the length requirement we tend to do some really foolish things like:
These password choices offer little additional complexity. They are predictable and provide insight into my algorithm, or process for creating a password.
The best choice for a password is a truly random sequence of characters that satisfies the complexity requirements. So how do you remember hundreds of randomly generated passwords? You don’t; you use a password manager to do it for you.
The password manager is a personal database of your passwords. It will generate random passwords for you and store them securely. Some password managers will recall the password for you when you return to the site.
Q: So that leads well into this question. My iPhone offers me the option to create a complicated password and save it so I don’t have to remember it. Sounds like that is a good idea?
A: This is Apple’s keychain password manager. The Google phones have one as well. These options are better than you coming up with your own passwords. The risk is you are trusting Google or Apple to securely store your passwords, but it’s better than Post-It notes under your keyboard! There are third-party password manager services: Lastpass, 1Password, Dashlane, and RoboForm. They do the same thing but are not tied to just your phone or Apple/Google devices. The important thing to remember is that when you use these services, we are trusting these organizations to store the key that decrypts our passwords. If you wrote all your passwords in a notebook and locked that notebook in a safe, it would be like giving Google, Apple, Lastpass, etc. the keys to that safe. This is necessary for a password manager to function.
Q: How often should you be changing passwords? Are some accounts more important than others to update regularly?
A: With my passwords randomly generated, I do not change my passwords unless the service requires it.
What is really important is to enable two-factor authentication. This adds an extra layer of security, requiring you to not only know your password but also have a device that can verify your identity, most of the time this device is your smartphone. Two-factor might send SMS TXT to your phone each time you log in or use a special Authenticator app. For example, each time I log into my bank, I must reach for my phone and allow it to read my fingerprint. That way if my bank password does get stolen an attacker would also need my phone (and fingerprint) to log in to my account.
Two-factor authentication also gives you peace of mind, as I get a notification each time someone tries to use my password to log in. If that person isn’t me, I need to change my password.
If the service supports two-factor, I turn it on. If you use a password manager to store your passwords, enable two-factor to protect your passwords!
Q: What are your thoughts on other types of security measures connected to biometric technology, such as facial recognition and fingerprint security?
A: These technologies work well as part of a two-factor strategy. For example, facial recognition paired with a PIN on your phone is a good idea.
Q: With many of us living in the digital world now more than ever, what do we neglect or not know about when it comes to passwords and our digital security?
A: The ways attackers can attempt to obtain our passwords are numerous and varied. Some things we can control, like only installing software from trusted sources, and never clicking on links in an email. For the times the company gets hacked and the password exposure is not your fault, I suggest checking the email used when you signed up for the service on . When you enter your email, it will check to see if that email account was used with a service where your data was leaked. For the companies appearing on that list, change your password on that company鈥檚 website and set up two-factor if allowed.
As a reminder, faculty and staff have free access to IdentityForce’s UltraSecure Plus identity protection, credit services and recovery services until March 2022. To access coverage, employees need their personalized access code, which was emailed from Karen Morrissey, associate vice president, human resources, on March 19, 2021. If you need assistance in obtaining your personalized code, contact HR Shared Services at 315.443.4042.
Effective immediately, employees can now purchase additional coverage and add one other adult directly through the IdentityForce secure portal using a credit card. This will allow for immediate access to upgraded coverage through IdentityForce.
Visit the HR for more information and to learn how to enroll. For any questions, contact HR Shared Services at 315.443.4042 or IdentityForce Member Services at 877.694.3367.
How secure is this type of payment method? And what could be the future implications of a company like Amazon having this sort of biometric information?
Professor Vir Phoha
Vir Phoha is a professor of electrical engineering and computer science at Syracuse University. His expertise areas include biometrics, cybersecurity, machine learning, and smartphone and tablet security. Professor Phoha answers a few questions about biometric technology and some of the challenges it presents.
He is available for interviews and additional questions.
Q: What are your initial thoughts about the use of this sort of biometric technology?
Phoha: Typically palm prints are based on characteristics of the palm, such as the length and width of the palm, fingers, bone structure, and surface area of palm; and lines and ridges on the palm.
They can be contact-based such as placing the hand on a scanner. Placement may be guided by positioning pins that align the hand correctly for the camera or it can be contactless such as through a camera.
Some form of a scan or picture is taken of the palm, although different people have different palm structures (and palm veins). Privacy and security will be an issue because there is a lot of overlap in the structure of hands of different people, so this biometric is easy to spoof; identity theft may be a bigger problem as compared to a face biometric, as it will be relatively easy to spoof or claim the identity of an individual. It can be a concern if the palm biometric is linked to credit cards and the information is stored on the Cloud. And the Cloud is under the control of Amazon.
Benefits of this technology: Sturdy and user friendly; ease of use is high. Changes in skin moisture or texture do not affect the results. There are not many studies that examine whether there are differences in palm structure for different ethnicities, etc.
Drawbacks of this technology: There is a lot of overlap in the structure of hands of different people, so it is easy to spoof. Thus, the security of these systems is not as high as say a fingerprint.
Q: How would someone spoof a palm print?
Phoha: Typical ways of spoofing a palm are a silicone glove, or building a mold of a victim by replicating the palm prints (or image) from a picture of an individual’s palm or from palm prints left on glass, etc.
Q: What are some safeguards that should be put in place to prevent misuse?
Phoha: In addition to cryptographic and secure computation methods, I think palm biometrics should be combined with some other forms of biometrics or identification technologies including some form of second-factor authentication.
Q: Should we be concerned of having a large retail/tech company like Amazon with access to this kind of biological identifier?
Phoha: Yes, because unlike the face, one has to depend on algorithms to refute any false positives. Your face is visible so one can refute any allegations in a straightforward way. For example, in the case of facial recognition, the persons accused were able to refute because they saw the face of the real person who was to be charged and said that is not them.
Q: Similar to facial recognition software, how should companies navigate the use of this sort of technology by law enforcement agencies?
Phoha: To a large extent palm print is similar to fingerprint because an image (picture) is taken and just a visual inspection does not identify a person (unlike face). Algorithm matching has to be done. I feel that there are fewer chances of implicit bias because of palm print as compared to facial recognition.
As a follow-up to the message we shared earlier this week regarding fraudulent unemployment benefit claims filed on behalf of New York State residents, we are writing today to share more information about identity protection services.
To help provide peace of mind to our community, the University has engaged IdentityForce, a leader in the identity protection industry, to provide services to faculty and benefits-eligible staff. Beginning Friday, March 19, eligible faculty and staff will have one year of free access to IdentityForce’s identity protection (including fraud, change of address and dark web monitoring); credit services (including credit freeze and reporting assistance, credit bureau monitoring, and monthly credit reports and scores); and recovery services (including white-glove remediation assistance and up to $1 million of identity theft insurance). Employees will also have free coverage for their children and the option to purchase additional coverage for themselves and one other adult at a reduced price.
Next week, you will receive a welcome email from IdentityForce that includes a link to access its secure portal so you can activate the coverage and begin using its services. Enrolling in these services is optional. When you activate the coverage, you will decide the level of information you wish to provide to IdentityForce. No personally identifiable information will be provided to IdentityForce by Syracuse University. You will also receive a brief survey from the Office of Human Resources that will ask you if you want to elect additional coverage for yourself or another adult. If you complete this survey, the Office of Human Resources will transmit that information to IdentityForce on your behalf.
Please contact HR Shared Services (HRservice@syr.edu or 315.443.4042) with any questions about this new benefit.
Sincerely,
Andrew R. Gordon
Senior Vice President and Chief Human Resource Officer
Steve Bennett
Senior Vice President for Academic Operations and International Programs and Chief of Staff to the Provost
We write to you today to update you on the continued occurrence of fraudulent unemployment benefit claims filed on behalf of New York State residents. Many states across the country are reporting similar widespread unemployment fraud schemes, taking advantage of an increase in legitimate claims due to the pandemic.
Starting in February, the University experienced a rise in fraudulent unemployment benefit claims filed in the names of Syracuse University employees. Know that when this occurs, the University is identifying the fraudulent claim to New York State and working with affected employees. Syracuse University is also in contact with state and federal authorities.
In addition, our team has been communicating regularly with peers across a range of industries, including other colleges and universities throughout the state, who report that they are experiencing the same phenomenon. The University has also engaged leading global cybersecurity experts, who confirm the number of fraudulent claims we are receiving is similar to other organizations.
Our peers have indicated that they are unaware of any breach to their systems related to these fraudulent claims. Based on extensive testing of our own systems, we have no evidence that this comes from a data breach at Syracuse University. To verify this is the case, Syracuse University has engaged EY’s cybersecurity services to assess whether there are any indicators of compromise in our systems. Furthermore, as other organizations have done in response to this wave of fraud, to provide peace of mind to our community, Syracuse University will offer as an additional benefit to all faculty and benefits-eligible staff one year of identity theft protection services, free of charge. Information on how to register will be shared later this week.
If you believe that a fraudulent claim has been filed in your name, please visit the for step-by-step guidance on reporting fraud and protecting yourself. Any additional questions or concerns can be directed to HR Shared Services at 315.443.4042 or by emailing hrservice@syr.edu.
Sincerely,
Andrew R. Gordon
Senior Vice President and Chief Human Resource Officer
Steve Bennett
Senior Vice President for Academic Operations and International Programs and Chief of Staff to the Provost
Shiu-Kai Chin
Around half of states typically considered battleground states are facing cybersecurity challenges that put them at increased risk of a cybersecurity breach.
Shiu-Kai Chin, Ph.D., is a professor of electrical engineering in the College of Engineering and Computer Science and the Laura J. and L. Douglas Meredith Professor for Teaching Excellence. Professor Chin’s research interests include cybersecurity, systems assurance and formal verification.
Dr. Chin offered his perspective:
“The primary mission is to maintain the integrity of the voting process, particularly in terms of (1) assuring access by all registered voters to cast votes in a timely fashion, (2) ensuring each legitimate vote is counted without undue delay and (3) being able to provide an accurate accounting of the process to demonstrate trustworthiness.
Certainly, cybersecurity plays an important role and I would assume that all jurisdictions have contingency plans to mitigate loss of power, computers and networks. That is, the voting process does not depend entirely on one technological aspect, in this case one particular set of computers or networks.
For a relevant example, the financial services industry, particularly the use of consumer credit cards, demonstrates that a reliable and trustworthy service can be delivered using a combination of imperfect technology (e.g., a three-digit verification number on the back of a credit card), surveillance (e.g., consumers being able to monitor their accounts 24/7) and policy (e.g., questionable transactions being removed from customer accounts pending investigation). I would imagine that the voting process has all these capabilities in place and more.”
Two Syracuse University professors and cybersecurity experts offer comments on the latest developments.
Shiu-Kai Chin is a professor of electrical engineering at Syracuse University’s College of Engineering and Computer Science. His research interests include computer security, cybersecurity and systems assurance. He says now is not the time to play the blame game. Instead, officials should do a system-wide assessment to match safety and security expectations.
Chin says:
“Hospital operations epitomize mission-critical functions. There is a real danger of unacceptable losses happening in terms of patient injury and death.
“The key to preventing future losses is to adopt a mission-assurance mindset combined with systems thinking. What a mission-assurance mindset means is: Avoid the blame game, which focuses on finding the one person whose head will go on a platter, or the single component responsible for the entire denial of access to patient records. Safety and security emerge out of the combined efforts of all involved. Safety and security cannot be created by one component or subsystem. At a minimum, it requires a controlled process and a controller operating together within system-wide constraints that match the safety and security expectations of the system’s stakeholders.
“We need to stop admiring the problem, i.e., stop focusing entirely on ransomware. Fixing ransomware alone will not assure the hospital’s mission. We need to identify mission-essential functions, e.g., timely, accurate, and precise knowledge of patient and hospital status, identify scenarios where these functions could be compromised, i.e., wargame the scenarios, and devise mitigations and/or adjust operations and decision-making processes prior to the next attack or accident.
“Moving forward, necessary questions are: What circumstances combined with hospital operating conditions can bring about the loss of mission-critical functions leading to unacceptable losses? What are early indications and warnings that we are operating in a hazardous state that could lead to unacceptable losses? And based on wargaming, what mitigations or plans do we have to manage ourselves out of a hazardous state to prevent or minimize unacceptable losses?”
McKnight is an associate professor at the Syracuse University School of Information Studies (iSchool) whose research specialty includes cybersecurity. Prof. McKnight, who will present at the Oct. 14-16, says architectures and new community awareness efforts are needed to build cyber-physical security resilience.
McKnight says:
“I felt sick to my stomach when I learned of the Universal Health Services ransomware attack.
Turning hospitals back to 1950s paper-based operations, during a pandemic, will cause people to die in spite of best efforts and back-up plans. UHS is a huge operation with 90,000 employees now working on their penmanship.
“The need for a new secure cloud architecture approach for security, privacy, rights and ethics, cloud to edge, as we have been developing in public-private partnership with the City of Syracuse, NIST, and many firms and community organizations nationwide and worldwide, becomes more obvious every time poorly architected (for 2020) legacy systems without access control and least privileges by design bring down a company.
“The consequences of non-compliance with ransomware attackers’ demands are growing more extreme. Even as Universal Health Services struggles to restore systems, the Clark County (Las Vegas) School District is also suffering a ransomware attack. Students’ grades and personal information have been released to the Dark Web as punishment for the District not complying with their financial demands.
“Fortunately, data backups of medical information limit the damage in the UHS case. And patient records are kept in a separate system that was not accessed, so their systems do have some cyber-physical resiliency by design. But that’s not enough in the UHS case to regain control of key healthcare systems from hackers.
“Since for both schools and healthcare systems like Universal Health Services, as well as city governments, and small and large businesses, cyber-business as usual is just too easy for the hackers to take over. New architectures and new community awareness efforts are needed to build cyber-physical security resilience.”
McKnight is an associate professor in the Syracuse University School of Information Studies (iSchool) whose research specialty includes cybersecurity.
McKnight says:
“Tik Tok has been guilty of being a fast-growing phenomenon, which exposed its sloppy technical practices to scrutiny, as happened with Zoom. The list of Tik Tok vulnerabilities and flaws patched or not (yet?) patched properly over the past months is long. Whether they were just sloppy like typical Silicon Valley companies, or malicious, would require access to classified information to say for sure one way or another.
“Going forward, the separation of U.S. user data from control of the ByteDance parent through the Oracle acquisition is a significant change; but of course, we don’t know yet how Oracle will treat U.S. consumer data. If no better than, say, Facebook or Google... user (still) beware.
“The issue of control of the software coding highlighted by Senator Rubio is, sort of, a true concern. But since the bulk of the software would be in Oracle’s data centers, presumably Oracle can detect anomalous data flows back to China; or encrypted data exiting their data centers for points unknown. So, not a serious problem at the infrastructure level. For data flows from user devices, similarly, Apple or Google’s Android OS could detect anomalous encrypted data flows exiting user devices, so that is also not necessarily a serious concern. If we can trust Google and Apple to protect users over their Chinese market positions.
“But clearly the biggest security threat to Tik Tok user data remains the Chinese Communist Party, and the People’s Army, which even if they cannot come in through an open backdoor, have shown no hesitation to steal and/or censor data and information to suppress dissent. ByteDance the parent corporation, and its founder and CEO Zhang Yiming, are always subject to pressure and control of the CCP, which can make even the CEO of the most valuable startup in the world disappear. In 45 seconds.”
To request interviews or get more information:
Daryl Lovell
Media Relations Manager
Division of Marketing and Communications
M 315.380.0206
dalovell@syr.edu |
The Nancy Cantor Warehouse, 350 W. Fayette St., 2nd Fl., Syracuse, NY 13202
news.syr.edu |
Syracuse University
All students with an appetite for challenges (and pizza) are invited to the CyberStart launch party on Friday, Feb. 14, at 3 p.m. in 200 Falk College. Attendees will have the opportunity to demo the CyberStart video game and talk with cybersecurity experts from Syracuse University.
Syracuse University is one of just nine universities selected by the SANS Institute to participate in the CyberStart program. Chief Information Security Officer Chris Croad and Professor Shiu-Kai Chin from the College of Engineering and Computer Science have partnered to bring CyberStart to campus.
“I’m excited that we’re able to bring this opportunity to all of our students,” Croad said. “CyberStart will help students across all majors learn about a field that effectively has negative unemployment.”
In addition to career opportunities, CyberStart offers a chance to think about the “promise and pitfalls of cyberspace,” according to Chin.
“Our society is increasingly a cyber-physical one, where how we live and what we can do depends on decisions made by electronic systems,” Chin said. “People who understand the cyber nature of the world can help shape it to become a more positive version of itself.”
The CyberStart program offers students across all disciplines an opportunity to learn more about the cybersecurity profession, test their problem-solving skills and learn new technology. The first round (CyberStart Go) consists of unscored gameplay. At the end of the first round, interested students will have the opportunity to move on to the competitive round (CyberStart Game) in March. CyberStart Game offers more advanced challenges and is scored by ITS. The top scorers from the second round will be recognized at a champions鈥� reception and will receive access to CyberStart Essentials, which provides a deep dive into cybersecurity technology equivalent to roughly 70 hours of professional training.
“My hope is students from all academic areas will give this a try,” Croad said. “Although they might lack the classic ‘cyber skills,’ students who excel in critical thinking and problem solving could discover that they want to further explore the cybersecurity discipline.”
Kristopher Micinski is an assistant professor at Syracuse University’s College of Engineering and Computer Science. As a general precaution, he encourages users to close accounts they’re no longer using and to regularly audit which applications have access to their data.
Micinski says:
“Situations like these are good reminders that we’re only as secure as our weakest link.
“Once we give our private data to an institution, whether a hospital or just an app, we must implicitly rely upon that institution to secure our data in perpetuity. One tangible way we can prevent this is to close accounts we no longer use.
“As a concrete example, many people using sites such as Facebook often, perhaps unknowingly, give third-party apps permission to use their data from Facebook (e.g., dating apps, Netflix, etc.). We must take proactive measures to cut these ties, such as in the case of Facebook, Google, and other sites. Each network has the ability to remove apps that were previously installed.
“There’s a link to a that will help you audit and understand what apps have access to your data.”
Cyberattacks happen every day. From Equifax to Facebook, even the biggest companies struggle to protect our data, and they often fail to do so. But breaches that expose personal and financial data are only part of the problem. There are cybersecurity systems around the world that protect people’s very lives.
Earlier this month, Syracuse University hosted its second annual Enduring Assurance Workshop. The three-day, invitation-only meeting convened a team of experts who are devoted to thwarting attacks on the systems that military and intelligence agencies rely on to carry out their missions safely and effectively. Attendees included representatives from the National Security Agency, the U.K. Ministry of Defence, and the National Counterintelligence and Security Center, as well as the U.S. military, academia and industry.
A collaboration between the College of Engineering and Computer Science (ECS) and the Office of Veteran and Military Affairs (OVMA), this year’s workshop followed the theme “Making Mission Assurance a Reality.” The attendees addressed cybersecurity risks to U.S. Department of Defense missions; the architectural, functional and security requirements that impact data flows; securing the U.S. Air Force’s software-centric electronic warfare operations; and mission assurance and security by design.
“I am proud to say that the majority of people who attended are either Syracuse University alumni who are now working in government, industry or academia, or cyber experts who we have collaborated with extensively,” says Shiu-Kai Chin, professor of electrical engineering and computer science in ECS. “Each participant is invited because they are grounded in both the theory and practice of mission assurance, risk management, and cybersecurity.”
“The OVMA is proud to support this important cybersecurity work which offers significant value to our country’s national security,” says OVMA Executive Director Ron Novack. “This initiative aligns well with the University’s commitment to serve veterans and speaks to the authority and caliber of the University as a recognized leader in this emerging field.”
Cybersecurity is a “wicked problem”—a problem that is unstructured, open-ended, systemic, multi-dimensional and operates in an evolving environment. By bringing leading cyber experts in this crucial field together, the University further establishes its reputation as a leader in cybersecurity and military affairs.
“Together, we are working to ensure that truly trustworthy systems are conceived, designed, tested, verified and operated, and that all stakeholders’ needs are addressed,” says Chin. “We’re protecting those who protect us.”
Kevin Du, right, has trained thousands of educators from around the world on the latest cybersecurity techniques using his custom-designed labs.
A cyberattack is happening right now. At every moment of every day, increasingly sophisticated hackers are trying to gain access to the networks of businesses and institutions around the world. To combat them, College of Engineering and Computer Science Professor Kevin Du says learning how to protect a network is not enough. To fully understand cyberattacks, you need to think like a hacker and know how to break in.
“As educators, what we are actually trying to teach students is–what are the problem areas? How the attacker can attack. We don’t just teach them on paper, we really say you have got to do it because otherwise, you don’t know how to defend,” says Du.
Since 2002, Du has trained thousands of educators from around the world on the latest cybersecurity techniques using his custom-designed labs.
“Students learn better from doing but to actually do that is very hard so this lab serves that purpose,” Du says.
In his workshops on campus funded by the National Science Foundation, participants can safely attack and defend networks without the risk of doing any harm.
“What I provide is a contained environment. They launch an attack inside their own computer. So inside their computer, they have multiple computers actually,” says Du. “So they are attacking from one computer to another which sometimes we simulate some of the servers for example google.com but they actually on the inside of our computer.”
The goal is to boost the next generation of computer scientists and cybersecurity students–making sure they are ready to adapt in the rapidly changing online security landscape.
Professor Dan Bennett from Edinboro University came to the Syracuse University campus to participate in Du’s workshop. He says his opportunity to work with a worldwide leader in cybersecurity education will benefit his students at home in Pennsylvania.
The goal of Kevin Du’s workshops is to boost the next generation of computer scientists and cybersecurity students.
“I hope to take some stuff that I can take and put in the class pretty directly,” says Bennett. “One of the things that is going to be wonderful is that we teach them techniques but then when they see these they will understand much better why we teach them software techniques.”
Educators say the material in Du’s workshop can benefit students across several tech disciplines since all need to be thinking about security.
“In your computer, there are a lot of doors, and many doors are not locked,” says Du.
Du just published the second edition of his computer security textbook that is currently being used by more than 80 schools.
During the podcast, Dr. Du spoke about “the importance of hands-on training in cyber security.”
]]>Cybersecurity specialists work on the front lines and are responsible for implementing and overseeing networks that are required to run specific portions of a security program. The BPS degree provides the applied skills, breadth of knowledge and professional competencies needed to manage people and the technologies required to protect information systems and infrastructures.
According to , the national average salary for a cybersecurity specialist is $90,239 per year. In Syracuse and the surrounding area cybersecurity administrators make on average $85,756 per year.
“The online bachelor’s degree in cybersecurity administration was developed to address rapidly evolving global information security needs,” says Michael Frasciello, dean of University College. “While the online program is open to anyone who qualifies, it was designed to align with security and assurance specialist training in the United States military.”
Active duty military, New York State National Guard members and U.S. Reserve Component Military admitted to the online degree in cybersecurity can use their Tuition Assistance (TA) or New York State RIRP tuition benefit to cover 100 percent of the tuition.
“Offering our online bachelor’s degrees at the TA rate for active, guard and reserve members is another example of Syracuse University’s unwavering support for our veterans and those currently serving,” adds Frasciello.
Pursuing a college degree online allows students to manage the ever-increasing demands of personal and professional commitments while beginning or continuing their education. For more information on how to get started, call 1.866.498.9378 or email parttime@syr.edu.
This fall, the Cybersecurity Semester (CSS) returns to Syracuse University to teach computer science and computer engineering students from institutions across the country to become leaders in cybersecurity.
Designed by the and the , the CSS is an 18-credit semester in which students gain technical expertise from cybersecurity leaders and practitioners through hands-on experiences. Participants learn to identify and analyze system vulnerabilities, assess risks, develop countermeasures and secure systems, and deliver software that has verifiable assurance properties.
The CSS is open to qualified Syracuse University students, as well as ROTC scholarship cadets from other colleges and universities. This year, SU is offering the CSS on a cost-neutral basis for up to 10 ROTC candidates from academic institutions outside of Syracuse University. SU’s cybersecurity programs have been .
Participants will attend a leadership development seminar, gain priority access to an internship with the U.S. Air Force, attend retreats and visit the Civil War battlefields of Gettysburg, Pennsylvania.
“Students in the CSS learn the theory, tools and practices to verify the security and integrity of operations formally. This capability is the basis for assuring missions in cyber physical space no matter the application. There is no other program like this in the nation,” says Professor Shiu-Kai Chin.
The CSS consists of a core course load, electives and professional development. Core ABET-accredited courses include CIS 400: Certified Security by Design, CSE 484: Introduction to Computer and Network Security, and CIS 487: Access Control, Security, and Trust. Electives are tailored to individual student needs and interests. Professional preparation includes an internship and leadership development.
Students must be seniors or juniors in a computer science or computer engineering undergraduate program with an appropriate level of prior coursework and a preferred GPA of 3.3 or higher. They must also have experience with discrete mathematics, programming experience in a high-level language and familiarity with Linux at the command-line level. U.S. citizenship or permanent resident status may also be required to be eligible for internship opportunities, an optional part of the program.
Applications will be accepted until 11:59 p.m. EST on March 17, 2019. To apply, please send the following in a single PDF file to cyberengineering@syr.edu:
A letter of recommendation from an academic advisor or faculty member must also be sent to cyberengineering@syr.edu directly from the reference by the deadline. For ROTC cadets, a letter of reference from ROTC detachment leadership is also acceptable. Admission notifications will be sent in April.
The Enduring Assurance Workshop was an invitation-only opportunity to help set the research and development agenda for the U.S. Air Force (USAF) in support of cybersecurity. To support mission-essential functions, the Air Force needs to be sure its systems can maintain the necessary security, integrity, and stability.
“The workshop brought a diverse group of people from industry, government, military, and academia together to discuss cybersecurity applied to all areas of technology, administration, and human endeavor,” says Oh.
The research and development ideas generated will inform the research and development agenda put forth by Kamal Jabbour, USAF senior scientist for information assurance. Jabbour is the principal scientific authority and independent researcher in the field of information assurance, including defensive information warfare and offensive information warfare technology.
Kevin Du is a professor of electrical engineering and computer science at Syracuse University’s College of Engineering and Computer Science. Professor Du, who teaches internet security courses, says phishing attacks are not new to the cyber world. But the move of attacks into the political world is.
Du says:
“In general, this is called ‘phishing attacks.’ Attackers trick victims to visit their sites, which looks similar to a legitimate site. The attack has been used against banking, financial institutes, companies, and universities. To my knowledge, using it for political purpose is something quite new. Technically, however, they are similar attacks.
“I do remember one incident that is related to this most recent attack. In the 2004 presidential debate between John Edwards and then U.S. Vice President Dick Cheney, Cheney said the following: ‘Well, the reason they keep mentioning Halliburton is because they’re trying to throw up a smokescreen. They know the charges are false. They know that if you go, for example, to FactCheck.com, an independent Web site sponsored by the University of Pennsylvania, you can get the specific details with respect to Halliburton.’ The debate was broadcast live and within a few minutes, the website of FactCheck.com received a tremendous amount of traffic.
“Unfortunately for Cheney, the actual website should have been FactCheck.org, a politically neutral web site, not FactCheck.com. George Soros, who did not like Bush, immediately capitalized on this mistake by somehow (he might have paid the owner of FactCheck.com for doing so) redirecting all the FactCheck.com-bound traffic to his own website, where the top item was an article by Soros entitled ‘Why we must not Re-Elect President Bush.’ In essence, Cheney had launched an attack against himself by using an incorrect website name and Soros capitalized on that mistake. In spirit, the attacks we see today are similar to this incident.
“To protect against this attack, customers just have to be very careful telling the difference between the real website and a fake website. It is quite hard.”
To request interviews or get more information:
Daryl Lovell
Media Relations Manager
Division of Communications and Marketing
T 315.443.1184  M 315.380.0206
dalovell@syr.edu |
820 Comstock Avenue, Suite 308, Syracuse, NY 13244
news.syr.edu |
Syracuse University
Shiu-Kai Chin is an electrical engineering and computer science professor at Syracuse University’s College of Engineering and Computer Science. Chin says the strategy of “robbing Peter to pay Paul” to address cybersecurity funding leaves us vulnerable as a nation.
Chin says:
“We’re all in the same boat when it comes to cybersecurity. The apparent strategy of robbing Peter to pay Paul still leaves us vulnerable as a nation. The fact is that much of the nation’s critical infrastructure, much of which depends on the correct operations of computers embedded in that infrastructure, lies outside the government, i.e., power, telecommunications, financial services, and transportation.
“The National Institute of Standards and Technology plays a crucial role in setting the bar for what’s good security practice, how to assess security, and how to implement computer security. NIST is working hard to address the root causes of our national cyber vulnerabilities by providing guidance on how to build trustworthy systems by building security into systems from initial conception through deployment.
“You cannot build a house on half a foundation. Cutting NIST is short-sighted.”
Passages from Professor Shiu-Kai Chin’s testimony to New York State Senate Public Hearing on Cybersecurity:
Shiu-Kai Chin
“If you treat each item of information as if it were a $100 bill, then you will know what to do. Security and integrity must be built in from the initial concept of a system, into its design and throughout its deployment and operation. This is no different than building and operating any business with the financial controls, constraints and policies to assure that every transfer of funds is authenticated and authorized. The same holds true for information. The gold standard is every transaction must be authenticated and authorized with assurances that if something was done, then whatever was done must have been authenticated and authorized because of the controls and constraints that were built into the system from the start.
There is no integrity or security without audit. What we are talking about is accountability. Information and information operations must be treated with the same care and diligence as we treat money and financial operations. We need to mimic the routine business practice of annual financial audits to assure the public that public statements of a business’ information operations are accurate and reflect reality.
Math is essential. Financial audits rigorously answer the question whether a business’ balance sheet and policies are accurate statements of its financial state and operations. Evidence is gathered, and numbers are crunched. Compelling proof of integrity requires that everything adds up and is balanced. The same is true for information operations. Math is essential for compelling assurance of security and integrity.
What I am saying is not new. The following passage is part of a paper written by Lieutenant Colonel Roger Schell describing remarks by a KGB officer:
“Comrades, today I will brief you on the most significant breakthrough in intelligence collection since the ‘breaking’ of the ‘unbreakable’ Japanese and German cyphers in World War II—the penetration of the security of American computers. There is virtually (if not literally) no major American national defense secret which is not stored on a computer somewhere. At the same time, there are few (if any) computers in their national defense system which are not accessible, in theory if not yet in fact, to our prying. Better still, we don’t even have to wait for them to send the particular information we want so we can intercept it; we can request and get specific material of interest to us, with virtually no risk to our agents. …
“They are aware of the potential for a computer security problem, but with their usual carelessness they have decided not to correct the problem until they have verified examples of our active exploitation. We, of course, must not let them find these examples.”
The above comments are in Roger Schell’s paper “Computer Security: the Achilles’ heel of the electronic Air Force.” The paper was published in Air University Review, in 1979! The paper was reprinted in the 2013 issue of Air & Space Power Journal because of its historical significance.
One takeaway is this: cybersecurity is a known problem, and we have known about it for over 40 years.
Schell wrote his paper in response to the cancellation of his computer security research program by the Air Force in 1979. Our answers to the question “What did we know and when did we know it?” reveal we have no plausible deniability when it comes to cybersecurity. We knew early on this would be a strategic vulnerability and we chose to ignore it. I deliberately say “we” not “they” because even though “we” were not in command in 1979, “we” collectively set the market and the national expectations of what is reasonable, now.
We can no longer ignore the problem. Business as usual will lead to disaster.
The overarching guidance from Schell’s 1979 paper still applies today:
“Do not trust security to technology unless that technology is demonstrably trustworthy, and the absence of demonstrated compromise is absolutely not a demonstration of security.”
The implication is this: penetration testing, while very useful, is insufficient alone for assuring trustworthiness. We need to do the math much like auditors do the math to provide compelling evidence of trustworthiness. We need to verify that the controls and constraints are appropriate for the intended mission. We must verify the controls and constraints are correctly implemented and used properly.
The good news is we have made a lot of progress since 1979. Mathematical verification of computer systems was once thought to be too hard. Semiconductor companies such as Intel routinely integrate formal mathematical verification, simulation and testing to verify their microprocessor chips are correct. Companies, such as Rockwell/Collins, that manufacture onboard flight control computers for commercial airliners do formal mathematical proofs to assure flight control computers are secure.
Syracuse University, in partnership with the Air Force Research Laboratory in Rome, New York, since 2003 has offered the ACE (Advanced Course in Engineering) Cybersecurity Boot Camp. ACE has graduated over 500 ROTC cadets, civilians and active duty personnel from over 50 universities in the U.S. and United Kingdom. ACE provides compelling evidence that rigorous approaches to mission assurance and cybersecurity are feasible and practical at the undergraduate level in engineering and computer science.
As the B.S. degree sets the baseline capabilities for the engineering and computer science profession, it is essential that secure system design and engineering be routine at the B.S. level. I am proud to say that this is the case at Syracuse University.
I end my testimony by pointing out a looming problem we need to address now. We must address the need for trustworthy online and electronic identities. Social security numbers are fatally compromised. They must be replaced.
The thing about online identity is this: our identity is not who we say we are; it is who others say we are. Who are we going to trust with that authority? How will we know that the foundation for establishing identity is trustworthy? How will authorities trusted with certifying identity be audited to verify their trustworthiness? Authentication technology alone is insufficient. It is just one component in a system that requires policies, practices, norms, rules and regulations.
It is worth pointing out what happened to Roger Schell after 1979. Schell would go on to be regarded as the “father” of the National Security Agency’s Trusted Computer Security Criteria. It is the foundation of the current National Institute of Standards and Technology security standards. In 2012, Schell was inducted into the inaugural class of the National Cybersecurity Hall of Fame.
Schell is an example of what individuals can do. Our democracy, with all its well-publicized frustrations, is a workable system that enables engaged citizens to keep debate alive; shape the terrain of expectations, standards, policies and practices; and thereby move all of us to a better place.
Start the discussion and debate now on what minimum standards and expectations are required when it comes to establishing, maintaining and verifying the trustworthiness of systems, corporations and government entities entrusted with our safety, information and our identities in cyberspace.”
Passages from Associate Professor Steve J. Chapin’s testimony to New York State Senate Public Hearing on Cybersecurity:
Steve Chapin
“My invitation to testify requested threat assessment, information on best practices in the face of cyberattacks, and concrete solutions to cybersecurity. I will address each of these points, but let me say in advance: the future is bleak. The path we are on will only see an increase in attacks and losses unless we make significant changes in how we do business (and by do business, I mean both how we conduct commerce and design, build, and operate cyber-systems).
Risk Assessment
In many ways, the Equifax breach is just the most recent and spectacular in a long string of security failures that put our citizens’ privacy and fortunes at risk. A list of data breaches just in 2017 includes more than 35 major data breaches in industries ranging from finance, internet services, retailers and telecommunications to health care and higher education. Last year’s Dyn DDOS attack using the Mirai botnet gave us a glimpse into what we can expect in the future if we continue to deploy insecure and in-securable devices in the Internet of Things. Mirai’s descendant, IoT Troop/Reaper, is estimated to have already infected devices on a million networks. In short, there is no natural upper bound to the damage that cyberattacks can do—all of our information, personal and financial, that is on commercial, off-the-shelf computers connected to the Internet, is at risk.
This threat is not confined to e-commerce, but has already put our elections at risk. In 2003, a panel of experts at the IEEE Security & Privacy Symposium described the state of the art in electronic voting machines. They pointed out multiple flaws with the machines being installed in multiple states. In 2017, experts at DefCon broke into state-of-the-art voting machines in < 90 minutes. Some of their attacks were over WiFi and were able to change vote tallies without any trace. Other (white-hat) hackers have demonstrated how they can, with only the aid of a USB memory stick, change vote tallies while in the voting booth. In the words of Calvin and Hobbes, “Live and don’t learn. That’s us.”
When Best Practices Aren’t Good Enough
Twenty years ago, Gene Spafford, one of the luminaries of cybersecurity, wrote: “Secure web servers are the equivalent of heavy armored cars. The problem is, they are being used to transfer rolls of coins and checks written in crayon by people on park benches to merchants doing business in cardboard boxes from beneath highway bridges. Further, the roads are subject to random detours, anyone with a screwdriver can control the traffic lights and there are no police.”
Sadly, that is still a largely accurate description of the state of security on the Internet. It doesn’t matter how well-protected the transport is if the computers at the ends of the transaction are not secure. Having a secure connection to a web server doesn’t help if the database that the server stores customer information in is vulnerable. It doesn’t matter how good the security controls on a system are if they’re not turned on and properly configured.
There is a fundamental lack of accountability for cybersecurity. As a private citizen, I would like to share my personal information with the smallest number of entities—but in modern society, I must share with my bank, my credit card company, my utility, my health care professionals and my employer, to name but a few. I have little insight and no control over with whom they share my information. My only choice is to withdraw completely from society, which is a Hobson’s choice. One factor that sets the Equifax breach apart is that most of the people whose data was stolen never directly consented to have Equifax hold it—that was done by the industries that use Equifax’s services to make credit decisions. When breaches happen, there is significant finger-pointing, but in the end, it’s the public that bears the true cost, through identity and financial theft. One of the breaches I referred to earlier involved a contractor leaving 9,000 documents containing personal information on holders of top secret security clearances on an unsecured Amazon server for six months.
We must move away from systems that conflate identification and authentication. There is nothing wrong with using a Social Security Number as an identifier; there is nothing right about using it for authentication. If I chose to have my SSN tattooed on my forehead it should make no difference—it is not a secret, and never truly has been. Treating it as such has given the illusion of security. Similarly, my birthday is a matter of public record. My mother’s maiden name has been in newspapers—newspapers that are now searchable on the Internet.
Recommendations
I have four recommendations to improve cybersecurity in New York State. Some of these are actions business and industry can take unilaterally; others may require regulatory or governmental support.
Conclusion
I know that it is difficult to define the proper role of government in modern life, particularly in complex technical areas with broad reach. I leave you with another quote from Gene Spafford, which reflects the fact that in 1956, GM advertised styling and performance while Ford emphasized the availability of seat belts. ‘People in general are not interested in paying extra for increased safety. At the beginning, seat belts cost $200 and nobody bought them.’ GM outsold Ford by 190,000 cars in 1956, almost three times the gap from 1955. Sometimes we need a nudge.”
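Chin's call to replace Social Security numbers and Chapin's point that identification and authentication must not be conflated, shown as an added example that is not from either testimony: the SSN only selects an account record, a separately held secret is what proves the holder is present, and every attempt is recorded for audit. The account, SSN, birthday and secret are constructed, and the class and function names are this example's own.

```python
"""Identifier vs. authenticator: a small model of the distinction drawn in the
testimony above. Added example; the names and sample data are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PBKDF2_ROUNDS = 100_000  # slow hash so a leaked table does not reveal secrets


@dataclass
class Account:
    ssn: str            # identifier: selects the record; treated as public
    dob: str            # also a matter of public record, so not an authenticator
    name: str
    salt: bytes         # per-account random salt for the real authenticator
    secret_hash: bytes  # PBKDF2-SHA256 of a secret only the holder knows


def derive(secret: str, salt: bytes) -> bytes:
    """Salted, iterated hash of the holder's secret (constructed helper)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ROUNDS)


def enroll(ssn: str, dob: str, name: str, secret: str) -> Account:
    """Create an account whose authenticator is independent of its identifier."""
    salt = os.urandom(16)
    return Account(ssn, dob, name, salt, derive(secret, salt))


class Directory:
    """Account store keyed by SSN, with an audit trail of every login attempt."""

    def __init__(self) -> None:
        self._by_ssn: Dict[str, Account] = {}
        # (ssn presented, method, succeeded): the accountability record Chin asks for
        self.audit: List[Tuple[str, str, bool]] = []

    def add(self, acct: Account) -> None:
        self._by_ssn[acct.ssn] = acct

    def login_conflated(self, ssn: str, dob: str) -> Optional[Account]:
        """Flawed pattern: matching public facts (SSN + birthday) is treated as
        proof of identity, so anyone who has looked them up gets in."""
        acct = self._by_ssn.get(ssn)
        ok = acct is not None and acct.dob == dob
        self.audit.append((ssn, "conflated", ok))
        return acct if ok else None

    def login(self, ssn: str, secret: str) -> Optional[Account]:
        """Separated pattern: the SSN only identifies (selects) the record;
        authentication is an independent check against the holder's secret."""
        acct = self._by_ssn.get(ssn)
        if acct is None:
            # Do the same amount of work so response time does not reveal
            # which SSNs have accounts.
            derive(secret, b"\x00" * 16)
            ok = False
        else:
            ok = hmac.compare_digest(derive(secret, acct.salt), acct.secret_hash)
        self.audit.append((ssn, "separated", ok))
        return acct if ok else None


def build_demo_directory() -> Directory:
    """Constructed sample data: the SSN, birthday, name and secret are made up."""
    d = Directory()
    d.add(enroll("123-45-6789", "1970-01-01", "Demo Holder", "correct horse battery staple"))
    return d


if __name__ == "__main__":
    d = build_demo_directory()
    # Someone holding only public-record facts about the account holder:
    print("conflated login with public facts:", d.login_conflated("123-45-6789", "1970-01-01") is not None)
    print("separated login with public facts:", d.login("123-45-6789", "1970-01-01") is not None)
    print("separated login with real secret:", d.login("123-45-6789", "correct horse battery staple") is not None)
    for entry in d.audit:
        print("audit:", entry)
```

The audit list is what an auditor in Chin's sense would reconcile: every attempt, successful or not, is recorded with the identifier presented and the method used.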
“For many years, Congress has considered data breach notification legislation to regulate who must be notified, when, in what manner, and by whom after specific types of data are hacked or stolen. In 2009, the Obama administration posted a draft federal data breach bill on the White House website. Congress has not passed any data breach legislation. In the meantime, more than forty states have passed such laws,” said Prof. Snyder.
“Here in New York, both the State and New York City have data breach notification laws, which are somewhat inconsistent. This patchwork approach fails to protect consumers or the economy, and it makes it very difficult for organizations conducting business or other activities in cyberspace to comply with the law,” says Snyder.
“At the federal level, the Securities and Exchange Commission has imposed data breach notification requirements for publicly traded corporations within their jurisdiction, and the Federal Trade Commission has attempted to impose liability upon a few dozen companies for failure to adequately protect data, but Congress has not passed any national data breach notification law. Perhaps this enormous and dangerous breach of the confidentiality and integrity of data at Equifax will spur Congress to take long-awaited action,” says Snyder.
Prof. Snyder is available to speak to media via phone, email, Skype, or LTN studio. Please contact Ellen James Mbuqe, director of news and PR at Syracuse University, at ejmbuqe@syr.edu or 315.443.1897 or Keith Kobland, media manager at Syracuse University, at kkobland@syr.edu or 315.443.9038.
and his students developed the that include cybersecurity exercises, research and software that is provided at no cost to other schools.
“From my background, I learn much better when I do something. So then I decided I should get the students to work some exercises. But at the time, there was not much going on on the internet. So I decided I would just develop my own for my own class at Syracuse University,” says Du.
Du developed labs where students could simulate cyberattacks and then identify security flaws and software errors.
“It turns out students liked that very much and they are very passionate about this. So then I decided maybe other people will like that,” says Du.
“This lab itself sometimes takes some learning. So I also got a grant from the National Science Foundation to train other professors—especially professors who are new to this area—to teach them how to use that. So they come to Syracuse University for four days of training and they take what they learn back to their class,” says Du. “So far 600 universities worldwide and in more than 30 countries are using my labs.”
High-profile cyberattacks have shown hackers can exploit even small mistakes.
“In the past, just one computer is maybe open to the outside. Now 10 devices are in your home—10 doors open you don’t even know,” says Du.
Using secure computers inside the College of Engineering and Computer Science, professors can mimic attacks on networks and programs. Professor Megan Thomas from California State University Stanislaus was grateful for the opportunity to participate in exercises that can only be done in a controlled environment.
“It would be tough to do with limited resources and it would be almost impossible to do safely,” says Thomas. “It is very kind of folks at research universities like Syracuse University that they share what they have developed with the grad students and all that kind of thing, and public universities that don’t have the resources.”
Daniel Ragsdale from Texas A&M University uses Du’s labs in his classes. He believes the program offers practical experience that could help secure countless devices and networks we rely on every day.
“We continue to see, if you want students to understand what this is all about, they have got to do hands-on. They have to work directly with the software, see the vulnerabilities, understand how those vulnerabilities could be exploited, and you can only do that in an environment such as this. What Kevin and his students have done is really an incredible resource for people that are teaching in this space,” says Ragsdale.
“We are trying to educate our students so when they write a program, they know an attacker is going to attack in such a way so they don’t make the same mistake,” says Du. “As a result, their system is going to be more robust, more secure.”
For more information on using online versions of the SEED labs, .
For his work on the Seed labs, Du received the 2017 Academic Leadership award from , a leading computer science conference that brings government, academia and industry together.
This was the first time that Military Times evaluated cybersecurity programs. The rankings are based on academic rigor and efforts to recruit and work with veterans at colleges and universities.
“The strength of cybersecurity education at Syracuse University stems from our belief that technology, policy and people must work in tandem to keep America safe—the theme of the interdisciplinary curricula in our ,” says Teresa Dahlberg, dean of the College of Engineering and Computer Science. “The men and women that defend our country are ideally suited to master the skills needed to protect us from devastating attacks on our computing networks and infrastructure.”
Syracuse University is routinely recognized for its work to welcome veterans to its campus and programs. In 2016, the College of Engineering and Computer Science earned the from the American Society of Engineering Education.
Currently, the Military Times’ Best for Vets: Colleges 2017 ranking places Syracuse University as the No. 1 private school in the country for service members, military veterans and their families.
“Syracuse University has a 100-year history of providing opportunity and empowerment to veterans,” says Mike Haynie, vice chancellor of strategic initiatives and innovation, executive director of the Institute for Veterans and Military Families (IVMF) and Barnes Professor of Entrepreneurship at the Whitman School. “Through IVMF education and career training programs, and their military experience, our students are uniquely qualified, particularly in this critical cyber defense field, to pursue successful careers and make immediate impacts in one of the most highly sought-after careers in the country.”
Cybersecurity at the University addresses an acute need in the military, government and industry sectors for specialists in key aspects of cybersecurity. The programs challenge students to develop solutions for today’s issues and future threats.
The cybersecurity programs include the undergraduate Cyber Engineering Semester in partnership with the Air Force Research Laboratory to immerse students in cybersecurity training. About half of the students are ROTC cadets. Additional programs are the , and in cybersecurity in the College of Engineering and Computer Science.
Cybersecurity is a rapidly developing field. A recently estimated that the market will grow from $75 billion in 2015 to $170 billion by 2020. In 2015, about 209,000 cybersecurity jobs in the United States were unfilled, according to the Bureau of Labor Statistics.
In creating the list, Military Times weighted academic performance as one of the top factors for the ranking. The remaining factors included the number of Accreditation Board for Engineering and Technology (ABET)-accredited computer science programs, the number of Centers of Academic Excellence designations, and the proportion of degrees awarded at a school that fall under computer science and computer security, respectively.
Data was provided by schools in the survey, as well as federal data and public information specific to computer science and cybersecurity. Federal data came from the U.S. Departments of Defense, Education and Veterans Affairs.
To see the full rankings and survey methodology, click .
This fall, the returns to Syracuse University. Designed by the and the , the CES educates computer science and computer engineering students to become cyberwarriors. In a single, 18-credit semester, students will learn to identify and analyze system vulnerabilities, assess risks, develop countermeasures, build and verify secure systems, and deliver software that has verifiable assurance properties.
“Students in the CES learn the theory, tools and practices to formally verify the security and integrity of operations. This capability is the basis for assuring missions in cyber-physical space,” says Shiu-Kai Chin, professor of electrical and computer engineering in the College of Engineering and Computer Science. “There is no other program like this in the nation. It is one important reason why Air Force Research Laboratory partners with SU in offering the CES.”
The CES consists of a core course load, electives and professional development. Core courses include CIS 400: Certified Security by Design, CSE 484: Introduction to Computer and Network Security, and CIS 487: Access Control, Security, and Trust. Electives are tailored to individual student needs and interests. Professional preparation includes an internship and leadership development.
Students must be seniors or juniors in a computer science or computer engineering undergraduate program with an appropriate level of prior coursework and a GPA of 3.3 or higher. They must also have experience with discrete mathematics, programming experience in a high-level language and familiarity with Linux at the command-line level. U.S. citizenship or permanent resident status may also be required to be eligible for internship opportunities, an optional part of the program.
Applications will be accepted until 11:59 p.m. EST on Sunday, April 30. To apply, please send the following in a single PDF file to cyberengineering@syr.edu:
A letter of recommendation from an academic advisor or faculty member must also be sent to cyberengineering@syr.edu directly from the reference by the deadline. For ROTC cadets, a letter of reference from ROTC detachment leadership is also acceptable.
To the extent possible, admission decisions will be made on a rolling basis.
The presentation will be led by Kamal T. Jabbour, senior scientist for information assurance, Information Directorate, Air Force Research Laboratory, Rome, New York. He serves as the principal scientific authority and independent researcher in the field of information assurance, including defensive information warfare and offensive information warfare technology. He conceives, plans and advocates major research and development activities; monitors and guides the quality of scientific and technical resources; and provides expert technical consultation to other Air Force organizations, Department of Defense and government agencies, universities and industry.
Enduring assurance seeks to create a cyber domain that assures information across all stages of conflict, leading to friendly missions with no vulnerability in peacetime, denying the impact of cyber threat in escalation and exploiting at will adversary missions in wartime. This requires developing dual-purpose science and technology to create provable mission assurance through disaggregation and composition of untrusted components, and divorcing the adverse impact from cyber threat through Byzantine fault analysis.
“Apple’s resistance to an FBI demand to unlock the iPhone of one of the San Bernardino terrorists has created a heated debate about the privacy rights of citizens versus the needs of police and intelligence agencies to collect information to understand and possibly prevent terrorist or criminal acts,” says , associate dean for research at the iSchool, who is organizing the panel discussion. “A wide range of individuals and organizations have defended either Apple or the FBI, from tech industry leaders to presidential candidates, from intelligence experts to privacy advocates.”
With such a complex issue that has ramifications for individuals, companies and governments in the U.S. and around the world, the discussion is, “often uninformed, biased and even inflammatory,” notes Dedrick.
Dedrick has convened a panel of Syracuse University experts who will gather to provide knowledgeable perspectives on the technical, legal, policy and privacy concerns that are raised in Apple’s tussle with the FBI. They will engage in a lively discussion and conversation with the audience.
Panelists will include , professor at the , , visiting assistant professor at the , and , assistant professor at the iSchool.
The panel will take place at 3 p.m. on Friday, Feb. 26, in 347 Hinds Hall (Katzer Room), and is open to all campus and community attendees. The panel can also be viewed live online via Adobe Connect with the following link: .
Yet legal, policy and technological means for countering cyber espionage are not always clear. In order to examine the state of domestic and international approaches for controlling—and to offer recommendations for policymakers and practitioners who are addressing—this postmodern form of economic, military and industrial spying, the Institute for National Security and Counterterrorism (INSCT) is joining with the NATO Cooperative Cyber Defence Center of Excellence (CCDCOE) to host “Controlling Economic Cyber Espionage,” an interdisciplinary workshop to be held at the College of Law June 18 and 19.
The workshop convenes cyber espionage and cyber warfare experts from around the globe, including: Michael Schmitt, director of the Stockton Center for the Study of International Law at the U.S. Naval War College; Joel Brenner, former Inspector General, U.S. National Security Agency; Herb Lin, senior research scholar for cyber policy and security, Hoover Institution; Xiaofeng Wang, researcher, Center for American Studies, Fudan University, Shanghai, China; Gregory Nojeim, senior counsel, Center for Democracy and Technology; and Liis Vihul, Law and Policy Researcher, CCDCOE, who was a project manager for the “Tallinn Manual on International Law Applicable to Cyber Warfare.” Representing a cross-section of Syracuse University schools and colleges will be William C. Banks, director of INSCT; Shiu-Kai Chin, professor in the College of Engineering and Computer Science (ECS); Nathan Sales, associate professor in the College of Law; James B. Steinberg, dean of the Maxwell School; and Laura Steinberg, professor in ECS. A complete list of participants—as well as the schedule and list of topics—can be found at .
In exploring the state of contemporary cyber espionage, panels will ask who is doing the spying and by what methods, what is the current thinking of government and industry about the problem, and what methods of protection—such as identity assurance—currently exist. The workshop also will analyze the domestic and international law and policy landscape to ascertain what reforms and actions are necessary as cyber espionage—and cyber war in general—evolves.
Answers will be drawn from the disciplines of foreign and domestic law, public policy, international affairs, defense strategy, law enforcement, computer engineering and finance. Selected papers from the workshop will be gathered for publication by NATO CCDCOE and others in a special edition of the Journal of National Security Law and Policy, which is jointly published by INSCT and Georgetown Law and available at .
“I feel that it is important to acknowledge the vital role that these educational institutions play in the rapidly expanding field of cybersecurity,” says Tyrone Taborn, chairman and CEO of DiversityGPS.com and publisher of U.S. Black Engineer & IT, Hispanic Engineer & IT and Women of Color. “Our nation needs more outstanding programs that develop talent in the fields of computer science and research to expand our cybersecurity workforce. Equipping our young people with the knowledge to pursue careers in cybersecurity should not only be viewed as a goal of our nation, but as a matter of national security.”
Thousands of jobs in cybersecurity are created each year throughout the nation, illustrating the necessity of these positions. However, of the 2.5 million men and women currently employed by the United States Armed Forces, relatively few are qualified to pursue careers in cybersecurity. There is a clear demand for qualified individuals within this field, which includes people of all backgrounds, to ensure the protection and prosperity of the nation.
鈥淭he excellence of our cybersecurity education program is a result of the dedication of internationally renowned faculty members, such as professors Shiu-Kai Chin, Stephen Chapin, Wenliang Du and Heng Yin, who have advanced the field in multiple new directions,鈥� says professor Chilukuri Mohan, chair of the Department of Electrical Engineering and Computer Science in LCS.
The Department of Defense, National Security Agency, CIA and armed forces are a few of the many organizations actively recruiting well-trained individuals from these outstanding institutions.
DiversityGPS.com is honoring LCS and other outstanding colleges and universities as part of “Minorities in National Security and Cybersecurity Awareness Week,” which takes place during the week of Dec. 5. The awareness week will serve as an opportunity to recognize the innovative leaders in cybersecurity and defense as they serve as role models to the minority cybersecurity workforce of tomorrow.