This is the summer of our cyber-discontent: earlier this month, the federal Office of Personnel Management (OPM) disclosed a hack attack, believed to have originated in China, that raided personal data on 21.5 million Americans who had been subjected to government background checks in the last 15 years. That breach, believed to be the largest ever of US government systems, led to the resignation of the head of OPM and followed a related attack last month that stole information on more than 4 million federal workers.
On July 8, a BU expert met with government staffers to talk about cybersecurity. The OPM hack was not the subject of the discussions, says Azer Bestavros, director of the Rafik B. Hariri Institute for Computing and Computational Science & Engineering. But the Departments of Defense (DOD) and Homeland Security (DHS) are interested in several Hariri initiatives, including the Modular Approach to Cloud Security (MACS), a $10 million, five-year, National Science Foundation–funded project to help develop information systems with several layers of security measures.
A professor of computer science at the College of Arts & Sciences, Bestavros also briefed officials on the Massachusetts Open Cloud (MOC), a computing cloud Hariri is developing that he says will be more secure than other clouds. (In cloud computing, users have on-demand access to shared, massive, off-site computer resources.) The information on BU’s projects was “very well received” by the officials, he says.
BU Today spoke with Bestavros about his meeting with government officials and the recent cybersecurity breaches.
BU Today: How did your meeting with DOD and Homeland Security officials come about?
Bestavros: These meetings were organized by our federal relations team as part of our ongoing effort to evangelize BU’s computing and data-driven research, especially as it relates to research at the nexus of big data, cybersecurity, and cloud computing.
At the DOD, the discussions focused on how our MACS project and the Massachusetts Open Cloud might provide operational cybersecurity capabilities for [supporting] the IT infrastructure for the DOD, and also on opportunities to better engage with the Army, Air Force, and Navy basic research offices. At the DHS, the discussion focused on the challenges associated with applications that require sharing of big data assets across agencies and corporations, including support for data security and privacy.
Were you surprised by the theft of government information on Americans who’d applied for security clearances?
It did not come up in our discussions, and this incident does not surprise me at all. The problem with this approach to securing our systems is that it is reactive: we wait until antiquated systems are compromised, and then offer some remedies. [Two-step] authentication is certainly better than good-old passwords on sticky notes. Improving a system after a breach may make us feel good, but we would be in a far better position if we realize that cybersecurity has its costs and that it is far better to pay for cybersecurity at the outset, as opposed to paying for it after significant damage is done. Stolen information cannot be “un-stolen.”
That hack and a previous one are believed to have originated in China. Is that nation the major source of hack attacks, and are they committed by the Chinese government or private hackers?
I don’t know, and even if the sources of such attacks could be traced to a specific country, it is not easy to ascertain if the perpetrators are operating from that country, let alone government-sponsored. And which government? For example, botnets operating in China could be used by hackers in Russia to attack targets in the US. Likewise, hackers in the US could be using botnets in—[name] your favorite country—to attack targets back in the US.
Tech companies and others are worried about a proposal to give the government a “back door” to their online data.
This did not come up, since the officials I met are concerned with operational challenges at the DOD and DHS, as opposed to intelligence capabilities. That said, I have strong opinions about this! It is a really bad idea for many reasons.
First, “back doors” have a way of becoming “front doors.” If we don’t want the bad guys to break through our cyber-doors to steal our data assets or listen in on our communications, then the [fewer] doors we have, the better. Besides, distinguishing good guys from bad guys is subjective. Today’s good guys may be tomorrow’s bad guys, and there are always the occasional bad apples in the mix. Here I note that even the discussion of this subject hurts the US tech sector—especially in the cloud services space—since they risk losing on international contracts if it is perceived that there are sovereignty risks.
In order to talk about alternatives, we have to make sure that our laws are caught up with the times, and for that to happen, our society has to be informed so as to push lawmakers to do the right things, as opposed to letting technology people effectively dictate the laws of the land, by virtue of the software they develop, without society weighing in.
Have private companies and individuals done more than the government to protect themselves? Is there something we can learn about cybersecurity from other governments?
It is not entirely clear to me that the weaknesses in cybersecurity that were uncovered in government systems are necessarily worse than what was and continues to be uncovered in privately operated systems. Unlike breaches of government-operated systems, which we eventually learn about, breaches of privately operated systems may be hidden from the public or remain unknown. Also, in cybersecurity, it is always the weakest link that matters. In fact, breaches of government-operated systems could well have started with breaches of a privately operated system, or a personal mobile phone of an employee, etc. Cybersecurity is not a problem that can be addressed piecemeal.
Our MACS project recognizes the importance of a disciplined approach to cybersecurity that allows the security of a system as a whole to be derived from the security of its components. It is an ambitious goal because such a holistic approach must leverage a wide range of expertise from pure and applied cryptography and theoretical computer science, to low-level hardware, networking, operating systems, and distributed systems.