Cybersecurity Experts Go to Washington

Sharon Goldberg briefs Congressional staffers on internet insecurities

Expert panelists at a recent Capitol Hill cybersecurity briefing sponsored by BU and the Congressional Cybersecurity Caucus: FTC Office of Technology, Research, and Investigation research director Joseph Calandrino (from left), Center for Democracy & Technology chief technologist Joseph Lorenzo Hall, and Sharon Goldberg, a CAS associate professor of computer science. Photos by AOB Photo.

Officially, it was a cybersecurity briefing on Capitol Hill hosted by Jean Morrison, Boston University provost, and the Congressional Cybersecurity Caucus, but it felt a little like a college freshman-level computer science seminar. Sharon Goldberg, a College of Arts & Sciences associate professor of computer science, was explaining some of the deep insecurities built into the internet, and why they matter. Her students were a group of Congressional aides and interns and other Hill staffers. They had crowded into a room in the Cannon House Office Building recently on their lunch hour and were taking copious notes so they could better inform policymakers, who are scrambling these days to catch up with technical reality.

“The internet was designed several decades ago as a network for universities, for graduate students to send each other emails, to do scientific computing—not for what it’s doing today,” said Goldberg, one of three cybersecurity experts who addressed the briefing. It was a time, she added, “when basically everyone on the internet believed they could all trust each other because they were all graduate students playing with computers.”

Therein lies the problem. Many of the internet’s protocols and algorithms, which were created during an era that has long since vanished, “are baked into the architecture, and it’s very, very hard to change them,” Goldberg said. The result, she said, is a system vulnerable to attackers. Not only can attackers eavesdrop undetected, but they can also intercept, manipulate, and change internet traffic—the flow of email messages, calls, texts, internet searches—unbeknownst to users. The risk is not just to something as simple as buying a book on Amazon, said Goldberg, who is also a Rafik B. Hariri Institute for Computing and Computational Science & Engineering faculty fellow, but to vital global systems such as air traffic control or the running of trains.

“Anything that runs on the internet is subject to all these attacks,” she said. “It’s not just about interception and eavesdropping. It’s about tampering, changing the traffic.”

Sharon Goldberg, a Rafik B. Hariri Institute for Computing and Computational Science & Engineering faculty fellow and a national expert on cybersecurity, described some of the deep insecurities built into the internet.

For some three quarters of an hour, Goldberg and the other two speakers, Joseph Lorenzo Hall, the chief technologist for the Center for Democracy & Technology, and Joseph Calandrino, research director for the Federal Trade Commission (FTC) Office of Technology Research and Investigation, talked about security risks, and what can and cannot be done to fix them—from BGP (Border Gateway Protocol), the glue that holds the internet together, to IP addresses to the Internet of things (IoT).

These kinds of discussions are long overdue in Washington, Hall said after the briefing. He recalled a moment, made famous on YouTube, from a Congressional debate five years ago about a bill that was ostensibly designed to thwart online piracy. After dressing down his colleagues for “trying to do surgery on the internet” without bringing in a “doctor to tell us how the organs fit together,” Congressman Jason Chaffetz (R-Utah) declared: “We need to bring some nerds in.”

Five years later, said Hall, Washington is bringing in the nerds. “Members of Congress and Congressional staffers recognize that they need to know their way around these concepts—network security, internet routing, cryptography, and simply how software works on computing devices,” he said. “Increasingly, to make decisions they have to have technical advice they can trust. There are plenty of people who can give partisan or biased technical advice that might skew decisions you make one way or the other, and government agencies and policymakers recognize the value of cutting through the hype with their own technical staff.”

Nick Leiserson, a staff member for Congressman Jim Langevin (D-R.I.), the cochair of the Congressional Cybersecurity Caucus, said there is now a recognition among policymakers and staff “that any talk of security, whether it’s economic or national security, needs to have a cybersecurity component to it.” With a dearth of staffers on the Hill who have technical backgrounds, Leiserson said, there is a need for experts, like Goldberg, Hall, and Calandrino, “who can translate technology in ways policymakers can understand.”

“We’re all grappling with this,” said Morrison, in opening the briefing. “The internet now plays a dominant role in everyone’s life. With all the capabilities it affords, it also creates a lot of opportunities for data theft and manipulation, and while there’s a general awareness of the hazards of the internet, the true scope of concerns and threats is not widely appreciated.”

Hall told the audience that technologists know how to “patch up and fix” some aspects of internet infrastructure, and that the main obstacle there is collective action: getting everyone to switch to the secure versions of these technologies. However, citing Goldberg’s work on a technology called BGPSEC, he explained that in other areas it’s unclear whether switching to a secure version would cause more trouble than it would fix.

He gave a quick primer on what he called “one of the dirtiest secrets of the internet—the domain system.” Hall described how the domain name system (DNS) translates a name such as www.bu.edu into an internet address such as 128.197.26.3. He characterized the current system as insecure: in a web browser you can trust the little lock icon to tell you that you’re talking to your bank and not a cybercriminal, but a plain DNS response carries no comparable proof of who sent it, so it’s relatively easy for an attacker to forge one. Ask for www.bu.edu and you could end up talking to, say, 6.6.6.6 (a potential criminal) instead of 128.197.26.3.
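As an added illustration, not part of the briefing and not code from any of the speakers, the following Python builds the wire-format DNS query and answer for the www.bu.edu lookup Hall described, then shows what a resolver that does not validate DNSSEC actually checks before believing an answer: only that the 16-bit transaction ID and the question section match. A forged answer pointing at 6.6.6.6 passes that check exactly as the genuine one does. The addresses are the ones from the article; the transaction ID, TTL, and function names are constructed for the example.

```python
"""Why unauthenticated DNS responses are forgeable (added example).

Builds a minimal DNS query for www.bu.edu and two A-record answers, one
genuine-looking and one forged, in wire format, then applies the check a
resolver without DNSSEC validation performs: same transaction ID, same
question.  Nothing in the packet is signed, so that check cannot tell
the two answers apart.
"""
import struct

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS labels (length-prefixed, NUL-terminated)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"


def decode_name(msg: bytes, offset: int):
    """Decode labels at offset; handles the 0xC0 compression pointer used in answers."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:  # pointer to a name earlier in the message
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            name, _ = decode_name(msg, ptr)
            labels.append(name)
            return ".".join(labels), offset + 2
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def build_query(txid: int, name: str) -> bytes:
    """Standard query: header (ID, flags=RD, QDCOUNT=1) followed by one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def build_response(txid: int, name: str, ipv4: str, ttl: int = 300) -> bytes:
    """Response carrying one A record.  Any host that knows or guesses the
    transaction ID and question can produce an identical-looking packet."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    rdata = bytes(int(o) for o in ipv4.split("."))
    # 0xC00C is a compression pointer to the name at offset 12 (the question)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4) + rdata
    return header + question + answer


def parse_response(msg: bytes):
    """Return (txid, question_name, [A-record IPs]) from a DNS message."""
    txid, _flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    off += 4  # skip QTYPE and QCLASS of the question
    ips = []
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return txid, qname, ips


def naive_resolver_accepts(query: bytes, response: bytes) -> bool:
    """The classic acceptance test: matching 16-bit ID and matching question.
    That is a correlation check, not an authentication check."""
    q_txid, q_name, _ = parse_response(query)  # query shares the header/question layout
    r_txid, r_name, _ = parse_response(response)
    return q_txid == r_txid and q_name.lower() == r_name.lower()


def resolve_with(query: bytes, response: bytes):
    """IP a naive resolver would use for this query, or None if the packet is dropped."""
    if not naive_resolver_accepts(query, response):
        return None
    return parse_response(response)[2][0]


if __name__ == "__main__":
    TXID = 0x1A2B  # constructed value; real resolvers randomize this per query
    query = build_query(TXID, "www.bu.edu")
    genuine = build_response(TXID, "www.bu.edu", "128.197.26.3")
    forged = build_response(TXID, "www.bu.edu", "6.6.6.6")
    print("genuine  ->", resolve_with(query, genuine))   # 128.197.26.3
    print("forged   ->", resolve_with(query, forged))    # 6.6.6.6, accepted just the same
    print("wrong ID ->", resolve_with(query, build_response(TXID ^ 1, "www.bu.edu", "6.6.6.6")))
```

The only thing that rejects the third packet is the transaction ID mismatch. Real resolvers also randomize the UDP source port, which enlarges the space an off-path attacker has to guess, but neither field proves who sent the answer the way a certificate stands behind the browser's lock icon; adding that proof is what DNSSEC signatures on the records are for.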

During the question-and-answer period, Leiserson, who has a bachelor’s in computer science from Brown University, asked about what he called that “great buzzword” in Washington—“the Internet of things.” He wanted to know whether the same sort of infrastructure mistakes that had been baked into the internet would end up being repeated with the IoT.

Calandrino said the FTC has been making an effort to encourage IoT product developers to consider security. “We reach out to developers—we say, ‘Here’s what you need to think about,’” he said.

“That’s truly the $60,000 question,” Hall said in response to the IoT question. “There are some really new, really sexy Band-Aids we’ve put in place to patch things over.” There are plenty of potential problems, he said. “You have people who have a Kickstarter idea. They get the cheapest bidder to build the board, the electronics software, they put it out in the world. They haven’t thought about all the vulnerabilities.

“Band-Aids and forethought are about as good as we can do.”


Author Sara Rimer can be reached at srimer@bu.edu.

Photographer Allison O’Brien can be reached at AOB Photo.