In today’s digital, data-reliant world, cyberthreats can take many forms, including hackers conducting cyberespionage, troublemakers hijacking electronic highway signs, and globe-spanning cybercrime rings perpetrating bank fraud.
IEEE Senior Member Greg Shannon’s job is to help the United States stay at least one step ahead of increasingly sophisticated cybercriminals. He is chief scientist at CERT, part of the Carnegie Mellon University Software Engineering Institute, in Pittsburgh, which is funded by the U.S. Defense Department’s R&D center. At CERT, he partners with government, academia, law enforcement, and industry to develop methods and tools to deal with cyberthreats.
In November, Shannon was named chair of the IEEE Cybersecurity Initiative. Launched in January 2014, its mission is to advance the field through education, conferences, and standards.
CERT was formed in 1988 to counter the Morris worm, the first computer worm distributed through the Internet. That incident “brought the Internet as it was then to its knees,” notes Shannon, who joined the organization five years ago. “CERT was part of the response team to get it back online.”
Responding to cybercrime by providing analytical support to federal law enforcement agencies remains an important part of CERT’s mission, but the explosion of the Internet has far expanded its scope.
SAFETY IN LAYERS
Cybersecurity today involves much more than defensive measures, Shannon points out. It is vital for organizations to build secure foundations and anticipate security challenges. That includes designing secure code, finding software vulnerabilities, putting management structures in place to deal with risks, and identifying possible threats from inside a company.
Organizations regularly fail to incorporate strategies for reducing software vulnerability and risk, Shannon says. He intends to start changing that by delivering inexpensive, practical solutions to government agencies. CERT researchers have, for example, developed malware analysis tools and secure coding techniques that help software developers reduce glitches in their systems and find defects in applications. Although they are produced for government clients, many of the tools are available in open-source formats for the general community, Shannon says.
But even if organizations implement better strategies, no defined metrics exist for gauging software security. “If you can’t measure something and provide feedback, then you can’t help people improve their systems,” Shannon says.
His research focuses on developing cybersecurity metrics and effective ways to analyze them. He says he expects to have useful metrics and measurement techniques in the next two years.
But building security into code from the get-go is safer and more economical than finding and fixing bugs later on, Shannon notes. He has led the development of secure coding guidelines covering C and C++, Java, and the Android platform. Cisco, Oracle, and other companies have adopted CERT’s guidelines.
Shannon is also trying to understand how organizations can integrate security technologies throughout the software development chain. “Today, developers can find a lot of open-source projects and tools and pull them together to create different technologies,” he says. “But that compromises security and privacy.”
The IEEE Cybersecurity Initiative gives Shannon an ideal platform for furthering his cybersecurity mission. He points to IEEE’s important role in promoting security research, its substantial membership, and its position in the engineering community, as well as its “amazing” standards development program.
He also aspires to bring the security and privacy communities together. Too often, data security and privacy concerns are perceived as adversarial, he says, and he wants people to see that they are complementary.
A WINDING ROAD
Shannon earned a bachelor’s degree in computer science from Iowa State University, in Ames, in 1982. For three of his undergraduate years, he worked at the school’s Ames Laboratory, programming computers to analyze mass spectrometry data. That gave him a strong sense of the computer’s role in science.
After earning his Ph.D. in computer science in 1988 from Purdue University, in West Lafayette, Ind., he became a professor of computer science at Indiana University in Bloomington.
He soon realized that teaching was not his calling, however, and he moved on to Los Alamos National Laboratory, in New Mexico, in 1993, to work on fraud detection and security. He left a year later to launch Spanning Tree, which developed technology for network scanning and vulnerability assessment. After a Canadian network company bought Spanning Tree, he joined Ascend Communications in Dublin, Ohio, as an engineering manager, working on firewalls and other security software.
Lucent Technologies acquired Ascend in 1999, and Shannon became a technology and business strategist there. He designed and tested network security tools, worked on security policy and standards, and headed company-wide security initiatives.
But entrepreneurship beckoned again, and in 2003 he became chief scientist at the startup CounterStorm, which focuses on network-based detection of cyberthreats and malware. “Building enterprises from scratch has always been a big part of my career,” he says.
When CERT approached him in 2010, he knew it was the perfect opportunity to not only apply his varied experience but also have a big impact on cybersecurity. He spends half his time at CERT in Pittsburgh and a quarter of it in Washington, D.C., in meetings with government agencies including the National Science Foundation, the Defense Advanced Research Projects Agency, and the Department of Homeland Security. The rest of the time he’s on the road, traveling to conferences and government labs. “A big part of what I do is travel,” he says. “My workdays are often unpredictable.”