IEEE Brings Together Top Security Specialists to Thwart Hackers

Experts from CERT, Google, and others take on the most common security flaws

6 March 2015

In the face of growing computer security breaches, it makes little sense to be cavalier about cybersecurity and cyberprivacy. Just ask the European Central Bank, Korea’s Hydro and Nuclear Power Co., Microsoft, or Sony Pictures—some of the recent cyberattack victims. Credit-card payment systems have been raided. Floor plans of sensitive facilities have been posted on social media. Gaming services have been disrupted and employees’ personal information leaked. Companies’ reputations have been damaged, customers have fled, top executives have been fired, and hefty fines incurred.

What’s more, the financial impact of an intrusion is growing. Last year, the average cost per incident increased 15 percent over 2013 to US $3.5 million, according to the annual Cost of Data Breach Study sponsored by IBM and conducted by the Ponemon Institute, of Traverse City, Mich. The study surveyed 250 companies in 11 countries and found that the cost incurred for each lost or stolen record containing sensitive information increased more than 9 percent compared with the previous year, to $145.

Attackers gain access in many ways, including through viruses and malware, stolen passwords, and personal information stored on publicly accessible directories. As has been the case for decades, hackers find their way in because of engineering and operating mistakes. The IEEE Cybersecurity Initiative wants to change that.

“It has become clear that, generally, engineers have not had sufficient training nor been encouraged to have a mind-set that considers how an adversary might thwart their system, whether it’s on the security side, the privacy side, or the vulnerability side,” says the initiative’s chair, IEEE Senior Member Greg Shannon. He’s chief scientist for the CERT Division at the Carnegie Mellon University Software Engineering Institute, in Pittsburgh. The initiative was established in January 2014 by the IEEE Computer Society and the IEEE Future Directions Committee.

Not enough investment is being made to ensure that sufficient security and privacy controls are implemented, Shannon says, adding that the R&D community has not given engineers the tools they need to understand all the possible threats against their systems and how to mitigate them.

The initiative is accelerating innovative research and developing cybersecurity and privacy technologies to protect commerce, innovation, and freedom of expression.

“Now is the time not only for better defensive measures but also for cybersecurity standards and best practices that consider the entire technology life cycle,” Shannon says. “It is IEEE’s responsibility to emphasize strongly the things that can improve security and privacy, and this means not ignoring the engineering mistakes made in developing and operating software systems. These may be less noticeable but can prove just as harmful.

“Alone of any professional society, IEEE has been involved in cybersecurity from soup to nuts,” he adds.

IEEE has been helping engineers recognize, resist, and recover from cyberattacks for more than three decades. The annual IEEE Symposium on Security and Privacy, for example, marked its 35th anniversary last year. And IEEE offers conferences, publications, standards, and other services. But many in the cybersecurity field are unaware of the breadth, depth, and longevity of IEEE’s work, according to Shannon. The initiative plans to change that, too, along with adding new offerings to the field.

SECURITY: FRONT AND CENTER

About half of all security breaches are possible because of flaws in the software’s architecture and design. The rest result from bugs in the software’s implementation—the overall design may appear sound, but some aspect of its execution fails. The security industry has been focused mostly on finding and eradicating bugs; it has virtually ignored the fact that design flaws may also be the target of attack. Unfortunately, not much reference material exists on how to avoid these types of flaws.

That’s why the initiative established the IEEE Center for Secure Design (CSD). It focuses on identifying and preventing software design flaws. The center was formed by such organizations as Athens University of Economics and Business, Cigital, EMC, Google, Harvard, Twitter, and the University of Washington, Seattle. The CSD released a report in August detailing the top 10 most widely and frequently occurring software security design flaws, as well as recommendations for avoiding them.

GUARDING MEDICAL DATA

Wearables, smartphone apps, portable diagnostic units, and other personal health-monitoring devices are gaining in popularity. More gadgets are sharing health and medical information electronically, which puts the privacy and security of the data at risk.

“People don’t want just anybody to be able to access their health profile and related information,” Shannon points out.

“Because these devices are in low-power, low-bandwidth environments, they present challenges from an engineering point of view,” he says. The hurdles include ensuring that data from wearable trackers are being uploaded to an authorized device and that the platform uploading the data is getting it from the correct sensor. “A solution to this challenge that works on the desktop might not work for a wearable device,” Shannon adds.

And larger medical devices come with their own set of security concerns. The medical community has generally been unconcerned about the possible theft or manipulation of its data because medical devices have traditionally been ensconced in hospitals and medical facilities. But once the machines become portable and common in homes and their information is increasingly shared, the data could be manipulated in ways the original engineers never considered, Shannon cautions.

“Many of these devices use vulnerable components and operating systems, and patching them is a concern,” he says. “Engineers have to be very careful about whether the patched product will still be certified by agencies that oversee them, like the U.S. Food and Drug Administration, and whether the update causes something else to malfunction. If it’s your pacemaker, you care a great deal about that.”

To that end, the initiative is developing “building codes” for medical devices similar to those used in the construction industry.

“Security and privacy issues—what is important and what is reasonable or what is not—are still being defined by society,” Shannon says. “Part of a broader aspect of the initiative is to help understand the decisions that must be made, as well as larger issues such as who has a right to what data, and what companies can and can’t be allowed to do with personal data. We know that IEEE will help inform that conversation.”
