Cyber Security News / Security Talk Column

Studying the 'Wicked Problem' of Cyber Security

Cyber crime has been referred to as a “wicked problem,” and its solution may well lie in stronger education.

Frederick R. Chang, a recognized national expert in cyber security, recently joined Southern Methodist University to develop a multidisciplinary program to tackle the most pressing cyber challenges facing individuals, business and government today. Chang previously served as the director of research at the National Security Agency in 2005-2006, where he was awarded the NSA Director’s Distinguished Service Medal. He has held several senior executive positions at SBC Communications, positions at both the University Texas at Austin and the University of Texas at San Antonio, and was most recently president and chief operating officer of 21CT Inc., an intelligence analytics solutions company.

 

A recent report by a Google security executive said that “passwords are dead.” Do you agree with that?

Studies of user password use continue to reveal disturbing trends:

  1. passwords are not “hard” enough,
  2. passwords are reused between different user accounts, and
  3. passwords are not changed often enough.

Combined with the fact that computer processing power continues to improve, these trends mean that passwords represent an ever growing security risk. Cognitively, passwords are too cumbersome: it has been said that the best password is the one you can’t remember. The human memory problem is compounded by the fact that we are now entering our passwords from our multiple mobile devices. We are growing weary of passwords. Passwords aren’t going away any time soon, but I’m eagerly looking forward to the many new technologies that are being developed that will provide supplemental/additional authentication methods.

 

What type of program are you going to develop at SMU, and how will it be different from other programs?

My particular research interest is in the area of information assurance – defending and protecting critical systems and data. I’m looking forward to working with my colleagues at SMU and beyond on a wide range of topics such as software assurance, social sciences and security, insider threat and hardware security. First, we will conduct broad programs of research aimed both at helping to create a science and engineering of cyber security and addressing national cyber security priorities. Second, we’re going to apply an interdisciplinary approach to problems, incorporating elements from disciplines outside of the traditional technical areas associated with cyber security such as law, business and the social sciences. And third, we are going to help close the skills gap in cyber security by educating SMU students to meet the demand for trained cyber professionals. The key to our program at SMU is that it will be multidisciplinary.

 

What is the single most pressing issue with regards to educating people about cyber security?

It is the fact that the cyber security problem is proving to be extremely resistant to solution. As a result it has been referred to as a “wicked problem.” Research in computer security dates back to more than 40 years ago. I’d like to teach a foundations course for students of all majors that lays out what every educated person should understand today about security and privacy to be a responsible citizen. It’s not just how the technology works that’s important, but the consequences of that technology that you may not know about. How do I make myself safer in cyberspace? How do I afford myself more privacy? Hopefully it will be an opportunity for community outreach.

 

How can this program at SMU have a national and global impact and reach?

Cyber security is an economic security issue. If someone has an idea for a better mousetrap, and another country steals that information and starts developing that product, what should have been good U.S. jobs will now get created somewhere else. So methods and technology we develop at SMU to protect business interests will have widespread economic impact for the country at large. We intend to seek research partners to develop methods to protect and defend our national interests. Our charge will go beyond research – to the nuts and bolts of educating strong, innovative engineers who can take jobs to stop sophisticated cyber attacks against our government, our critical infrastructure and businesses. We expect the men and women we teach to be on the frontlines, protecting our economic and national resources.

 

What can security executives do to educate themselves?

There are two types of companies: those that are compromised and know it, and those that are compromised and don’t know it. You should work hard to implement a rigorous and robust defensive regime, but just because you’ve done that doesn’t mean you’ve prevented all forms of compromise. You can stop the vast majority of attacks with a strong defensive posture – and you should do your best constantly to improve your defense, but you also have to accept the reality that today, your defensive posture may not be enough. So in addition to your investment in defense, think through your investment in monitoring, analysis, incident response and recovery.

Did you enjoy this article? Click here to subscribe to Security Magazine. 

You must login or register in order to post a comment.

Multimedia

Videos

Image Galleries

ASIS 2013 Product Preview

ASIS International 59th Annual Seminar and Exhibits, September 24-27 in Chicago, Illinois, will include an exhibit hall packed with innovative security solutions. Here are some of the products that will be shown at ASIS this year.

Podcasts

Virtualization and Data Center Security: What You Need to Know for 2014

Data centers are increasingly becoming the center of the enterprise, and data center and cyber security is following the same path for security departments. According to Justin Flynn, a consultant at the Burwood Group, the virtualization of data centers allows enterprises to scale more easily and faster, with a smaller footprint.

However, hosting enterprise data in the cloud can make intrusion detection more difficult – how can enterprise security leaders team up with other departments to keep aware of cyber risks and traffic, and physical and data compliance during the virtual transition? How can CISOs and CSOs discuss cyber threats with the C-Suite to get the resources they need? And how can the proper infrastructure test and verify possible malicious attacks? 

More Podcasts

Security Magazine

Security December 2014 issue cover

2014 December

This issue of Security Magazine covers our 12th annual Top Guarding Firms list. Check out the best of the best as of December 2014. The 21st century has brought with it new types of security threats. Read how to combat and protect against these threats.

Table Of Contents Subscribe

Security Emergency Preparedness Training

Which security personnel emergency preparedness training is the top priority to you and your enterprise?
View Results Poll Archive

THE SECURITY STORE

comptiahighriseproductphoto
CompTIA Security+ Certification Study Guide
CompTIA's Security+ certification is a globally-recognized, vendor neutral exam that has helped over 60,000 IT professionals reach further and higher in their careers. The current Security+ exam (SY0-201) focuses more on being able to deal with security issues rather than just identifying them.
More Products

Clear Seas Research

Clear Seas ResearchWith access to over one million professionals and more than 60 industry-specific publications,Clear Seas Research offers relevant insights from those who know your industry best. Let us customize a market research solution that exceeds your marketing goals.

STAY CONNECTED

Facebook 40px 2-12-13 Twitter logo 40px 2-12-13  YouTube  LinkedIn logo 40px 2-12-13Google+

Vertical Sector Focus: Critical Infrastructures

criticalhomepagethumbFrom terrorism to vandalism, it’s preparedness, response, training and partnerships. Learn about some of the critical security issues facing this sector.

Visit the Critical Infrastructure page to read more.