Frederick R. Chang, a recognized national expert in cyber security, recently joined Southern Methodist University to develop a multidisciplinary program to tackle the most pressing cyber challenges facing individuals, business and government today. Chang previously served as the director of research at the National Security Agency in 2005-2006, where he was awarded the NSA Director’s Distinguished Service Medal. He has held several senior executive positions at SBC Communications, positions at both the University of Texas at Austin and the University of Texas at San Antonio, and was most recently president and chief operating officer of 21CT Inc., an intelligence analytics solutions company.


A recent report by a Google security executive said that “passwords are dead.” Do you agree with that?

Studies of user password use continue to reveal disturbing trends:

  1. passwords are not “hard” enough,
  2. passwords are reused between different user accounts, and
  3. passwords are not changed often enough.

Combined with the fact that computer processing power continues to improve, these trends mean that passwords represent an ever-growing security risk. Cognitively, passwords are too cumbersome: it has been said that the best password is the one you can’t remember. The human memory problem is compounded by the fact that we are now entering our passwords from our multiple mobile devices. We are growing weary of passwords. Passwords aren’t going away any time soon, but I’m eagerly looking forward to the many new technologies that are being developed that will provide supplemental/additional authentication methods.


What type of program are you going to develop at SMU, and how will it be different from other programs?

My particular research interest is in the area of information assurance – defending and protecting critical systems and data. I’m looking forward to working with my colleagues at SMU and beyond on a wide range of topics such as software assurance, social sciences and security, insider threat and hardware security. First, we will conduct broad programs of research aimed both at helping to create a science and engineering of cyber security and addressing national cyber security priorities. Second, we’re going to apply an interdisciplinary approach to problems, incorporating elements from disciplines outside of the traditional technical areas associated with cyber security such as law, business and the social sciences. And third, we are going to help close the skills gap in cyber security by educating SMU students to meet the demand for trained cyber professionals. The key to our program at SMU is that it will be multidisciplinary.


What is the single most pressing issue with regards to educating people about cyber security?

It is the fact that the cyber security problem is proving to be extremely resistant to solution. As a result it has been referred to as a “wicked problem.” Research in computer security dates back to more than 40 years ago. I’d like to teach a foundations course for students of all majors that lays out what every educated person should understand today about security and privacy to be a responsible citizen. It’s not just how the technology works that’s important, but the consequences of that technology that you may not know about. How do I make myself safer in cyberspace? How do I afford myself more privacy? Hopefully it will be an opportunity for community outreach.


How can this program at SMU have a national and global impact and reach?

Cyber security is an economic security issue. If someone has an idea for a better mousetrap, and another country steals that information and starts developing that product, what should have been good U.S. jobs will now get created somewhere else. So methods and technology we develop at SMU to protect business interests will have widespread economic impact for the country at large. We intend to seek research partners to develop methods to protect and defend our national interests. Our charge will go beyond research – to the nuts and bolts of educating strong, innovative engineers who can take jobs to stop sophisticated cyber attacks against our government, our critical infrastructure and businesses. We expect the men and women we teach to be on the frontlines, protecting our economic and national resources.


What can security executives do to educate themselves?

There are two types of companies: those that are compromised and know it, and those that are compromised and don’t know it. You should work hard to implement a rigorous and robust defensive regime, but just because you’ve done that doesn’t mean you’ve prevented all forms of compromise. You can stop the vast majority of attacks with a strong defensive posture – and you should do your best constantly to improve your defense, but you also have to accept the reality that today, your defensive posture may not be enough. So in addition to your investment in defense, think through your investment in monitoring, analysis, incident response and recovery.