The connection of one computer network to another in the early 1990s created the internet, laying the early framework for what has become our main means of telecommunication today. With this innovation more than 20 years ago, however, came a host of personal and corporate issues most of us hadn’t considered: how to keep data stored on computers and servers safe.
Suddenly, passwords needed to be created, memorized or saved, and sometimes recreated every 90 days or less. Workers in every industry had the daunting knowledge when logging into a computer terminal hooked up to a corporate network that one weak password, one poorly configured software setup or one accidental click on a faux, malicious hyperlink might allow hackers access to corporate intellectual property, sensitive financials or internal systems storing personal medical information. Insecure networks have led to a spate of recent big-name data breaches including Sony, Equifax, Yahoo and local voter records, suggesting cyber security may long be an issue.
For how to ensure a more secure cyber-connected world, we went to Matt Bishop, professor of computer science at UC Davis and a security advocate pushing for more resource allocation to train the next generation of cyber-security experts on how to keep hackers at bay. All industries are vulnerable, said Bishop, but the next generation of people who work in cyber security must learn the interplay of security issues between fields and obtain this knowledge through hands-on practice. Those people should also learn how existing cyber-security laws and regulations are upheld in certain industries and how new legislation should be shaped to protect companies and individuals — as well as to better prosecute hackers.
Because security was largely an afterthought until the late ’90s and early 2000s, after many software programs companies already used were written, incorporating secure programs — and security in general — into existing and new systems has become a constant challenge. “Very often people who write software weren’t taught to write software that is security aware,” said Bishop. “Writing good code takes a lot of time, and it costs a lot, but that increases your time to market. So the question is: Will companies and customers be able to wait the extra time? The answer in most cases is probably going to be no.”
Indeed, technology still relies on humans, but the negative effects of cyber-security threats inevitably trickle down to the bottom line. If a large retailer’s website is hacked and rendered unavailable, for example, that could cost the retailer thousands of dollars in sales per day.
While students are taught cyber security at universities and colleges now, not enough people know security best practices, and, equally important, students don’t yet have enough opportunities to get personal experience writing and developing security-aware software, Bishop said. This is partially because computer science has multiple subtopics to study including programming, data structures, computer architecture, networking, graphics and logic, among many others.
“If you study algorithms, that’s your area of work. You will probably not be an expert in security programming,” said Bishop. “The problem is the entire structure of the software ecosystem.”
What remains is the need for universities and other schools to provide students the theory and also the real-world experiences necessary to understand cyber security; one way is by working with their own university’s information technology security group, said Bishop. At UC Davis, students often work with the information and educational technology department, he said. The computer science department also offers a class on research that discusses security problems related to government and other industries.
In addition, students need to learn experientially how and why keeping networks secure strongly relates to fields such as medicine, law and ethics, said Bishop. In health care, medical devices that connect to the internet, such as pacemakers and insulin pumps, are part of a new frontier for cyber-security threats; their systems may be vulnerable to exploitation, and that could affect how a device works, according to the U.S. Food and Drug Administration.
Finally, the next generation of cyber-security professionals would benefit from a deeper understanding of the legal side of the industry in order to better advise businesses and clients. In particular, in national and international jurisdictions, cooperation between authorities is necessary, but identifying the culprits of cyber-security crimes can be difficult the farther afield the networks are based, said Bishop.
“There are almost no laws relating to network security; prosecution is not very granular,” Bishop said. “Even though it’s obvious someone has done something wrong, they’re hard to prosecute.”