Major data breaches, hacks and identity thefts have become disturbingly commonplace, with origins both at home and from abroad.
The theft of personal data from the U.S. credit-reporting agency Equifax, discovered in summer of 2017, was just one shocking example. More than 145 million Social Security numbers, 10 million drivers' licenses, hundreds of thousands of credit card numbers, and an unknown number of tax records appear to have been stolen. News of the thefts sparked widespread concern and prompted a New York Times columnist to declare "Get Rid of Equifax."
Numerous other recent hacks have succeeded in stealing financial, personal or medical data from Chase, Target, Yahoo, Chase, Anthem — even the U.S. government's own NSA and CIA systems.
As the threat continues to escalate, however, academia and industry are fighting back — and Stevens Institute of Technology is helping lead a global effort to anticipate and defend against the next waves of cybercrime.
Fifteen years leading the way
In 2002, professor Susanne Wetzel was recruited to the university to create a leading-edge undergraduate program and center that would make the university a powerhouse in cybersecurity research and education.
"At that time, cybersecurity was just beginning to be in the public eye, to be taken seriously by industry and the government, and I was given wide latitude by Stevens leadership," recalls Wetzel, who remains director of the program as well as Stevens' CASSIA (Center for the Advancement of Secure Systems and Information Assurance) research center. "That's the power of our size and agility, which made all the difference. We were able to move quickly."
Within two short years, Stevens had received an important federal designation as a National Center of Academic Excellence in Information Assurance Education by the National Security Agency (NSA) and the Department of Homeland Security (DHS). The university also won National Science Foundation (NSF) grant support that would help enable the creation of a new bachelor's degree program in cybersecurity.
That program, which began accepting students in 2006, was one of the nation's very first for undergraduates.
Over the next several years the university would receive highly competitive grants enabling the outfitting of a high-tech CySec lab in the Babbio Center; add a master's degree program in cybersecurity; secure funding to establish an on-campus CyberCorps program that educates future cybersecurity professionals to confront cybersecurity challenges; launch CASSIA; and become a founding participant in INSuRE, a multi-institutional effort in which students tackle unclassified cybersecurity problems.
Today, more than 20 Stevens faculty members work in some area of cybersecurity.
"I think it's fair to say we are among the nation's top programs in the field now," notes Wetzel.
Hacking in a sandbox, thinking on the fly
How is a Stevens cybersecurity education different? It teaches students to think outside the box.
"The thing that is unique about our field is that it changes almost instantly," explains Wetzel. "We can never know everything that will happen, or happen next. That is the nature of cybersecurity: It is about anticipation and intelligent reaction. So we train our students to think ahead, and this ability makes them especially well-suited to hit the ground running."
In classwork and labs, students also deploy applications and tools that create virtual, walled-off environments. Within those confines, they can practice hacks and defenses without damaging actual systems.
"We give them some of the tools, in an isolated, sandboxed environment, that hackers use so that they can understand what they will be defending against," explains cybersecurity master's degree program director Antonio Nicolosi. "We do projects where we ask students to think like the adversary."
Faculty also impart best practices and programming techniques: the compartmentalization of key data and functions when coding, so that a break-in in one area of a software or system doesn't immediately compromise all the data; slimming down of the code real estate crooks can scan for weaknesses; and "defensive coding" principles, such as the building in of multiple security checkpoints, to name a few.
Case studies are another component of Stevens' experiential approach.
"We learn a great deal about real-world attacks at Stevens through the use of case studies," says Drew Malzahn, a Class of 2018 undergraduate and master's cybersecurity student and leader of an informal 60-member security club that meets weekly on campus to dissect the latest hacks in the news.
Some courses even employ "red-teaming" role-playing exercises, splitting experienced students into multiple groups. A blue security team, working hard to design unbreakable protections, might be pitted against a second "red" team trying its best to outsmart those controls.
"The vulnerability we find tomorrow is probably something we haven't seen before," notes Wetzel.
All undergraduate cybersecurity majors are now also required to participate in capstone projects addressing real-world, or highly similar, cybersecurity challenges during their senior years, giving a taste of what their future cyberdefense assignments in industry or government will look like.
Malzahn, for example, spent a summer as a digital-detective intern with the Department of Homeland Security; now he studies the data quietly collected and stored by connected devices, such as Amazon's Alexa personal-assistant device, for his capstone project. Julian Sexton '15 M.S. '16, a cybersecurity engineer with the research nonprofit MITRE, performed a Stevens internship with MITRE prior to graduation, studying potential cyberweaknesses in vehicles' diagnostic ports.
Faculty research takes aim at privacy, passwords, more
Backing up its rigorous academic programming in the discipline, Stevens performs leading-edge cybersecurity research across a surprising range of fields.
Wetzel holds patents in wireless security and the generation of cryptographic keys, and the NSF recently appointed her a program director for NSF's prestigious Secure and Trustworthy Cyberspace (SaTC) program, a key one-year appointment.
Computer science department chair Giuseppe Ateniese works on a variety of security-related projects including investigations of password crackers and checkers, artificial intelligence-style cyberattacks, cloud security and bitcoin/blockchain privacy.
Other faculty are also active.
Professor Georgios Portokalidis has received a number of key grants for projects that may help prevent rogue software attacks, including an effort to systematically “debloat” huge programs such as those that operate defense systems. Nicolosi conducts research in cryptography and its applications to resolving issues of security and privacy in distributed systems, including fast authentication mechanisms for data forwarding in future internet architectures and a novel approach to non-commutative cryptography.
School of Business professor Paul Rohmeyer helps create models that enable better security planning and crisis decision-making, while mathematics professors Robert Gilman and Alexei Miasnikov investigate mathematical aspects of cryptography. Computer science professor Nikos Triandopolous develops solutions to ensure the privacy and trustworthiness of computations.
And a new cybersecurity project involving Stevens' Maritime Security Center will examine the cybersecurity of the nation's port, harbor and maritime transport operations.
Preparing the next professionals
It's clear cybercrimes will continue to expand in reach and evolve in scope.
Yet it's also clear that the next waves of attackers will be met with a more formidable collective effort than ever to bolster our national and personal digital defenses with strong counter-measures — and that Stevens will continue to help lead the way in training those on the front lines of that defense.
"Now that the battle has been joined, much will depend on equipping the current generation of students and professionals with strong computing fundamentals while also continuing to perform relevant research," concludes Ateniese. "Stevens, working closely with the government, industry partners and fellow universities, is a place where cybersecurity teaching and research is really thriving in this regard."