Changing technology creates new cyber opportunities, raises questions of ethical use
April 27, 2016
The term “hacker” may have negative connotations for many citizens around the world, but in today’s ever changing society, hackers may be the internet’s equivalent of police officers.
Benefitting from a world dominated by smart devices—interconnected data systems and precious files stored on flash drives smaller than a cracker—the field of information assurance has grown in both popularity and overall importance.
Though not a new concept to the Iowa State campus, the Information Assurance Master’s degree is gaining a healthy following of graduate students interested in defending computer systems and becoming proficient attackers.
Information assurance or cyber security is the practice of protecting data and computer systems for companies or businesses, while also understanding how to retrieve information from locked databases. Beginning with simple elective classes in 1995, the first masters course was created in 2000 with just a handful of course available for students at the time.
Today the amount of course content has nearly doubled, paving the way for new classes that have evolved alongside with technology. Creating a program that is always on the verge of change.
“A couple of the of the new courses that have been developed in the last few years speak to what people call ‘the internet of things,’ such as your furnace or refrigerator being connected to the internet and how to protect something that can’t protect itself,” said Doug Jacobson, professor of Electrical and Computer Engineering and chair member of the Information Assurance Center.
“Another important idea is that of grids such as power and water being controlled by computers, an attack just occurred in the Ukraine where a cyber attack took out their entire power grid,” Jacobson said. “So we now have an entire course on what is known as cyber physical security.”
Emerging ideas and discussion that wasn’t able to take place 10 years ago have lead to courses developing and introduced at Iowa State to deal with newer threats.
“You’re seeing these newer courses coming along to deal with emerging threats and issues, but the core curriculum is still there such as network security and information warfare. It’s just the material that is always being updated,” Jacobson said.
Taking roughly two years to complete, the course requires a total of 30 credit hours with an extra 6 credits worth of research. Given the nature of the program, much of the lab and class work focuses on hands on experiences that include cyber competitions or projects.
The ISEAGE Cyber Defense competition is one of the larger events within the information assurance program, tasking students with attacking and defending various computer systems.
Keane O’Kelley, junior in computer engineering, president of the Information Assurance Student Group and member of the ISEAGE lab, said students form a blue team, who are like IT administrators for a company, and are tasked with securing systems given to them.
“However, they are horribly insecure with many bugs security flaws,” O’Kelley said. “Their job is to find all these bugs over three to four weeks, then on competition day we bring in professional hackers from Boeing, Union Pacific, etc. and they come in and try to hack into what they students create.”
Serving as a learning tool for students, learning to create a defensive strategy for a system is an important aspect of the competition but for some the real joy comes from attacking and retrieving data.
“I’d say I probably like red team [attackers] more, it’s like what’s more fun building a castle brick by brick or knocking it all down with a rocket launcher,” said Alec Poczatek, information assurance masters graduate student.
The difficulty for those who develop defensive options for individuals and companies is the ever evolving landscape of information assurance. As technology become more advanced, techniques change and popular methods of data extraction can become obsolete.
This creates, as information assurance masters graduate student Eric Eng claims, a constant battle between developers for control over security.
“If you look at the world of information assurance as a whole it’s practically an arms race,” Eng said. “Someone develops something to defeat a defensive practice so then we have to produce another practice that’s able to defeat what’s been created.”
An example of a newly created malicious software can be seen in the jigsaw ransomware virus, a program designed to extract money from a user in a style similar to that found in the film franchise Saw.
“A person came out with this cryptography, cryptolocker Jigsaw, that locks down your computer and says ‘let’s play a game.’ If you don’t pay the person a certain amount of money they will begin deleting thousands of files every hour until nothing is left on your computer,” said Joe Wilson, graduate student in information assurance.
Despite the large amount of potential dangers for unsuspecting web users, much like the before mentioned arms race, it doesn’t take long for programs like jigsaw to be cracked and destroyed.
“However, 24 hours after that [the arrival of jigsaw] someone managed to break the Jigsaw key distribution and publish their keys online, so someone gets hacked and then not too long after that they themselves are hacked back,” Wilson said.
This vicious cycle of creating malicious content and then creating defensive measures to deal with the new viruses raises ethical questions of whether teaching students how to hack computer systems is truly a beneficial system.
“Before 9/11, the pilots who conducted the attacks were later known to have been training to fly in America. Though we know now at the time we were not able to detect this suspicious activity,” said Patrick Clancy, a student in the Information Assurance Masters program. “We can’t blame the teachers who taught those men how to fly as they had no way to know what they were doing or any way to prevent what happened, it was their job. In the same manner, you can’t blame Doug Jacobson for teaching a 534 class to a student who ends up using what he knows for bad purposes.”
Instilling a sense of ethical responsibility when dealing with computer systems is an integral part of the masters program, as gaining classified or personal information from a person is all too easy for a trained hacker.
“There’s been a paradigm shift over the years in the security world where it used to be companies working to keep everyone out and not letting a single person in, but the lesson that’s been learned is that it’s virtually impossible,” Clancy said. “People that know what they are doing are going to find a way in and get into at least the outer structure of your network. So now people are saying that the focus should now be locking down and protecting the most important assets to a company/business.”
Clancy sees those who wish to embark in the master’s program as people wanting to make positive change in the world, but still realizes there is no guarantee when working with students that foul play will never be involved.
“Is there a guarantee that those who come out of the class won’t use they learn in the class for malicious purposes?” Clancy said. “Of course there isn’t, but the hope is that those who go through the program and in it for the right reasons, wanting to help protect companies or government agencies.”
Having over 20 years of experience in the working world of software development and managing software employees, Clancy began to change his path towards information assurance as way to become more hands on with software and see his work help those who need it. This starts with an internship for a major intelligence agency under the department of defense in Washington.
“I really didn’t feel fulfilled with what I was doing… though I can’t say what I will be currently working on in the future as it is classified I can for sure say that it will make a difference for people and that’s what I was looking for [in a career],” Clancy said. “Technically I was helping in my last job, creating software for managing medical records for those with disabilities, but I felt like a glorified babysitter just managing people. I wanted to get my hands back into actually working on a project.”
As part of this ethical training, students within the program must complete an ethics training course in the form of a class. INFAS 534, legal and ethical issues in information assurance, teaches students important state and legal codes for data intrusion as well as the issue of privacy vs. protection in today’s society.
As student interest continues to grow, Jacobson sees no stop to the building momentum behind the program.
“It’s always growing and we are always looking towards adding new classes, the newest thing we’ve added is a minor in cyber security,” Jacobson said. “Now a lot of our undergraduates in computer engineering are taking our graduate classes because they now have those opportunities as an undergrad.”
Being the only university in Iowa to receive the NSA accredited centers of academic excellence, students have the opportunity to work with many institutions and businesses as well as other colleges across the nation on cyber security projects.
“Some of the intelligence organizations have specific problems, but don’t have the manpower to solve every problem at once so they have this program called ENSURE where they authorize schools to be good in areas like cryptology for example,” Poczatek said.
Currently the graduate team is working alongside other accredited universities such as with Houston University, Austin University, John Hopkins University and Purdue of which—along with Iowa State—is credited with having one of the first cyber security programs in the country.
“The program will bring in employees from places like the NSA or the FBI and we skype them once a week where they will give us projects, you’re literally working with them,” Poczatek said.
The team worked last semester the team worked on quantum resistant algorithms to quantum resistant cryptography. Due to upcoming quantum computers encoding data on qubits instead of binary digits (bits), they are able to break current encryption methods much quicker than usual. The idea was to create a new encryption that could beat quantum computing, using just a laptop.
As more and more classes become standard to online portals versus an in class variation, the focus of the degree is becoming more popular with those who are choosing to come back to school either on a new career path or to further their education.
“A lot of time people get information technology or MIS degrees, and then while they are out on the job they’ll go and get the master’s degree,” Poczatek said. “Many sub security jobs require you to have certifications or maintain a certain amount of education hours, meaning you actually have to go to class because cyber security changes so often.”
Currently, between 50 and 60 graduates are in the online component of the Information Assurance program, among many who are currently occupying a job.