Op-ed: Moving beyond ‘medieval’ cybersecurity

The following op-ed was published in the St. Louis Post-Dispatch on Friday, Oct. 30, 2015. The author is Dr. Bruce McMillin, professor of computer science, associate dean for research and external relations in the College of Engineering and Computing, and co-director of Missouri S&T’s Smart Living signature area.

The U.S. Office of Personnel Management’s recent announcement that 5.6 million fingerprint records were stolen is the latest in a rash of break-ins that raise concerns about how to make our online lives more secure. From the U.S. government to the adult online dating site Ashley Madison, it seems no system is safe from a potential cyberattack.

Dr. Bruce McMillin

As we finish National Cyber Security Awareness Month (observed every October), our nation continues to face threats to our cyber infrastructure that could cripple national security. Despite tremendous advances in technology, our approach to protecting information stored online still has more in common with medieval defense tactics than with the integrated and smart approach we need.

A firewall is much like a castle moat or wall designed to keep the “bad guys” out. But history shows that this approach does not work. The Great Wall of China, for instance, was a defense fortification that was breached simply by going around it. In modern times, attackers use breaks in the (fire)wall and phishing attacks to steal passwords to launch their assaults.

The problems will get worse. Our modern systems are both physical and computational. In such a “smart” environment, attacks can come from multiple sources, some even inside what we consider protected. The Stuxnet worm, for example, caused a factory floor process to produce sub-standard product and destroy the very equipment that was being operated — all while reporting to the factory operator false information that everything was going fine. What’s particularly insidious is that the worm, the factory floor and the factory operator were all inside the security firewall.

Imagine a similar scenario in your smart home, where the cyber system now controls your physical house — seemingly for you, but also for an attacker monitoring your electrical usage. That attacker could steal your appliance usage for commercial reasons, enter your house when you are away, or do physical damage to your house, such as shutting off the heat in the winter.

Securing cyber-physical systems today is simultaneously easier and harder. On one hand, attackers are limited by what false information they can use to trick a system owner. On the other hand, the physical part of our systems inherently leaks confidential information through physical observations; the pattern of your home lights and the route you take on your commute give an attacker an idea of when you’re away.

What can be done? In a purely cyber system we can “opt out” — not use the system — or reduce the amount of information stored, so that when an attack does occur less information can be lost. But these are stopgap measures. One approach is to store your information encrypted in the cloud and never decrypt it, operating only on the encrypted information. This would mitigate cyber theft. But in a smart community, it isn’t possible to opt out, or you would never get electricity or water.

In the end, we must focus on the information that both flows into and out of every portion of our smart living environment, both hiding what we consider private and disrupting the ability of our adversaries to launch information attacks.