Mark (Mohammad) Tehranipoor is F.L. Castleman Associate Professor in Engineering Innovation and director of UConn’s Center for Hardware Assurance, Security, and Engineering (CHASE). He spoke with UConn Today about the federal government's recently issued draft guidelines for achieving a higher level of defense against cyber attacks.
Q: The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) last week released its preliminary cybersecurity framework for the country that is supposed to better protect the nation’s critical infrastructure from cyber attacks. What kinds of threats do these cyber attacks pose for U.S. national security and economic stability?
A: The threats are very serious and they should be one of our main concerns when it comes to critical infrastructures. Traditionally, we think of natural disasters and terrorist activities as the biggest threat to some of our critical infrastructures, such as power systems, and cybersecurity does not seem to get the attention it needs. Given the complexity of the systems and networks, combined with globalization, there are vulnerabilities in our systems today. A cyber attack can shut down major power systems, obtain access to nuclear sites, obtain secrets, and access financial information. All of these can have catastrophic effects, disrupt people’s lives, impact national security, and hurt our economy.
Q: What is your initial impression of the proposed national cybersecurity plan and how do you feel industry will respond?
A: This is certainly a step in the right direction. The proposed framework outlines very high-level steps organizations can take towards addressing cybersecurity risks. A big assumption when putting this framework together by NIST is that the organizations already have risk management programs in place. Past experience has shown, unfortunately, that this is not necessarily the case.
I think industry will respond to this framework positively. To what extent it will be accepted depends on the different organizations, different risks in different sectors, etc. For an organization that already has a strong risk management program in place, implementing this framework should not be a major challenge. However, those who are new to risk analysis may be reluctant to invest as much in establishing such a framework, unless it is proven efficient for other organizations or industries.
Q: One of the concerns about earlier drafts of the framework was that it was overly cumbersome. It sets guidelines for five cybersecurity functions – identify, protect, detect, respond, and recover – centered around 21 categories and 90 subcategories across 16 critical infrastructure sectors like power, transportation, and telecommunications. Is this level of complexity necessary when dealing with an issue like cybersecurity?
A: I think these are valid concerns. As I mentioned earlier, organizations that have already implemented their own risk management may be able to leverage many of their existing functions for cybersecurity risk management as well.
Another concern is the dynamic nature of the cybersecurity threats. How adaptive is this framework to such a moving target? It is easier to prepare for a natural disaster because those types of threats are known and often well understood. However, this is not necessarily the case for cybersecurity threats. I do not believe there is such a thing as “a comprehensive cyber threat taxonomy” that different organizations can prepare for. Different infrastructures, networks, systems, and software can be vulnerable to cyber attacks differently.
For instance, the framework includes a step for creating an organization profile and to better understand existing security gaps. The main challenge here is a general lack of understanding of all the different types of cybersecurity attacks the organization will have to deal with. Knowing the attacks, a priori, will certainly make the implementation of the above-mentioned five steps – Identify, Protect, Detect, Respond, and Recover – much easier. This is a challenge that requires a significant amount of research. It is known that cybersecurity threats are more of a cat-and-mouse game. The adversaries are becoming much more sophisticated every day, so our framework must be able to adapt quickly and respond to threats that are known as well as those that are “unknown.”
Q: The standards set forth in the new framework are not mandatory for businesses, and there seems to be some confusion as to what specific recommendations industries must meet in order to “adopt” the guidelines designed for them. Do you think implementing this new framework will be difficult because of this?
A: Indeed, implementing the suggested standards without the proper scientific support will be difficult for industry. As I mentioned earlier, this is, in my view, a step in the right direction. The cybersecurity threat is real; therefore, this framework, even if not completed entirely, will have a positive impact on industry.
However, there are many challenges associated with the proposed framework. The suggested number of standards will certainly not be the complete answer to the problem. These standards have yet to be proven in the context of cybersecurity attacks.
Q: UConn’s Center for Hardware Security Assurance, Security, and Engineering (CHASE) is dedicated to meeting the cybersecurity challenges of the future. Can you share with us some of the projects your research teams are working on?
A: Our projects at CHASE are sponsored by government and industry. We develop tools and methodologies for improving the security of hardware underlying information systems, ensuring trust in the supply chain, assessing the security of electronic devices and systems, network security, data privacy, and more. I believe CHASE is positioned well to (1) help examine the proposed framework for different critical infrastructures, (2) foster a workforce that understands cybersecurity threats and risks, and (3) work very closely with industry on their challenging problems.
Q: The federal government has made cybersecurity a major priority. Are there plans at UConn to expand existing research programs or launch new collaborations with industry in response to this significant issue?
A: Currently there is a collaborative effort underway between the Electrical and Computer Engineering and Computer Science and Engineering departments to grow the areas covered by the CHASE center, and move this center from a “Hardware Security” center to a “Cybersecurity” center under the same name as CHASE (Center for Cyber and Hardware Assurance, Security, and Engineering). This is indeed an exciting development, which is timely given the emphasis from President Obama in addressing cybersecurity threats and the development of NIST's framework. Given the expertise the two departments have, I firmly believe that the new CHASE center will be able to contribute significantly to these very challenging problems.