
Communications of the ACM

BLOG@CACM

The SolarWinds Hack, and a Grand Challenge for CS Education



December 21, 2020 http://bit.ly/2YD1e9c

For all its breadth, depth, and skillful insertion via the supply chain, the latest hack of critical departments of the U.S. government—and of many leading corporations from around the world—should come as no surprise. Twenty-two years ago, as American forces were readying to strike Iraq for violations of an agreed-upon U.N. weapons inspection regime, deep intrusions into sensitive military information systems were detected. Enough material was accessed that, if printed out, it would have made a stack over 500 feet tall. The investigation into this hack, code-named "Solar Sunrise," unearthed a group of teenagers, two in Northern California, one in Canada, and a young Israeli computer wizard, Ehud Tenenbaum.

The youth of the miscreants, and their lack of connection to a hostile power, led to a somewhat dismissive attitude toward this sort of cyber threat. The absence of a sense of urgency about the problem was noted in a study of the matter undertaken by the National Academy of Sciences the following year, 1999, at a time when yet another very grave series of intrusions into American defense information systems—this time seemingly by Russians—was occurring. The effort to detect, track, and then deter further hacks was code-named "Moonlight Maze," an investigation that revealed the intrusions had been ongoing for at least three years before having been spotted.




It also took about three years to catch on to an apparent Chinese effort that had been cyber-snooping in sensitive American national security systems as well. That was back in 2003, when the "Titan Rain" forensic investigation got under way in earnest. Ever since, the Chinese efforts, led it is thought by their elite Unit 61398, have focused more on industrial and commercial intellectual property theft rather than on specifically military matters, to the tune of what is thought to be hundreds of billions of dollars worth of cutting-edge information.

The SolarWinds affair is simply another incident in a long pattern of intrusions. Yes, the angle of inserting malware in software specifically designed to enhance security is a creative touch. But we in the defense world have long been aware of this means of insertion. Indeed, I had graduate students at the military school where I teach working on exactly this sort of problem many years ago. And the Stuxnet hack of the Iranian nuclear program a decade ago operated through the supply chain as well.

Why, then, this worst-ever hack? The National Academy study from 1999 put the matter well when it focused on an organizational culture, especially in the military, that tended to downplay thinking and planning for defense. To this I would add that, when conceiving of defense, too much reliance is placed on firewalls and anti-viral software designed to keep intruders out. These are Maginot Lines. Instead, the right approach is to "imagine no lines," to think in terms of aggressors who will always find a way in. By cultivating a mind-set emphasizing this inevitability, those charged with protecting our cyberspace will find that innovative defensive practices will arise more readily.

For example, replacing the current faith in triple-belt firewalls with the ubiquitous use of very strong encryption will improve cyber defenses immeasurably. For it should be obvious by now that data at rest is data at risk. And beyond more and better use of encryption, sensitive data should also be kept moving. In the Cloud, even around in the Fog (populated by "edge devices" such as routers and switches that provide entry into enterprise or provider networks), the combination of strong crypto and cloud and edge computing will frustrate even the best cyber spies.

What is to be done now? Aside from fundamentally shifting the emphasis away from "static" cyber defenses such as fortified firewalls and anti-viral software that find it difficult to detect the latest advances in malware, it is crucially important to take full advantage of the opportunity the SolarWinds hack has provided to scour all information systems for any signs of delayed-action devices—designed not for spying, but rather for disrupting or distorting data flows in time of war. Military and business information systems should both get a clean bill of health; that is, test negative for signs of "cybotage," before shifting to a new security regime based on strong codes and regular movement of data.

Such a scrubbing makes for a tall order. But unless action is undertaken now, the risk will grow that the next SolarWinds-like event will come in a time of crisis or conflict, when lives are at stake and the price of complacency will be paid with the blood of soldiers frantically trying to access vital systems that no longer work.


Mark Guzdial: Teaching Critical Computing is a Grand Challenge for the Whole CS Curriculum

December 28, 2020 https://bit.ly/3oASM4U

The October 2020 issue of Communications had an education column by Amy Ko and her students, "It is time for more critical CS education" (see the paper at https://bit.ly/3jfnhw3). I had been looking forward to this paper since I saw Ko give the keynote talk on this topic at the Koli Calling conference in 2019, "21st Century Grand Challenges in Computing Education" (see the YouTube video at https://bit.ly/39GODrN). The authors argue that computing is so pervasive and critical to modern society that we need to prepare students to make decisions as professionals that are careful with the power that they are wielding. We must be teaching students that:

  • Computing has limits.
  • Data has limits.
  • CS has responsibility.

I highlight here one particular paragraph in the paper:

Realizing a more critical CS education requires more than just teachers: it also requires CS education research. How do we teach the limits of computing in a way that transfers to workplaces? How can we convince students they are responsible for what they create? How can we make visible the immense power and potential for data harm, when at first glance it appears to be so inert? How can education create pathways to organizations that meaningfully prioritize social good in the face of rising salaries at companies that do not?

I strongly agree that we need CS education researchers to figure out how to achieve these goals, because we don't know how right now. I also agree that we need more than "just teachers." We need ALL CS teachers. You don't meet a grand challenge with a handful of education researchers. A grand challenge requires a broad and pervasive response. We can use research from other-than-CS sources to identify the issues in meeting the challenges in Ko et al.'s paper.

A significant risk of teaching students about critical computing is the risk of buoying confidence without imparting knowledge or changing behavior. There are questions about the effectiveness of ethics education, like this study in business (https://bit.ly/36BtGN8). Some studies of financial literacy education showed that students leave the course with greater confidence in their ability to make decisions, but without enough knowledge to actually make better decisions (see this study at https://bit.ly/3jekweG, and this study at http://bit.ly/39GRqRX). The concern is that we may give CS students the confidence that they know how to make critical decisions about computing, when they actually do not know enough to make those decisions or they don't use the knowledge that they have effectively.

We cannot solve a grand challenge with a single course, either. Erin Cech is a sociologist who studies engineering education. She writes (see the paper at https://bit.ly/3cy9SOv) that we can't get past the "culture of disengagement" unless we send a consistent message across the entire curriculum. A single "ethics" course sends the message that ethics is a one-shot deal, a box that you tick. Learning sciences research suggests that getting students to apply their knowledge in outside-the-classroom situations (the challenge of "transfer") requires an approach that helps students connect the knowledge to several situations. If we want students to engage with ethical decision making, it has to be a message sent throughout the curriculum.

We need to prepare our students to have a critical perspective on computing. It is a research challenge, but it is also a challenge of will. We have to decide to meet this challenge as a field, not just with a course.

Thanks to Michael Kirkpatrick for pointing me to the Cech paper.


Authors

John Arquilla is Distinguished Professor of Defense Analysis at the U.S. Naval Postgraduate School. From 2005–2010, he served as Director of the Department of Defense Information Operations Research Center. The views expressed are his alone.

Mark Guzdial is professor of electrical engineering and computer science in the College of Engineering, and professor of information in the School of Information, of the University of Michigan.


©2021 ACM  0001-0782/21/4

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and full citation on the first page. Copyright for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, to republish, to post on servers, or to redistribute to lists, requires prior specific permission and/or fee. Request permission to publish from permissions@acm.org or fax (212) 869-0481.

The Digital Library is published by the Association for Computing Machinery. Copyright © 2021 ACM, Inc.


 
