The field of cybersecurity has become a never-ending cat-and-mouse game. A security vulnerability is identified, a fix is developed, malicious hackers devise a more creative attack, and the cycle repeats itself.
"This arms race between the good guys and the bad guys needs to stop," says Larry Rohrbough, executive director of the Team for Research in Ubiquitous Secure Technology (TRUST). "We need to become less reactive and more proactive."
And so TRUST, a research center funded by the U.S. National Science Foundation (NSF) and based at the University of California, Berkeley, is developing what it calls a cybersecurity "science base" — a principled approach to developing "trustworthy systems" in which security is an integral part and not "bolted on like an afterthought."
TRUST, now in its seventh year, is developing cybersecurity science and technology that will transform the ability of organizations to design, build, and operate trustworthy information systems for the nation’s critical infrastructures, including the financial sector, healthcare delivery, and physical infrastructures.
TRUST also contains an education component aimed at curriculum development and research opportunities for undergrad and graduate students, an outreach component looking to broaden participation in computer science, and a knowledge-transfer component that works with industry partners and government agencies "to take the results of our work out of the research lab and have them applied to products and systems," Rohrbough says. Currently, TRUST has more than a dozen U.S. and international industry collaborators, including Cisco, IBM, Intel, Qualcomm, Symantec, and SELEX-SI.
Shankar Sastry, dean of Berkeley’s College of Engineering and TRUST’s director and principal investigator, hopes the project will reduce the huge amount of time and resources the computer science community spends on fending off attacks on a piecemeal basis.
"What we need is the sort of science the medical profession has developed, like the kind taught in medical schools," explains Sastry. "Med students learn anatomy, physiology, epidemiology, disease models… and then the treatment options and how to dispense cures. Similarly, we need a roadmap for people to invest in cybersecurity in a formalized, holistic fashion rather than passing out Band-aids in an ad hoc fashion. We need to standardize these technologies, instead of everyone having their own hush-hush, very boutique methods."
According to Sastry, three of the big questions TRUST is tackling involve:
- Cybersecurity economics. Beyond taxation or regulation, what sort of positive incentives can be devised to urge spending to secure the infrastructure and provide cybersecurity for the common good?
- Cyberattack attribution. How to determine from where attacks emanate? It is difficult to defend yourself when you don’t know who is attacking you, especially if it comes from foreign soil, says Sastry.
- A successor to TRUST. How to set up and fund a successor center that involves industry, government, and academia?
In 2015, when the NSF completes its 10-year, $37-million funding of TRUST, Rohrbough hopes the center will have created a well-established approach to thinking about building systems.
"We intend to have tangible results in terms of changes to curricula to teach these concepts to the upcoming generation of students," he says, "and also tools and techniques that software companies, vendors, and system integrators can use to improve the security of their technologies. Our goal is to complete all of this by the end of TRUST, which will be a nice legacy for all the effort we’re putting into this project."
Meanwhile, Rohrbough welcomes input from disciplines outside the computer science and engineering research communities — perhaps in biology or medicine — that might have a different perspective, "perhaps a scientific method they use that we can apply to security to steer computer scientists towards thinking a little differently. I believe that will help this science base become more than an ivory tower initiative."
Paul Hyman was editor-in-chief of several hi-tech publications at CMP Media, including Electronic Buyers’ News.