
Communications of the ACM

ACM News

Software to Test Cybersecurity Systems For Flaws



"Almost everything in our lives today involves computers. We need them to be secure," says Christopher Lynch, Chair of Mathematics and Computer Science at Clarkson University.

Credit: Clarkson University

In 1971, an enterprising hacker discovered that the plastic whistle that came in a Captain Crunch cereal box precisely reproduced the 2,600-hertz tone needed to access AT&T's long-distance computer network. For his efforts, he got free phone calls, according to California's Office of Information Security, which recently recounted the incident.

Cybersecurity systems are tougher to crack these days, but not tough enough. "When you work in cybersecurity, everything has to be just right," says Prof. Christopher Lynch, chair of Clarkson University's Division of Mathematics and Computer Science. "One little thing might be off, and that's the hole the intruder needs to come through and get everything."

To prevent that, Lynch is developing software programs that will test cybersecurity systems for flaws before they become operational. The U.S. National Science Foundation is funding the $1.2 million project, which involves Clarkson and four other research centers — the University at Albany-SUNY, the University of New Mexico, the University of Illinois, and the Naval Research Laboratory.

Lynch works in a mathematical realm called automated reasoning — teaching machines to think. In his current project, Lynch wants to teach machines to scan cybersecurity systems for glitches. People could do the job, but not as well. "A machine works better because the job requires speed, keeping track of many things at one time, plus the work is tedious," says Lynch. "A human might not consider all the alternatives, and they would make mistakes."

The project is so complex that it requires the input of specialists at the five research centers. "We have different expertise," says Lynch. "I know automated reasoning. My colleague at the Naval Research Center is an expert in cryptographic protocols [instructions written in code]. One of us alone cannot do this."

For many, cybersecurity means using passwords and keeping them secret. In Lynch's world, hackers steal information and disable computer systems with barrages of junk. It's a world where computers talk to each other, creating openings through which hackers can intercept information or substitute their own. Sometimes hackers dart in and out without being detected. "From the point of view of the criminal, the best thing is to get in and out without anybody knowing about it — to make things look normal when they're not," says Lynch.

Lynch's research comes as hackers have developed capabilities that could damage global commerce, penetrate national security networks, disrupt the electric grid, and derail pretty much everything else that depends on computers. As the threats grow, the current state of cybersecurity isn't good enough. "An adequate national capability to respond to the growing cyber threat does not exist," concluded a report issued by the National Telecommunications Advisory Committee in May 2009. Six weeks later, an orchestrated cyber attack struck 27 U.S. and South Korean government agencies and commercial Web sites, temporarily jamming more than a third of them, according to reports in The New York Times.

Lynch envisions a cybersecurity system with wide applications — everything from banking to national security. "It would deal with pretty much anything where you need to be sure your information is kept secret," he says. "The point is that almost everything in our lives today involves computers. We need them to be secure."

Lynch and his collaborators want their programs to find cybersecurity flaws in a system before it hits the commercial market, but their software could also be used to look for flaws in products already in circulation.

Still, whatever Lynch and his colleagues come up with to combat these problems won't work indefinitely. Periodically, it will need to be reworked as computers evolve and hackers find new ways to access data.

"When we finish this project, it's not going to be the end," says Lynch. "We come up with better ways to protect our data, and then people who are trying to steal our data come up with better ways of doing that. It's a battle back and forth. I don't think there will ever be a point where we've solved the problem."
 


 
