Robert Cunningham on Advancing the Art and Science of Cybersecurity

Robert Cunningham

Robert Cunningham leads the Secure Resilient Systems and Technology Group at MIT Lincoln Laboratory is chair of the IEEE Cybersecurity Initiative, which was created jointly by the IEEE Computer Society and the IEEE Future Directions Committee. In this interview, he highlights accomplishments over the three-year lifespan of the Initiative as it prepares to formally graduate at the end of 2017.

Question: The IEEE Cybersecurity Initiative launched in 2014. What was the goal? And what were some milestones toward that goal?

Cunningham: The Initiative was started to address the massive challenge of cybersecurity that was being observed by almost every IEEE society. To meet this need now and into the future, we’ve developed educational tools, design and development documents, and impactful new venues to help students, members, and cybersecurity practitioners hone their skills.

For example, we wanted to give students and their professors access to great educational tools, so we started the Try Cybersecurity Initiative (Try-CybSi). It was designed as a quick introduction for those who are interested in cybersecurity. The idea behind Try-CybSi is that people tend to learn best when they’re actively engaged with learning. This started with a number of simple examples that showed people what an attack was and how you would defend against that attack. We had a lot of help on that from Justin Yang at Purdue.

More recently, we’ve been working with Fabian Monrose of UNC Chapel Hill on building a platform to help engineers learn about security through challenge-based learning. In this game, students actively defend a system while the game’s AI is trying to attack the system. Both of these are useful and exciting ways for people to learn a little bit about this whole field and to get excited about some of the interesting problems that people working in this field have to face.

In the case of cybersecurity professionals, we pursued what we called a building code approach to secure design. We wanted to get away from sprinkling “a little cybersecurity,” onto an already-built system, and move toward thinking about software development like building a house or a bridge. With those structures, there are a number of problems that you have to address in the design stage before you start construction. It’s our hope that we’ve helped convince others that careful software architecture should consider how to keep a system up even if attacked, and to design the system using components that can survive unanticipated stress.

To ensure we captured the best available understanding of how to do this, we worked with industry and academia to lay out key design considerations and constraints and describe pitfalls and best practices for building a more secure system. There’s now a range of documents that we’ve developed. We started with a discussion about Avoiding the Top 10 Software Security Design Flaws that apply across the board and then expanded into the additional, unique considerations for specific sectors. The first building code was for medical device software security, followed by power system software and, most recently, the Internet of Things (IoT). These are living documents in the sense that they’ll be updated to reflect new vulnerabilities and attack vectors.

Question: What are some other successful programs that the Initiative developed?

Cunningham: A great milestone in 2016 was working with the IEEE Computer Society’s Technical Committee on Security and Privacy and its chair, Ulf Lindqvist to launch the annual IEEE Secure Development Conference (SecDev), which is dedicated to building security into systems. It’s been held twice so far in the Boston area and has found an enthusiastic and growing audience. It’s a great opportunity for people who want to discuss cybersecurity and learn from peers who are struggling with and solving some of the hardest problems in this area.

We also launched a Cybersecurity Ambassador program, with special thanks to Celia Merzbacher, who created this to encourage growth of and train engineers worldwide who are aware of the cybersecurity challenges and solutions available.

Question: When you look at all of the factors that affect cybersecurity, where would you rank the skills gap/talent shortage? And what could/should vendors, governments, schools and other organizations do to help get more people to consider a career in cybersecurity? 

Cunningham: There are broad gaps and many opportunities. In order to build a secure system, you have to get things exactly right at several phases in the software lifecycle. First, the designer or the software architect has to know what the right design patterns are to make sure that the systems they build are themselves secure. The second phase is implementation, where you build the software to meet the security and functionality design, properly integrating tools and libraries that are themselves secure. Next is deployment, which requires configuring the system so that it’s secure. The fourth and final stage is operating the system in a secure manner.

It turns out that the people who work in each of these areas often come from different backgrounds, have different types of knowledge and expertise and have different techniques that they could use to deploy the system securely (or insecurely). For example, in the architecture phase, one of the things that really helps ensure security is segmenting the data that you need to keep private from the data that’s going to be used by or provided to some other party. The whole notion of segmentation and what software and data you segment from others is really important.

The software developer working during the implementation phase has a completely different set of concerns. A key challenge for these people is handling user-provided inputs. This data needs to be properly acquired and safely stored in memory, then scanned to ensure that the data is of the right type and in the right range. The software architect probably never thinks about that sort of a thing, but the person doing the implementation does. This person might or might not have a formal computer science background, so they might not know the implications of not carefully checking input. The Cybersecurity Initiative leaders want to make sure that all developers are more aware of this challenge.

Question: It sounds as if one overarching theme is that whether you’re an enterprise using some piece of IT that has to be kept secure, or whether you’re a vendor developing an IT solution that has to be secure, you really can’t have everybody in the organization operating in silos. They have to communicate their concerns and their best practices with their peers in other areas to make sure that the entire system is secure holistically. 

Cunningham: Exactly right. This is extremely challenging. That’s why we created a conference on secure development. Attendees at SecDev discuss the process of learning the right things to look for and understanding how an assumption at the front end will affect what the person at the back end can and must do.

One of my favorite SecDev conference presentations was by the renowned cryptographer Jonathan Katz, whose “Thinking about Cryptography” presentation gave us his view on what needs to be done to allow a developer to securely implement cryptography, what we’re doing right and what we’re doing wrong, and how we can change things going forward. He highlighted a common cause: an incomplete separation between specification (the application programming interface) and the implementation (mechanism) and showed how this has led to a lot of security errors over the years. He then went on to offer a few ideas of how to allow a software architect and developer to work together securely. It was a great talk full of brand-new ideas that I hadn’t heard before and is well worth viewing.

Another first-year highlight from SecDev was Lorrie Cranor’s presentation about operating networks and services — specifically, thinking and rethinking what it means to have a secure password. She gave a great summary of her many years of research in this area and what the implications are for people who are working in that space.

This year, there were some great talks by speakers from industry, including keynote presentations by Francesco Logozzo at Facebook and Christoph Kern at Google, who told us about what they’re doing in their day-to-day operations to make sure that the systems they build remain secure.

Finally, we created two IEEE Cybersecurity Awards for practice and for innovation. These awards will be given out yearly at the IEEE SecDev conference. I encourage colleagues to nominate each other for these awards.

Question: What else would you like to share as you help to wrap-up the Initiative? 

Cunningham: The Initiative’s had a huge amount of help over the years, and I’d like to thank everyone who volunteered to be part of our progress. From the beginning, our steering committee provided feedback, suggestions, encouragement, energy, and ideas for a lot of the efforts we pursued, and I’d especially like to thank everyone on that committee. And thanks to the SecDev organizing and program committees and to those who are going to carry this program on in the future. They helped enable discussions covering a practical approach to security, which is really important.

Cybersecurity as an area is going to continue to be a challenging and exciting. The way that we currently architect our computer systems, starting with the hardware of those computers, moving up to the operating systems, and up to user-level applications will continue to make it difficult to build secure systems and secure services until we learn how to separate the specification from the implementation, and until we learn how to select and properly use components that are themselves secure. We will also need to know how to deploy and operate those systems securely. As I look to the future and consider other advances underway, I don’t think that future innovation in related areas like AI or the Internet of Things is going to make security easier either.

The cybersecurity field needs a way to continue to address these and many as-yet unimagined challenges as they come forward. It’s my hope that the tools, documents and the SecDev venue that we created during this Initiative will enable people who are excited about solving these problems to talk to each other and develop techniques that will solve these extremely hard problems.