
Carnegie Mellon expert to school Congress on security

Monday, March 2, 2015, 11:30 p.m.

Bringing down the nation's most critical computer systems should take more than finding a single weakness, a top Carnegie Mellon University computer security researcher plans to tell Congress on Tuesday.

Americans can take some simple short-term steps to protect their computer information, says Greg Shannon, chief scientist for the CERT division of Carnegie Mellon's Software Engineering Institute. But eventually, the United States must develop a coordinated national strategy to build trust in computer networks while making it harder for hackers to attack, he says.

“Today, it takes only modest energy (computing and human) to find and execute economy-threatening attacks,” Shannon says in the prepared testimony he plans to deliver to a House Energy and Commerce subcommittee. “This creates an environment that favors the adversary by orders of magnitude.”

The Oversight and Investigations subcommittee chaired by Rep. Tim Murphy, R-Upper St. Clair, plans to hold a series of hearings focusing on computer threats and their impact on businesses and consumers. The first hearing Tuesday seeks to provide an overview of the history, present and future of cybersecurity.

The gap between hackers' abilities to break into systems and cybersecurity experts' abilities to protect them continues to widen, Murphy said.

“It does affect every family and will continue to do this,” Murphy said. “Our job is to make sure we provide the assets to stay on top of this. It continues to change and morph with time.”

The Tribune-Review's ongoing Cyber Rattling series has examined how computer hackers could attempt to bring down the nation's systems for energy, banking, transportation and other critical infrastructure and commerce. The newspaper reviewed advance copies of prepared statements experts are expected to present to Murphy's subcommittee.

“No sector is immune,” warns Richard Bejtlich, chief security strategist for FireEye, a Milpitas, Calif.-based cybersecurity company, in his prepared statement. “... The time to find and remove intruders is now. There is no point in planning for theoretical, future breaches until you know your own current security posture.”

Most recently, hackers have started using more so-called “phishing” emails that appear to come from computer technology workers within the victim's company, Bejtlich says. Criminals use them to steal passwords and eventually empty bank accounts.

In many cases, victims go for months without realizing their computers have been breached, he says. The median time to discover an attack is 205 days after the hackers have broken into the victim's systems.

“Unfortunately, it means that for nearly seven months after gaining initial entry, intruders are free to roam within victim networks,” Bejtlich says.

For retailers and other consumer-based companies, it can be hard to balance cybersecurity and convenience, Herbert Lin, senior research scholar at Stanford University's Center for International Security and Cooperation, says in his statement.

Computer users have better ways to secure their systems than easily guessed passwords — such as two-factor authentication that requires a second piece of information. But most of those other tools are a bigger hassle or cost more, Lin says.

“Cybersecurity measures are the antithesis of convenience,” he says. “Mostly, cybersecurity gets in the way of doing useful work.”

Shannon at Carnegie Mellon's CERT wants companies to share more information about computer breaches so researchers can start identifying more efficient ways of preventing attacks, he says. Hackers take advantage of victims' unwillingness to talk about being attacked.

“Science or technology are only as good as the data it is created from,” Shannon says, “and currently, researchers and developers have limited access to data, resulting in sub-par solutions and slower innovation.”

Andrew Conte is a staff writer for Trib Total Media. He can be reached at 412-320-7835 or andrewconte@tribweb.com.
