Cybersecurity systems are tougher to crack these days, but not tough enough. "When you work in cybersecurity, everything has to be just right," said Christopher Lynch, chair of Clarkson's Division of Mathematics & Computer Science. "One little thing might be off, and that's the hole the intruder needs to come through and get everything."
To prevent that, Lynch is developing software programs that will test cybersecurity systems for flaws before they become operational. The National Science Foundation is funding the $1.2 million project, which involves Clarkson and four other research centers - SUNY Albany, the University of New Mexico, the University of Illinois, and the Naval Research Laboratory.
Lynch works in a mathematical realm called automated reasoning - teaching machines to think. In his current project, Lynch wants to teach machines to scan cybersecurity systems for glitches. People could do the job, but not as well. "A machine works better because the job requires speed, keeping track of many things at one time, plus the work is tedious," said Lynch. "A human might not consider all the alternatives, and they would make mistakes."
The project is so complex that it requires the input of specialists at five research centers. "We have different expertise," said Lynch, a professor of computer science. "I know automated reasoning. My colleague at the Naval Research Center is an expert in cryptographic protocols (instructions written in code). One of us alone cannot do this."
For many of us, cybersecurity means using passwords and keeping them secret. In Lynch's world, hackers steal information and disable computer systems with barrages of junk. It's a world where computers talk to each other, creating openings through which hackers can intercept information or substitute their own. Sometimes hackers dart in and out without being detected. "From the point of view of the criminal, the best thing is to get in and out without anybody knowing about it - to make things look normal when they're not," said Lynch.
Today's cybersecurity threats are far removed from their predecessors. One of the first things to invade a computer system was an insect - a moth trapped in a Navy computer in 1945. Rear Admiral Grace Murray Hopper discovered the intruder, removed it, and coined the term "debugging," according to a history of computer hacking compiled by The Washington Post.
Later threats weren't much more sophisticated; early hackers created blue boxes which generated a tone to access long-distance telephone networks. The Captain Crunch whistle was an extreme low-tech version of this. As time passed, the hackers got more troublesome. The term computer "worm" was coined in 1979, the term computer virus in 1983. In 1988, a worm disabled some 6,000 computers on the ARPANET, the forerunner of the Internet.
Lynch's research comes as hackers have developed the capability to damage global commerce, penetrate national security networks, disrupt the electric grid, and derail pretty much everything else that depends on computers. As the threat grows, the current state of cybersecurity isn't good enough. "An adequate national capability to respond to the growing cyber threat does not exist," concluded a report issued by the National Telecommunications Advisory Committee in May 2009. Six weeks later, an orchestrated cyber attack struck 27 U.S. and South Korean government agencies and commercial Web sites, temporarily jamming more than a third of them, according to reports in The New York Times.
Lynch's introduction to computers came in the mid-1970s, when his Vermont high school got a computer. The school gave students a few pointers about programming, but not enough to satisfy Lynch, who began to stay after school to work on the device. It was the beginning of his career. "If my high school hadn't shown us a computer, I probably would have been a math major," said Lynch. Instead, he earned a B.S. in computer science from Syracuse and a Ph.D. in the same field from Boston University. Between degrees, he did a five-year stint in software engineering at IBM.
Lynch envisions a cybersecurity system with wide applications - everything from banking to national security. "It would deal with pretty much anything where you need to be sure your information is kept secret," he said. "The point is that almost everything in our lives today involves computers. We need them to be secure."
Lynch and his collaborators want their programs to find cybersecurity flaws in a system before it hits the commercial market, but their software could also be used to look for flaws in products already in circulation.
Still, whatever Lynch and his colleagues come up with to combat these problems won't work indefinitely. Periodically, it will need to be reworked as computers evolve and hackers find new ways to access data.
"When we finish this project, it's not going to be the end," said Lynch. "We come up with better ways to protect our data, and then people who are trying to steal our data come up with better ways of doing that. It's a battle back and forth. I don't think there will ever be a point where we've solved the problem."