The Department of Computer Science is ramping up its research and education efforts in the area of cybersecurity to help meet a critical national need
In 30 years of teaching and research in the area of network and software security, Dr. Douglas Reeves has seen the landscape change drastically.
Hackers were once interested mostly in the notoriety, proving that they could break the most impenetrable systems, said Reeves, a professor in the Department of Computer Science (CSC). That changed in the mid-2000s, when organized crime saw the potential for profit and became very interested in cyberattacks.
“The motive for attacks has changed significantly over the last 20 years,” Reeves, who is also the College’s associate dean of graduate and international programs, said. “It’s much higher stakes.”
The CSC department is enhancing its research and education efforts with expanded offerings for undergraduate students, scholarship opportunities and a new cybersecurity research center.
The move will help meet a growing need for research that leads to more secure systems and for trained professionals to work in the industry. Cyber Seek, a website that provides data about supply and demand in the cybersecurity job market, reported that in North Carolina alone, 34,379 people are employed in the field and 19,657 job openings were listed between October 2018 and September 2019.
“The good news for students, of course, is that there are just unlimited opportunities,” Reeves said.
From Education to Research
The department launched a master’s track in security in 2017 and an undergraduate track in 2019. At the same time, CSC has received a $2.75 million award from the National Science Foundation (NSF) to launch a CyberCorps Scholarships for Service program that is available to undergrad and graduate students specializing in cybersecurity. Five scholarships will be awarded annually.
In addition to full tuition, the two-year scholarships provide a generous stipend, health insurance and an allowance for other professional expenses. In return, students agree to work after graduation with a federal, executive-branch government agency for an equal period of time. A newly created director of cybersecurity education position will oversee the undergraduate concentration and the scholarship program.
On the research side, the Secure Computing Institute (SCI) created in 2019 will pull together much of the work and funding already in place in CSC and other parts of the University. Chief among them is NC State’s Science of Security Lablet, a National Security Agency program that has brought $19 million in research to NC State since it was established in 2012. Science of Security Lablets are multi-disciplinary labs at a handful of leading U.S. research institutions that promote security and privacy science as a recognized field of research and encourages rigorous research methodologies.
The institute and undergrad concentration will both include a strong industry component, enabling partner companies that work in cybersecurity or need more of it to benefit from research collaborations and have mutually beneficial interactions with students.
The department has eight faculty members in security and privacy, in areas ranging from cryptography to the security and privacy risks of sensors embedded in modern smart electronics, telephone networks and Internet of Things-enabled devices.
“We’ve worked very hard to create a really rounded-out security group that complements each other well,” said Dr. William Enck, associate professor in the department and co-director of SCI.
The Best Defense is a Good Offense
In order to know what defense to play you need to know how the attackers play.
Dr. Alexandros Kapravelos
In order to teach students to be good defenders, Dr. Alexandros Kapravelos teaches them to be attackers.
As part of his undergraduate and graduate security classes, Kapravelos, an assistant professor of computer science, introduces his students to common cyber-attacks and has the students try them out in a test environment. It’s the same idea behind HackPack, a student organization interested in cybersecurity that Kapravelos advises. Each spring, the group holds a Capture the Flag event that involves teams competing to solve security challenges.
“Fundamentally, in order to know what defense to play you need to know how the attackers play,” Kapravelos said. “So, hopefully when they build software for a company, they will be more aware of the security problems that may be introduced.”
Today’s cybersecurity landscape includes thieves looking to empty your bank account, but also governments that want to gain access to other countries’ infrastructure and companies trying to steal intellectual property from competitors.
Enck says that, despite all of the headlines about hacks that steal our data or threaten the U.S. energy grid, our systems are better prepared today than decades ago.
“Systems are more secure, but there are more attackers and they are better equipped. Both are true.”
And we have more to lose. Kapravelos points out that when hacking was mostly done to prove a point, there wasn’t much to gain. Today, our bank accounts and so much of our valuable personal data are online.
Most successful attacks, Dr. Laurie Williams, Distinguished Professor of Computer Science, says, fall under what she calls social engineering, relying on a human mistake instead of a hole in a system. An email disguised as a message from a friend tricks you into sharing important information. Someone claiming to be an IT technician for your company hands you a USB drive that you plug into your computer.
Security risks are everywhere, from airplanes to self-driving cars. That’s why, instead of offering a degree program that would focus solely on cybersecurity (the route that some universities have chosen), NC State CSC’s intention is to give students a broad knowledge base that includes security concepts for whatever platform they are working on, said Williams, who is also a co-director of SCI.
“We’re trying to create computer scientists who are also experts in security,” she said. “You need that domain expertise, plus security.”