Categories
Culture, Society & Family Researcher news SMU In The News Technology

KERA: 8 Questions For The Government To Consider Before Investigating Encrypted Data

“This debate is quite polarizing; it’s been in the media for a couple of years now. It was quite an accomplishment on our part to agree on a set of facts, to agree on a vocabulary and to agree on the framework.” — Fred Chang, SMU

Journalist Justin Martin with KERA public radio covered the new government guidelines for investigating encrypted data from the National Academies of Sciences, Engineering and Medicine. Frederick Chang, director of SMU’s Darwin Deason Institute for Cyber Security and former director of research for the National Security Agency, participated in developing the guidelines.

KERA’s interview, “8 Questions For The Government To Consider Before Investigating Encrypted Data,” aired March 7, 2018.

Chang, a member of the prestigious National Academy of Engineering, joined SMU in September 2013 as Bobby B. Lyle Endowed Centennial Distinguished Chair in Cyber Security, computer science and engineering professor and Senior Fellow in the John Goodwin Tower Center for Political Studies in Dedman College. The Darwin Deason Institute for Cyber Security was launched in SMU’s Lyle School of Engineering in January 2014, with Chang named as its director.

In addition to his positions at SMU, Chang is a distinguished scholar in the Robert S. Strauss Center for International Security and Law at the University of Texas at Austin. Chang has been professor and AT&T Distinguished Chair in Infrastructure Assurance and Security at the University of Texas at San Antonio and he was at the University of Texas at Austin as an associate dean in the College of Natural Sciences and director of the Center for Information Assurance and Security. Additionally, Chang’s career spans service in the private sector and in government including as the former Director of Research at the National Security Agency.

Chang has been awarded the National Security Agency Director’s Distinguished Service Medal and was the 2014 Information Security Magazine ‘Security 7’ award winner for Education. He has served as a member of the Commission on Cyber Security for the 44th Presidency and as a member of the Computer Science and Telecommunications Board of the National Academies. He has also served as a member of the National Academies Committee on Responding to Section 5(d) of Presidential Policy Directive 28: The Feasibility of Software to Provide Alternatives to Bulk Signals Intelligence Collection.

He is the lead inventor on two U.S. patents, and he appeared in the televised National Geographic documentary, Inside the NSA: America’s Cyber Secrets. He has twice served as a cyber security expert witness at hearings convened by the U.S. House of Representatives Committee on Science, Space and Technology.

Chang received his B.A. degree from the University of California, San Diego and his M.A. and Ph.D. degrees from the University of Oregon. He has also completed the Program for Senior Executives at the Sloan School of Management at the Massachusetts Institute of Technology.

Listen to the KERA radio interview with Justin Martin.

EXCERPT From KERA News:

The debate over government access to personal and private information dates back decades. But it took center stage after the 2015 mass shooting in San Bernardino, California, when Apple refused to open a backdoor into an assailant’s encrypted cell phone for FBI investigators.

The agency ultimately paid a hacker to unlock the phone instead.

Now, the National Academies of Sciences, Engineering, and Medicine has produced a set of guidelines for government agencies to consider before approaching or investigating encrypted data.

To learn more about them, I talked with Frederick Chang, the executive director of Southern Methodist University’s Darwin Deason Institute for Cyber Security.

He’s also a member of the National Academy of Engineering and former director of research for the National Security Agency.

Listen to the KERA radio interview with Justin Martin.

Categories
Culture, Society & Family Feature Learning & Education Researcher news Student researchers Technology

Cyber grad and U.S. Marine Corps vet Michael Taylor proved his mettle as an outstanding student researcher

‘Outstanding student in computer science & engineering’ graduates Dec. 16 with master’s degree and Raytheon ticket to a Ph.D.

Michael Taylor will be the first to tell you that he was not ready for college when he graduated from Plano East High School in 2006. And he’ll also tell you that nobody was more surprised than he was when SMU admitted him in 2014, a little later than the average undergrad.

But Taylor’s disciplined approach to life, honed through five years in the Marine Corps, combined with the intelligence he learned to tap, has earned him a master’s degree from SMU’s Lyle School of Engineering that will be awarded Dec. 16. And after proving his mettle as a student researcher in Lyle’s Darwin Deason Institute for Cyber Security, Taylor has been awarded the first Raytheon IIS Cyber Elite Graduate Fellowship, which will fund his Ph.D. in quantum computing at SMU and then put him to work as an employee at Raytheon.

“Michael Taylor stood out to me when I first had him in an undergraduate class,” said Mitch Thornton, research director for the Deason Institute and Cecil H. Green Chair of Engineering at SMU. “I could sense there was something special about him and that he had a lot of talent. I actively encouraged Michael to do research with me and he has excelled in everything I have asked him to work on. He is a credit to the student body of SMU’s Lyle School, and a credit to the nation.”

Taylor learned to focus on the details in the Marine Corps. He had sampled community college very briefly after high school, but it didn’t stick. He knew he didn’t have skills to trade for a decent job, so joining the Marine Corps made sense to him.

“Honestly? In retrospect, I wasn’t ready for school,” Taylor acknowledged.

After the Marines, finally ready for college
Taylor’s dad was an SMU engineering alumnus, and this was not the career path he’d envisioned for his son. But it’s funny how things work themselves out. Taylor completed Marine basic training, and took an aptitude test to determine where his skills might fit the Marine Corp mission. He did very, very well.

“My score on that test – I qualified for every enlisted job in the Marine Corps,” Taylor said. “I got to pick what job I wanted.” Working as a calibration technician sounded interesting – a job that would require him to conduct testing for proper operation of a wide range of mechanical and electronic devices and tools. But before working in calibration, he’d have to go school for a year.

“Ironic, I know,” Taylor said, smiling. “I had to sign up for an extra year, so I ended up doing a five-year tour in the Marines.”

He spent most of that time working out of Camp Pendleton in California, but was deployed to Helmand Province, Afghanistan, from March through September 2010, at the height of the surge of U.S. troops. “I wasn’t a combat guy,” Taylor said. “But even on base, sometimes, the rockets would come in the middle of the night.”

Nearing the end of his enlistment in 2012, Taylor was getting the hard sell to stay in and make the Marines a career. By now, he had decided he was ready for college, but the career planner he met with tried hard to talk him out of it, predicting that Taylor would “fail again.”

“He actually told me if I got out of the Marine Corps and went back to college, I’d end up living under a bridge,” Taylor said, shaking his head. It just made him more determined to succeed.

He started back at community college, and this experience was very different. “It seemed like it was so hard the first time,” Taylor said. “What then seemed like a monumental task, now seemed like nothing. I started thinking, I might be able to do school, now.”

And he started thinking about SMU. Taylor’s grades at Collin County Community College were good – good enough to get him into his father’s alma mater.

SMU Prof’s mentoring made all the difference
Taylor never dared to think he could live up to what his Dad had accomplished, starting with the scholarship to attend SMU that Jim Taylor ’89 had received from Texas Instruments. “He was a technician there,” Taylor recalled, “and they paid for him to come here. As a kid, if you’d told me I could do something like that, too, I’d never have believed you. For me there was Albert Einstein, and Jim Taylor.”

Michael Taylor came to the Hilltop on the GI Bill, and SMU’s Yellow Ribbon program for military veterans covered what the GI Bill didn’t. Then, the Darwin Deason Institute for Cyber Security picked up the cost of his master’s degree.

Taylor’s first semester at SMU’s Lyle School was a tough adjustment after his relatively easy path at community college, but that class with professor Thornton his second semester changed everything. “Dr. Thornton offered me a position working in the Deason Institute for Cyber Security,” Taylor said. “It’s been going great since then.”

Thornton’s influence and mentoring made all the difference for Taylor.

“If I had not met Dr. Thornton, there were times I wondered if I would have gotten my bachelor’s degree. I definitely wouldn’t be getting the master’s degree. And a Ph.D. wouldn’t have been something I ever considered.”

Compelled to dive into quantum computing and cyber security
Taylor was interested in computer hardware when he arrived at SMU, but the Deason Institute opened the door to the contributions he could make in cyber security. He received the Lyle School’s 2017 Rick A. Barrett Memorial Award for outstanding work in computer science and engineering. And as he neared the completion of his master’s degree, he was tapped for the Raytheon Cyber Elite Graduate Fellowship and is looking forward to pursuing his Ph.D. in quantum computing.

“Quantum computers solve problems that are too difficult for classical computers to solve,” Taylor said. “Certain problems in classical computation are intractable, there’s no way you can solve them in this lifetime. It’s only a matter of time before quantum computers render all encryption obsolete.”

For Fred Chang, executive director of SMU’s Deason Institute and former research director for the National Security Agency (NSA), finding talented students like Taylor to fill the gaps in the cyber security workforce is “job one.” Chang testified before a congressional subcommittee in September that we are likely facing a worldwide shortage of cyber security workers five years from now.

“Today’s students will be responsible for designing, creating, operating, maintaining and defending tomorrow’s cyber infrastructure,” Chang explained. “We need a large and capable pool of folks to staff these positions for the future.”

For Taylor, cyber security is just plain compelling.

“I just like the challenge. There’s somebody out there that’s trying to crack what you have, to break you down. You have to be smarter than them. It’s a game!” — Kim Cobb, SMU

Categories
Learning & Education Researcher news Technology

SMU Lyle School cyber defender Fred Chang named to National Academy of Engineering

Academy membership is among the highest distinctions in engineering, honoring those who have made outstanding contributions to engineering research, practice or education.

Dr. Fred Chang, Bobby B. Lyle Centennial Distinguished Chair in Cyber Security, Southern Methodist University, testifies before the US House Science Committee on information security at HealthCare.gov.  (Photo:  Jay Mallin. jay@jaymallinphotos.com)
Dr. Fred Chang, Bobby B. Lyle Centennial Distinguished Chair in Cyber Security, Southern Methodist University, testifies before the US House Science Committee on information security at HealthCare.gov. (Photo: Jay Mallin. jay@jaymallinphotos.com)

Fred Chang, director of SMU’s Darwin Deason Institute for Cyber Security and former director of research for the National Security Agency, has been elected to the prestigious National Academy of Engineering.

Chang and other new members will be formally inducted during a ceremony at the NAE’s Annual Meeting in Washington, D.C., on Oct. 9, 2016.

The U.S. National Academy of Engineering is a private, independent, nonprofit institution that supports engineering leadership.

Its mission is to advance the wellbeing of the nation by promoting a vibrant engineering profession and by marshaling the expertise and insights of eminent engineers to provide independent advice to the federal government on matters involving engineering and technology.

“I feel incredibly honored to be elected into the National Academy of Engineering,” Chang said. “The level of innovation and accomplishment achieved by its members is inspiring, and I take great pride in joining them. I am grateful to many, many colleagues who have worked with me and helped me over the course of my career, including those at SMU.

“This recognition further motivates me to continue pursuing the challenge of securing cyberspace,” Chang said. “It means continuing the important research we are doing at SMU, to help advance the science of cyber security, and training a workforce of skilled cyber defenders.”

Chang joined SMU in September 2013 as Bobby B. Lyle Endowed Centennial Distinguished Chair in Cyber Security, computer science and engineering professor and Senior Fellow in the John Goodwin Tower Center for Political Studies in Dedman College. The Darwin Deason Institute for Cyber Security was launched in SMU’s Lyle School of Engineering in January 2014, with Chang named as its director.

“Being inducted into the National Academy of Engineering is one of the highest honors a professor can achieve,” said Lyle School Dean Marc Christensen. “We are so pleased that Professor Chang is being recognized as one of the brightest minds of our generation at a time when his expertise in cyber security is so critical to our nation’s future.”

Chang is the second Lyle School professor to be named to the NAE. Delores Etter, the founding director of the Caruth Institute for Engineering Education in the Lyle School, a Caruth Professor of Engineering Education, a distinguished fellow in the Darwin Deason Institute for Cyber Security and a senior fellow in the John Goodwin Tower Center for Political Studies, was elected to the NAE in 2000.

In addition to his positions at SMU, Chang is a distinguished scholar in the Robert S. Strauss Center for International Security and Law at the University of Texas at Austin. Chang has been professor and AT&T Distinguished Chair in Infrastructure Assurance and Security at the University of Texas at San Antonio and he was at the University of Texas at Austin as an associate dean in the College of Natural Sciences and director of the Center for Information Assurance and Security. Additionally, Chang’s career spans service in the private sector and in government including as the former Director of Research at the National Security Agency.

Chang has been awarded the National Security Agency Director’s Distinguished Service Medal and was the 2014 Information Security Magazine ‘Security 7’ award winner for Education. He has served as a member of the Commission on Cyber Security for the 44th Presidency and as a member of the Computer Science and Telecommunications Board of the National Academies. He has also served as a member of the National Academies Committee on Responding to Section 5(d) of Presidential Policy Directive 28: The Feasibility of Software to Provide Alternatives to Bulk Signals Intelligence Collection.

He is the lead inventor on two U.S. patents (U.S. patent numbers 7272645 and 7633951), and he appeared in the televised National Geographic documentary, Inside the NSA: America’s Cyber Secrets. He has twice served as a cyber security expert witness at hearings convened by the U.S. House of Representatives Committee on Science, Space and Technology.

Dr. Chang received his B.A. degree from the University of California, San Diego and his M.A. and Ph.D. degrees from the University of Oregon. He has also completed the Program for Senior Executives at the Sloan School of Management at the Massachusetts Institute of Technology.

Chang joins the National Academy of Engineering with 79 other new U.S. members and 22 new international members, bringing the group’s total membership to 2,275 U.S. members and 232 foreign members.

Membership honors those who have made outstanding contributions to engineering research, practice or education, including, where appropriate, significant contributions to the engineering literature, and to the pioneering of new and developing fields of technology, making major advancements in traditional fields of engineering, or developing/implementing innovative approaches to engineering education. — Kimberly Cobb, SMU

Categories
Culture, Society & Family Economics & Statistics Researcher news Technology

Survey finds executive cybersecurity decisions are evolving from compliance to proactive cyber-risk management

SMU Darwin Deason Institute for Cyber Security releases new study on how financial, retail, healthcare and government sectors manage cyber risks

cybersecurity, IBM, SMU, chang,

A new research study from SMU’s Darwin Deason Institute for Cyber Security finds that executives are changing the way they manage and invest in cybersecurity, moving away from limited, reactive approaches and adopting systemic risk management frameworks that combine hardware, software and operations protocols to mitigate cyber risk.

The study, Identifying How Firms Manage Cybersecurity Investment, was sponsored by IBM Security and based on a semi-structured survey of 40 executives across financial, retail, healthcare and government sectors. Participants, most of whom were chief information security officers (CISOs), were selected primarily from large firms.

The study revealed several signs of increasing support for cybersecurity programs, including:

  • More than 80 percent of those interviewed reported broad and increasing support among senior-level management and corporate boards for their cybersecurity efforts.
  • Eighty-eight percent of respondents reported that their security budgets have increased.
  • The majority of respondents cited news coverage of large and harmful security breaches as the driver of that support.
  • In an interesting twist of perception, while 46 percent of interview subjects believe their organization is spending the right amount of money on cybersecurity, 64 percent reported that their peers were spending too little.

While most of those surveyed said getting funding for their cybersecurity efforts is not a hurdle, many executives talked about the difficulty they experience in finding and hiring skilled cybersecurity personnel. And while findings were similar across most of those interviewed from the private sector, the relatively small number of government executives surveyed noted that the lengthy budgeting processes they must work through make it difficult to react quickly to the emergence of new threats.

“Cybersecurity is more than a technology challenge,” said Fred Chang, director of the Deason Institute in SMU’s Bobby B. Lyle School of Engineering. “Dealing with the landscape as it exists today means making decisions within specific management cultures and understanding what drives the decision-making process. By explaining the move from compliance to risk-based cybersecurity programs we see in many C-suites, this report connects the dots for people making important decisions about what it takes to maintain privacy, financial security and operating capability — all of which are vulnerable.”

The widespread use of security frameworks shows a general maturation of cyber risk management, the study notes.

“Companies are realizing that simply checking the box for compliance requirements is no longer a sufficient security strategy,” said Bob Kalka, Vice President, IBM Security. “Hackers are becoming increasingly sophisticated in the battle for corporate data, and the survey results show that companies are evolving their security to keep pace. The increasing use of strategic, risk-based frameworks is a huge step forward in protecting these organizations’ most critical assets.”

“This report is powerful information for anyone guiding cybersecurity decisions today,” Chang said. “And it’s a good example of the kind of interdisciplinary focus the Deason Institute brings to the table.”

Chang joined SMU’s Lyle School of Engineering in September 2013 with the goal of creating a cybersecurity program that takes an interdisciplinary approach to what is frequently perceived as a strictly technical issue. The Deason Institute, launched in January 2014, provides SMU and the Lyle School with the critical resources to advance that goal. Chang’s career spans service in the private sector and in government, including as the former Director of Research at the National Security Agency.

The research team for this study also included Deason Institute Principal Investigator Tyler Moore and Scott Dynes, a visiting scholar at the Institute. Moore’s research focuses on the economics of information security, the study of electronic crime and the development of policy for strengthening security. Dynes’ research addresses how firms identify and manage cyber risks at the firm and sector levels, and he is well published on topics related to incentives for firms to invest in information security, as well as the economic consequences of information security failures.

Interviews with the 40 executives cited in the survey were conducted in person or by phone with one or two researchers, and lasted from 30 minutes to an hour. The interviews were semi-structured in that researchers worked from a list of common questions in every interview, but allowed the answers to those questions to serve as a launching point for follow-ups. Of the participants, 33 represented U.S. organizations and the remaining seven were international.

Interview questions included:

  • What methods and inputs do you use to prioritize cyber investment?
  • Do you feel you have adequate information in managing overall cyber risk?
  • Is your management supportive? Do you have sufficient budget?
  • What factors are driving cybersecurity investment at your firm?
  • How do you decide among offerings in the marketplace?

A key study finding was the central role that frameworks now play in defining how executives perceive risk, and how much money they are willing to spend to mitigate that risk. “Using these frameworks provides a platform for CISOs to make an understandable, compelling case for specific cybersecurity products and operations,” Moore said. Or as one interviewed executive put it, “Security has to be able to have a basis to argue its point of view in a compelling story with some thought behind it, rather than ‘I want to get these things because it’s the next cool security thing that’s out there.’”

Worth noting, Moore added, is that the lack of qualified, available cybersecurity professionals creates its own set of problems. “In some cases, CISOs say their senior management wants to fund cybersecurity measures more quickly than they can staff them,” Moore said. “In other cases, senior management is hesitant to fully fund proposed cybersecurity projects because they fear the CISO doesn’t have the personnel available to implement them.”

The interviews were conducted between February and October 2015 and participants were assured anonymity for themselves and their firms. The authors note that the advantage of the semi-structured interview methodology is that it enables the researcher to glean detailed contextual information that would not be possible under a more structured interview scenario. The disadvantage, they note, is that the contextual findings do not generalize to the profession as a whole.

The findings described in the report, Identifying How Firms Manage Cybersecurity Investment, are not to be construed as an endorsement of any person, product or company by the Darwin Deason Institute for Cyber Security at SMU. Note that the respondent opinions presented in the report do not necessarily reflect the opinions of the study authors or the study sponsor, IBM. The study’s objective is to relay as accurately as possible the statements of the interview subjects.

Read an independent analysis based on the Deason Institute report by sponsor IBM Security at this link. — Kim Cobb

The mission of the Darwin Deason Institute for Cyber Security in SMU’s Bobby B. Lyle School of Engineering is to advance the science, policy, application and education of cyber security through basic and problem-driven, interdisciplinary research. The Lyle School, founded in 1925, is one of the oldest engineering schools in the Southwest. The school offers eight undergraduate and 28 graduate programs, including masters and doctoral degrees.

SMU is a nationally ranked private university in Dallas founded 100 years ago. Today, SMU enrolls approximately 11,000 students who benefit from the academic opportunities and international reach of seven degree-granting schools.

Categories
Researcher news Technology

SMU’s Deason Institute for Cyber Security and Raytheon partner for strategic cyber research

Collaboration between university and industry leader benefits ‘anyone with a laptop or smart phone’

SMU, Raytheon, cyber security

Raytheon Company has named Southern Methodist University (SMU) as a strategic partner in cyber research based on the company’s collaborative efforts with the Darwin Deason Institute for Cyber Security in SMU’s Bobby B. Lyle School of Engineering. The strategic partnership includes joint research projects in cyber security, Raytheon internships for SMU students, and strategic education initiatives benefiting both SMU and Raytheon.

“We are very proud to have earned this designation,” said Fred Chang, director of the Deason Institute and the Bobby B. Lyle Endowed Centennial Distinguished Chair in Cyber Security. “The work we do together benefits SMU and Raytheon, government and industry, and ultimately anyone with a laptop or smart phone. It will also help train our students to become part of a desperately needed workforce of cyber defenders.”

”Collaboration between academic centers of excellence like SMU and industry leaders like Raytheon is a powerful engine for innovation,” said Dave Wajsgras, president of Raytheon Intelligence, Information and Services. “This strategic partnership is an example of Raytheon’s commitment to growing the cyber workforce and enhancing the technology and capabilities needed to help our customers and society face the ever growing cyber threat.”

Raytheon also utilizes the Lyle School’s training for its own workforce. Fifty-nine Raytheon employees have graduated from the school’s Master of Security Engineering program since 2005 when the program began.

“The work Dr. Chang is directing through the Deason Institute taps the University’s strengths in technology, social science, policy and the law to attack perhaps the most challenging problem facing our society today: cybersecurity,” said Lyle School Dean Marc Christensen. “It’s one reason why this strategic partnership with Raytheon is so important to us.” — Kimberly Cobb

Follow SMUResearch.com on twitter at @smuresearch.

SMU is a nationally ranked private university in Dallas founded 100 years ago. Today, SMU enrolls nearly 11,000 students who benefit from the academic opportunities and international reach of seven degree-granting schools. For more information see www.smu.edu.

SMU has an uplink facility located on campus for live TV, radio, or online interviews. To speak with an SMU expert or book an SMU guest in the studio, call SMU News & Communications at 214-768-7650.