
KERA: 8 Questions For The Government To Consider Before Investigating Encrypted Data

“This debate is quite polarizing; it’s been in the media for a couple of years now. It was quite an accomplishment on our part to agree on a set of facts, to agree on a vocabulary and to agree on the framework.” — Fred Chang, SMU

Journalist Justin Martin with KERA public radio covered the new government guidelines for investigating encrypted data from the National Academies of Sciences, Engineering and Medicine. Frederick Chang, director of SMU’s Darwin Deason Institute for Cyber Security and former director of research for the National Security Agency, participated in developing the guidelines.

KERA’s interview, “8 Questions For The Government To Consider Before Investigating Encrypted Data,” aired March 7, 2018.

Chang, a member of the prestigious National Academy of Engineering, joined SMU in September 2013 as Bobby B. Lyle Endowed Centennial Distinguished Chair in Cyber Security, computer science and engineering professor and Senior Fellow in the John Goodwin Tower Center for Political Studies in Dedman College. The Darwin Deason Institute for Cyber Security was launched in SMU’s Lyle School of Engineering in January 2014, with Chang named as its director.

In addition to his positions at SMU, Chang is a distinguished scholar in the Robert S. Strauss Center for International Security and Law at the University of Texas at Austin. Chang has been professor and AT&T Distinguished Chair in Infrastructure Assurance and Security at the University of Texas at San Antonio and he was at the University of Texas at Austin as an associate dean in the College of Natural Sciences and director of the Center for Information Assurance and Security. Additionally, Chang’s career spans service in the private sector and in government including as the former Director of Research at the National Security Agency.

Chang has been awarded the National Security Agency Director’s Distinguished Service Medal and was the 2014 Information Security Magazine ‘Security 7’ award winner for Education. He has served as a member of the Commission on Cyber Security for the 44th Presidency and as a member of the Computer Science and Telecommunications Board of the National Academies. He has also served as a member of the National Academies Committee on Responding to Section 5(d) of Presidential Policy Directive 28: The Feasibility of Software to Provide Alternatives to Bulk Signals Intelligence Collection.

He is the lead inventor on two U.S. patents, and he appeared in the televised National Geographic documentary, Inside the NSA: America’s Cyber Secrets. He has twice served as a cyber security expert witness at hearings convened by the U.S. House of Representatives Committee on Science, Space and Technology.

Chang received his B.A. degree from the University of California, San Diego and his M.A. and Ph.D. degrees from the University of Oregon. He has also completed the Program for Senior Executives at the Sloan School of Management at the Massachusetts Institute of Technology.

Listen to the KERA radio interview with Justin Martin.

EXCERPT From KERA News:

The debate over government access to personal and private information dates back decades. But it took center stage after the 2015 mass shooting in San Bernardino, California, when Apple refused to open a backdoor into an assailant’s encrypted cell phone for FBI investigators.

The agency ultimately paid a hacker to unlock the phone instead.

Now, the National Academies of Sciences, Engineering, and Medicine has produced a set of guidelines for government agencies to consider before approaching or investigating encrypted data.

To learn more about them, I talked with Frederick Chang, the executive director of Southern Methodist University’s Darwin Deason Institute for Cyber Security.

He’s also a member of the National Academy of Engineering and former director of research for the National Security Agency.



Ronald A. Rohrer, Cecil & Ida Green Chair and professor of engineering at SMU Lyle, honored with TAMEST membership

“I’ve stayed close to industry to be a practicing engineer and close to academia to conduct deeper research on hard problems.” — Ronald A. Rohrer.

Legendary inventor and scholar Ronald A. Rohrer, Cecil & Ida Green Chair and Professor of Engineering in SMU’s Lyle School of Engineering, has been named to The Academy of Medicine, Engineering, and Science of Texas (TAMEST).

The nonprofit organization, founded in 2004, brings together the state’s top scientific, academic and corporate minds to support research in Texas.

The organization builds a stronger identity for Texas as an important destination and hub of achievement in these fields. Members of The National Academies of Sciences, Engineering and Medicine and the state’s nine Nobel Laureates comprise the 270 members of TAMEST. The group has 18 member institutions, including SMU, across Texas.

Rohrer joins three other distinguished SMU faculty members in TAMEST — Fred Chang, executive director of the Lyle School’s Darwin Deason Institute for Cyber Security; Delores Etter, founding director of the Lyle School’s Caruth Institute for Engineering Education and electrical engineering professor emeritus; and David Meltzer, Henderson-Morrison Chair and professor of prehistory in anthropology in Dedman College.

Rohrer is considered one of the preeminent researchers in electronic design automation, and his contributions to improving integrated circuit (IC) production have spanned over 50 years. Rohrer realized early on that circuit simulation was crucial to IC design for progress in size reduction and complexity. Among his achievements was introducing a sequence of circuit simulation courses at the University of California, Berkeley, that evolved into the SPICE (Simulation Program with Integrated Circuit Emphasis) tool, now considered the industry standard for IC design simulation. At Carnegie Mellon University, Rohrer introduced the Asymptotic Waveform Evaluation (AWE) algorithm, which enabled highly efficient timing simulations of ICs containing large numbers of parasitic elements.

“The appointment of Ron Rohrer into TAMEST will increase the visibility of Lyle’s outstanding faculty members,” said Marc P. Christensen, dean of the Lyle School of Engineering.

“Through TAMEST, Rohrer will share his vast knowledge and inspire additional collaborative research relationships with other outstanding Texas professors and universities. This will elevate SMU and the state as a leading center of scholarship and innovation,” Christensen said.

An SMU electrical engineering professor in the late 1970s, Rohrer rejoined the Lyle School as a faculty member in 2017. He is professor emeritus of electrical and computer engineering at Carnegie Mellon, and his career has included roles in academia, industrial management, venture capital, and start-up companies.

“I’ve stayed close to industry to be a practicing engineer and close to academia to conduct deeper research on hard problems,” said Rohrer.

According to Rohrer, one pressing problem is analog integrated circuit design automation, also the name of the project-based research course he’s currently teaching.

“In the analog domain, it’s hard to design a 20-transistor circuit. My goal is to make analog integrated circuit design more accessible to students and industry, especially for our local corporate partners,” he said. “I want to get the ball rolling so younger engineers can keep it moving toward a complete solution.”

Along with his membership in TAMEST and the National Academy of Engineering, Rohrer is an IEEE Life Fellow. His professional service includes several other prominent positions with IEEE, AIEE and U.S. government committees. He is the author and co-author of five textbooks and more than 100 technical papers as well as the holder of six patents. Rohrer has received 11 major awards, including the IEEE Education Medal and the NEC C&C Prize.


SMU Lyle School cyber defender Fred Chang named to National Academy of Engineering

Academy membership is among the highest distinctions in engineering, honoring those who have made outstanding contributions to engineering research, practice or education.

Dr. Fred Chang, Bobby B. Lyle Centennial Distinguished Chair in Cyber Security, Southern Methodist University, testifies before the US House Science Committee on information security at HealthCare.gov. (Photo: Jay Mallin. jay@jaymallinphotos.com)

Fred Chang, director of SMU’s Darwin Deason Institute for Cyber Security and former director of research for the National Security Agency, has been elected to the prestigious National Academy of Engineering.

Chang and other new members will be formally inducted during a ceremony at the NAE’s Annual Meeting in Washington, D.C., on Oct. 9, 2016.

The U.S. National Academy of Engineering is a private, independent, nonprofit institution that supports engineering leadership.

Its mission is to advance the wellbeing of the nation by promoting a vibrant engineering profession and by marshaling the expertise and insights of eminent engineers to provide independent advice to the federal government on matters involving engineering and technology.

“I feel incredibly honored to be elected into the National Academy of Engineering,” Chang said. “The level of innovation and accomplishment achieved by its members is inspiring, and I take great pride in joining them. I am grateful to many, many colleagues who have worked with me and helped me over the course of my career, including those at SMU.

“This recognition further motivates me to continue pursuing the challenge of securing cyberspace,” Chang said. “It means continuing the important research we are doing at SMU, to help advance the science of cyber security, and training a workforce of skilled cyber defenders.”

Chang joined SMU in September 2013 as Bobby B. Lyle Endowed Centennial Distinguished Chair in Cyber Security, computer science and engineering professor and Senior Fellow in the John Goodwin Tower Center for Political Studies in Dedman College. The Darwin Deason Institute for Cyber Security was launched in SMU’s Lyle School of Engineering in January 2014, with Chang named as its director.

“Being inducted into the National Academy of Engineering is one of the highest honors a professor can achieve,” said Lyle School Dean Marc Christensen. “We are so pleased that Professor Chang is being recognized as one of the brightest minds of our generation at a time when his expertise in cyber security is so critical to our nation’s future.”

Chang is the second Lyle School professor to be named to the NAE. Delores Etter, the founding director of the Caruth Institute for Engineering Education in the Lyle School, a Caruth Professor of Engineering Education, a distinguished fellow in the Darwin Deason Institute for Cyber Security and a senior fellow in the John Goodwin Tower Center for Political Studies, was elected to the NAE in 2000.

In addition to his positions at SMU, Chang is a distinguished scholar in the Robert S. Strauss Center for International Security and Law at the University of Texas at Austin. Chang has been professor and AT&T Distinguished Chair in Infrastructure Assurance and Security at the University of Texas at San Antonio and he was at the University of Texas at Austin as an associate dean in the College of Natural Sciences and director of the Center for Information Assurance and Security. Additionally, Chang’s career spans service in the private sector and in government including as the former Director of Research at the National Security Agency.

Chang has been awarded the National Security Agency Director’s Distinguished Service Medal and was the 2014 Information Security Magazine ‘Security 7’ award winner for Education. He has served as a member of the Commission on Cyber Security for the 44th Presidency and as a member of the Computer Science and Telecommunications Board of the National Academies. He has also served as a member of the National Academies Committee on Responding to Section 5(d) of Presidential Policy Directive 28: The Feasibility of Software to Provide Alternatives to Bulk Signals Intelligence Collection.

He is the lead inventor on two U.S. patents (U.S. patent numbers 7272645 and 7633951), and he appeared in the televised National Geographic documentary, Inside the NSA: America’s Cyber Secrets. He has twice served as a cyber security expert witness at hearings convened by the U.S. House of Representatives Committee on Science, Space and Technology.

Dr. Chang received his B.A. degree from the University of California, San Diego and his M.A. and Ph.D. degrees from the University of Oregon. He has also completed the Program for Senior Executives at the Sloan School of Management at the Massachusetts Institute of Technology.

Chang joins the National Academy of Engineering with 79 other new U.S. members and 22 new international members, bringing the group’s total membership to 2,275 U.S. members and 232 foreign members.

Membership honors those who have made outstanding contributions to engineering research, practice or education, including, where appropriate, significant contributions to the engineering literature, and to the pioneering of new and developing fields of technology, making major advancements in traditional fields of engineering, or developing/implementing innovative approaches to engineering education. — Kimberly Cobb, SMU


Survey finds executive cybersecurity decisions are evolving from compliance to proactive cyber-risk management

SMU Darwin Deason Institute for Cyber Security releases new study on how financial, retail, healthcare and government sectors manage cyber risks


A new research study from SMU’s Darwin Deason Institute for Cyber Security finds that executives are changing the way they manage and invest in cybersecurity, moving away from limited, reactive approaches and adopting systemic risk management frameworks that combine hardware, software and operations protocols to mitigate cyber risk.

The study, Identifying How Firms Manage Cybersecurity Investment, was sponsored by IBM Security and based on a semi-structured survey of 40 executives across financial, retail, healthcare and government sectors. Participants, most of whom were chief information security officers (CISOs), were selected primarily from large firms.

The study revealed several signs of increasing support for cybersecurity programs, including:

  • More than 80 percent of those interviewed reported broad and increasing support among senior-level management and corporate boards for their cybersecurity efforts.
  • Eighty-eight percent of respondents reported that their security budgets have increased.
  • The majority of respondents cited news coverage of large and harmful security breaches as the driver of that support.
  • In an interesting twist of perception, while 46 percent of interview subjects believe their organization is spending the right amount of money on cybersecurity, 64 percent reported that their peers were spending too little.

While most of those surveyed said getting funding for their cybersecurity efforts is not a hurdle, many executives talked about the difficulty they experience in finding and hiring skilled cybersecurity personnel. And while findings were similar across most of those interviewed from the private sector, the relatively small number of government executives surveyed noted that the lengthy budgeting processes they must work through make it difficult to react quickly to the emergence of new threats.

“Cybersecurity is more than a technology challenge,” said Fred Chang, director of the Deason Institute in SMU’s Bobby B. Lyle School of Engineering. “Dealing with the landscape as it exists today means making decisions within specific management cultures and understanding what drives the decision-making process. By explaining the move from compliance to risk-based cybersecurity programs we see in many C-suites, this report connects the dots for people making important decisions about what it takes to maintain privacy, financial security and operating capability — all of which are vulnerable.”

The widespread use of security frameworks shows a general maturation of cyber risk management, the study notes.

“Companies are realizing that simply checking the box for compliance requirements is no longer a sufficient security strategy,” said Bob Kalka, Vice President, IBM Security. “Hackers are becoming increasingly sophisticated in the battle for corporate data, and the survey results show that companies are evolving their security to keep pace. The increasing use of strategic, risk-based frameworks is a huge step forward in protecting these organizations’ most critical assets.”

“This report is powerful information for anyone guiding cybersecurity decisions today,” Chang said. “And it’s a good example of the kind of interdisciplinary focus the Deason Institute brings to the table.”

Chang joined SMU’s Lyle School of Engineering in September 2013 with the goal of creating a cybersecurity program that takes an interdisciplinary approach to what is frequently perceived as a strictly technical issue. The Deason Institute, launched in January 2014, provides SMU and the Lyle School with the critical resources to advance that goal. Chang’s career spans service in the private sector and in government, including as the former Director of Research at the National Security Agency.

The research team for this study also included Deason Institute Principal Investigator Tyler Moore and Scott Dynes, a visiting scholar at the Institute. Moore’s research focuses on the economics of information security, the study of electronic crime and the development of policy for strengthening security. Dynes’ research addresses how firms identify and manage cyber risks at the firm and sector levels, and he is well published on topics related to incentives for firms to invest in information security, as well as the economic consequences of information security failures.

Interviews with the 40 executives cited in the survey were conducted in person or by phone with one or two researchers, and lasted from 30 minutes to an hour. The interviews were semi-structured in that researchers worked from a list of common questions in every interview, but allowed the answers to those questions to serve as a launching point for follow-ups. Of the participants, 33 represented U.S. organizations and the remaining seven were international.

Interview questions included:

  • What methods and inputs do you use to prioritize cyber investment?
  • Do you feel you have adequate information in managing overall cyber risk?
  • Is your management supportive? Do you have sufficient budget?
  • What factors are driving cybersecurity investment at your firm?
  • How do you decide among offerings in the marketplace?

A key study finding was the central role that frameworks now play in defining how executives perceive risk, and how much money they are willing to spend to mitigate that risk. “Using these frameworks provides a platform for CISOs to make an understandable, compelling case for specific cybersecurity products and operations,” Moore said. Or as one interviewed executive put it, “Security has to be able to have a basis to argue its point of view in a compelling story with some thought behind it, rather than ‘I want to get these things because it’s the next cool security thing that’s out there.’”

Worth noting, Moore added, is that the lack of qualified, available cybersecurity professionals creates its own set of problems. “In some cases, CISOs say their senior management wants to fund cybersecurity measures more quickly than they can staff them,” Moore said. “In other cases, senior management is hesitant to fully fund proposed cybersecurity projects because they fear the CISO doesn’t have the personnel available to implement them.”

The interviews were conducted between February and October 2015 and participants were assured anonymity for themselves and their firms. The authors note that the advantage of the semi-structured interview methodology is that it enables the researcher to glean detailed contextual information that would not be possible under a more structured interview scenario. The disadvantage, they note, is that the contextual findings do not generalize to the profession as a whole.

The findings described in the report, Identifying How Firms Manage Cybersecurity Investment, are not to be construed as an endorsement of any person, product or company by the Darwin Deason Institute for Cyber Security at SMU. Note that the respondent opinions presented in the report do not necessarily reflect the opinions of the study authors or the study sponsor, IBM. The study’s objective is to relay as accurately as possible the statements of the interview subjects.

Read an independent analysis based on the Deason Institute report by sponsor IBM Security at this link. — Kim Cobb

The mission of the Darwin Deason Institute for Cyber Security in SMU’s Bobby B. Lyle School of Engineering is to advance the science, policy, application and education of cyber security through basic and problem-driven, interdisciplinary research. The Lyle School, founded in 1925, is one of the oldest engineering schools in the Southwest. The school offers eight undergraduate and 28 graduate programs, including masters and doctoral degrees.

SMU is a nationally ranked private university in Dallas founded 100 years ago. Today, SMU enrolls approximately 11,000 students who benefit from the academic opportunities and international reach of seven degree-granting schools.