Cybersecurity — Syracuse University

Engineering and Computer Science Professor Kevin Du Trains the Next Generation of Cybersecurity Experts

Thu, 21 Nov 2024 18:24:23 +0000

As an engineer, Kevin Du has always embraced a problem-solving attitude. In his world, if no solution exists for the dilemma he’s facing, he will create the solution.

Kevin Du

It’s a mentality that has served Du, an electrical engineering and computer science professor in the , well as he has carved out a decorated career as a global cybersecurity expert. His labs have been used by more than 1,100 institutions and universities across the world, and it all started with the launch of the , which developed hands-on instructional laboratory exercises known as SEED labs for cybersecurity education.

But at the time of its creation in 2002, the experiences Du wanted to provide to his students around cybersecurity education didn’t exist in a practical fashion. He set out to create a virtual training tool that could help prepare cybersecurity experts on how to handle the pressing issues they would face in the future.

The initiative launched thanks to $1.3 million in funding from the National Science Foundation (NSF). The SEED project’s objectives are to develop an instructional laboratory environment and accompanying laboratory exercises that help students comprehend the practical security principles, concepts and technologies associated with cybersecurity issues; apply those principles to designing and implementing security mechanisms that can counter cybersecurity attacks; analyze and test computer systems for potential security issues; and apply these security principles to resolving real-world cybersecurity problems.

“I designed the SEED project so students can actually walk through those attacks by themselves on their computer,” says Du, who is a fellow of both the Institute of Electrical and Electronics Engineers and the Association for Computing Machinery. “Not just talk about the attack, but now they can actually see the attack and think about what they would need to do to stop the attack.”

Since its founding, the open-source (software that is made freely available to interested parties) SEED project, which operates by having the students access the lab work through virtual machines, has accomplished the following:

  • Developed more than 40 labs exploring computer and information security topics such as software security, network security, web security, operating system security and mobile app security.
  • Enabled users, through its SEED emulator, to replicate the internet on a single computer, introducing students to hands-on cybersecurity research activities related to the internet, Border Gateway Protocols (the internet’s routing protocol), Domain Name System (the internet’s directory), Blockchain, Botnet, the Dark-net and more.

“We are not teaching students to carry out these attacks, but if you don’t know what’s happening behind the attack, you won’t know what to do when you encounter an attack,” Du says.

Kevin Du (second from right) has carved out a decorated career as a global cybersecurity expert. His labs have been used by more than 1,100 institutions and universities across the world. (Photo by Jeremy Brinn)

A Safe, Hands-On Environment for Resolving Cybersecurity Attacks

Before Du created these virtual labs, cyberattacks would be explored on paper, with professors describing how a theoretical cyberattack could be carried out. While it is important for students to understand the theoretical workings of cyberattacks, Du says this approach leaves out the equally important practical application, the actual stopping of a cyberattack as it is happening or once it has happened.

Professors would discuss cyberattacks in theory, but gaining hands-on, practical experience was very limited, for one very good reason, according to Du. Working through cyberattacks represents a security threat, one that can’t be tackled on a normal University-issued computer, because some of the cyberattacks being studied could bring down the entire internet if they were successfully carried out.

The solution, according to Du, was to build virtual machine technology that would allow Syracuse University students—and students in classrooms all across the country—to access and run the cybersecurity software on their own personal computers.

At the time, virtual machine technology was still relatively new on college campuses. Du fine-tuned the project’s goals and objectives, focusing on educating students about the dangers of the different kinds of attacks while emphasizing ways to keep these attacks from happening.

“There was a huge gap between the theory and the practice of a cybersecurity attack. We needed to fill that gap,” Du says. “The big achievement with the SEED lab is we brought the ideas that students were learning about in their research and we simplified those ideas and made this hands-on component that complements the theoretical teachings.”

Becoming a Global Leader in Cybersecurity

Since starting as a professor at the University in 2001, Du’s research papers have been cited 17,800 times, and he has won two ACM Conference on Computer and Communications Security Test-of-Time Awards.

In 2015, Du, who was always interested in hands-on learning, began offering training workshops funded through a $1 million NSF grant for interested cybersecurity educators at colleges and universities across the country. Each summer, approximately 80 instructors converge on Link Hall for a weeklong intensive training workshop where they learn the ins and outs of Du’s open-source software. Since offering the sessions, Du estimates that more than 400 college professors were trained on the software and are now teaching their students many of the same cybersecurity awareness and prevention lessons Du teaches through his labs.

“I’ve found that many instructors share my teaching philosophy that they want to have hands-on practice with their classes, but they’re finding there weren’t many opportunities,” Du says. “Now, my SEED lab can fill that gap and it’s very easy for the instructors to use. Because I put a lot of thought into designing this SEED lab, it makes it easier for other professors to bring the teachings back to their campuses.”

Du has also written a textbook based on the SEED labs, “Computer and Internet Security: A Hands-on Approach,” that is used by nearly 300 universities. Knowing the source material can be a bit dry when digested only in a textbook, Du built a recording studio in his basement and produces video lessons complete with hands-on demonstrations to accompany his lectures. The videos are posted online and available at a cost of $10 per class.

“The videos certainly help enhance the teachings through demonstrations of the attacks or the lessons we’re learning and have helped more people benefit from my SEED labs,” says Du, who hopes to one day introduce artificial intelligence topics into his SEED labs’ educational environment.

‘Most Recent Cyberattacks on Water Systems Won’t Be the Last’ Says iSchool Cybersecurity Expert

Wed, 22 May 2024 20:38:22 +0000

More government agencies are taking steps to shore up their cybersecurity measures. Earlier this week, the Environmental Protection Agency said it would step up inspections of water facilities that may be vulnerable to cyberattacks.

Why are government agencies more at risk when it comes to cyberattacks and operational vulnerabilities?

Lee McKnight

Lee McKnight is an associate professor in the Syracuse University School of Information Studies (iSchool) whose research specialty includes cybersecurity. He provides written comments that can be quoted directly. He is available for interviews on future topics related to cybersecurity practices in the public and private sectors.

McKnight says:

“With state-sponsored actors taking advantage more frequently of outdated to non-existent water supply security practices, it is refreshing – like a glass of (clean) water – that the EPA and CISA have begun to raise the alarm. The fact that 70% of water systems upon inspection failed to demonstrate their ability to maintain basic cyberhygiene is regrettable, but far from shocking.

“It is overdue for the public and private sector organizations supplying and supporting water systems to take these threats seriously. Even if the nightmare worst case scenarios have not happened at scale, the entire sector has to prioritize cybersecurity, just as oil pipelines belatedly did after the successful ransomware attack on the Colonial Pipeline several years ago precipitated.

“In the case of water supplies, the risks are more local but can be no less devastating if their operational technology is breached.

“Sending the sector’s IT workforce back to school – or at least scaling up online sector-specific training programs – is long overdue. Beyond ‘IT’ workers, the wider workforce must have more opportunities for training in basic cyberhygiene as well.

“Since now that it is widely known that cyber-attackers have a 70% probability of finding a soft target when going after a water system – unfortunately, we know the most recent successful cyberattacks on water systems will not be the last.”

To request interviews or get more information:

Daryl Lovell
Syracuse University Media Relations

M 315.380.0206
dalovell@syr.edu

Professor Receives NSF CAREER Award to Research Context Sensitive Fuzzing for Networked Systems

Thu, 18 Apr 2024 13:24:17 +0000

Despite advances in cybersecurity, even the most protected networks are vulnerable to cyberattacks due to software bugs or security flaws. Though vulnerability detection methods such as fuzzing can detect bugs, these methods have some limitations. Endadul Hoque, assistant professor in electrical engineering and computer science in the , has made significant progress researching computer networks and systems security and is working to enhance network security by developing an innovative automated solution.

Hoque has received the National Science Foundation (NSF) CAREER Award to research context-sensitive fuzzing for networked systems. This grant supports early career faculty with their professional development and will build upon Hoque’s research on computer networks and systems security, program analysis and software engineering.

“Many big tech companies like Google and Microsoft have been investing in fuzzing techniques and have seen the importance of finding bugs in existing software,” Hoque says. “The National Institute of Standards in Technology also endorses fuzzing as an automated technique for security testing. This project will push boundaries within the field and have an impact on cybersecurity.”

Endadul Hoque (Photo by Alex Dunbar)

Hoque’s project has three research goals. The first goal is to create a language that can encode complex structures of inputs that change depending on the context and develop algorithms that can quickly generate correct inputs based on this language. The second goal will create techniques that can mutate these inputs without losing their context sensitivity, which is essential for the process of fuzzing. The final goal is to create mechanisms that ensure the internal state of a protocol is accurately maintained. This will allow each fuzz input to be tested in a suitable state for the protocol being tested.

“In this area of research, people tend to focus on strengthening the system by finding flaws in the existing system that we use in our day-to-day life,” says Hoque. “How can we find loopholes in real-world security-critical systems? This research award falls under that category to advance the limitations of existing methodologies.”

As part of his project, Hoque plans to improve cybersecurity courses and hold K-12 workshops to promote cybersecurity awareness, integrating his research findings into these initiatives. The project will also encourage undergraduate and graduate students from historically marginalized communities to get involved with educational and research activities.

Additionally, Hoque will form a team for cybersecurity competitions such as capture-the-flag competitions, where participants search for hidden text strings in vulnerable websites or programs. These gamified competitions are also an effective way to improve cybersecurity education.

“This project has the potential to significantly enhance the robustness of protocol implementations and cybersecurity education, benefiting society. I’m happy to have received this prestigious award,” says Hoque.

University’s NCAE-C Designation Renews Through 2028

Wed, 25 Oct 2023 17:51:02 +0000

In the photo (from left): Representative from FBI, Joon Park, representative from NSA and representative from CISA. (Photo courtesy of the Center of Academic Excellence)

Syracuse University has been designated once again as a National Center of Academic Excellence in Cybersecurity (NCAE-C) through the academic year 2028. The program is administered by the National Security Agency (NSA) with a goal of promoting and supporting quality academic programs of higher education that help produce the nation’s cyber workforce.

The combination of required elements for the designation assures the institution meets the desired characteristics of a Center of Academic Excellence (CAE) institution and that the academic delivery to students is producing a qualified workforce needed by the nation.

Students attending CAE institutions are eligible to apply for scholarships and grants that require the CAE designation status.

As one of the 18 elite academic institutions that received the original CAE designation in 2001, Syracuse University has continuously maintained its CAE status through re-designations. Meanwhile, the CAE criteria have been updated with more rigorous requirements and multiple review rounds. The new criteria include the new NSA PoS (Program of Study) Validation, evidence of sound cybersecurity posture/plan, sustainability, professional development, outreach activities as well as others.

According to the new criteria, the University received the NSA PoS Validation in 2022 with the bachelor of professional studies program in cybersecurity administration at the College of Professional Studies. This CAE re-designation reaffirms the University’s commitment to high-quality education and related activities in cybersecurity.

Joon Park, a professor at the School of Information Studies, served as the point of contact and led the efforts for the NSA PoS Validation and CAE designations with other faculty, staff members, program directors and students in the cybersecurity area across the following schools and colleges in addition to the iSchool:

  • College of Arts and Sciences
  • College of Engineering and Computer Science
  • College of Law
  • College of Professional Studies
  • Maxwell School of Citizenship and Public Affairs

Park attended the CAE designation ceremony at the National Cybersecurity Education Colloquium in Chicago in September.

“Despite the rigorous demands, serving as the point of contact brought about gratifying experiences as I collaborated with our dedicated colleagues and students with honors and privileges, guided by the support and directives from the CAE program officers,” says Park. “The designation signifies that the University has the ability to meet the increasing demand for the protection of the National Information Infrastructure with our top-tier achievements in cybersecurity education through the courseware quality, faculty engagement, students’ learning outcomes and administration. Moving forward, we will continuously contribute to the national cyber strategy with our cybersecurity education!”
Syracuse University to Offer Google’s New Cybersecurity Certificate

Mon, 10 Jul 2023 19:29:57 +0000

Syracuse University’s College of Professional Studies today announced it will offer Google’s new Cybersecurity Certificate.

The prepare learners for in-demand fields including cybersecurity, data analytics, IT support, project management and UX design—with no experience required. This offering will equip students with job-ready skills as they pursue their degree, while also connecting them to career resources and a network of over through the program’s employer consortium.

“The certificate programs from Google are structured to address the skills gap being experienced by a number of employers,” says Arthur Thomas, executive director of the Office of Professional Acceleration and Microcredentials in the College of Professional Studies. “What we’ve created is a hybrid learning experience that builds on the excellent foundations established by Google by adding a dimension of live online sessions with instructors, specific readings, additional videos and discussion groups guided by our faculty. This added perspective and interaction will give our students a distinct advantage as they approach the job market.”

The certificate in cybersecurity is the first of six Google Career Certificates that will be available through Syracuse University.

Students who enroll in the Google Career Certificates through Syracuse University will unlock access to Syracuse University services, including personalized student support, career services and one-on-one instructor support. Additionally, students will have the opportunity to directly discuss course content through virtual live sessions that offer moments to engage with classmates and learn from industry experts who help illustrate how concepts are applied in real-life experiences.

When taking a Google Certificate through Syracuse University, students get the full Orange experience. The Google and Syracuse University partnership brings together two industry leaders to create a fully immersive professional development experience.

Originally designed and taught by Google employees, Syracuse University has added perspectives and information from both faculty and practitioners to build an even more comprehensive foundation in these areas. Each certificate program includes more than 150 practice and graded assessments, quizzes or writing assignments to ensure rigor and mastery. To help prepare learners for jobs, the program provides resources including resume templates, coaching from Career Circle and interview practice with Big Interview. Graduates are also connected with an of over 150 companies—including American Express, Colgate, T-Mobile, Walmart and Google—that considers them for relevant roles.

“Global interest in cybersecurity jobs among job seekers has reached an all-time high on Google Search this year, yet businesses continue to report a large cybersecurity skills gap,” says Lisa Gevelber, founder of Grow with Google. “The data is clear: we must create more pathways for people to enter the cybersecurity field and build a lasting career. Google is combining our industry-leading expertise in cybersecurity with our proven approach to training people for in-demand jobs to help create a solution. The Google Cybersecurity Certificate will help businesses fill cybersecurity roles and enable people to earn an industry-recognized credential that will qualify them for a great job.”

A Prior Learning Assessment (PLA) will be available for students who complete the Google Career Certificates through the University. This assessment awards college credits based on prior learning and experiences by identifying direct course overlaps in a specific for-credit program at Syracuse University to which the student is applying. The PLA allows students to personalize their learning pathway into a for-credit degree or certificate program.

Since Google launched the original Grow with Google program in 2018, over 200,000 people have graduated in the U.S. Seventy-five percent of them report a positive career impact—such as a new job, higher pay or a promotion—within six months of completion, and over 50% of graduates identify as Asian, Black or Latino.

Improving Cybersecurity at the National Level – Expert Weighs in on New Strategy

Mon, 06 Mar 2023 19:40:17 +0000

Shiu-Kai Chin

The Biden-Harris administration recently unveiled a new strategy aimed at protecting America’s digital infrastructure. It comes as high-profile attacks continue to target both government agencies and private companies.

Shiu-Kai Chin is a professor of electrical engineering and computer science at Syracuse University. He is affiliated with the university’s Institute for Security Policy and Law and is an expert in computer security.

Here, Chin helps break down the new strategy and looks at the roles government and corporations will play in securing critical infrastructure.

Just how big of a problem is cybersecurity, and why is it important to tackle it at the federal level?

Safety and security in cyberspace is a global wicked problem. That is, a problem that cannot be solved once and for all because of the myriad of stakeholders with differing views of what is adequate safety and security. Each stakeholder views the problem differently. The root causes evolve and are interconnected. This is very similar to other wicked problems such as climate change.

The federal government plays an important role in convening stakeholders nationally and internationally to gain consensus and international agreements on standards and acceptable behavior and minimum safety levels. Think about air travel and commerce. Think about arms control.

What do you see as some of the key components of the administration’s strategy?

Important elements of the strategy include coordinating regulations, procurement, economic incentives, and R&D with the specific goal of making cyber-systems and cyberspace safe and secure as a realm of operations for people, business, and governments. For example, tech companies such as software and semiconductor manufacturers often focus on minimizing “time to dollars.” This type of thinking rewards companies who rush products to market with new and exciting features without worrying about cybersecurity. This effectively transfers risk to users while setting up de-facto standards for new products without much thought to security. “Leveling the field” means finding ways to reward companies and innovators who think about security from the start so that products with cybersecurity built-in from the start (much like safety is built into all our electrical appliances with UL certification) become the norm not the exception.

Do you feel the current strategy will have a measurable impact on future cyberattacks?

Yes, but it will take time. We didn’t arrive in this place a minute ago. Our problems started when, for understandable reasons, personal computers and the chips that powered them had all the security we used to have on mainframes stripped out of them (personal means only the owner has access, right?) and we networked PCs with the Internet. This invalidated an important design assumption in the development of PCs.

The emphasis on “zero trust,” i.e., all access and actions must be authenticated and authorized by enforcing appropriate policies, has “security by design” as a goal, as opposed to “bolt-on security” after a product is built with inherent security flaws that cannot be fixed. There are a lot of so-called legacy systems with poor security in operation. Things will get better to the extent that these systems are phased out of critical infrastructure and replaced by systems where security is part of the conceptual design of the system from the start.

What are some of the biggest challenges you foresee with implementing the strategy?

The emphasis on R&D leading to better authentication (identifying the source of requests and integrity of information) is a good start to the problem of attribution in cyber attacks.

The harder issue is the balance of privacy and attribution. This is inherently an authorization or policy problem where the appropriate “good enough” policy is a trade-off among stakeholders. This is where many difficult conversations will occur. Do we want a total surveillance state or the wild west? That’s a false dichotomy. We want something in-between where the trade-offs are made based on mission or situation. Protecting access to a biolab with pathogens that can trigger the next pandemic probably won’t value privacy as much as a public library giving internet access to people who cannot afford their own computers.

What else can/should be done to prevent attacks and mitigate damage to critical infrastructure?

Engineering exists to support society. Our profession exists in large part to provide critical infrastructure that is safe, secure, and operates with integrity and equity in mind. Our profession excels when we realize that “good enough” safety, security, integrity, and equity have no universally agreed-upon definitions for all cases, applications, and missions. It involves precisely and accurately identifying unacceptable losses to stakeholders for each mission and/or purpose. Once that is done, so-called “adult conversations” can happen where “good enough” is defined through trade-offs. Engineers, planners, folks in leadership know that it’s impossible to maximize all parameters simultaneously, e.g., you cannot simultaneously get the biggest, heaviest car with largest engine, while simultaneously maximizing fuel efficiency.

An adult conversation the US Government will have to have is the use of COTS – commercial off the shelf – products in mission critical systems and critical infrastructure. COTS products are built for the commercial market, often for home users (e.g., PCs). They are designed for benign operating environments, not military ones. Using COTS is like a SEAL team going to Best Buy and picking up someone from the Geek squad to deploy with them on a mission. The question for any critical infrastructure system is: should we prioritize cost over safety and security?
3 Faculty Members Attain Prestigious IEEE Fellow Recognition

Wed, 14 Dec 2022 19:44:36 +0000

Three faculty members have been recognized as Fellows of the Institute of Electrical and Electronics Engineers (IEEE) for 2023, a high professional honor conferred on less than 0.1% of the organization’s membership annually.

and , both professors of electrical engineering and computer science in the , and , professor of physics in the , have been elevated to that designation.

Wenliang (Kevin) Du

IEEE is the world’s largest technical professional organization dedicated to advancing technology for the benefit of humanity. It has 409,000 members in more than 160 countries who are engineers, scientists and allied professionals whose technical interests are rooted in electrical and computer sciences, engineering and related disciplines.

The Fellow designation is the IEEE’s highest level of membership, attained through nomination by peers and approval by the IEEE Board of Directors.

Du is being recognized for contributions to cybersecurity education and research. Phoha is being honored for his work developing attack-averse active authentication in computing systems using behavioral patterns. Plourde’s Fellow status comes in regard to his contributions to the integration of qubits into future practical quantum computing systems.

University Vice President for Research says that election as an IEEE Fellow recognizes the extraordinary accomplishments of these faculty members. “I congratulate Professors Du, Phoha and Plourde,” Brown says. “This award demonstrates the high impact that their research has had in the scientific community. Election to an IEEE fellowship shows that these faculty have made important advances in engineering, science and technology. Their accomplishments underscore Syracuse University’s continuing commitment to and its reputation as a top-tier research institution.”

Du’s research focuses on system security for web, mobile, smartphone/tablet and Android operating systems. He has also developed improved access control for mobile systems. In the area of computer security education, work that he began in 2002 to develop hands-on labs for student computer security education, is now used by more than 400 universities and colleges in more than 30 countries.

This year, he also received the IEEE Region 1 Technological Innovation (Academic) Award. Du also recently was named principal investigator for a National Science Foundation grant of $399,000, “Building an Internet Emulator for Cybersecurity Education.”

Vir Phoha

Phoha’s research in systems security involves studying malignant systems, active authentication, machine learning, decision trees and statistical and evolutionary methods. He looks at large-time series data streams and static data sets and anomalies and optimization of computer networks to build defensive and offensive cyber-based systems.

Phoha was named a Fellow of the National Academy of Inventors in 2020 and a Fellow of the American Association for Advancement of Science in 2018. He has achieved 13 patents for inventions in machine learning, biometrics, user identification and authentication, data decision-making and cybersecurity attacks. He is currently an associate editor of IEEE Transactions on Computational Social Systems and two other journals.

Britton Plourde

Plourde is a leading expert in quantum computing and is working to develop new computers capable of generating solutions to complex problems using qubit computing systems. His work examines ways to improve superconducting quantum circuits. He and his research partners recently received a $5.6 million Army Research Office grant to investigate processes that deposit energy in solid-state qubits, which can lead to correlated errors in quantum computers.

Plourde has served as principal investigator or co-principal investigator on more than 15 federally funded grants. At Syracuse University, he has been awarded more than $10 million in research funding from a number of government sources and national research foundations.

Du and Phoha were nominated for Fellow status by Distinguished Professor , of the department of , who was himself recognized as an IEEE Fellow in 1997.

Two other professors of electrical engineering and computer science at Syracuse University, (2015) and (2019), have also been named IEEE Fellows.

AT&T ’Cuse Digital Experience Expands Technology Education for Syracuse City School Students

Fri, 02 Sep 2022 22:42:03 +0000

Syracuse University, AT&T, Museum of Science and Technology (MOST) and Tech4Kidz partnered this summer to create the Central New York region’s first free digital literacy and education summer program designed to address equality issues in technology education and to help local students impacted by the digital divide.

The AT&T ’Cuse Digital Experience is designed to encourage more underserved and diverse students to enter the field of technology, an industry that has long faced a pervasive diversity gap. The program provided more than 120 underrepresented students from the Syracuse City School District in fourth through eighth grades an opportunity to gain critical digital literacy and readiness skills through unique technology-focused immersive experiences, while encouraging them to explore STEM and technology educational and career paths.

Over the course of the program, the students learned a vast array of digital literacy skills, including cybersecurity, positive social media uses, analyzing search engine results, computer coding basics, keyboarding skills, artificial intelligence, 3D printing disciplines, digital animation, robotics, computer-based design for civil engineering and public space projects, and skills for finding factual news online.

The students also learned how technology can be used for good and community building by creating solutions and discovering creative uses to address issues impacting youth of the region, such as digital citizenship, while also learning the dangers of cyberbullying, cyberscams and digital footprint issues that hurt children’s reputation later in life.

Deborah Nosky

“We are grateful to AT&T and our collaborative partners for allowing us to introduce digital citizenship to so many local students. During our time together we were able to learn more about safety and how to protect our personal information in the digital world,” says Deborah Nosky, professor of practice in the School of Information Studies. “By expanding the students’ understanding and use of digital technologies, students were better able to understand how the skills we learned applied to careers they were already familiar with and new ones that they may wish to explore.”

“Technology innovates and transforms our world, and it creates boundless opportunities for those who know how to unlock its potential. This is why I am so excited for the 120 ϲ City School District students who participated in the first AT&T ’Cuse Digital Experience summer program. They learned valuable skills that will surely be the foundation for their future success—and the economic prosperity of our community,” says Jennifer Tifft, director of strategic initiatives for the City of ϲ. “I am deeply thankful to AT&T, the Museum of Science and Technology, Tech4Kidz and ϲ for offering such an impactful program to our kids. Partnerships like this make it possible to create more inclusive educational and economic opportunities for families of all backgrounds.”

Digital knowledge has become the new literacy and is the driver of all new global technology. With the growing demand to innovate, organizations across various industries struggle to fill skilled positions. It’s projected that there will be 3.5 million STEM and digital jobs in the U.S. by 2025, underscoring the importance of providing the youth the tools and skills necessary to compete in this innovation economy.

The urgency for more diverse, technology-trained employees is accentuated by the low level of diversity in the technology industry. This alarming diversity shortage in the tech industry and the growing STEM job market emphasize the importance of providing programming like the AT&T ’Cuse Digital Experience for youth of all backgrounds and economic situations.

“It’s been a pleasure teaching and learning from these energetic local students about technology and digital citizenry. Thank you to AT&T for making it possible,” says Laurie Ferger, teaching professor in the School of Information Studies.

Laurie Ferger

The free program was made possible by financial support and programming collaboration from AT&T as part of the company’s from 2021-2023 to help bridge the digital divide and homework gap.

“It has been an honor to collaborate with the MOST, Tech4Kidz and ϲ to offer this innovative experience to these students, as it further enhances our commitment to providing resources for digital literacy educational programming throughoutnd builds upon our vigorous efforts to bridge the diversity gap in the technology industry,” says Kevin Hanna, director of external affairs, AT&T. “I am so impressed by these remarkable students and proud of their determination throughout the summer working hard to gain critical digital literacy skills, they all have great futures ahead of them.”

Required Information Security Training Due March 31
/blog/2022/03/21/required-information-security-training-due-march-31/ Mon, 21 Mar 2022 14:48:16 +0000 /?p=174724

As a reminder, the deadline for all faculty and staff to complete mandatory information security training is Thursday, March 31. All faculty and staff must take information security training annually in accordance with New York State requirements.

If you have not done so already, you can complete your annual training via MySlice:

  • Go to MySlice
  • From the Employee Home page, choose the Employee Resources tile
  • Click the Security Awareness Training tile to access the training

To receive credit for completing the training, you will need to enter a code provided at the end of the video, as well as take a brief quiz.

More Russian-Led Hacks, Cyberattacks On Critical Infrastructure Expected
/blog/2022/02/24/more-russian-led-hacks-cyberattacks-on-critical-infrastructure-expected/ Thu, 24 Feb 2022 22:10:26 +0000 /?p=173992

Officials are closely monitoring the advances of the Russian military force in Ukraine within the physical and digital landscapes. Cyberthreats to critical government infrastructure are a growing concern, not only targeted at Ukraine, but also Western nations and government agencies.

is an associate professor in the ϲ School of Information Studies (iSchool) whose research specialty includes cybersecurity. He provides written comments that can be quoted directly and is also available for interviews as this situation unfolds.

McKnight says:

“U.S. cybersecurity leaders for private companies and in government have been on alert for weeks as President Putin telegraphed his intent to invade Ukraine’s territory, information systems, and infrastructure. Russian cyberattacks on critical infrastructure, falsely claimed to be provoked by Ukrainian attacks to which Russia was responding, and hacks of Ukrainian government websites, were all sadly to be expected parts of this operation.

“For average Americans, there is also a need to be extra alert both to the Russian disinformation campaign and its domestic witting or unwitting partners’ efforts to confuse and to deny the truth of what is happening. Everyone should also be aware of an increased likelihood of incoming phishing emails, and perhaps a little more skillful than average deep fakes. These are professional state-sponsored attempts to infiltrate and distract.

“The main thing for everyone to know now is this metaverse of real and unreal actions and actors is not going away any time soon. Everyone needs to boost their information security awareness, with training, and not just new services or hardware. Since the weakest link in cyber-defense is everyone’s “cyberhygiene”, it makes it easy to infiltrate and wreak havoc.”

 

To request interviews or get more information:

Daryl Lovell
Media Relations Manager
Division of Marketing and Communications

M 315.380.0206
dalovell@syr.edu

ϲ

Alert: Increased State-Sponsored Cyberattack Activity
/blog/2022/02/24/alert-increased-state-sponsored-cyberattack-activity/ Thu, 24 Feb 2022 18:47:54 +0000 /?p=173980

The U.S. Cybersecurity and Infrastructure Security Agency is warning U.S. organizations to beware of a possible rise in state-sponsored cyberattacks.

ϲ’s Information Security team within Information Technology Services (ITS) has not detected any marked increase in activity over the past week but continues to monitor for and prevent attacks. One of the most effective paths for an attacker to gain a foothold on the ϲ network is through phishing emails and other social engineering techniques.

ITS encourages all members of the University community to be mindful of and prepared to respond to cyberattacks. The tips below will help community members identify phishing emails and attempts to bypass multi-factor authentication (MFA). Additionally, there is information relating to taking the University’s required annual Information Security Awareness Training for faculty and staff. Please take a few moments to review the critical information below.

Don’t Fall Victim to ‘MFA Fatigue’

Attackers have been forced to shift their strategy since the University adopted multi-factor authentication to access key resources. Once an attacker compromises a ϲ NetID/password through phishing or other attacks, they repeatedly attempt to log in to University resources, generating multiple MFA requests on the compromised user’s phone or mobile device. This is done in an attempt to “wear out” their victims and cause them to approve the MFA request to silence their phone or device. This, in turn, allows the attacker access. If you have not explicitly attempted to log in to a system, do not accept an MFA request from your phone or device. Contact your IT Support Staff or the to report fraudulent MFA requests.

When in Doubt, Don’t Click

To protect yourself from phishing attacks, ask yourself these questions the next time you receive a suspicious email:

  • Was I expecting the document or link? Be suspicious of unexpected emails sharing documents and links you are not expecting. If you are not sure, contact the sender (preferably via text message, phone or an alternative email address) and ask if they shared a document with you.
  • Do I know the person sharing it? Consider the message suspicious if you do not know the sender. Remember, phishers often use compromised accounts to send their messages. They also can forge the sending address. If you feel at all unsure, call the sender at a known number to confirm they sent the information.
  • Can I identify the attached document before opening it? Is it clear from the document title and message what the document is and why it is being shared? Phishers often send vague messages stating a document has been shared with you. They rely on your curiosity to open the document. Do not open suspicious shared documents if you are at all unsure of what it is or who sent it.
  • Does the product or offer seem too good to be true? Beware of emails promising financial gain, quick fixes or easy solutions, as these are likely phishing attempts.

Take Required Information Security Awareness Training for Faculty and Staff

Taking the University’s required annual Information Security Training is one of the best ways for faculty and staff to increase their knowledge and protect their own and the University’s information. The training is available through March 31 and can be accessed by logging in to MySlice, selecting the “Employee Resources” tile and then selecting the “Security Awareness Training” tile. The training is self-paced and takes approximately 30-40 minutes to complete.

Required Information Security Training for Faculty and Staff Now Available
/blog/2022/02/16/required-information-security-training-for-faculty-and-staff-now-available/ Wed, 16 Feb 2022 19:05:12 +0000 /?p=173630

Data security has never been more important to the University as a community and as an institution. With bad actors constantly evolving their methods of attack, the University’s faculty and staff remain its first and last line of defense.

All ϲ faculty and staff must complete mandatory information security training in accordance with New York State requirements. Employees now can complete their annual training at any time. To do so:

  • Go to MySlice
  • From the Employee Home page, click the Employee Resources tile
  • Click the Security Awareness tile to access the training

“Even in the last few months, we have seen bad actors adapt to new security measures,” Chief Information Security Officer Christopher Croad says. “These training sessions are essential to discuss best practices and to learn how to protect against new threats.”

To receive credit for completing the training, employees will enter a code provided at the end of the video, as well as take a brief quiz. The expected time required to complete the training is 30-35 minutes. The deadline to complete this training is March 31. Employees with questions can contact Information Security IT Analyst Sarah Marciniak at smlittle@syr.edu.

“We know everyone has a lot going on right now,” Croad says. “We appreciate everyone’s investment of time and energy in protecting the University’s data. It really is up to all of us.”

Upcoming Change to Microsoft Multi-Factor Authentication App: Number Verification
/blog/2022/01/11/upcoming-change-to-microsoft-multi-factor-authentication-app-number-verification/ Tue, 11 Jan 2022 22:21:13 +0000 /?p=172165

Multi-factor authentication (MFA) is currently enabled for all students, faculty and staff accessing SUMail, Office365, MySlice, Blackboard and many other web-based applications. Beginning Tuesday, Jan. 18, users responding to a push notification from the Microsoft Authenticator app will be presented with a number verification that they will need to type into the app to complete the approval process. Those who currently use SMS (text messaging) or receive a phone call to authorize their accounts will not be affected by this change.

Screenshots of what the multi-factor authentication process will look like for users of the Microsoft Authenticator app on a computer (left) and mobile device.

MFA is an excellent method for enhancing user account security. With MFA enabled, a prospective thief would need access to both your password and a phone you’ve configured to steal your information. Number verification will enhance MFA’s ability to prevent the unauthorized use of NetIDs and passwords.

For more about the upcoming change, including detailed log-in instructions, visit the on Answers. If you need to configure your MFA settings, you can find instructions for doing so on the on Answers.

If you have questions, please contact the ITS Help Desk by calling 315.443.2677 or by emailing help@syr.edu.

Upcoming Change to Multi-Factor Authentication (MFA) for MySlice
/blog/2021/12/09/upcoming-change-to-multi-factor-authentication-mfa-for-myslice/ Thu, 09 Dec 2021 15:27:37 +0000 /?p=171620

Effective Tuesday, Dec. 14, the University will update MySlice’s security settings. This update will maintain a strong security posture while also reducing MFA prompts for community members using devices that are accessed with a NetID and password. These devices include desktops and laptops for most faculty and staff, as well as public computer labs and classrooms.

If you have questions related to these changes, please contact the ITS Help Desk by calling 315.443.2677 or emailing help@syr.edu.

Lights, Camera…Cybersecurity! Professor Constructs Studio for Instructional Videos
/blog/2021/11/08/lights-cameracybersecurity-professor-constructs-studio-for-instructional-videos/ Mon, 08 Nov 2021 23:19:05 +0000 /?p=170737

Kevin Du

Electrical engineering and computer science professor Kevin Du wanted to up the production value of the cybersecurity instruction videos he has been posting to YouTube and decided to construct a studio inside his lab space.

“I used to have one in home at my basement but that one has a problem because my family just walked around,” says Du. “So I decided I’m just going to build one in the corner of the lab.”

iSchool Launches Online Information Management and Technology Undergraduate Program
/blog/2021/08/14/ischool-launches-online-information-management-and-technology-undergraduate-program/ Sat, 14 Aug 2021 22:10:05 +0000 /?p=167899

Beginning in fall 2021, students will have the opportunity to earn a bachelor’s degree in information management and technology online through the School of Information Studies (iSchool). The new online program allows students seeking a part-time degree to have access to the same education as full-time, on-campus students.

The program focuses on developing essential skills for a career in information technology. Students will explore important topics like cybersecurity, machine learning, AI and cloud computing while expanding their skills in leadership, project management and business. Upon graduation, students will also have an extensive knowledge of data science and information systems.

“We’ve seen increased demand for this type of program over the past few years,” says Bruce Kingma, director of undergraduate programs at the iSchool. “We want to welcome as many different types of students as possible to the iSchool, and the addition of this flexible online program will help us do that.”

Students from various backgrounds and levels of education are invited to apply for the program. Up to 90 transfer credits from community colleges or other universities can be accepted but they are not required to enroll. The program offers options to combine online and in-person classes depending on the student’s schedule and preferences.

For more information about the program and instructions on how to apply, visit the or contact one of our advisors at startnow@syr.edu.

Cybersecurity Programs Help Veterans Transition to Civilian Workforce
/blog/2021/07/11/cybersecurity-programs-help-veterans-transition-to-civilian-workforce/ Sun, 11 Jul 2021 19:47:23 +0000 /?p=166862

Shiu-Kai Chin, professor in the College of Engineering and Computer Science, and Christopher Springs, student veteran in the College of Professional Studies, were interviewed for the INSIGHT Into Diversity article “.”

Chin comments on SU’s outreach and cybersecurity education programs, targeted specifically at military students, stating “[Cybersecurity] is a critical infrastructure that our modern society depends upon.”

ϲ Program Preparing Students for Cybersecurity Fight Against Criminal Hackers
/blog/2021/06/08/syracuse-program-preparing-students-for-cybersecurity-fight-against-criminal-hackers/ Tue, 08 Jun 2021 14:47:36 +0000 /?p=166352

The federal government is taking on cybersecurity threats and ransomware attacks like never before. With ransomware now widely viewed as a national security threat, President Biden recently launched an initiative to address its dangers by working with global partners to bolster accountability for countries that shelter cybercriminals. The president is also expected to raise the issue later this month when he meets with Russian President Vladimir Putin.

How can universities and colleges position cybersecurity students to be ready for the growing threat of ransomware attacks?

Ryan O. Williams

is associate dean of academic affairs at ϲ’s University College. He is responsible for researching, developing and launching new market-sensitive undergraduate and graduate programs.

Williams says:

“As recent ransomware attacks against Colonial Pipeline and JBS demonstrate, the digital world has created an unprecedented need to protect information systems. Preventing, detecting, and responding to attacks is essential to every individual and to corporate, governmental, and non-governmental organizations worldwide. Victims of cybercrime are often faced with an impossible decision – to give in to cyber extortion or forever lose mission-critical data. Ransomware attacks can be both targeted and random. No one is immune. The decentralized and market-oriented US economy remains especially vulnerable, particularly in industries critical to national security, such as energy and agriculture. The federal government has a role to play here, in setting the rules of engagement with criminal actors, communicating threats to the private sector, and in coordinating an appropriate response.

“More than ever, companies need highly-trained, competent cybersecurity specialists fighting on the front lines of this effort. Our prepares students with the necessary skills and expertise to protect systems and infrastructures – a key, transformative career for the 21st century.”

To request interviews or get more information:

Daryl Lovell
Media Relations Manager
Division of Marketing and Communications

T 315.443.1184 M 315.380.0206
dalovell@syr.edu

The Nancy Cantor Warehouse, 350 W. Fayette St., 4th Fl., ϲ, NY 13202
news.syr.edu

ϲ

World P@$$w0rd Day: Tips To Protect Your Digital Identity
/blog/2021/05/01/world-pw0rd-day-tips-to-protect-your-digital-identity/ Sat, 01 May 2021 20:49:58 +0000 /?p=165165

The first Thursday of May is , an annual reminder to promote better password habits and digital security. With more of our lives online than ever before, what should people know about passwords to better protect their identity and private information?

Michael Fudge

is a professor of practice in the School of Information Studies (iSchool). His areas of study center around digital transformation and the impact of information technology on society.

In this Q&A, Professor Fudge provides tips for password creation and advice on how to keep them safe and discusses extra safety steps you can set up on your devices today to better protect your digital identity.

Q: What are some of the most common mistakes people make when setting passwords?

Fudge: There are two common mistakes users make when deciding on which password to use.

First: using the same password for more than one account. When you re-use the same password on multiple websites, if one of those websites gets compromised and an attacker gets a hold of that password, they can use that password to gain access to the other sites. This is usually automated through an approach called credential stuffing. You should always use a different password for each account.

Second: using too simple of a password. When a website has password complexity requirements (must be at least 10 characters, one uppercase character, one digit, etc.) we sometimes resort to approaches that do not necessarily ensure good password complexity. For example, you might think using your middle name as a password (mine is Alexander) and then to meet the complexity requirements add the current year with a question mark (Alexander2020?). Automated attacks can take this into account nowadays so while at one time this was a good choice it no longer is. The more characters in the password the harder it is to guess, but to meet the length requirement we tend to do some really foolish things like:

  • Repeating the password pattern: Alexander2020?Alexander2020?
  • Adding the name of the site to the password, to make a unique password for each site: Alexander2020?google or Alexander2020?syr.edu

These password choices offer little additional complexity. They are predictable and provide insight into my algorithm, or process for creating a password.

The best choice for a password is a truly random sequence of characters that satisfy the complexity requirements. So how do you remember hundreds of randomly generated passwords? You don’t—use a password manager to do it for you.

The password manager is a personal database of your passwords. It will generate random passwords for you and store them securely. Some password managers will recall the password for you when you return to the site.

Q: So that leads well into this question…My iPhone offers me the option to create a complicated password and save it so I don’t have to remember it. Sounds like that is a good idea?

A: This is Apple’s keychain password manager. The Google phones have one as well. These options are better than you coming up with your own passwords. The risk is you are trusting Google or Apple to securely store your passwords, but it’s better than Post-It notes under your keyboard! There are third-party password manager services: LastPass, 1Password, Dashlane, and RoboForm. They do the same thing but are not tied to just your phone or Apple/Google devices. The important thing to remember is that when you use these services, we are trusting these organizations to store the key that decrypts our passwords. If you wrote all your passwords in a notebook and locked that notebook in a safe, it would be like giving Google, Apple, LastPass, etc. the keys to that safe. This is necessary for a password manager to function.

Q: How often should you be changing passwords? Are some accounts more important than others to update regularly?

A: With my passwords randomly generated, I do not change my passwords unless the service requires it.

What is really important is to enable two-factor authentication. This adds an extra layer of security, requiring you to not only know your password but also have a device that can verify your identity, most of the time this device is your smartphone. Two-factor might send SMS TXT to your phone each time you log in or use a special Authenticator app. For example, each time I log into my bank, I must reach for my phone and allow it to read my fingerprint. That way if my bank password does get stolen an attacker would also need my phone (and fingerprint) to log in to my account.

Two-factor authentication also gives you peace of mind as I get a notification each time someone tries to use my password to log in. If that person isn’t me, I need to change my password.

If the service supports two-factor, I turn it on. If you use a password manager to store your passwords, enable two-factor to protect your passwords!

Q: What are your thoughts on other types of security measures connected to biometric technology, such as facial recognition and fingerprint security?

A: These technologies work well as part of a two-factor strategy. For example, facial recognition paired with a pin on your phone is a good idea.

Q: With many of us living in the digital world now more than ever, what do we neglect or not know about when it comes to passwords and our digital security?

A: The ways attackers can attempt to obtain our passwords are numerous and varied. Some things we can control, like only installing software from trusted sources, and never clicking on links in an email. For the times the company gets hacked and the password exposure is not your fault, I suggest checking the email used when you signed up for the service on . When you enter your email, it will check to see if that email account was used with a service where your data was leaked. For the companies appearing on that list, change your password on that company’s website and set up two-factor if allowed.

 

Update to Identity Protection Services for Faculty and Staff
/blog/2021/04/28/update-to-identity-protection-services-for-faculty-and-staff/ Wed, 28 Apr 2021 18:41:47 +0000 /?p=165092

As previously announced, the University engaged IdentityForce, a leader in the identity protection industry, to provide services to faculty and benefits-eligible staff.

As a reminder, faculty and staff have free access to IdentityForce’s UltraSecure Plus identity protection, credit services and recovery services until March 2022. To access coverage, employees need their personalized access code which was emailed from Karen Morrissey, associate vice president, human resources, on March 19, 2021. If you need assistance in obtaining your personalized code, contact HR Shared Services at 315.443.4042.

Effective immediately, employees can now purchase additional coverage and add one other adult directly through the IdentityForce secure portal using a credit card. This will allow for immediate access to upgraded coverage through IdentityForce.

Visit the HR for more information and to learn how to enroll. For any questions, contact HR Shared Services at 315.443.4042 or IdentityForce Member Services at 877.694.3367.

Amazon’s Pay-By-Palm Plans Present Security Concerns
/blog/2021/04/26/amazons-pay-by-palm-plans-present-security-concerns/ Mon, 26 Apr 2021 20:51:23 +0000 /?p=164957

Amazon recently announced the rollout of the Amazon One program near its Seattle, WA headquarters that will allow consumers to utilize their palmprint (when linked with a credit card) to pay for items at local Whole Foods stores in that area.

How secure is this type of payment method? And what could be the future implications of a company like Amazon having this sort of biometric information?

Professor Vir Phoha

Vir Phoha is a professor of electrical engineering and computer science at ϲ. His expertise areas include biometrics, cybersecurity, machine learning, and smartphone and tablet security. Professor Phoha answers a few questions about biometric technology and some of the challenges it presents.

He is available for interviews and additional questions.

Q: What are your initial thoughts about the use of this sort of biometric technology?

Phoha: Typically palm prints are based on characteristics of the palm, such as the length and width of the palm, fingers, bone structure, and surface area of palm; and lines and ridges on the palm.

They can be contact-based such as placing the hand on a scanner. Placement may be guided by positioning pins that align the hand correctly for the camera or it can be contactless such as through a camera.

Some form of a scan or picture is taken of the palm, although different people have different palm structures (and palm veins). Privacy and security will be an issue because there is a lot of overlap in the structure of hands of different people, so this biometric is easy to spoof – identity theft may be a bigger problem as compared to a face biometric – it will relatively be easy to spoof or claim the identity of an individual. It can be a concern if the palm biometric is linked to credit cards and the information is stored on the Cloud. And the Cloud is under the control of Amazon.

Benefits of this technology: Sturdy and user friendly – ease of use is high; Changes in skin moisture or texture do not affect the results. There are not many studies that examine whether there are differences in palm structure for different ethnicities etc.

Drawbacks of this technology: There is a lot of overlap in the structure of hands of different people, so it is easy to spoof. Thus, the security of these systems is not as high as say a fingerprint.

Q: How would someone spoof a palm print?

Phoha: Typical ways of spoofing a palm are silicone glove; building a mold of a victim through replicating the palm prints (or image) from a picture of an individual’s palm or from palm prints left on glass, etc.

Q: What are some safeguards that should be put in place to prevent misuse?

Phoha: In addition to cryptographic and secure computation methods, I think palm biometrics should be combined with some other forms of biometrics or identification technologies including some form of second-factor authentication.

Q: Should we be concerned of having a large retail/tech company like Amazon with access to this kind of biological identifier?

Phoha: Yes, because unlike the face, one has to depend on algorithms to refute any false positives. Your face is visible so one can refute any allegations in a straightforward way. For example, in the case of facial recognition, the persons accused were able to refute because they saw the face of the real person who was to be charged and said that is not them.

Q: Similar to facial recognition software, how should companies navigate the use of this sort of technology by law enforcement agencies?

Phoha: To a large extent palm print is similar to fingerprint because an image (picture) is taken and just a visual inspection does not identify a person (unlike face). Algorithm matching has to be done. I feel that there are fewer chances of implicit bias because of palm print as compared to facial recognition.

To request interviews or get more information:

Daryl Lovell
Media Relations Manager
Division of Marketing and Communications

T 315.443.1184 M 315.380.0206
dalovell@syr.edu

The Nancy Cantor Warehouse, 350 W. Fayette St., 4th Fl., ϲ, NY 13202
news.syr.edu

ϲ

University to Offer IdentityForce Identity Protection to Faculty and Benefits-Eligible Staff
/blog/2021/03/12/university-to-offer-identityforce-identity-protection-to-faculty-and-benefits-eligible-staff/ Fri, 12 Mar 2021 20:44:28 +0000 /?p=163510

Dear Faculty and Staff:

As a follow up to the message we shared earlier this week regarding fraudulent unemployment benefit claims filed on behalf of New York State residents, we are writing today to share more information about identity protection services.

To help provide peace of mind to our community, the University has engaged IdentityForce, a leader in the identity protection industry, to provide services to faculty and benefits-eligible staff. Beginning Friday, March 19, eligible faculty and staff will have one year of free access to IdentityForce’s identity protection (including fraud, change of address and dark web monitoring); credit services (including credit freeze and reporting assistance, credit bureau monitoring, and monthly credit reports and scores); and recovery services (including white-glove remediation assistance and up to $1 million of identity theft insurance). Employees will also have free coverage for their children and the option to purchase additional coverage for themselves and one other adult at a reduced price.

Next week, you will receive a welcome email from IdentityForce that includes a link to access its secure portal so you can activate the coverage and begin using its services. Enrolling in these services is optional. When you activate the coverage, you will decide the level of information you wish to provide to IdentityForce. No personally identifiable information will be provided to IdentityForce by ϲ. You will also receive a brief survey from the Office of Human Resources that will ask you if you want to elect additional coverage for yourself or another adult. If you complete this survey, the Office of Human Resources will transmit that information to IdentityForce on your behalf.

Please contact HR Shared Services (HRservice@syr.edu or 315.443.4042) with any questions about this new benefit.

Sincerely,

Andrew R. Gordon
Senior Vice President and Chief Human Resource Officer

Steve Bennett
Senior Vice President for Academic Operations and International Programs and Chief of Staff to the Provost

]]>
Important Reminder: New York State Continues to Experience Fraudulent Unemployment Benefit Claims /blog/2021/03/08/important-reminder-new-york-state-continues-to-experience-fraudulent-unemployment-benefit-claims/ Mon, 08 Mar 2021 20:07:48 +0000 /?p=163470 Dear Faculty and Staff:

We write to you today to update you on the continued occurrence of fraudulent unemployment benefit claims filed on behalf of New York State residents. Many states across the country are reporting similar widespread unemployment fraud schemes, taking advantage of an increase in legitimate claims due to the pandemic.

Starting in February, the University experienced a rise in fraudulent unemployment benefit claims filed in the names of ϲ employees. Know that when this occurs, the University is identifying the fraudulent claim to New York State and working with affected employees. ϲ is also in contact with state and federal authorities.

In addition, our team has been communicating regularly with peers across a range of industries, including other colleges and universities throughout the state, who report that they are experiencing the same phenomenon. The University has also engaged leading global cybersecurity experts, who confirm the number of fraudulent claims we are receiving is similar to other organizations.

Our peers have indicated that they are unaware of any breach to their systems related to these fraudulent claims. Based on extensive testing of our own systems, we have no evidence that this comes from a data breach at ϲ. To verify this is the case, ϲ has engaged EY’s cybersecurity services to assess whether there are any indicators of compromise in our systems. Furthermore, as other organizations have done in response to this wave of fraud, to provide peace of mind to our community, ϲ will offer as an additional benefit to all faculty and benefits-eligible staff one year of identity theft protection services, free of charge. Information on how to register will be shared later this week.

If you believe that a fraudulent claim has been filed in your name, please visit the for step-by-step guidance on reporting fraud and protecting yourself. Any additional questions or concerns can be directed to HR Shared Services at 315.443.4042 or by emailing hrservice@syr.edu.

Sincerely,

Andrew R. Gordon
Senior Vice President and Chief Human Resource Officer

Steve Bennett
Senior Vice President for Academic Operations and International Programs and Chief of Staff to the Provost

]]>
Cybersecurity Challenges Face Many Battleground States /blog/2020/10/16/cybersecurity-challenges-face-many-battleground-states/ Fri, 16 Oct 2020 14:49:29 +0000 /?p=159095 headshot of Shiu-Kai Chin, professor of electrical engineering and computer science

Shiu-Kai Chin

Around half of states typically considered battleground states are facing cybersecurity challenges that put them at increased risk of a cybersecurity breach.

Shiu-Kai Chin, Ph.D., is a professor of electrical engineering in the College of Engineering and Computer Science and the Laura J. and L. Douglas Meredith Professor for Teaching Excellence. Professor Chin’s research interests include cybersecurity, systems assurance and formal verification.

Dr. Chin offered his perspective:

“The primary mission is to maintain the integrity of the voting process, particularly in terms of (1) assuring access by all registered voters to cast votes in a timely fashion, (2) ensuring each legitimate vote is counted without undue delay and (3) being able to provide an accurate accounting of the process to demonstrate trustworthiness.

Certainly, cybersecurity plays an important role and I would assume that all jurisdictions have contingency plans to mitigate loss of power, computers and networks. That is, the voting process does not depend entirely on one technological aspect, in this case one particular set of computers or networks.

For a relevant example, the financial services industry, particularly the use of consumer credit cards, demonstrates that a reliable and trustworthy service can be delivered using a combination of imperfect technology (e.g., a three-digit verification number on the back of a credit card), surveillance (e.g., consumers being able to monitor their accounts 24/7) and policy (e.g., questionable transactions being removed from customer accounts pending investigation). I would imagine that the voting process has all these capabilities in place and more.”

]]>
“Attack on Universal Health Services a cry for change.” /blog/2020/09/30/attack-on-universal-health-services-a-cry-for-change/ Wed, 30 Sep 2020 14:17:08 +0000 /?p=158671 Lee McKnight, associate professor in the iSchool, was interviewed for the TechTarget article “.” Universal Health Services, an IT network for over 400 healthcare facilities, is the recent victim of a cyberattack that crippled the Fortune 500 company. McKnight, an expert in internet governance, believes that the “ransomware attack was not only premeditated but likely seen as lucrative” by the cyber-attackers.

]]>
Medical Ransomware Attack Could Spell Disaster, Deaths During Pandemic /blog/2020/09/29/medical-ransomware-attack-could-spell-disaster-deaths-during-pandemic/ Tue, 29 Sep 2020 19:30:01 +0000 /?p=158338 Universal Health Services is working to get back online after facing what could be the largest medical system cyberattack in U.S. history. UHS officials have not confirmed it was ransomware but did issue a statement that its system is currently down due to an IT security issue.

Two ϲ professors and cybersecurity experts offer comments on the latest developments.

Shiu-Kai Chin is a professor of electrical engineering at ϲ’s College of Engineering and Computer Science. His research interests include computer security, cybersecurity and systems assurance. He says now is not the time to play the blame game. Instead, officials should do a system-wide assessment to match safety and security expectations.

Chin says:

“Hospital operations epitomize mission-critical functions. There is a real danger of unacceptable losses happening in terms of patient injury and death.

“The key to preventing future losses is to adopt a mission-assurance mindset combined with systems thinking. What a mission-assurance mindset means is: Avoid the blame game, which focuses on finding the one person whose head will go on a platter, or the single component responsible for the entire denial of access to patient records. Safety and security emerge out of the combined efforts of all involved. Safety and security cannot be created by one component or subsystem. At a minimum, it requires a controlled process and a controller operating together within system-wide constraints that match the safety and security expectations of the system’s stakeholders.

“We need to stop admiring the problem, i.e., stop focusing entirely on ransomware. Fixing ransomware alone will not assure the hospital’s mission. We need to identify mission-essential functions, e.g., timely, accurate, and precise knowledge of patient and hospital status, identify scenarios where these functions could be compromised, i.e., wargame the scenarios, and devise mitigations and/or adjust operations and decision-making processes prior to the next attack or accident.

“Moving forward, necessary questions are: What circumstances combined with hospital operating conditions can bring about the loss of mission-critical functions leading to unacceptable losses?; What are early indications and warnings that we are operating in a hazardous state that could lead to unacceptable losses; And based on wargaming, what mitigations or plans do we have to manage ourselves out of a hazardous state to prevent or minimize unacceptable losses?”

is an associate professor at the ϲ School of Information Studies (iSchool) whose research specialty includes cybersecurity. Prof. McKnight, who will present at the Oct. 14-16, says architectures and new community awareness efforts are needed to build cyber-physical security resilience.

McKnight says:

“I felt sick to my stomach when I learned of the Universal Health Services ransomware attack.

“Turning hospitals back to 1950s paper-based operations, during a pandemic, will cause people to die in spite of best efforts and back-up plans. UHS is a huge operation with 90,000 employees now working on their penmanship.

“The need for a new secure cloud architecture approach for security, privacy, rights and ethics cloud to edge as we have been developing in public-private partnership with City of ϲ, NIST, and many firms and community organizations nationwide and worldwide, becomes more obvious every time poorly architected (for 2020) legacy systems without access control and least privileges by design bring down a company.

“The consequences of non-compliance with ransomware attackers’ demands are growing more extreme. Even as Universal Health Services struggles to restore systems, the Clark County (Las Vegas) School District is also suffering a ransomware attack. Students’ grades and personal information have been released to the Dark Web as punishment for the District not complying with their financial demands.

“Fortunately, data backups of medical information limit the damage in the UHS case. And patient records are kept in a separate system that was not accessed, so their systems do have some cyber-physical resiliency by design. But that’s not enough in the UHS case to regain control of key healthcare systems from hackers.

“Since for both schools and healthcare systems like Universal Health Services, as well as city governments, and small and large businesses, cyber-business as usual is just too easy for the hackers to take over. New architectures and new community awareness efforts are needed to build cyber physical security resilience.”

 

 


]]>
User Beware: We Still Don’t Know How Oracle Will Treat US Consumer Data /blog/2020/09/22/user-beware-we-still-dont-know-how-oracle-will-treat-us-consumer-data/ Tue, 22 Sep 2020 13:23:28 +0000 /?p=157915 President Trump approved a tentative deal over the weekend that allows TikTok to stay in U.S. app stores for now. On Friday, officials had announced WeChat and TikTok apps would be banned, citing national security concerns as the reason behind the expulsion of the Chinese-owned apps.

is an associate professor in the ϲ School of Information Studies (iSchool) whose research specialty includes cybersecurity.

McKnight says:

“Tik Tok has been guilty of being a fast-growing phenomenon, which exposed its sloppy technical practices to scrutiny, as happened with Zoom. The list of Tik Tok vulnerabilities and flaws patched or not (yet?) patched properly over the past months is long. Whether they were just sloppy like typical Silicon Valley companies, or malicious, would require access to classified information to say for sure one way or another.

“Going forward, the separation of U.S. user data from control of the ByteDance parent through the Oracle acquisition is a significant change; but of course, we don’t know yet how Oracle will treat U.S. consumer data. If no better than say Facebook or Google…. user (still) beware.

“The issue of control of the software coding highlighted by Senator Rubio is – sort of – a true concern. But since the bulk of the software would be in Oracle’s data centers, presumably Oracle can detect anomalous data flows back to China; or encrypted data exiting their data centers for points unknown. So, not a serious problem at the infrastructure level. For data flows from user devices, similarly, Apple or Google’s Android OS could detect anomalous encrypted data flows exiting user devices, so that is also not necessarily a serious concern. If we can trust Google and Apple to protect users over their Chinese market positions.

“But clearly the biggest security threat to Tik Tok user data remains the Chinese Communist Party, and the People’s Army, which even if they cannot come in through an open backdoor, have shown no hesitation to steal and/or censor data and information to suppress dissent. ByteDance the parent corporation, and its founder and CEO Zhang Yiming, are always subject to pressure and control of the CCP, which can make even the CEO of the most valuable startup in the world, disappear. In 45 seconds.”

 


]]>
“US indicts Chinese hackers on charges of targeting coronavirus vaccine data and defense secrets.” /blog/2020/07/22/us-indicts-chinese-hackers-on-charges-of-targeting-coronavirus-vaccine-data-and-defense-secrets/ Thu, 23 Jul 2020 02:32:41 +0000 /?p=158021 Corri Zoli, research assistant professor of political science at the Maxwell School and director of research at the Institute for Security Policy and Law, was interviewed by the South China Morning Post for the story “” Zoli, an expert on cybersecurity and policy, says that “this is information warfare so there’s a lot of evasion and distraction going on here.”

]]>
Top Mobile Security Threats for Cell Phone Users /blog/2020/03/06/top-mobile-security-threats-for-cell-phone-users/ Fri, 06 Mar 2020 18:54:43 +0000 /?p=152663 , a professor in the College of Engineering and Computer Science, was quoted in the Cybersecurity Online article “.” Du urges cell phone users to be aware of mobile security threats and protect themselves by using a reliable Virtual Private Network (VPN).

]]>
Career Achievement Unlocked—CyberStart Video Game Lets Students Explore Cybersecurity /blog/2020/02/04/career-achievement-unlocked-cyberstart-video-game-lets-students-explore-cybersecurity/ Tue, 04 Feb 2020 20:07:44 +0000 /?p=151574 Interested in cybersecurity? Try CyberStart!

Move over Fortnite and Overwatch–there’s a new game in town. Provided by the SANS Institute and funded by the National Science Foundation, CyberStart is an online game for students with extraordinary problem-solving skills who are interested in learning more about cybersecurity.

All students with an appetite for challenges (and pizza) are invited to the CyberStart launch party on Friday, Feb. 14, at 3 p.m. in 200 Falk College. Attendees will have the opportunity to demo the CyberStart video game and talk with cybersecurity experts from ϲ.

ϲ is one of just nine universities selected by the SANS Institute to participate in the CyberStart program. Chief Information Security Officer Chris Croad and Professor Shiu-Kai Chin from the College of Engineering and Computer Science have partnered to bring CyberStart to campus.

“I’m excited that we’re able to bring this opportunity to all of our students,” Croad said. “CyberStart will help students across all majors learn about a field that effectively has negative unemployment.”

In addition to career opportunities, CyberStart offers a chance to think about the “promise and pitfalls of cyberspace,” according to Chin.

“Our society is increasingly a cyber-physical one, where how we live and what we can do depends on decisions made by electronic systems,” Chin said. “People who understand the cyber nature of the world can help shape it to become a more positive version of itself.”

The CyberStart program offers students across all disciplines an opportunity to learn more about the cybersecurity profession, test their problem-solving skills and learn new technology. The first round (CyberStart Go) consists of unscored gameplay. At the end of the first round, interested students will have the opportunity to move on to the competitive round (CyberStart Game) in March. CyberStart Game offers more advanced challenges and is scored by ITS. The top scorers from the second round will be recognized at a champions’ reception and will receive access to CyberStart Essentials, which provides a deep dive into cybersecurity technology equivalent to roughly 70 hours of professional training.

Round 1: CyberStart Go (open), Round 2: CyberStart Game (competitive); Round 3: CyberStart Essentials (top players)

“My hope is students from all academic areas will give this a try,” Croad said. “Although they might lack the classic ‘cyber skills,’ students who excel in critical thinking and problem solving could discover that they want to further explore the cybersecurity discipline.”

]]>
Compromised Medical Data Reminds Us We’re Only As Strong As Our Weakest Link /blog/2019/09/18/compromised-medical-data-reminds-us-were-only-as-strong-as-our-weakest-link/ Wed, 18 Sep 2019 17:05:00 +0000 /?p=147182 A new report has uncovered the ease with which medical records, health data and images belonging to millions of patients can be found online. The identified more than 180 servers used in medical offices across the U.S. that were unprotected by passwords or basic security measures.

is an assistant professor at ϲ’s College of Engineering and Computer Science. As a general precaution, he encourages users to close accounts they’re no longer using and to regularly audit which applications have access to their data.

Micinski says:

“Situations like these are good reminders that we’re only as secure as our weakest link.

“Once we give our private data to an institution, whether a hospital or just an app, we must implicitly rely upon that institution to secure our data in perpetuity. One tangible way we can prevent this is to close accounts we no longer use.

“As a concrete example, many people using sites such as Facebook often, perhaps unknowingly, give third-party apps permission to use their data from Facebook (e.g., dating apps, Netflix, etc.). We must take proactive measures to cut these ties such as in the case of Facebook, Google, and other sites. Each network has the ability to remove apps that were previously installed.

“There’s a link to a that will help you audit and understand what apps have access to your data.”

 


]]>
University Assembles Mission Assurance Experts at Cybersecurity Workshop /blog/2019/08/23/university-assembles-mission-assurance-experts-at-cybersecurity-workshop/ Fri, 23 Aug 2019 17:25:37 +0000 /?p=146468 group of people posing

The workshop was attended by representatives from the National Security Agency, the U.K. Ministry of Defence, and the National Counterintelligence and Security Center, as well as the U.S. military, academia and industry.

Cyberattacks happen every day. From Equifax to Facebook, even the biggest companies struggle to protect our data, and they often fail to do so. But breaches that expose personal and financial data are only part of the problem. There are cybersecurity systems around the world that protect people’s very lives.

Earlier this month, ϲ hosted its second annual Enduring Assurance Workshop. The three-day, invitation-only meeting convened a team of experts who are devoted to thwarting attacks on the systems that military and intelligence agencies rely on to carry out their missions safely and effectively. Attendees included representatives from the National Security Agency, the U.K. Ministry of Defence, and the National Counterintelligence and Security Center, as well as the U.S. military, academia and industry.

A collaboration between the (ECS) and the (OVMA), this year’s workshop followed the theme “Making Mission Assurance a Reality.” The attendees addressed cybersecurity risks to U.S. Department of Defense missions; the architectural, functional and security requirements that impact data flows; securing the U.S. Air Force’s software-centric electronic warfare operations; and mission assurance and security by design.

“I am proud to say that the majority of people who attended are either ϲ alumni who are now working in government, industry or academia, or cyber experts who we have collaborated with extensively,” says , professor of electrical engineering and computer science in ECS. “Each participant is invited because they are grounded in both the theory and practice of mission assurance, risk management, and cybersecurity.”

“The OVMA is proud to support this important cybersecurity work which offers significant value to our country’s national security,” says OVMA Executive Director Ron Novack. “This initiative aligns well with the University’s commitment to serve veterans and speaks to the authority and caliber of the University as a recognized leader in this emerging field.”

Cybersecurity is a “wicked problem”—a problem that is unstructured, open-ended, systemic, multi-dimensional and operates in an evolving environment. By bringing leading cyber experts in this crucial field together, the University further establishes its reputation as a leader in cybersecurity and military affairs.

“Together, we are working to ensure that truly trustworthy systems are conceived, designed, tested, verified and operated, and that all stakeholders’ needs are addressed,” says Chin. “We’re protecting those who protect us.”

]]>
Cybersecurity Workshops Draw Faculty from Across the Globe /blog/2019/06/12/cybersecurity-workshops-draw-faculty-from-across-the-globe/ Wed, 12 Jun 2019 18:20:02 +0000 /?p=145150 two men looking at computer

Kevin Du, right, has trained thousands of educators from around the world on the latest cybersecurity techniques using his custom-designed labs

A cyberattack is happening right now. At every moment of every day, increasingly sophisticated hackers are trying to gain access to the networks of businesses and institutions around the world. To combat them, College of Engineering and Computer Science Professor Kevin Du says learning how to protect a network is not enough. To fully understand cyberattacks, you need to think like a hacker and know how to break in.

“As educators, what we are actually trying to teach students is–what are the problem areas? How the attacker can attack. We don’t just teach them on paper, we really say you have got to do it because otherwise, you don’t know how to defend,” says Du.

Since 2002, Du has trained thousands of educators from around the world on the latest cybersecurity techniques using his custom-designed labs.

“Students learn better from doing but to actually do that is very hard so this lab serves that purpose,” Du says.

In his workshops on campus funded by the National Science Foundation, participants can safely attack and defend networks without the risk of doing any harm.

“What I provide is a contained environment. They launch an attack inside their own computer. So inside their computer, they have multiple computers actually,” says Du. “So they are attacking from one computer to another which sometimes we simulate some of the servers, for example google.com, but they are actually on the inside of our computer.”



The goal is to boost the next generation of computer scientists and cybersecurity students–making sure they are ready to adapt in the rapidly changing online security landscape.

Professor Dan Bennett from Edinboro University came to the ϲ campus to participate in Du’s workshop. He says his opportunity to work with a worldwide leader in cybersecurity education will benefit his students at home in Pennsylvania.

man speaking in front of classroom

The goal of Kevin Du’s workshops is to boost the next generation of computer scientists and cybersecurity students.

“I hope to take some stuff that I can take and put in the class pretty directly,” says Bennett. “One of the things that is going to be wonderful is that we teach them techniques but then when they see these they will understand much better why we teach them software techniques.”

Educators say the material in Du’s workshop can benefit students across several tech disciplines since all need to be thinking about security.

“In your computer, there are a lot of doors, and many doors are not locked,” says Du.

Du just published the second edition of his computer security textbook that is currently being used by more than 80 schools.

]]>
Election Cybersecurity Around the World /blog/2019/03/13/election-cybersecurity-around-the-world/ Wed, 13 Mar 2019 18:01:55 +0000 /?p=142468 Kevin Du, a professor in the College of Engineering and Computer Science, was interviewed for the CyberWire podcast “.”

During the podcast, Dr. Du spoke about “the importance of hands-on training in cyber security.”

]]>
University College Responds to High Demand for Cybersecurity Specialists /blog/2019/02/21/university-college-responds-to-high-demand-for-cybersecurity-specialists/ Thu, 21 Feb 2019 18:15:37 +0000 /?p=141551 To meet the high demand for cybersecurity specialists in the field, University College has launched a bachelor of professional studies (BPS) degree in cybersecurity administration. The degree is fully online and can be completed from anywhere in the world.

Cybersecurity specialists work on the front lines and are responsible for implementing and overseeing networks that are required to run specific portions of a security program. The BPS degree provides the applied skills, breadth of knowledge and professional competencies needed to manage people and the technologies required to protect information systems and infrastructures.

According to , the national average salary for a cybersecurity specialist is $90,239 per year. In ϲ and the surrounding area, cybersecurity administrators make on average $85,756 per year.

“The online bachelor’s degree in cybersecurity administration was developed to address rapidly evolving global information security needs,” says Michael Frasciello, dean of University College. “While the online program is open to anyone who qualifies, it was designed to align with security and assurance specialist training in the United States military.”

Active duty military, New York State National Guard members and U.S. Reserve Component Military admitted to the online degree in cybersecurity can use their or New York State RIRP tuition benefit to cover 100 percent of the tuition.

“Offering our online bachelor’s degrees at the TA rate for active, guard and reserve members is another example of ϲ’s unwavering support for our veterans and those currently serving,” adds Frasciello.

Pursuing a college degree online allows students to manage the ever-increasing demands of personal and professional commitments while beginning or continuing their education. For more information on how to get started, call 1.866.498.9378 or email parttime@syr.edu.

]]>
Become a Leader in Cybersecurity this Fall /blog/2019/01/15/become-a-leader-in-cybersecurity-this-fall/ Tue, 15 Jan 2019 16:12:51 +0000 /?p=140196 collage of photos with words ϲ Cybersecurity Semester

In today’s hyperconnected world, cyber attacks on our institutions and personal information are increasing. Governments and industries alike need well-trained experts to protect us.

This fall, the Cybersecurity Semester (CSS) returns to ϲ to teach computer science and computer engineering students from institutions across the country to become leaders in cybersecurity.

Designed by the and the , the CSS is an 18-credit semester in which students gain technical expertise from cybersecurity leaders and practitioners through hands-on experiences. Participants learn to identify and analyze system vulnerabilities, assess risks, develop countermeasures and secure systems, and deliver software that has verifiable assurance properties.

The CSS is open to qualified ϲ students, as well as ROTC scholarship cadets from other colleges and universities. This year, SU is offering the CSS on a cost-neutral basis for up to 10 ROTC candidates from academic institutions outside of ϲ. SU’s cybersecurity programs have been .

Participants will attend a leadership development seminar, gain priority access to an internship with the U.S. Air Force, attend retreats and visit the Civil War battlefields of Gettysburg, Pennsylvania.

“Students in the CSS learn the theory, tools and practices to verify the security and integrity of operations formally. This capability is the basis for assuring missions in cyber physical space no matter the application. There is no other program like this in the nation,” says Professor Shiu-Kai Chin.

The CSS consists of a core course load, electives and professional development. Core ABET-accredited courses include CIS 400: Certified Security by Design, CSE 484: Introduction to Computer and Network Security, and CIS 487: Access Control, Security, and Trust. Electives are tailored to individual student needs and interests. Professional preparation includes an internship and leadership development.

Students must be seniors or juniors in a computer science or computer engineering undergraduate program with an appropriate level of prior coursework and a preferred GPA of 3.3 or higher. They must also have experience with discrete mathematics, programming experience in a high-level language and familiarity with Linux at the command-line level. U.S. citizenship or permanent resident status may also be required to be eligible for internship opportunities, an optional part of the program.

Applications will be accepted until 11:59 pm EST on March 17, 2019. To apply, please send the following in a single PDF file to cyberengineering@syr.edu:

  • Resume
  • Unofficial college transcripts (including transfer credits)
  • A 100-word biography (include hobbies, interests and goals) with a recent headshot photograph

A letter of recommendation from an academic advisor or faculty member must also be sent to cyberengineering@syr.edu directly from the reference by the deadline. For ROTC cadets, a letter of reference from ROTC detachment leadership is also acceptable. Admission notifications will be sent in April.

Computer Science Professor Interviewed about Cyber Monday
/blog/2018/11/29/computer-science-professor-interviewed-about-cyber-monday/ Thu, 29 Nov 2018 20:50:51 +0000 /?p=139207

Kevin Du, a professor in the College of Engineering and Computer Science, was interviewed by News Channel 9 for the story

Syracuse University Hosts Air Force Cybersecurity Workshop
/blog/2018/09/10/syracuse-university-hosts-air-force-cybersecurity-workshop/ Mon, 10 Sep 2018 20:48:42 +0000 /?p=136349

College of Engineering and Computer Science Professor , Professor and joined more than 20 selected experts from the Department of Defense, academia and industry at the “Enduring Assurance Workshop: Mission Assurance in Cyberspace, the IoT, and the Cloud” workshop on Aug. 22-24. The workshop was held at Syracuse University’s Minnowbrook Conference Center on Blue Mountain Lake in the Adirondacks.

The Enduring Assurance Workshop was an invitation-only opportunity to help set the research and development agenda for the U.S. Air Force (USAF) in support of cybersecurity. To support mission-essential functions, the Air Force needs to be sure its systems can maintain the necessary security, integrity, and stability.

“The workshop brought a diverse group of people from industry, government, military, and academia together to discuss cybersecurity applied to all areas of technology, administration, and human endeavor,” says Oh.

The research and development ideas generated will inform the research and development agenda put forth by Kamal Jabbour, USAF senior scientist for information assurance. Jabbour is the principal scientific authority and independent researcher in the field of information assurance, including defensive information warfare and offensive information warfare technology.

Phishing Attacks: Everything Old is New Again
/blog/2018/08/22/phishing-attacks-everything-old-is-new-again/ Wed, 22 Aug 2018 15:49:17 +0000 /?p=135730

This week, Microsoft announced it had been successful in stopping attempted cyber-attacks by Russian hackers that were trying to steal data from U.S. political groups. The company believes the attacks were likely the start of a “spear phishing” campaign that would have tried to trick users into clicking fake website links of real organizations to steal login information.

is a professor of electrical engineering and computer science at Syracuse University’s College of Engineering and Computer Science. Professor Du, who teaches internet security courses, says phishing attacks are not new to the cyber world. But the move of attacks into the political world is.

Du says:

“In general, this is called ‘phishing attacks.’ Attackers trick victims to visit their sites, which look similar to a legitimate site. The attack has been used against banking, financial institutes, companies, and universities. To my knowledge, using it for political purpose is something quite new. Technically, however, they are similar attacks.

“I do remember one incident that is related to this most recent attack. In the 2004 presidential debate between John Edwards and then U.S. Vice President Dick Cheney, Cheney said the following: ‘Well, the reason they keep mentioning Halliburton is because they’re trying to throw up a smokescreen. They know the charges are false. They know that if you go, for example, to FactCheck.com, an independent Web site sponsored by the University of Pennsylvania, you can get the specific details with respect to Halliburton.’ The debate was broadcast live and within a few minutes, the website of FactCheck.com received a tremendous amount of traffic.

“Unfortunately for Cheney, the actual website should have been FactCheck.org, a politically neutral web site, not FactCheck.com. George Soros, who did not like Bush, immediately capitalized on this mistake by somehow (he might have paid the owner of FactCheck.com for doing so) redirecting all the FactCheck.com-bound traffic to his own website, where the top item was an article by Soros entitled ‘Why we must not Re-Elect President Bush.’ In essence, Cheney had launched an attack against himself by using an incorrect website name and Soros capitalized on that mistake. In spirit, the attacks we see today are similar to this incident.

“To protect against this attack, customers just have to be very careful telling the difference between the real website and a fake website. It is quite hard.”

 

To request interviews or get more information:

Daryl Lovell
Media Relations Manager
Division of Communications and Marketing

T 315.443.1184 M 315.380.0206
dalovell@syr.edu

820 Comstock Avenue, Suite 308, Syracuse, NY 13244
news.syr.edu

Syracuse University

Critical Cuts to US Cyber Standards Agency Leaves Us Vulnerable
/blog/2018/02/14/critical-cuts-to-us-cyber-standards-agency-leaves-us-vulnerable/ Wed, 14 Feb 2018 16:45:16 +0000 /?p=129522

According to recent reports, the Trump Administration’s new fiscal 2019 funding plan includes cuts to the National Institute of Standards and Technology – a group that oversees measurement standards, including those in the cybersecurity field.

is an electrical engineering and computer science professor at Syracuse University’s College of Engineering and Computer Science. Chin says the strategy of “robbing Peter to pay Paul” to address cybersecurity funding leaves us vulnerable as a nation.

Chin says:

“We’re all in the same boat when it comes to cybersecurity. The apparent strategy of robbing Peter to pay Paul still leaves us vulnerable as a nation. The fact is that much of the nation’s critical infrastructure, much of which depends on the correct operations of computers embedded in that infrastructure, lies outside the government, i.e., power, telecommunications, financial services, and transportation.

“The National Institute of Standards and Technology plays a crucial role in setting the bar for what’s good security practice, how to assess security, and how to implement computer security. NIST is working hard to address the root causes of our national cyber vulnerabilities by providing guidance on how to build trustworthy systems by building security into systems from initial conception through deployment.

“You cannot build a house on half a foundation. Cutting NIST is short sighted.”

 

 

 

Chin, Chapin Testify to NYS Senate on Cybersecurity
/blog/2017/11/14/chin-chapin-testify-to-nys-senate-on-cybersecurity/ Tue, 14 Nov 2017 20:55:16 +0000 /?p=126391

In the wake of the Equifax breach, the New York State Senate turned to Syracuse University’s cybersecurity faculty to learn about cyberthreats, best practices and solutions. In the following select passages of their written testimonies, Professors and share their expertise on the topic.

Passages from Professor Shiu-Kai Chin’s testimony to New York State Senate Public Hearing on Cybersecurity:

Shiu-Kai Chin

“If you treat each item of information as if it were a $100 bill, then you will know what to do. Security and integrity must be built in from the initial concept of a system, into its design and throughout its deployment and operation. This is no different than building and operating any business with the financial controls, constraints and policies to assure that every transfer of funds is authenticated and authorized. The same holds true for information. The gold standard is every transaction must be authenticated and authorized with assurances that if something was done, then whatever was done must have been authenticated and authorized because of the controls and constraints that were built into the system from the start.

There is no integrity or security without audit. What we are talking about is accountability. Information and information operations must be treated with the same care and diligence as we treat money and financial operations. We need to mimic the routine business practice of annual financial audits to assure the public that public statements of a business’ information operations are accurate and reflect reality.

Math is essential. Financial audits rigorously answer the question whether a business’ balance sheet and policies are accurate statements of its financial state and operations. Evidence is gathered, and numbers are crunched. Compelling proof of integrity requires that everything adds up and is balanced. The same is true for information operations. Math is essential for compelling assurance of security and integrity.

What I am saying is not new. The following passage is part of a paper written by Lieutenant Colonel Roger Schell describing remarks by a KGB officer:

“Comrades, today I will brief you on the most significant breakthrough in intelligence collection since the ‘breaking’ of the ‘unbreakable’ Japanese and German cyphers in World War II—the penetration of the security of American computers. There is virtually (if not literally) no major American national defense secret which is not stored on a computer somewhere. At the same time, there are few (if any) computers in their national defense system which are not accessible, in theory if not yet in fact, to our prying. Better still, we don’t even have to wait for them to send the particular information we want so we can intercept it; we can request and get specific material of interest to us, with virtually no risk to our agents. …

“They are aware of the potential for a computer security problem, but with their usual carelessness they have decided not to correct the problem until they have verified examples of our active exploitation. We, of course, must not let them find these examples.”

The above comments are in Roger Schell’s paper “Computer Security: the Achilles’ heel of the electronic Air Force.” The paper was published in Air University Review, in 1979! The paper was reprinted in the 2013 issue of Air & Space Power Journal because of its historical significance.

One takeaway is this: cybersecurity is a known problem, and we have known about it for over 40 years.

Schell wrote his paper in response to the cancellation of his computer security research program by the Air Force in 1979. Our answers to the question “What did we know and when did we know it?” reveal we have no plausible deniability when it comes to cybersecurity. We knew early on this would be a strategic vulnerability and we chose to ignore it. I deliberately say “we” not “they” because even though “we” were not in command in 1979, “we” collectively set the market and the national expectations of what is reasonable, now.

We can no longer ignore the problem. Business as usual will lead to disaster.

The overarching guidance from Schell’s 1979 paper still applies today:
“Do not trust security to technology unless that technology is demonstrably trustworthy, and the absence of demonstrated compromise is absolutely not a demonstration of security.”

The implication is this: penetration testing, while very useful, is insufficient alone for assuring trustworthiness. We need to do the math much like auditors do the math to provide compelling evidence of trustworthiness. We need to verify that the controls and constraints are appropriate for the intended mission. We must verify the controls and constraints are correctly implemented and used properly.

The good news is we have made a lot of progress since 1979. Mathematical verification of computer systems was once thought to be too hard. Semiconductor companies such as Intel routinely integrate formal mathematical verification, simulation and testing to verify their microprocessor chips are correct. Companies, such as Rockwell/Collins, that manufacture onboard flight control computers for commercial airliners do formal mathematical proofs to assure flight control computers are secure.

Syracuse University, in partnership with the Air Force Research Laboratory in Rome, New York, since 2003 has offered the ACE (Advanced Course in Engineering) Cybersecurity Boot Camp. ACE has graduated over 500 ROTC cadets, civilians and active duty personnel from over 50 universities in the U.S. and United Kingdom. ACE provides compelling evidence that rigorous approaches to mission assurance and cybersecurity are feasible and practical at the undergraduate level in engineering and computer science.

As the B.S. degree sets the baseline capabilities for the engineering and computer science profession, it is essential that secure system design and engineering be routine at the B.S. level. I am proud to say that this is the case at Syracuse University.

I end my testimony by pointing out a looming problem we need to address now. We must address the need for trustworthy online and electronic identities. Social security numbers are fatally compromised. They must be replaced.

The thing about online identity is this: our identity is not who we say we are; it is who others say we are. Who are we going to trust with that authority? How will we know that the foundation for establishing identity is trustworthy? How will authorities trusted with certifying identity be audited to verify their trustworthiness? Authentication technology alone is insufficient. It is just one component in a system that requires policies, practices, norms, rules and regulations.

It is worth pointing out what happened to Roger Schell after 1979. Schell would go on to be regarded as the “father” of the National Security Agency’s Trusted Computer Security Criteria. It is the foundation of the current National Institute of Standards and Technology security standards. In 2012, Schell was inducted into the inaugural class of the National Cybersecurity Hall of Fame.

Schell is an example of what individuals can do. Our democracy, with all its well-publicized frustrations, is a workable system that enables engaged citizens to keep debate alive; shape the terrain of expectations, standards, policies and practices; and thereby move all of us to a better place.

Start the discussion and debate now on what minimum standards and expectations are required when it comes to establishing, maintaining and verifying the trustworthiness of systems, corporations and government entities entrusted with our safety, information and our identities in cyberspace.”

Passages from Associate Professor Steve J. Chapin’s testimony to New York State Senate Public Hearing on Cybersecurity:

Steve Chapin

“My invitation to testify requested threat assessment, information on best practices in the face of cyberattacks, and concrete solutions to cybersecurity. I will address each of these points, but let me say in advance: the future is bleak. The path we are on will only see an increase in attacks and losses unless we make significant changes in how we do business (and by do business, I mean both how we conduct commerce and design, build, and operate cyber-systems).

Risk Assessment
In many ways, the Equifax breach is just the most recent and spectacular in a long string of security failures that put our citizens’ privacy and fortunes at risk. A list of data breaches just in 2017 includes more than 35 major data breaches in industries ranging from finance, internet services, retailers and telecommunications to health care and higher education. Last year’s Dyn DDOS attack using the Mirai botnet gave us a glimpse into what we can expect in the future if we continue to deploy insecure and in-securable devices in the Internet of Things. Mirai’s descendant, IoT Troop/Reaper, is estimated to have already infected devices on a million networks. In short, there is no natural upper bound to the damage that cyberattacks can do—all of our information, personal and financial, that is on commercial, off-the-shelf computers connected to the Internet, is at risk.

This threat is not confined to e-commerce, but has already put our elections at risk. In 2003, a panel of experts at the IEEE Security & Privacy Symposium described the state of the art in electronic voting machines. They pointed out multiple flaws with the machines being installed in multiple states. In 2017, experts at DefCon broke into state-of-the-art voting machines in < 90 minutes. Some of their attacks were over WiFi and were able to change vote tallies without any trace. Other (white-hat) hackers have demonstrated how they can, with only the aid of a USB memory stick, change vote tallies while in the voting booth. In the words of Calvin and Hobbes, “Live and don’t learn. That’s us.”

When Best Practices Aren’t Good Enough
Twenty years ago, Gene Spafford, one of the luminaries of cybersecurity, wrote: “Secure web servers are the equivalent of heavy armored cars. The problem is, they are being used to transfer rolls of coins and checks written in crayon by people on park benches to merchants doing business in cardboard boxes from beneath highway bridges. Further, the roads are subject to random detours, anyone with a screwdriver can control the traffic lights and there are no police.”

Sadly, that is still a largely accurate description of the state of security on the Internet. It doesn’t matter how well-protected the transport is if the computers at the ends of the transaction are not secure. Having a secure connection to a web server doesn’t help if the database that the server stores customer information in is vulnerable. It doesn’t matter how good the security controls on a system are if they’re not turned on and properly configured.

There is a fundamental lack of accountability for cybersecurity. As a private citizen, I would like to share my personal information with the smallest number of entities—but in modern society, I must share with my bank, my credit card company, my utility, my health care professionals and my employer, to name but a few. I have little insight and no control over with whom they share my information. My only choice is to withdraw completely from society, which is a Hobson’s choice. One factor that sets the Equifax breach apart is that most of the people whose data was stolen never directly consented to have Equifax hold it—that was done by the industries that use Equifax’s services to make credit decisions. When breaches happen, there is significant finger-pointing, but in the end, it’s the public that bears the true cost, through identity and financial theft. One of the breaches I referred to earlier involved a contractor leaving 9,000 documents containing personal information on holders of top secret security clearances on an unsecured Amazon server for six months.

We must move away from systems that conflate identification and authentication. There is nothing wrong with using a Social Security Number as an identifier; there is nothing right about using it for authentication. If I chose to have my SSN tattooed on my forehead it should make no difference—it is not a secret, and never truly has been. Treating it as such has given the illusion of security. Similarly, my birthday is a matter of public record. My mother’s maiden name has been in newspapers—newspapers that are now searchable on the Internet.

Recommendations
I have four recommendations to improve cybersecurity in New York State. Some of these are actions business and industry can take unilaterally; others may require regulatory or governmental support.

  1. Adopt technologies that enable secure auditing and logging of data. Blockchain (the technology behind Bitcoin) provides the potential for secure, distributed logging of actions. This will enable full auditing of information handling and improve accountability.
  2. Develop a true citizen-focused form of secure identification. Such a form of ID would allow secure authentication without relying on security through obscurity. This is not to be conflated with REAL ID, which does not provide real, nonforgeable, digital authentication and attestation.
  3. Require security as a first-class element of system design. This security must be end-to-end, holistic and part of the system from day one. No more cardboard boxes and park benches!
  4. Trust … but verify. We must stop trusting that systems are designed and implemented properly. Rather, system designers and builders should use formal modeling tools (i.e., math and logic) to prove that their systems perform as advertised and correctly implement authentication and authorization.

Conclusion
I know that it is difficult to define the proper role of government in modern life, particularly in complex technical areas with broad reach. I leave you with another quote from Gene Spafford, which reflects the fact that in 1956, GM advertised styling and performance while Ford emphasized the availability of seat belts. ‘People in general are not interested in paying extra for increased safety. At the beginning, seat belts cost $200 and nobody bought them.’ GM outsold Ford by 190,000 cars in 1956, almost three times the gap from 1955. Sometimes we need a nudge.”

Perhaps this enormous and dangerous breach of data will spur Congress to take long-awaited action
/blog/2017/09/15/perhaps-this-enormous-and-dangerous-breach-of-data-will-spur-congress-to-take-long-awaited-action/ Fri, 15 Sep 2017 20:52:38 +0000 /?p=123151

William Snyder, a professor at Syracuse University College of Law and an expert on issues of cybersecurity, offers insight on the recent Equifax data breach.

“For many years, Congress has considered data breach notification legislation to regulate who must be notified, when, in what manner, and by whom after specific types of data are hacked or stolen. In 2009, the Obama administration posted a draft federal data breach bill on the White House website. Congress has not passed any data breach legislation. In the meantime, more than forty states have passed such laws,” said Prof. Snyder.

“Here in New York, both the State and New York City have data breach notification laws, which are somewhat inconsistent. This patchwork approach fails to protect consumers or the economy, and it makes it very difficult for organizations conducting business or other activities in cyberspace to comply with the law,” says Snyder.

“At the federal level, the Securities and Exchange Commission has imposed data breach notification requirements for publicly traded corporations within their jurisdiction, and the Federal Trade Commission has attempted to impose liability upon a few dozen companies for failure to adequately protect data, but Congress has not passed any national data breach notification law. Perhaps this enormous and dangerous breach of the confidentiality and integrity of data at Equifax will spur Congress to take long-awaited action,” says Snyder.

Prof. Snyder is available to speak to media via phone, email, Skype, or LTN studio. Please contact Ellen James Mbuqe, director of news and PR at Syracuse University, at ejmbuqe@syr.edu or 315.443.1897 or Keith Kobland, media manager at Syracuse University, at kkobland@syr.edu or 315.443.9038.

iSchool Helps High School Students Build Cybersecurity Skills
/blog/2017/07/31/ischool-helps-high-school-students-build-cybersecurity-skills/ Mon, 31 Jul 2017 14:05:27 +0000 /?p=121363

It’s the watchword of the 21st century: cybersecurity. Recently, the iSchool played host to an event that gives high school students a taste of what it’s like to build cyber security defenses.

Cybersecurity Workshops Bring Professors from Around the World to Syracuse
/blog/2017/06/20/cybersecurity-workshops-bring-professors-from-around-the-world-to-syracuse/ Tue, 20 Jun 2017 20:25:15 +0000 /?p=120382

Using secure computers inside the , professors from around the world can mimic cyberattacks on networks and see where software is vulnerable.

and his students developed the that include cybersecurity exercises, research and software that is provided at no cost to other schools.

“From my background, I learn much better when I do something. So then I decided, I should get the students to work some exercises. But at the time, there was not much going on, on the internet. So I decided I would just develop my own for my own class at Syracuse University,” says Du.

Du developed labs where students could simulate cyberattacks and then identify security flaws and software errors.

“It turns out students liked that very much and they are very passionate about this. So then I decided maybe other people will like that,” says Du.

“This lab itself sometimes takes some learning. So I also got a grant from the National Science Foundation to train other professors—especially professors who are new into this area—to teach them how to use that. So they come to Syracuse University for four days and the training and they take what they learn back to their class,” says Du. “So far 600 universities worldwide and in more than 30 countries are using my labs.”

High-profile cyberattacks have shown hackers can exploit even small mistakes.

“In the past, just one computer is maybe open to the outside. Now 10 devices are in your home—10 doors open you don’t even know,” says Du.

Using secure computers inside the College of Engineering and Computer Science, professors can mimic attacks on networks and programs. Professor Megan Thomas from California State University Stanislaus was grateful for the opportunity to participate in exercises that can only be done in a controlled environment.

“It would be tough to do with limited resources and it would be almost impossible to do safely,” says Thomas. “It is very kind of folks at research universities like Syracuse University that they share what they have developed with the grad students and all that kind of thing, and public universities that don’t have the resources.”

Daniel Ragsdale from Texas A&M University uses Du’s labs in his classes. He believes the program offers practical experience that could help secure countless devices and networks we rely on every day.

“We continue to see, if you want students to understand what this is all about, they have got to do hands on. They have to work directly with the software, see the vulnerabilities, understand how those vulnerabilities could be exploited and you can only do that in an environment such as this. What Kevin and his students have done is really an incredible resource for people that are teaching in this space,” says Ragsdale.

“We are trying to educate our students so when they write a program, they know an attacker is going to attack in such a way so they don’t make the same mistake,” says Du. “As a result, their system is going to be more robust, more secure.”

For more information on using online versions of the SEED labs, .

For his work on the SEED labs, Du received the 2017 Academic Leadership award from , a leading computer science conference that brings government, academia and industry together.

College of Engineering and Computer Science Ranked Best Cybersecurity Program for Veterans
/blog/2017/04/11/college-of-engineering-and-computer-science-ranked-best-cybersecurity-program-for-veterans/ Wed, 12 Apr 2017 00:38:20 +0000 /?p=117892

The cybersecurity program in the has been ranked No. 1 by Military Times.

This was the first time that Military Times evaluated cybersecurity programs. The rankings are based on academic rigor and efforts to recruit and work with veterans at colleges and universities.

“The strength of cybersecurity education at Syracuse University stems from our belief that technology, policy and people must work in tandem to keep America safe—the theme of the interdisciplinary curricula in our,” says Teresa Dahlberg, dean of the College of Engineering and Computer Science. “The men and women that defend our country are ideally suited to master the skills needed to protect us from devastating attacks on our computing networks and infrastructure.”

Syracuse University is routinely recognized for its work to welcome veterans to its campus and programs. In 2016, the College of Engineering and Computer Science earned the from the American Society of Engineering Education.

Currently, the Military Times’ Best for Vets: Colleges 2017 ranking places Syracuse University as the No. 1 private school in the country for service members, military veterans and their families.

“Syracuse University has a 100-year history of providing opportunity and empowerment to veterans,” says Mike Haynie, vice chancellor of strategic initiatives and innovation, executive director of the Institute for Veterans and Military Families (IVMF) and Barnes Professor of Entrepreneurship at the Whitman School. “Through IVMF education and career training programs, and their military experience, our students are uniquely qualified, particularly in this critical cyber defense field, to pursue successful careers and make immediate impacts in one of the most highly sought-after careers in the country.”

Cybersecurity at the University addresses an acute need in the military, government and industry sectors for specialists in key aspects of cybersecurity. The programs challenge students to develop solutions for today’s issues and future threats.

The cybersecurity programs include the undergraduate Cyber Engineering Semester in partnership with the Air Force Research Laboratory to immerse students in cybersecurity training. About half of the students are ROTC cadets. Additional programs are the , and in cybersecurity in the College of Engineering and Computer Science.

Cybersecurity is a rapidly developing field. A recently estimated that the market will grow from $75 billion in 2015 to $170 billion by 2020. In 2015, about 209,000 cybersecurity jobs in the United States were unfilled, according to the Bureau of Labor Statistics.

In creating the list, Military Times weighted academic performance as one of the top factors for the ranking. The remaining factors included the number of Accreditation Board for Engineering and Technology (ABET)-accredited computer science programs, the number of Centers of Academic Excellence designations, and the proportion of degrees awarded at a school that fall under computer science and computer security, respectively.

Data was provided by schools in the survey, as well as federal data and public information specific to computer science and cybersecurity. Federal data came from the U.S. Departments of Defense, Education and Veterans Affairs.

To see the full rankings and survey methodology, click .

Become a Cyberwarrior at Syracuse University This Fall
/blog/2017/03/28/become-a-cyberwarrior-at-syracuse-university-this-fall/ Tue, 28 Mar 2017 19:53:32 +0000 /?p=117141

The nation’s defense depends on more than boots on the ground, planes in the skies and ships in the seas. Today’s threats require servicemen and women with the skills to protect from devastating cyberattacks on computing networks and infrastructure.

This fall, the returns to Syracuse University. Designed by the and the , the CES educates computer science and computer engineering students to become cyberwarriors. In a single, 18-credit semester, students will learn to identify and analyze system vulnerabilities, assess risks, develop countermeasures, build and verify secure systems, and deliver software that has verifiable assurance properties.

“Students in the CES learn the theory, tools and practices to formally verify the security and integrity of operations. This capability is the basis for assuring missions in cyber-physical space,” says Shiu-Kai Chin, professor of electrical and computer engineering in the College of Engineering and Computer Science. “There is no other program like this in the nation. It is one important reason why Air Force Research Laboratory partners with SU in offering the CES.”

The CES consists of a core course load, electives and professional development. Core courses include CIS 400: Certified Security by Design, CSE 484: Introduction to Computer and Network Security, and CIS 487: Access Control, Security, and Trust. Electives are tailored to individual student needs and interests. Professional preparation includes an internship and leadership development.

Students must be seniors or juniors in a computer science or computer engineering undergraduate program with an appropriate level of prior coursework and a GPA of 3.3 or higher. They must also have experience with discrete mathematics, programming experience in a high-level language and familiarity with Linux at the command-line level. U.S. citizenship or permanent resident status may also be required for internship opportunities, an optional part of the program.

Applications will be accepted until 11:59 pm EST on Sunday, April 30. To apply, please send the following in a single PDF file to cyberengineering@syr.edu:

  • resume
  • unofficial college transcripts (including transfer credits)
  • a 100-word biography (include hobbies, interests and goals) with a recent head-shot photograph

A letter of recommendation from an academic advisor or faculty member must also be sent to cyberengineering@syr.edu directly from the reference by the deadline. For ROTC cadets, a letter of reference from ROTC detachment leadership is also acceptable.

To the extent possible, admission decisions will be made on a rolling basis.

Professor Vir Phoha Discusses Cyber Security During the Holiday Season /blog/2016/12/06/professor-vir-phoha-discusses-cyber-security-during-the-holiday-season/ Tue, 06 Dec 2016 23:53:58 +0000 /?p=110842 , professor of electrical engineering and computer science in the College of Engineering and Computer Science, appeared on CNY Central to discuss cyber security during the holiday season.

Enduring Assurance: A Cyberspace with No Vulnerability /blog/2016/10/31/enduring-assurance-a-cyberspace-with-no-vulnerability-81288/ Mon, 31 Oct 2016 14:20:46 +0000 /?p=100717 A presentation and discussion on cyber security will take place at the Maxwell Auditorium at 11 a.m. Tuesday, Nov. 1.

The presentation will be led by Kamal T. Jabbour, senior scientist for information assurance, Information Directorate, Air Force Research Laboratory, Rome, New York. He serves as the principal scientific authority and independent researcher in the field of information assurance, including defensive information warfare and offensive information warfare technology. He conceives, plans and advocates major research and development activities; monitors and guides the quality of scientific and technical resources; and provides expert technical consultation to other Air Force organizations, Department of Defense and government agencies, universities and industry.

Enduring assurance seeks to create a cyber domain that assures information across all stages of conflict, leading to friendly missions with no vulnerability in peacetime, denying the impact of cyber threat in escalation and exploiting at will adversary missions in wartime. This requires developing dual-purpose science and technology to create provable mission assurance through disaggregation and composition of untrusted components, and divorcing the adverse impact from cyber threat through Byzantine fault analysis.

iSchool to Host Panel Discussion Friday on Apple vs. the FBI /blog/2016/02/24/ischool-to-host-panel-discussion-friday-on-apple-vs-the-fbi-12206/ Wed, 24 Feb 2016 21:57:39 +0000 /?p=91660 The (iSchool) will host a multidisciplinary panel discussion on Friday afternoon to help shed light on Apple’s resistance to the recent FBI demand to unlock the iPhone of one of the terrorists involved in the San Bernardino, Calif., killings in December 2015.

“Apple’s resistance to an FBI demand to unlock the iPhone of one of the San Bernardino terrorists has created a heated debate about the privacy rights of citizens versus the needs of police and intelligence agencies to collect information to understand and possibly prevent terrorist or criminal acts,” says , associate dean for research at the iSchool, who is organizing the panel discussion. “A wide range of individuals and organizations have defended either Apple or the FBI, from tech industry leaders to presidential candidates, from intelligence experts to privacy advocates.”

With such a complex issue that has ramifications for individuals, companies and governments in the U.S. and around the world, the discussion is “often uninformed, biased and even inflammatory,” notes Dedrick.

Dedrick has convened a panel of Syracuse University experts who will gather to provide knowledgeable perspectives on the technical, legal, policy and privacy concerns that are raised in Apple’s tussle with the FBI. They will engage in a lively discussion and conversation with the audience.

Panelists will include , professor at the , , visiting assistant professor at the , and , assistant professor at the iSchool.

The panel will take place at 3 p.m. on Friday, Feb. 26, in 347 Hinds Hall (Katzer Room), and is open to all campus and community attendees. The panel can also be viewed live online via Adobe Connect with the following link: .

INSCT, NATO CCDCOE to Host Cyber Espionage Workshop /blog/2015/06/17/insct-nato-ccdcoe-to-host-cyber-espionage-workshop-31512/ Wed, 17 Jun 2015 13:29:22 +0000 /?p=82090 Contemporary cyber spies—often under the control of nation states—are just as likely to be plundering the intellectual property and customer information of international businesses as waging covert cyberwar against military enemies. With cyber espionage becoming a growing economic as well as national security threat, in March CIA Director John Brennan announced that the agency will treat it as a major new focus of both U.S. offensive and defensive strategy.

Yet legal, policy and technological means for countering cyber espionage are not always clear. In order to examine the state of domestic and international approaches for controlling—and to offer recommendations for policymakers and practitioners who are addressing—this postmodern form of economic, military and industrial spying, the Institute for National Security and Counterterrorism (INSCT) is joining with the NATO Cooperative Cyber Defence Center of Excellence (CCDCOE) to host “Controlling Economic Cyber Espionage,” an interdisciplinary workshop to be held at the College of Law June 18 and 19.

The workshop convenes cyber espionage and cyber warfare experts from around the globe, including: Michael Schmitt, director of the Stockton Center for the Study of International Law at the U.S. Naval War College; Joel Brenner, former Inspector General, U.S. National Security Agency; Herb Lin, senior research scholar for cyber policy and security, Hoover Institution; Xiaofeng Wang, researcher, Center for American Studies, Fudan University, Shanghai, China; Gregory Nojeim, senior counsel, Center for Democracy and Technology; and Liis Vihul, Law and Policy Researcher, CCDCOE, who was a project manager for the “Tallinn Manual on International Law Applicable to Cyber Warfare.” Representing a cross-section of Syracuse University schools and colleges will be William C. Banks, director of INSCT; Shiu-Kai Chin, professor in the College of Engineering and Computer Science (ECS); Nathan Sales, associate professor in the College of Law; James B. Steinberg, dean of the Maxwell School; and Laura Steinberg, professor in ECS. A complete list of participants—as well as the schedule and list of topics—can be found at .

In exploring the state of contemporary cyber espionage, panels will ask who is doing the spying and by what methods, what is the current thinking of government and industry about the problem, and what methods of protection—such as identity assurance—currently exist. The workshop also will analyze the domestic and international law and policy landscape to ascertain what reforms and actions are necessary as cyber espionage—and cyber war in general—evolves.

Answers will be drawn from the disciplines of foreign and domestic law, public policy, international affairs, defense strategy, law enforcement, computer engineering and finance. Selected papers from the workshop will be gathered for publication by NATO CCDCOE and others in a special edition of the Journal of National Security Law and Policy, which is jointly published by INSCT and Georgetown Law and available at .

L.C. Smith College recognized as a leader in cybersecurity /blog/2010/10/25/diversitygps-com/ Mon, 25 Oct 2010 18:14:32 +0000 /?p=15741 DiversityGPS.com has announced that it is recognizing the (LCS) at Syracuse University as a college having one of the premier cybersecurity programs in the nation. LCS will be among a select number of colleges and universities featured in the Homeland Security Edition of U.S. Black Engineer & IT magazine, commending the remarkable training available to students who are embarking on careers in cybersecurity.

“I feel that it is important to acknowledge the vital role that these educational institutions play in the rapidly expanding field of cybersecurity,” says Tyrone Taborn, chairman and CEO of DiversityGPS.com and publisher of U.S. Black Engineer & IT, Hispanic Engineer & IT and Women of Color. “Our nation needs more outstanding programs that develop talent in the fields of computer science and research to expand our cybersecurity workforce. Equipping our young people with the knowledge to pursue careers in cybersecurity should not only be viewed as a goal of our nation, but as a matter of national security.”

Thousands of jobs in cybersecurity are created each year throughout the nation, illustrating the necessity of these positions. However, of the 2.5 million men and women currently employed by the United States Armed Forces, relatively few are qualified to pursue careers in cybersecurity. There is a clear demand for qualified individuals within this field, which includes people of all backgrounds, to ensure the protection and prosperity of the nation.

“The excellence of our cybersecurity education program is a result of the dedication of internationally renowned faculty members, such as professors Shiu-Kai Chin, Stephen Chapin, Wenliang Du and Heng Yin, who have advanced the field in multiple new directions,” says professor Chilukuri Mohan, chair of the Department of Electrical Engineering and Computer Science in LCS.

The Department of Defense, National Security Agency, CIA and armed forces are a few of the many organizations actively recruiting well-trained individuals from these outstanding institutions.

DiversityGPS.com is honoring LCS and other outstanding colleges and universities as part of “Minorities in National Security and Cybersecurity Awareness Week,” which takes place during the week of Dec. 5. The awareness week will serve as an opportunity to recognize the innovative leaders in cybersecurity and defense as they serve as role models to the minority cybersecurity workforce of tomorrow.
