Posted June 27th, 2012
From left to right: Robert Ubell, Marcus Sachs, Paul Mahon, Edward Amoroso, William Pelgrin and Nasir Memon
We all spend a lot of time in a place that’s the “perfect playground for criminals,” according to Marcus H. Sachs, the vice president of Government Affairs, National Security Policy at Verizon Communications. A place where one can find community, get errands done, shop and play. But it’s also “very attractive to bad people.” This place is today’s Internet with larger security risks than initially imagined—“just like the real world.”
Sachs, distinguished lecturer at the NYU-Poly/Sloan Inaugural Cyber Security Lecture, sponsored by the Alfred P. Sloan Foundation, and delivered at the Polytechnic Institute of New York University’s (NYU-Poly) Pfizer Auditorium on Thursday, June 21, tackled the problem of cyber security and potential solutions in his talk that morning.
The problem, Sachs explained to an auditorium filled with more than 125 cyber experts, academics, students and press, is that “today’s Internet follows the same protocols as in the 1970s and 80s,” but now there is a completely different threat model, making it “the perfect place for crime”–identity theft, stolen PIN and credit-card numbers, hacking and leaking information, and even larger threats to power grids, air traffic control and other “large technical systems,” systems in which computers interact with each other.
Framing his lecture with the idea that perfection is impossible, Sachs claimed that cyber security failures are inevitable. The key, he suggested, is to minimize failures, dealing with them when they happen, rather than putting effort into doing the impossible—eradicating them. We are also in a new age of chaos, one that organizations must learn to deal with, rather than sticking with old models that no longer serve us. “How do you govern and control chaos? We have to organize ourselves more chaotically in order to do that.”
Citing Facebook, Sachs discussed the new chaotic model essential for thriving in the new corporate landscape. “Ad hoc groups form, do things and go away. Those organizations have embraced the chaotic world and are doing very well. Highly structured organizations are failing. They don’t understand what to do with the new technology … Organizations have a hard time adapting to the new chaotic world. It doesn’t look like the 1930s, doesn’t look like where we were before.”
Sachs cited many high-profile examples, such as Stuxnet and an “outbreak” of infected digital photo frames, whose consequences are tangible for experts and everyone else, too.
“What’s the difference between a pack of chewing gum and a USB key?” he asked. “You see them lying on the sidewalk. Will you pick up the gum, unwrap it and stick a piece in your mouth? Will you pick up the USB key and shove it in your computer? These things are looking for an orifice. They’re not just sitting there. You’ll plug [the USB key] into your [computer] at work, the more protected one.”
He urged the audience to follow social customs when it comes to security.
“We are told as children, don’t pick something up off the street and put it in your mouth! So why do we pick up a strange USB key and stick it into our computers?”
Nasir Memon, lecture series chairman and professor of Computer Science and Engineering at NYU-Poly, then introduced an expert panel: William F. Pelgrin, president and CEO of the Center for Internet Security, a nonprofit aimed at enhancing cyber-security readiness and collaboration in response to public and private sectors; Edward G. Amoroso, senior vice president and chief security officer for AT&T Services; and Paul Mahon, assistant special agent in charge of the United States Secret Service New York Field Office. The four explored the issues raised by Sachs, agreeing on the importance of collaboration and information sharing.
Professor Memon asked what role academia can play. NYU-Poly is an internationally recognized center for cyber security research, education and policy, and was among the first universities to offer a dedicated master’s degree program in cyber security.
“Understanding how organizations interact is important,” Sachs replied. “To help inform us from more of a social policy kind of world, this is where we need to go. Help us understand from organizational, social and policy theory: why do some things work and others not work?”
Mahon agreed. “As we become better at what we do, [cyber criminals] become better at what they do. It’s been going on in crime for a long time, it’s just a matter of different crime,” he said. “The solution could come from academia.”
At a Cyber Security Award Luncheon following the panel, held at the New York Marriott at the Brooklyn Bridge, Robert Ubell, NYU-Poly’s vice president of Enterprise Learning, commented on the success of the inaugural lecture. “The objective was met,” he said. “It was a very productive and thought-provoking day. It was Professor Memon’s idea to have ideas presented followed by a panel with representatives from different stakeholders – the federal and private sector. From my perspective, it couldn’t have been better.”
Ubell then took the podium to introduce the next portion of the program. “We experienced one of the most inventive and powerful performances in cyber security this morning,” he said, while pointing out that the conversation didn’t end there—there was more yet to be said. Richard A. Falkenrath, a principal with The Chertoff Group, where he advises clients on homeland and national security, furthered the discussion with his keynote address, “The Hacker’s Market: Internet Governance and Cyber Security.” “Cyber ops will be part of all military conflicts,” he said, discussing Stuxnet and Russia’s cyber ops against Estonia and Georgia. Following Falkenrath’s talk, each panelist was presented with an award for his contribution to the event and his field. Sachs received his “in recognition for outstanding leadership in cyber security.”
The lecture inspired NYU-Poly graduate student in Computer Science Srilaasya Kalahasty to consider pursuing a second master’s, in Cyber Security. “It’s critical,” she said, “its importance to the whole world. I want to know more.”
The next lecture in the series will happen on September 7, 2012, and will be delivered by Deborah A. Plunkett, Director, Information Assurance Directorate, National Security Agency, at NYU-Poly’s Pfizer Auditorium. Two others are planned for early 2013.