
Editor’s note: Wired for Safety is a column on cybersecurity and other tech issues. Duane Dunston is an assistant professor of cybersecurity and networking at Champlain College. He received his bachelor’s and master’s of science from Pfeiffer University. From 2001 to 2011 he worked in cybersecurity for NOAA. He is a doctoral student at Northeastern University with a concentration in Curriculum, Teaching, Learning, and Leadership. His other activities include “You Have A Voice,” a project to develop an electronic screening assessment to identify human trafficking victims.
Author’s note: On May 9, I presented my TEDx talk at the Spruce Peak Arts Center in Stowe. Below is the text of that talk. I will be explaining in more detail in later articles how the idea I presented could work.
[S]ome of you may recall the massive data breach at the credit reporting agency Equifax in 2017. Anyone here receive a letter from Equifax that your name, Social Security number, birthdate, address, maybe even your driver’s license information may have been compromised? Think about that for a moment, because unknown parties have the same information that you use to identify yourself to your bank, utility company, or credit card company over the phone. Just as a reminder, Equifax experienced a compromise of over 143 million accounts. That is close to half of the U.S. population. That breach could have been prevented by applying a security update for a known weakness in their Internet-accessible systems.
Closer to home, in December 2018, Rutland Regional Medical Center experienced a data breach when someone gained unauthorized access to nine employee email accounts which contained over 72,000 medical records. The question is, why are medical records being shared in email when they have a centralized medical records system?
If you think that’s alarming, the U.S. Government Accountability Office released a report in 2018 that a Department of Defense’s weapons system had egregious vulnerabilities. For example:
Parts of the weapons system shut down from a simple scan of the computers. That is like someone knocking on your door, and your door unlocks itself and opens automatically.
There were default passwords used for services that managed the system that were never changed. The security team found the default passwords using freely available internet resources.
Finally, there were vulnerabilities present that were discovered in a previous security assessment, but not fixed.
Just a reminder that was a weapons system.
Those case studies and breaches don’t surprise me anymore. What haunts me is the congressional testimony by Richard Pethia, former director of the Computer Emergency Response Team at Carnegie Mellon. He testified about the state of cybersecurity on the internet and discussed how the kinds of data breaches and vulnerabilities just described were occurring far too often and how basic security controls could mitigate their occurrence. It is haunting because his testimony was in 1996.
It is 2019, and there have been no changes with the methods used to compromise computer systems. We are continually failing to implement the basic security controls to protect business and customer information and, apparently, our weapons systems.
There are now many Computer Emergency Response Teams, or CERTs, throughout the world that operate at a national and regional level, and many larger organizations have their own internal CERT. CERTs are staffed with professionals who understand cybersecurity, how to identify vulnerabilities, how to fix them, and how to recover from a cyberattack. CERTs also provide early warnings of vulnerabilities and steps to mitigate their impact. US-CERT, which is part of the Department of Homeland Security, alerted Equifax to the vulnerability that led to their breach around two months before the data breach occurred. In 1996, Richard Pethia testified that known vulnerabilities were not being properly addressed by organizations.
These CERT organizations are providing the same guidance and warnings over and over to little effect, and a breach can be costly.
The Rutland medical breach costs are unknown, though we do know they are going to send a letter to over 72,000 patients at a cost of over $36,000 — just for postage.
It’s clear we need more cybersecurity professionals working this out! Unfortunately, we have a large number of jobs open and not enough people to fill the positions.
I’m working hard to fill that gap — I teach future cybersecurity professionals at the college level. Now, they will get the big businesses sorted out, and hopefully the weapons systems too!
However, the types of organizations that are the most common targets of cyber breaches are actually the ones that we use every day, that underpin our communities, the ones that make up 96% of our country’s business which are our small businesses, the sole proprietors, and the mom and pop shops. Those businesses may not understand, can’t afford, or know how to implement even basic security controls.
Well, folks, there is hope! I’m excited to tell you about my other students. The ones I don’t get paid to teach.
I am a mentor for the U.S. Air Force Association Cyberpatriots program which trains middle and high school students how to secure computer systems. The Cyberpatriots introductory training modules are teaching middle school kids how to implement the basic security controls Richard Pethia discussed in 1996.
I’m proposing we crowdsource middle school, high school and college students as the new era of Cyberpatriots that will be our community-based Computer Emergency Response Teams, or CERTs. Organizations could pay a small fee, say $200/year, to finance a CERT operations center that is staffed and managed by students at a local school to address their security needs on a continuous basis.
Now, you are probably stuck on middle and high school students overseeing cybersecurity at your office. It is mainly because people don’t understand cybersecurity that this idea sounds terrifying, and it is also why some schools don’t host the Cyberpatriots: they believe the students are learning to hack. Think about this: Teenagers prepare and cook our food at restaurants; teenagers babysit our kids; a 16-year-old can be a lifeguard or emergency medical responder; teenagers are camp counselors that we have never met; but we trust them in those positions with our children. However, we understand those jobs, their roles, and their responsibilities, but not those of a cybersecurity defender. Let’s admit it, your kids understand more about your computer than you do, so let’s use this untapped resource.
We have empirical studies that demonstrate students involved in community-based learning can be ethical, mature, professional, creative and work within reasonable budgets to no budgets. South Burlington High School’s Big Picture program is an exemplar of this model of teaching and learning and graduates students who possess those qualities.
How does that relate to being a CERT? Our Cyberpatriots, with the guidance of teachers, a community-based advisory committee of cybersecurity, system and network administrators, and business professionals will learn to secure computer systems, develop organizational management skills, and learn to communicate, verbally and non-verbally, with technical and non-technical people. By operating the CERT, our Cyberpatriots will develop executive functioning, analytic, and customer service skills.
Our Cyberpatriots will engage in higher-order learning by transferring those skills to a much-needed community service. In a presentation to a mom and pop shop on how to secure their computer systems in the context of their business operation, a 7th-grade Cyberpatriot could demonstrate they are developing or have mastered the common core “Comprehension and Collaboration” requirements.
Virtually every city in this country has a large pool of potential Cyberpatriots, and we need to embrace their potential.
What if our high school Cyberpatriots could have performed an assessment to determine whether the Equifax vulnerability was fixed? The Equifax breach has been estimated to cost over $240 million. A $200/year investment in a local school to finance a CERT would be a great investment.
What if our middle school Cyberpatriots performed a security assessment on a simulated weapons system that was built just like the real weapons system? Will it take a group of 14-year-olds to wake them up to their basic security needs?
After knowing about these systemic cybersecurity problems since 1996 — it might.
