We are proud to announce

MARQUETTE UNIVERSITY

has been designated a
Center of Academic Excellence in Cyber Defense Education
2018-2023

By the Department of Homeland Security and the National Security Agency
for the curriculum path
M.S. in Computing with a specialization in Information Assurance and Cyber Defense

NEWS


Cybersecurity Training Opportunity

The Department of Computer Science is offering Marquette University students, regardless of academic program or college affiliation, an opportunity to apply for training in cybersecurity. Through a grant provided to the Department of Computer Science by ULINE, students will receive one year of unlimited access to the Infosec Skills training platform, which provides more than 600 courses, 160 online labs, and 1,000 hours of online training. Access to the training will be administered through the Center for Cyber Security Awareness and Cyber Defense.

Dr. Michael Zimmer appointed to the ACM Technology Policy Council

The ACM announced the formation of a Technology Policy Council, created to address security, privacy, and the future of the internet. The council was announced in an ACM press release. "The digital revolution is an international phenomenon," said ACM President Cherri M. Pancake, "and the leading tech companies, whose services are used by billions every day, have facilities and customers in countries all over the world. So the pressing issues we hear about in the media―such as online privacy, data breaches, algorithmic bias, and the future of the internet―go beyond national borders. ACM's new Technology Policy Council will provide a space in which computing professionals come together to offer global perspectives on global challenges."

VIEWS


A comment on governance and ethics

ETHICS BELONGS in DATA GOVERNANCE

The 4th annual Ethics of Big Data symposium was sponsored by our Center for Cyber Security Awareness and Cyber Defense and this year was hosted by the Northwestern Mutual Data Science Institute. This was probably the best effort yet in the series. There were several excellent presentations that addressed privacy and the acceptable use of information.

What was striking about the meeting's content is the shift that has occurred in society's ethical expectations regarding the collection, management, and use of data, and the abiding need to consider the ethical use of data.

As background, a textbook under consideration for use in courses last week recounted a 1980 agreement on data-handling ethics developed by the Organisation for Economic Co-operation and Development (OECD). The five rules mentioned in the agreement, which was subscribed to by 30 countries, were as follows:

  • Collect only what you need
  • Do not share information
  • Keep information up to date
  • Use information only for the purpose for which it was collected
  • Destroy information when it is no longer needed.

Clearly, that came from a different time. While researchers in academia may have lived by rules similar to those in the OECD agreement, the commercial organizations that hold data today behave in a way that seems to reflect the following:

  • Collect data that you can sell
  • Monetize the data you have collected and sell access
  • Provide instant access to data as it is collected
  • Provide an API so that data can be used by others
  • Keep information, because you never know when you'll discover a future use that leads to better decisions

While cybersecurity professionals are recommending a "Zero Trust" strategy for access control, organizations appear to be promoting "Just Trust Me" to their customers. There is a conflict between need-to-know for security and right-to-use for benefits.

At the symposium, there was some discussion about anonymizing data to address privacy concerns. Anonymization fails, however, when the combination of attributes used to describe a sub-population in fact describes only one person, an outlier. Moreover, anonymization falls short in a world where multiple data sources can be aggregated and aligned. Consider how someone can triangulate internet searches for a product, anonymized credit card records, and geo-location records obtained from a smartphone. If a user searched the web for a product, an anonymized credit card record shows that product was sold at a particular time at a particular store, and a location record shows that the device which did the search was at that store at the time of the sale, it is a pretty good bet that we can identify who made the purchase. Integrating data sources can defeat the protections built into any one data set and lead to a conclusion that is effectively certain, much as cryptography can be used to establish non-repudiation with certainty.
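The triangulation described above, worked through as an added Python example (illustrative code written for this page, not anything presented at the symposium or produced by the Center). Three separately "anonymized" sources are joined on product, store, and time, and a k-anonymity check over a de-identified customer table shows the outlier problem from the same paragraph. All records are constructed; the device-to-owner mapping stands in for whatever side data an attacker already holds and is an assumption of the example.

```python
"""Linkage attack on three separately 'anonymized' data sets.

Added example, not from the original article. All data below is constructed.
The device-owner mapping is an assumed side channel (e.g. an app registration
leak); the search log, card records and location pings carry no names.
"""
from collections import Counter
from datetime import datetime, timedelta

# --- constructed sample data ------------------------------------------------
# Web search log keyed by an opaque device pseudonym (no name, no IP).
SEARCHES = [
    {"device": "d-7f3a", "query": "ergonomic keyboard", "ts": "2018-04-20T12:02"},
    {"device": "d-7f3a", "query": "lunch near me",      "ts": "2018-04-20T12:05"},
    {"device": "d-91c0", "query": "ergonomic keyboard", "ts": "2018-04-20T09:40"},
    {"device": "d-22be", "query": "running shoes",      "ts": "2018-04-21T18:10"},
]
# 'Anonymized' card transactions: cardholder and card number removed.
CARD_RECORDS = [
    {"product": "ergonomic keyboard", "store": "store-14", "ts": "2018-04-20T12:41"},
    {"product": "running shoes",      "store": "store-03", "ts": "2018-04-21T18:50"},
    {"product": "ergonomic keyboard", "store": "store-14", "ts": "2018-04-22T10:15"},
]
# Smartphone geo-location pings, again keyed only by device pseudonym.
LOCATIONS = [
    {"device": "d-7f3a", "place": "store-14", "ts": "2018-04-20T12:38"},
    {"device": "d-91c0", "place": "store-14", "ts": "2018-04-22T10:12"},
    {"device": "d-22be", "place": "store-03", "ts": "2018-04-21T18:45"},
]
# Assumed side data: pseudonym -> person, e.g. from an app registration leak.
DEVICE_OWNERS = {"d-7f3a": "Alice", "d-91c0": "Bob", "d-22be": "Carol"}

# 'De-identified' customer table with names removed; zip/age band/sex are the
# quasi-identifiers an attacker can match against public records.
CUSTOMERS = [
    {"zip": "53233", "age_band": "20-29", "sex": "F", "plan": "gold"},
    {"zip": "53233", "age_band": "20-29", "sex": "F", "plan": "basic"},
    {"zip": "53233", "age_band": "60-69", "sex": "M", "plan": "gold"},   # only one such person
    {"zip": "53202", "age_band": "30-39", "sex": "M", "plan": "basic"},
    {"zip": "53202", "age_band": "30-39", "sex": "M", "plan": "gold"},
]


def _t(s):
    return datetime.fromisoformat(s)


def link_purchases(searches, cards, locations,
                   search_window=timedelta(days=7),
                   visit_window=timedelta(minutes=15)):
    """Join the three sources. For each card record return the devices that
    (a) searched for that product within search_window before the sale and
    (b) pinged at the selling store within visit_window of the sale time.
    A single surviving device means the 'anonymous' sale has been linked."""
    linked = {}
    for i, sale in enumerate(cards):
        sale_t = _t(sale["ts"])
        searched = {s["device"] for s in searches
                    if s["query"] == sale["product"]
                    and sale_t - search_window <= _t(s["ts"]) <= sale_t}
        present = {p["device"] for p in locations
                   if p["place"] == sale["store"]
                   and abs(_t(p["ts"]) - sale_t) <= visit_window}
        linked[i] = sorted(searched & present)
    return linked


def reidentify(searches, cards, locations, owners):
    """Map each uniquely linked sale to a named person via the side data."""
    return {i: owners[devs[0]]
            for i, devs in link_purchases(searches, cards, locations).items()
            if len(devs) == 1 and devs[0] in owners}


def k_anonymity(rows, quasi_identifiers):
    """Size of the smallest group sharing the same quasi-identifier values.
    k == 1 means some combination describes exactly one row: an outlier."""
    counts = Counter(tuple(r[q] for q in quasi_identifiers) for r in rows)
    return min(counts.values())


def singleton_classes(rows, quasi_identifiers):
    """The quasi-identifier combinations that pick out exactly one row."""
    counts = Counter(tuple(r[q] for q in quasi_identifiers) for r in rows)
    return sorted(combo for combo, n in counts.items() if n == 1)


if __name__ == "__main__":
    print("linked devices per sale:", link_purchases(SEARCHES, CARD_RECORDS, LOCATIONS))
    print("re-identified buyers:  ", reidentify(SEARCHES, CARD_RECORDS, LOCATIONS, DEVICE_OWNERS))
    qi = ("zip", "age_band", "sex")
    print("k-anonymity of customer table:", k_anonymity(CUSTOMERS, qi))
    print("outlier combinations:", singleton_classes(CUSTOMERS, qi))
```

Each source on its own tells an analyst nothing about who bought what; the join on product, store, and a 15-minute window leaves exactly one device per sale, and the side mapping turns the device into a name. The customer table has k = 1 on (zip, age band, sex) because one combination describes a single person, which is the outlier case the paragraph mentions; generalizing the age band or suppressing that row is the usual remedy, and the same check should be run before any "anonymized" extract is released.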

The keynote speaker at the Ethics of Big Data suggested that we now have pervasive data, which has benefited computational social scientists in conducting all sorts of analysis of human behavior. It was mentioned that the classical scientific method in the social sciences has become obsolete. The scientific method begins with a hypothesis and proceeds to define an experiment and collect data. In computational social science, the creation of a hypothesis persists, but it is followed by consideration of where one might be able to access existing data to investigate the hypothesis. Twitter, Facebook, and customer reviews of products and services are popular sources of data. Public records published in the name of transparency in government are another.

Because of Fear Of Missing Out (FOMO), we have pretty much given up the right to privacy. The greater good is served when computational social scientists are able to explain human behavior; users are better served when data about their location and behavior can be accessed by an app because, for example, smartphones are more useful when the Maps app can tell us it found a nearby restaurant with cuisine we enjoy around our normal lunch time.

So, we have a choice: do we believe that the use of pervasive data contributes to the common good, or that data should only be collected and used for a specific purpose and destroyed afterwards? No matter what you believe, you should ask what you are going to do about it.

Regardless of the ethics you apply, you should be thinking about the ethical use of the data you manage. What are you going to do to build an ethical community, a culture of ethical data management? DAMA International, like many professional organizations, encourages an ethical culture; in their case, it is an Ethical Data Culture. In their Data Management Body of Knowledge (DMBOK), they focus on the risks of unethical data handling practices, but they leave each organization to define its own ethics.

In reflecting on where a data ethicist would fit into an IT organization, it appears that the data governance process is the best home, if you are fortunate enough to have one. While the data governance team (or process) will typically focus on the accuracy, completeness, consistency, timeliness, validity, and uniqueness of data, its concerns need to expand. The traditional four pillars of data governance (stewardship, quality, master data management, and use cases) need a foundation in ethics. Like DAMA International, the Center encourages data management professionals to take a stand. Whether or not there is a formal data governance organization or process, data management professionals must take a stand; they must move the organization toward an ethical data culture.

Comments on cybersecurity privacy and awareness

January 28th passed mostly in silence

Why do I mention January 28th? It was Data Privacy Day. So, what's the big deal?

Data Privacy Day is an annual international event to remind everyone to be diligent about online privacy and online information. The National Cyber Security Alliance led efforts in the USA to call attention to the event. Part of the message is to “own your online presence.”

So, here's the deal.

Part of owning your online presence is understanding what information about you is available to others. Why does that matter?

A recent investigative report, "Bogus background check could be costing you money," aired on a local TV station and revealed how incorrect information about you can hurt you. In this case a gentleman had his insurance rates go up dramatically because a company that collects credit records and provides them to insurance companies supplied bad data.

Yes, I know this is a case of garbage in garbage out, but whose garbage is it?

In this case the negative factors in the "bogus background check" came from the victim's son, who had the same first and last names but was "the second." The son's history was erroneously mixed in with the father's record. According to the news story, the company supplying the report responded that they do rigorous checks to maintain quality, but they didn't in what they characterized as a "rare case." The algorithms did not perform as intended.

What was the advice of the investigative reporter? Check the information that is available about you for accuracy. Sounds like "own your online presence." I'll be sure to share this story and this advice with people come next Data Privacy Day (January 28, 2019). Maybe more people will take notice and think more about their online presence.

The investigative news story named the offending companies, but I have left them out. These kinds of mistakes are detrimental to corporate reputation. Sure, it was inadvertent, but was the company paying enough attention to the collection and use of data? What were they doing to avoid unintended consequences? One of the companies mentioned had a hugely embarrassing incident recently, which was attributed to lax policy enforcement. What about you and your company?

I am proud to say that Marquette University is putting together a Symposium on the Ethics of Big Data III, the third in a series of meetings on privacy, data collection, and the consequences of Big Data technology. This year we will meet on April 27 in a discussion that is open to businesses, academics, students, and the public. Folks at Northwestern Mutual are demonstrating their recognition of its importance by joining us to sponsor and host the meeting at their new tower in downtown Milwaukee. See https://www.marquette.edu/ethics-of-big-data for information. Other companies have regularly made an appearance and supported this annual event.

Help make a difference; be cyber security and privacy aware. (See https://staysafeonline.org/data-privacy-day/about/ for information about Data Privacy Day and https://www.tmj4.com/news/i-team/bogus-background-check-could-be-costing-you-money to see the full story about the bogus background check.)

Cyber Security Awareness Requires Leadership

Cyber security is a question of leadership and awareness is the responsibility of leaders.

Almost all successes are the result of a proper combination of People, Process, and Technology. The importance of these three is apparent when examining the cyber security incidents that have gained national attention. It always starts with people. People can prevent breaches or people can cause them. Incidents can result from inadvertent behavior or from malicious intent. Cyber Security Awareness focuses on reducing the inadvertent behavior that leads to failure of the security system. Often someone with malicious intentions takes advantage of the inadvertent action, but that is not always the case. There is not always a bad guy trying to take advantage of others.

Safety in manufacturing plants is not the same as safe computing, but safety awareness is remarkably similar to Cyber Security Awareness. During my career before academia, I had the privilege of observing a dramatic improvement in plant floor safety that resulted from leadership and awareness. General Motors went from having a mediocre safety record to being by far the safest manufacturing environment in the industry.

The journey from mediocrity to excellence started with recognition of the problem created by workplace injury. Leadership from the C-suite resulted in all executives taking safety training from the world leader in workplace safety, DuPont. Given its history in the explosives business, it is clear why DuPont emphasized safety.

The manufacturing organization followed the leadership of the VP of Manufacturing, Joe Spielman, in supporting the theme "Safety is Our Overriding Priority." The corporation regularly heard the message that came from DuPont: "All incidents can be avoided." The term "incident" replaced "accident" in the conversation, because "accident" implies that the event was somehow unavoidable.

Measurements were put in place; goals were set and clearly articulated. For example, the goal at one assembly plant in Oshawa was a 50% reduction in lost-time injuries and "recordable" injuries every three years. This led to reducing lost-workday cases per 100 employees from 13 in 1994 to under 1 before the close of 2001. In 2002, GM plants around the world achieved an industry-leading 3.6 recordable incidents per 200,000 hours worked, compared to an industry average of 20.3. [1]

A practice that helped lead to the improvement was attention to "near-misses." These were recorded and analyzed at safety meetings, which were mandated to occur regularly. In our office environment, we held these meetings weekly. The clear goal was fool-proofing the system. In all plants, serious near-misses required the Plant Manager to tour and assess the situation within 24 hours. Supervisors and team leaders were required to investigate all actual incidents before the end of the shift.

There is a strong parallel between this example and the Stop. Think. Connect. campaign from the Department of Homeland Security, one of the primary components of the DHS program in cyber security awareness.

I mentioned that there must be attention to People, Process, and Technology. The culture must change. An example from GM of balanced attention to People, Process, and Technology can be found in the 2004 announcement of a new safety device aimed at reducing railcar workplace injuries. A joint union-management memo stated, "constant vigilance to the safety process and ongoing training to ensure compliance to safe operating practices is necessary to protect all employees."

All of this provides a nice story for safety management. Why don't we do that for cyber security? Who is providing leadership? Who is measuring the organization? What are the goals?

I am organizing a Colloquium on Cyber Security Awareness to start a conversation about how we improve security within populations such as the general public, which uses hundreds of apps and social computing; our customers, who use our IT infrastructure to communicate with us; our employees, who have access to the information we need to secure; and students, who are the future of computing. This event will come in October, National Cyber Security Awareness Month.

References

[1] M. Rosen, "General Motors: Achieving and Maintaining World-Class Leadership in Worker Health and Safety in the Automotive Industry," Safety Management Education, May 2008. Available online at http://safetymanagementeducation.com/wp-content/uploads/2015/06/Case_Study_GM_Truck_Plant_Case_study.pdf (accessed 22 July 2016).

A comment on helping people understand some simple concepts

Do you need Geek-speak to be convinced?

If setting up automatic system updates sounds too simple to be effective in combating cyber-attacks, try this...

employing the auto-configurator to engage both server-side and client-side dissociated daemons in a distributed multi-tasking environment to update the hierarchically organized services directory and install executable specifications, processing abstractions, and physical implementations of application program interfaces, peripheral drivers, communication protocols, dynamically linked libraries, interpretable kernels, and other service components and abstractions at their most immediate revision levels as prescribed by the service vendors.