MIT is attacking cybersecurity from three angles: technical, regulatory and managerial through three programs and in partnership with major corporations.
The initiatives include participants from across several MIT schools as well as from outside the university with a goal of making it harder for attackers to succeed in efforts to break into networks, disrupt them, and steal and destroy data.
The technical challenge will be met by the school’s Computer Science and Artificial Intelligence Laboratory (CSAIL) in cooperation with a group of industry partners – BAE Systems, BBVA, Boeing and Raytheon – that will meet periodically to be briefed about ongoing research. The goal is to address the technical challenges of cybersecurity with a big-picture view rather than a piece here and a piece there. CSAIL’s principal research scientist Howard Shrobe calls the latter a patch-and-pray strategy that fails to fight attacks systematically.
Already CSAIL has research projects to shore up technical weaknesses. One would lead to enabling computers to compute on encrypted data without decrypting it. Another has developed a Web-authoring language that guarantees applications cannot fall victim to cross-site scripting attacks. A third is developing a processor architecture immune to whole classes of attacks, says Shrobe.
The second program is the MIT Cyber Security Policy Initiative to establish quantitative metrics and qualitative models to help decision makers set cyber security policies. The program will try to provide policy makers with solid research on which to base informed opinions, says Danny Weitzner, a principal research scientist at CSAIL.
The program will rely on input from CSAIL, MIT’s Sloan School of Management and experts from MIT political science, economics and other departments. The program is funded by $15 million from the Hewlett Foundation, which said in announcing it that its goal is to generate ideas about how to improve the trustworthiness of computer systems and balance security needs with privacy. The foundation funded similar programs at Stanford University and the University of California, Berkeley.
The third program is the Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity (IC)3 that draws on research groups at Sloan. The groups will look at the managerial, operational and strategic aspects of cybersecurity for critical assets such as financial institutions, energy suppliers and health care.
The effort will try to formulate, “How to keep critical infrastructure safe from potentially life-threatening attacks,” says SP Kothari, deputy dean of Sloan and a professor of accounting and finance.
IC3 plans to extend earlier studies on management of industrial accidents and safety to cover cyber events and cyber-safety. It will also apply ways it developed to improve and coordinate community emergency readiness teams (CERT) to improve information sharing within countries, internationally and across sectors of critical infrastructure. The group is also trying to identify choke points – the best places in networks to interrupt cyber attacks.
Prospective members of the group have said they hope it develops models and metrics for better protecting networks and preventing cyber incidents. These tools would include risk analysis, calculating return on investment, improving processes and simulating cybersecurity resilience, as well as increasing corporate buy-in for cyber security efforts.
The project is funded by membership fees ranging from $45,000 to $450,000 per year.