The CEO of a Japanese Web-hosting firm calls in his team of IT experts, relaying the details of an overnight emergency with more than a hint of desperation in his voice. A hacker has gained access to a database containing private client information and is posting a directory of account passwords, usernames, and other personally identifying data to a public forum online. Hundreds of new listings keep appearing each minute, and the CEO is powerless to stop it.
For identity thieves, this information is a goldmine. It can be used to commit credit-card or bank fraud—or even to get a driver's license, job, or government benefits under false pretenses. For the victims of identity theft, it's the beginning of a nightmare that can sometimes last years.
The CEO knows he faces a potential legal and public relations nightmare that could destroy the firm's reputation, the trust of his loyal customers, and maybe even his job. With so much hanging in the balance, the CEO can only hope the IT team will be able to fix the security breach—and do so quickly.
The four team members set up their command post—a jumble of laptops, servers, wireless routers, and network switches needed to determine what the attackers did and then try to undo the harm. The problem is one of computer forensics, an emerging science that involves searching for, preserving, and analyzing digital evidence on computer systems, much like detectives hunting for clues at a traditional crime scene. To begin their investigation, Eddie Yu-Fang Tsai, Cindy Pei-Chun Su, and Chris Yu-Lu Liu perform a damage assessment and launch the search for network vulnerabilities, while Yuki Osawa—the team's only native Japanese speaker—relays their progress by phone to the frantic CEO in Tokyo.
Their work is under the scrutiny of officials in some of the highest echelons of Japanese government.
That's because the digital break-in is, in reality, the final exercise in the cybersecurity competition at the 13th annual Shirahama Cyber Crime Symposium —sponsored by the country's Minister of Economy, Trade, and Industry. The three-day annual conference, which takes place in the resort town of Shirahama, brings together government officials, industry leaders, and academics interested in how to prevent computer crime. The five teams competing in the finals had to first survive a preliminary round that included more than three-dozen international entries.
Each team, comprised of college and graduate students, must effectively role-play and collaborate to resolve mock IT challenges for virtual customers in real time. In the case of the hacker breaking into the database of the Japanese Web-hosting firm, the "IT experts" foursome is comprised of students from Carnegie Mellon's Master of Science in Information Technology-Information Security (MSIT-IS) program in Kobe, Japan. All of them are from Taiwan except Osawa, a Kyoto native.
In the championship round, the five teams have six caffeine-fueled hours to handle as many security incident complaints as possible. Judges evaluate the students on the speed at which they solve the problems, their knowledge of cybersecurity, and how well they communicate with their virtual clients and teammates.
"This contest is quite famous in Japan—and very prestigious to win, especially if you want to work in the IT security field," says Su, 25, who studied computer science as an undergraduate in Taiwan and came to Japan for the opportunity to study at Carnegie Mellon without traveling too far from home.
The 16-month program in Kobe underscores the expanding global reach of the Information Networking Institute (INI) at the university. The INI is an integral department of the College of Engineering and a collaboration of the School of Computer Science, the Tepper School of Business, and the Heinz College. It also is the educational partner of Carnegie Mellon Cylab, one of the largest academic cybersecurity research and development centers in the United States, points out Dena Haritos Tsamitis, director of the INI and director of CyLab Education, Training, and Outreach. In addition to the Kobe MSIT-IS degree program, the INI also runs graduate degree programs with academic partners in Athens, Greece; Lisbon and Aveiro, Portugal; and a new bicoastal program in Silicon Valley.
"Carnegie Mellon has great depth of expertise in cybersecurity and networking, and we want to share that with other institutions around the world who are trying to solve the same global problems," Tsamitis says. "In that way, we can have a greater impact than what we could achieve only by ourselves in Pittsburgh."
There was a unique historical imperative to launch the Kobe program, according to INI Associate Director Nicolas Christin, who taught for three years in the ancient port city as a faculty-in-residence for the MSIT-IS program. In 1995, The Great Hanshin earthquake killed more than 6,500 people in Kobe and its surroundings and caused more than $100 billion in damage. The tragedy served as a wake-up call to the Hyogo Prefecture (Kobe's state) government for the need to better secure its information infrastructure in case of future disasters.
"There was also the political will to have Kobe be known for something other than the earthquake—to have it become a beacon of information security," says Christin, also a CyLab Systems Scientist.
After learning about the INI's successful program in Athens, local leaders at the Hyogo Institute of Information Education Foundation and Hyogo Governor Toshizo Ido reached out to Carnegie Mellon in 2002 to join forces in this undertaking. The Kobe MSIT-IS program was the byproduct of that partnership, created to meet the growing worldwide demand for trained professionals capable of helping organizations implement effective information-security measures.
"We certainly hope to see the enrollment of young people with high career goals in this program, so that they can acquire knowledge of advanced information-security technology and apply their expertise for the good of the world," Governor Ido said at the program's opening in 2005.
It is impossible, experts say, to overstate the need to protect the world's digital information and communications infrastructure. Just last year, the Center for Strategic and International Studies, a policy research group in Washington, D.C., warned that near-constant cyber attacks represent one of the most serious economic and national security challenges of the 21st century for the United States and its allies. Almost nothing is immune, because cyberspace underpins every facet of modern society—from power grids and financial markets to hospitals and military bases.
The center has compiled a list of dozens of major cyber incidents already documented since 2006, citing strikes on government agencies, defense, and high-tech programs such as when intruders briefly gained access last year to personnel files of Federal Aviation Administration workers. A breach like this, if not quickly quashed, could disrupt commercial air traffic or lead to a devastating terrorist attack. The list also logs economic crimes with losses totaling in the millions of dollars, including more than 130 million credit-card numbers stolen from major companies such as convenience store chain 7-Eleven and New Jersey-based payment processor Heartland Payment Systems.
"The scale of the problem is enormous at this point," says INI instructor Christopher May, who also serves as technical manager of Workforce Development for CERT, the world-renowned computer security organization that is part of Carnegie Mellon's Software Engineering Institute. "People aren't just in this for fun anymore to see how far they can get. Now they are in it for the money or geopolitical reasons."
As a result, top leaders in business and government have never been more serious about bolstering their cyber detail. "It's the great irony of our Information Age—the very technologies that empower us to create and to build also empower those who would disrupt and destroy," President Obama declared while announcing his intention last May to create a new White House cybersecurity office that reports directly to him.
Yet a recent study by the nonpartisan Partnership for Public Service found that the pipeline of potential new talent with the skills to prevent this kind of destruction is highly inadequate. Only 40 percent of high-level IT and human resources professionals surveyed in 18 U.S. federal agencies were satisfied with the quality of applicants for federal cybersecurity jobs—and just 30 percent were satisfied with the quantity of job candidates for this workforce, the report says.
"Virtually all organizations—from small businesses to large government agencies—are recognizing the need to build security into their computer systems," says report author Sally Jaggar, a senior advisor at Partnership for Public Service. "It's really a growth industry, but the supply of people trained in cybersecurity is not able to keep pace yet."
That's why there is a keen focus on people like Liu and his three teammates in the Shirahama competition. Are they up to the challenge? The cybersecurity competition could go a long way in answering that question.
Almost immediately after the CEO describes his situation to the Carnegie Mellon team, they suspect a problem called SQL injection, a cyber attack method that exploits a gaping hole in the security of many Internet sites. "Our first intuition was to try to stop the source of the leak by blocking the hacker from gaining access to the network," recalls Liu, 25, who plans to join an information security firm in Tokyo after graduation. "But that didn't work, so we realized there was a bigger problem that must be SQL injection."
Here's what happens in SQL injection:
Most people log in daily to Web sites—for shopping, banking, or just catching up on the news—that use back-end databases to store their usernames and passwords, often with other personal information such as credit-card numbers. When a user enters a name and password into the text boxes on a Web form, those values are checked against those in the database. If the values entered are found as expected, the user is allowed access to the site. If they aren't found, access is denied. However, many Web forms have no mechanisms in place to block input other than usernames and passwords. By simply adding a string of malicious code in a database access language called Structured Query Language—or SQL—to a Web form input box, hackers can manipulate the form to steal, change, or delete information from the databases.
SQL injection is the technique that was used to hack into the customer credit-card data of 7-Eleven. It is a pervasive security risk that Kobe MSIT-IS students are trained to recognize and protect against during their Applied Information Assurance (AIA) training, which includes 36 virtual lab exercises. They also must participate in a hands-on team exercise in information assurance (a term sometimes used interchangeably with information security). This training calls upon them to rebuild the network of a fictitious company that failed a security audit, and then—similar to the Shirahama competition—instructors subject these overhauled systems to live attacks.
"What we try to do is expose our students to the most current, relevant security problems that are present on the Internet today," says May, an AIA co-instructor. "And we try to give the students the critical experience they need to deal with these problems in teams, just like they will have to do it when they get out into the real world."
Applied experience like this helps graduates of the INI programs land top security jobs at government agencies, tech firms, investment banks, insurance companies, and other major corporations, according to May. "Their Carnegie Mellon diploma will get them the interview, but eventually they make you talk to someone who is technical, and it only goes so far if you just have theoretical knowledge," he says. "They want to know how you can help them right away."
May is one of almost a dozen faculty members who teach each semester in the Kobe MSIT-IS program, either in Japan or from Pittsburgh through state-of-the-art videoconferencing technology that makes students separated by thousands of miles and a time difference of 13 hours feel as if they are in the same classroom. Every day the Kobe students join their counterparts studying in Pittsburgh, who report to one of two of the INI's Distributed Education Centers. The centers look like ordinary classrooms, but they are actually high-tech TV studios that film the lecturer and students at eye-level to make remote students feel a part of the discussion. Monitors on the back wall allow instructors in Pittsburgh to observe and interact seamlessly with the students in Japan.
The Kobe students are also building community outside the classroom by interacting with their Carnegie Mellon peers in Pittsburgh, Silicon Valley, Athens, Aveiro, and Lisbon through social networking tools such as Facebook. "They provide moral support to each other when working on projects or preparing for exams or just keeping up with each other's news," says Tsamitis.
And beginning next year, students in Kobe also will have the opportunity to spend a semester at the Pittsburgh campus under a new program structure being coordinated with the University of Hyogo. These cross-cultural connections are redefining the Carnegie Mellon experience, while they help ensure that INI students understand the truly global nature of the challenges they face, Tsamitis says. Because hackers and other criminals can work from anywhere to disrupt globally interconnected information networks, she believes it is paramount for institutions such as Carnegie Mellon to train professionals in the information security field not just in the United States, but worldwide, too.
Christin agrees. "There are no borders on the Internet. Tomorrow a bad guy in Country A could use a machine in Country B to attack a computer in Country C. We have to adapt to the new reality that completely remote places can be part of the same attack." He adds that countries like Japan and South Korea with highly powerful information networks are especially vulnerable but lag behind when it comes to cybersecurity. "It is as if they are driving a Formula One race car with only a learner's permit, which is kind of scary," Christin says.
That's part of what makes the mission of the INI's cybersecurity programs overseas so critical. By reaching out to the finest students from around the world such as Liu and his classmates in Kobe, Carnegie Mellon is trying to do its part to train the next generation of leaders who understand the importance of information security.
For Liu, learning what to do when a computer's security is compromised began when he was a young boy growing up in Taiwan. His computer was paralyzed by a virus, but his parents refused to buy him a new machine. "I loved to play computer games, so I had to fix it myself," he remembers. Now, at the Shirahama competition finals, he and his teammates are being called upon to solve a much bigger cybersecurity problem.
With time running out, the Carnegie Mellon foursome draw on their AIA training to figure out how to plug the data leak from their company's Web site. Conversing in a frenzied mix of English, Mandarin, Taiwanese, and Japanese, they agree what must be done to stop the suspected SQL injection attack. Then Osawa calls the CEO to obtain approval to take action, and just as the contest buzzer sounds, the team successfully filters out the malicious code.
"We were pretty confident we wouldn't be in last place," Osawa says. "But that's all we expected." The next morning, the judges call the members of the Carnegie Mellon team to the stage and present them with the first-place trophy.
Jennifer Bails is an award-winning former newspaper reporter. She is a regular contributor to this magazine.
