Imagine a corporate executive cruising down a highway in a sports car loaded with the latest digital toys and gadgets, right down to a state-of-the-art entertainment system. Sinking into his soft leather seats, he opens the sunroof, feeling powerful and in control.

A minute later, the music abruptly changes from soft rock to throbbing heavy metal. Then the windshield wipers start flapping and the windows jerk up and down on their own. Startled, the CEO slams on the brakes, which for some reason don’t work, and his car careens into a guardrail.

A few miles away in the suburbs, a woman browses the sale rack at her favorite mall store. She plunks down her credit card to pay for the half-off blue dress she considers a steal. But the real steal—the one that will change her life—happens halfway around the world, where hackers have lifted her credit card number along with millions of others.

At about the same time, in a different neighborhood of the same city, an elderly man slumps to the floor of his living room. It’s not a crime or anything sinister. Nonetheless, it’s a horrific malfunction. His pacemaker has stopped working. His death certificate will say “heart attack,” but it could just as easily say “software error.”

These events may seem like far-fetched scenes worthy of a Hollywood thriller, but they are only a few of the real possibilities that researchers at Carnegie Mellon University’s Software Engineering Institute (SEI) in Pittsburgh work hard to prevent. For the past three decades, the SEI—a federally funded research and development center sponsored by the U.S. Department of Defense—has helped the military and private sector develop “assured software” that works reliably and is free of vulnerabilities.

“There is almost no technology that software doesn’t touch.
Paul D. Nielsen, director and CEO of the SEI

The stakes have never been higher. Today, software runs everything from the most sophisticated anti-missile systems to the game apps on our smartphones. For all its seductive power to connect the world and make people feel in control of their environments, however, software also exposes mankind to new risks—some mere inconveniences and others potentially catastrophic.

The SEI is in the middle of the fight to defend software from attacks by rogue hackers, cybercriminals, and unfriendly governments. Recently, the institute got an impressive vote of confidence from the Department of Defense, which renewed its contract with the SEI for a term of five years, with an option for an additional five years. The contract has an overall ceiling of $1.73 billion, and it ensures that the institute will continue to support the nation’s defense by advancing and transitioning the science, technologies, and practices needed to engineer and secure software systems. The SEI continues to be the only federally funded research and development center focusing specifically on software-related security and engineering issues.

“It is an honor for CMU to be selected to manage the government’s research and development center for software engineering and cybersecurity at such a critical time for this work,” Carnegie Mellon President Subra Suresh said. “CMU’s expertise in securing systems and combatting cyberattacks is a university-wide strength across SEI and various academic units, and this work is becoming increasingly important not only for national defense but also for individual citizens, critical infrastructure and commercial enterprises.”

The award renewal will no doubt help to advance military-related initiatives, but it also will generate applications for a range of civilian activities. That’s because the work that takes place inside the sleek glass-and-stone building has implications for everything from Wall Street to your doctor’s office to your kitchen.

“There is almost no technology that software doesn’t touch,” says Paul D. Nielsen, director and CEO of the SEI. “At one time, it was just defense, then telecommunications. Now it affects medicine, wholesaling, retail, finance, shipping, transportation… I can’t think of a better area in which to make an impact for the 21st century.”

Though SEI officials do not discuss specific cases because of the sensitive and confidential nature of the work, they have worked with major carmakers and medical device manufacturers. They’ve given technical support to the military to create highly sophisticated missile systems and tanks. They’ve researched new ways to make robots more “trustworthy” so that military personnel will use them to perform more duties in combat.

Over the years, the SEI has also worked behind the scenes to give law enforcement the technical assistance it needs to chase down cybercriminals whose exploits make regular headlines.

David Hickton, U.S. Attorney for the Western District of Pennsylvania, is among those praising the SEI’s role in fighting computer crimes. He says the institute has helped cement Pittsburgh’s reputation as a leader in tracking down cybercriminals—no small feat in the murky and increasingly sophisticated world of Internet espionage and destructive hacking.

“We are talking about exceptionally clever criminals, proceeding in the dark anonymity of the Internet, where the evidence is evaporating because of the digital nature of communication,” Hickton says. “The technology is advancing and changing in a flash, and the legal platform is built for the pre-Internet age and is behind.

“It is very challenging to protect people in cyberspace,” he says. “But we are good in large measure because of our CMU partnership. From the day the digital environment began and the digital threat occurred, CMU has been there.”

Grandfather of Cybersecurity

Richard D. Pethia picked up the phone on his first day on the job. It was Dec. 7, 1988. Pethia was the one and only employee at CERT (the Computer Emergency Response Team), a brand new cybersecurity unit established at the SEI by the Department of Defense. The caller was from a lab on the West Coast. A hacker keeps attacking the lab’s computers, the caller said. He was desperate. Could Pethia help?

Pethia, who had previously worked for computer companies, had been selected by the SEI Director to start CERT in the wake of the Morris Worm incident. One of the first viruses distributed on the Internet, the worm was launched by Robert Tappan Morris, a graduate student at Cornell University, on Nov. 2, 1988, from the Massachusetts Institute of Technology. Though Morris said he was motivated by intellectual curiosity and not malice, the damage he did to thousands of computers across the fledgling World Wide Web woke up software companies to their security vulnerabilities and showed what havoc a single technologically savvy person could unleash on the Internet. 

Pethia didn’t know that the phone call from the West Coast—Case No. 1 at the SEI—would be the start of an avalanche of computer crimes he’d have to solve. He just knew he needed to contain the attack immediately. So he rounded up three part-timers from the information technology department, and they begin exploring the breaches in the software in the lab across the country from their desks in Pittsburgh. It took six weeks for Pethia and his team to discover and plug the vulnerabilities.

During that first case, Pethia found he had a calling. He loved the thrill of finding how to fix a breach. He loved writing code and then reversing the process to get inside the mind of the hacker. Over the next few years, he investigated viruses mostly created by hackers who wanted to disrupt computer systems just to show everyone how smart they were or sometimes to get the systems people fired. The hackers made sure Pethia knew they were out there and didn’t appreciate his computer counter-sleuthing. He got hang-up calls at midnight. One summer he continually got pizza deliveries to his house on Saturday nights that he hadn’t ordered.

Fast-forward 27 years and thousands of hacker cases later. Pethia—sometimes called the “grandfather of cybersecurity”—presides over a staff of 260 and runs the SEI’s largest division. Hackers are no longer ordering pizzas as a prank or tying up computer systems to puff up their egos. They are pilfering millions of consumers’ credit card numbers and other financial data from the likes of Target, TJX, and Home Depot.

The headlines get more chilling every day. The government initially announced that the hacking of confidential databases at the U.S. Office of Personnel Management affected some 4.2 million people, but as the digital strands of the case were pulled, the number of people affected grew more than fourfold. Described by The New York Times as “a colossal breach of government computer systems,” the cyberattack—thought to be made by China—stole Social Security numbers, fingerprints, and personal information.

“It’s like organized crime,”says Kristopher Rush, CERT’s Director, Monitoring & Response, of the new wave of attacks. “You no longer go to one of those guys’ houses and take his computers.

“We see more sophisticated groups involving tiers of people. Someone orchestrates it. A few key players write an ‘exploit.’ Someone else finds the target for the exploit. Another person scours the Internet for a class of targets. There is a separation of duties, giving them leverage to go deeper and deeper into the system.”

“We are talking about exceptionally clever criminals, proceeding in the dark anonymity of the Internet, where the evidence is evaporating because of the digital nature of communication.”
David Hickton, U.S. Attorney for the Western District of Pennsylvania

Aside from investigating some of the biggest cybercrimes in the nation, the SEI also helps protect politicians and visiting dignitaries at high-security events. For each event, Pethia says, SEI staff need to look at the computer systems that control everything from traffic lights to elevators. If the president is staying at a hotel where the elevators are automated, for example, the SEI has to make sure the bad guys can’t take control of an elevator and stop it.

The SEI provides technical advice to the Secret Service to protect the President and others during inaugurations, Republican and Democratic national conventions, G-20 summits, etc. After it was called in during the 2002 Winter Olympics in Salt Lake City, Utah, to investigate a hack by a disgruntled employee of one of the contractors, the Secret Service raided the hacker’s home and headed off any trouble.

Pethia and his staff have worked with major computer and software companies to fight computer viruses. But it’s like an arms race, with the hackers attacking from every angle, every second. With about 200,000 new pieces of malware to deal with per week, Pethia says, the SEI has had to develop software to catalogue all the malware because humans can’t keep up with the proliferation of hacks.

“I am sure this place is being attacked now,” Pethia says, referring to the SEI. Then he added with a sly smile, “But not successfully.”

Risks to Automobile Drivers

Today’s luxury cars are so smart that you might need a few hours with the dealer to figure out how all the software-enabled features even work. Ignitions start without a key, while your key fob lets the car know who is driving, and the seat, mirrors, radio settings, and A/C all adjust accordingly. Entertainment systems answer calls and connect to the apps you’ve downloaded. Wheels sense when you wander out of your lane and push you back. Brakes go on automatically before you hit a wall or another car.

All those extras that make driving safer and easier than ever before are made possible by about 100 million lines of computer code in a new luxury car. While computers in cars aren’t necessarily new, we’re just getting started in realizing the innovations software can provide, says Anita Carleton, deputy director of the Software Solutions Division of the SEI.

“In the near future, cars will have 300 million lines of code because they will have to communicate with each other and the road, immediately using the information they gather to avoid crashes and traffic pile-ups—while at the same time providing customized entertainment for those riding inside. It’ll be almost like a smartphone on wheels.”

The approximately 150 people in the SEI’s software solutions group have advised the makers of cars, medical devices, guided missiles, and tanks. They even have a hand in the development of the DoD’s new robotic exoskeleton, or “Iron Man suit,” which seems almost straight out of science fiction, providing superhuman strength and bulletproof protection. Carleton urges developers, in DoD and industry, to make their software and systems a priority from the outset instead of creating something “good enough” that ultimately isn’t—and leaves products open to dangerous cyberattacks. “Almost 50% of any software effort is rework. It takes so much more time and money to go back and fix something than to build something high quality from the beginning,” she says.

The risks to automobile drivers posed by hackers is obvious, but they were made painfully clear recently when researchers at the University of San Diego hacked into the computer of a car’s brakes via a text message. In the future, as researchers at Carnegie Mellon University and other places develop a driverless car, the need for secure software will be even more acute.

Driverless or not, however, cars of the future will come loaded with more and more software. With that in mind, Carleton recently gave a talk to automotive executives from around the world where she made the case that they are now already in the software business, not just the transmission, alloy wheel, and airbag business. “Software is not just something in your product,” she told them. “It is your product.”

Historic Triumphs 

Inside the SEI’s Emerging Technology Center (ETC), a disembodied robot arm sits on a table. It doesn’t look like the kind of innovation that could save the life of a U.S. soldier in the field or prevent him or her from losing a limb in combat. But the arm is part of a new robot lab that will develop technology so that bots can explain to humans in simple language why they make the decisions they do.

The aim is to get humans to trust robots more so they will allow the robots to make autonomous decisions more often. Most of the robots used in the military now are remotely controlled by humans. But if military personnel learned to trust robots more, robots would be able to engage in combat or conduct search missions by themselves.

“One of the things we don’t like about robots is that we don’t trust them,” says Matthew E. Gaston, director of the ETC, the SEI’s newest and smallest division. “We don’t know how they are going to move. Imagine a robot helping you cook in the kitchen, and it suddenly moves the knife it is holding abruptly. Chances are you will feel startled. But if it says, ‘Sorry I moved abruptly. I saw your three-year-old coming, and I wanted to get out of the way,’” then you may trust your bot as a sous chef.

“We want people to have this level of trust with robots. If I am working with a robot, and the robot explains itself to me, I will trust it more.”

The group of researchers in the ETC will devise a mathematical formula to assign a task to a robot—perhaps writing something on a white board or even feeding a marshmallow to a human. That will allow them to write a mathematical algorithm to enable the robot to explain its actions to humans in simple English in light of the variables in the real world. Though there may not be much of a market for a robot that feeds people marshmallows, a robot that explains itself to soldiers in the heat of combat could save human lives.

Figuring out how to do that is just one of the latest ways that CMU’s world-renowned SEI is making sure the age of automation is an age filled with historic triumphs rather than historic calamities.