Carnegie Mellon University
January 12, 2017

Jahanian, Acquisti Deliver Calls To Action at NSF Meeting on Cybersecurity, Privacy

By Julianne Mattera

Carnegie Mellon University Provost Farnam Jahanian called for continuing investments in cybersecurity to meet the evolving challenges in securing cyberspace. He delivered his remarks during a keynote speech at the National Science Foundation's Secure and Trustworthy CyberSpace (SaTC) Principal Investigators' Meeting.

The biennial forum of the SaTC research community, held Jan. 9-11 in Arlington, Va., included top experts in academia, government and industry.

Prior to coming to CMU, Jahanian led the NSF Directorate for Computer and Information Science and Engineering, which hosted the event.

Jahanian's keynote described the co-evolution of attacks and defenses in cybersecurity. A system that was secure in the past might not be in the future, and as upgrades occur, new systems introduce new vulnerabilities. As automation pervades new platforms, Jahanian cautioned that vulnerabilities will continue to threaten critical infrastructure, automotive systems, smart grids, medical devices and transportation systems.

"Cybersecurity is a multi-dimensional problem," Jahanian said. "It requires expertise from various disciplines, not just computer scientists and mathematicians, but from economists, social scientists, behavioral scientists and policymakers."

Following this holistic approach, Carnegie Mellon's CyLab brings together experts from across the entire university, spanning the fields of engineering, computer science, public policy, business and others.

Jahanian said some of the simplest security measures are not necessarily being used. A recent Duo Security Trusted Access Report estimated that 71 percent of Android mobile devices and 50 percent of iOS devices are out of date.

Future cybersecurity challenges will continue to follow internet adoption patterns and rapidly emerging technology trends.

According to Jahanian, those emerging trends include smart systems and the melding of the cyber and physical world; the explosion of data and analytics; and advances in automation and robotics.

According to research by the Software Engineering Institute (SEI) cited by Jahanian, more than 40 percent of all security issues fixed by Google in the Android platform in 2016 came from externally developed software. Systems are rarely written from scratch anymore and are instead built by integrating previously developed components, often from outside organizations. While accelerating the time to market, the process also introduces security issues.

While big data has transformative implications for commerce and the economy and is increasingly critical to accelerating the pace of discovery and innovation, it also has created major security targets that motivate sophisticated hackers, including those who gained access to millions of credit and debit card accounts from Target and Home Depot.

Jahanian's address emphasized the importance of cybersecurity and data privacy as national priorities that demand sustained investment.

"Future cybersecurity challenges threaten the tightly integrated economic, political and social fabric of society," Jahanian said. "There is a need for large-scale integration, experimentation and evaluation, and continued growth in R&D investments for cybersecurity and privacy at the federal level."

Academic institutions like CMU can help to bridge the gap between research, innovation and practice.

"Institutional and academic leadership need to support faculty and researchers serving in federal agencies," Jahanian said. "This is truly a call to service for the community."

Jahanian was one of several CMU representatives who spoke during the three-day meeting.

Alessandro Acquisti, professor of information technology and public policy at CMU's H. Heinz III College and CyLab, and director of the Privacy Economics Experiments (Peex) lab, gave the meeting's final keynote address Jan. 11.

Acquisti's talk focused on the relationships between privacy, economics, and behavioral economics in a time when people disclose so much of their personal lives and data over the internet. Much of the talk revolved around two questions: Do people care about privacy, and should they?

The degree to which people care about privacy ends up depending on the context of the situation, Acquisti said. He added that both the sharing and the protection of personal data can benefit some while having a negative impact for others — a more nuanced approach than the argument that sharing data is an unalloyed economic win-win.

For instance, Acquisti said the success of platforms like Facebook makes it possible for employers to find job candidates' publicly shared personal information, such as religious affiliations or sexual preferences, which legally shouldn't be used in the hiring process. In an experiment that included four male candidates, including one whose Facebook profile represented him as Muslim and one whose Facebook profile represented him as Christian, Acquisti and his co-author (CMU's Christina Fong) found that, in more conservative states in the U.S., the Christian candidate had about a 17 percent probability of being called back for an interview, whereas the Muslim candidate's probability was about 2 percent.

The appearance of having more control over their data also can lead to people having less privacy, Acquisti said. The study's findings suggested that, when users had more control over the publication of their private information, their privacy concerns decreased while their likelihood of publishing sensitive information increased.

Other CMU faculty participants were: Norman Sadeh, a professor in the School of Computer Science (SCS); Lorrie Cranor, professor in SCS and the Department of Engineering and Public Policy (EPP) who is serving as chief technologist at the U.S. Federal Trade Commission; Greg Shannon, chief scientist for the CERT Division at CMU’s Software Engineering Institute and the assistant director for cybersecurity strategy at the White House Office of Science & Technology Policy; Cleotilde Gonzalez, a research professor in the Department of Social and Decision Sciences at the Dietrich College of Humanities and Social Sciences; and Nicolas Christin, an associate research professor in SCS and EPP.