Carnegie Mellon University
March 26, 2019

Cybersecurity Stars

In a field dominated by men, female researchers take the lead at CMU

By Jason Maderer

Jason Maderer
  • Marketing and Communications
  • 412-268-1151

At a university internationally recognized as one of the best for security and privacy research, three groups have made the field their primary focus.

CyLab is Carnegie Mellon University's security and privacy research institute.

The CERT Division within CMU's Software Engineering Institute develops cybersecurity technology on behalf of the Department of Defense.

And the university's Information Networking Institute (INI) has taken the lead in educating and developing cybersecurity professionals via master's degree programs since launching one of the nation's first security degrees in 2003.

According to most estimates, women constitute less than 20 percent of America's cybersecurity workforce. But at CMU, all three divisions — CyLab, CERT and INI — are run by women. In fact, so is the university's information security team.

"Having worked with each of these women, I know they are the best in the field," said Bobbie Stempfley, director of the CERT Division. "Not the best women in our field. They're the best in the field."

Together, this quartet says Carnegie Mellon's culture is the reason they find themselves atop positions within a male-dominated digital world.

"Our university has historically done so much to attract and develop women in computing and engineering," said Dena Haritos Tsamitis, who directs INI and is a founding director of CyLab. "I continue to see it when I read admissions essays for our program. Women applicants recognize the work we have done to create a culture of inclusion and consistently tell us, ‘we want to be part of that at CMU.'"

CyLab's Lorrie Cranor and Chief Information Security Officer Mary Ann Blair complete Carnegie Mellon's Mt. Rushmore of privacy and security.

But they aren't the only women reshaping the field and industry. Below are some of CMU's security stars.

Mary Ann BlairMary Ann Blair, chief information security officer

The Information Security Office’s (ISO) Security Operations Center forms the virtual front door of Carnegie Mellon. It houses Mary Ann Blair and her team. They protect campus from cyber threats that attack the confidentiality, integrity and availability of information and systems. The ISO builds the program that keeps CMU’s systems safe and reacts when adversaries are successful. Blair says it’s the best job in the world. But it’s certainly difficult.

"We’re never going to reduce the threat to zero, but campus should be confident that we’re always addressing it in the strongest way possible. And when an attack does occur, we focus on resiliency — how quickly can we recover. Then we use it to learn lessons and pass them along to our students and faculty as part of our cyber teaching hospital initiative. We think of our operations and campus as a living lab for research.

CMU is the birthplace of cyber. We take that legacy seriously."

Kathleen M. Carley, professor of computer science, Institute of Software Research

Kathleen M. Carley joined CMU's faculty in 1984. She never dreamed she would wade deep into the world of social media 35 years later. Carley searches for algorithms that pretend to be real people sowing provocative messages intended to distort public opinion. These accounts tap into Twitter, YouTube or other platforms to distort information and change who is talking to whom. This can drive traffic to dangerous groups, increase anger or make it appear that no one cares about you.

"Most research in this 'information warfare' is focused solely on what these fake accounts are talking about. Our algorithms are different, as they also look at whom they are talking to and how this changes over time. This lets us design counterstrategies and reduce their influence in order to enable open, honest communication. As we saw in the last two elections, the U.S. is behind in this area. If we don't consider humans when designing technology, artificial intelligence has the potential to make it crazier before they make it better."


Lorrie Cranor
Lorrie Cranor, CyLab director and Bosch Distinguished Professor in Security and Privacy Technologies and FORE Systems Professor, Computer Science and Engineering & Public Policy

Lorrie Cranor once took America's 500 most-used passwords and stitched them into a dress. It's a fitting wardrobe for someone who has dedicated her career work to making passwords more secure. There's only one problem: when people find out what she does for a living, they can't wait to tell Cranor their own password and strategy. She always tells them to stop.

"Passwords should be secret. Unfortunately, most of them are bad. You shouldn't put numbers or exclamation points at the end. Don't use birthdays or pet names. Never include the word "love" in any language. And don't use the same password in multiple places. Your best bet is to use a password manager to randomly generate strong, secure passwords every time you need one. This tool will remember these passwords so you don't have to."

Julia FantaGiulia Fanti, assistant professor, Department of Electrical and Computer Engineering

To use Giulia Fanti's words, blockchains are a technique for storing data among multiple parties that don't trust each other. For example, they can be used by companies to process financial transactions, keeping accounts safe and protected as they pass through multiple systems. Fanti is interested in designing scalable blockchains that account for resource constraints in the network and in individual devices. Her work ranges from protecting users' privacy to building faster consensus algorithms.

"Blockchain is an exciting field because everything is so new. The opportunity to find security gaps in existing systems is relatively common because the technology is still emerging. Being in this field also gives us a chance to create new systems that could potentially be adopted by the corporate global community. It's an exciting time to be a blockchain researcher."

Lori Flynn, software security engineer, Software Engineering Institute’s CERT Division

Lori Flynn currently leads a five-year project within CMU's SEI centered on the automated classification of static analysis warnings. Those analyses examine software for code flaws without having to actually run the program. By analyzing the source code syntactically and semantically, static analysis can find code flaws that can be fixed before code is released.

"These days, static analysis alerts are manually examined by experts, who examine the alert and its related code to determine if there’s truly a code defect. In the general case, it’s usually not possible to manually examine all the alerts for a large codebase. There are simply too many. My research aims to make automation of the process practical. We combine machine learning with novel uses of test suites to provide labeled data, multiple tools as features and an extensible API for alert classification and prioritization. With better technology, more developer effort can be directed toward fixing true code flaws, rather than manually determining if the alert is false or true."

Limin Jia
Limin Jia, associate research professor, Department of Electrical and Computer Engineering and Information Networking Institute (not pictured in group photo)

The "Internet of Things" (IoT) is poised to change the world we know, even if we’re not sure of all IoT’s future applications. It already has changed Limin Jia’s research focus. She constantly is trying to determine if the software we use, including mobile apps and web applications, are secure. One of Jia’s projects focuses on how people will use IoT and face the quirks it will bring.

"People like to think using services like IFTTT (if this, then that) to connect IoT with web services will be nice and convenient. For instance, if you’re on vacation and tell Flickr to immediately post when you snap a photo, it makes sharing with friends a one-step process. But what about when you come home, apply for a visa and take a picture of your passport? If you’ve forgotten to turn off the app, you have a privacy invasion.

I’m looking at these new computing infrastructures, trying to find security flaws before they become unexpected consequences. We need to think about these issues before they arrive."

Dena Haritos Tsamitis
Dena Haritos Tsamitis, the Barbara Lazarus Professor in Information Networking and director of the Information Networking Institute 

As the director of the INI, Dena Haritos Tsamitis doesn’t create new ways to foil cyber attackers or build software to protect networks. Instead, she is responsible for producing the future leaders in security. It’s looking increasingly female. When she took the reins of the INI in 2002, her student population was only 6 percent women. This past fall, she welcomed a 42 percent female incoming class and reached 50 percent female faculty.

"There’s a shortage of 3.8 million professionals in the cyber world. If we invest in women and underrepresented minorities, we won’t just get more experts. Research shows diverse organizations see increased innovation, ideas and revenue. 

It's essential we move beyond the male-dominated, cutthroat culture of cybersecurity to instead foster a culture that is welcoming and supportive of diverse talent. I encourage young women not to allow misconceptions to hold them back. The more women who join the field, particularly in leadership roles, the larger our influence can be to shape the culture."

Lena Pons
Lena Pons, machine learning research scientist, Software Engineering Institute’s CERT Division (not pictured in group photo)

Lena Pons is a computational linguist, which means she distills down large amounts text to identify critical information within cyber threat intelligence. This machine learning tactic allows her to search a series of threats for patterns. Pons then submits those patterns to analysts, saving them hundreds of hours as they attempt to outmaneuver adversaries.

"I think of cyber as an intelligence problem. Just as spies in the world are trying to gather info about a government or its military, we're gathering info about what bad people on the internet are doing and the source of their threats. The problem is that there are a few useful techniques, but many more unique problems. My background is in the biomedical space, where there's a deep understanding of language. Medical libraries have existed for more than 150 years. The cyber world needs to discover and share more common information. Computational linguistics is a good way to close the gap." 

Leigh Metcalf
Leigh Metcalf, Software Engineering Institute senior network security research analyst and co-editor-in-chief ACM journal Digital Threats: Research and Practice

SEI is an odd landing spot for someone with Leigh Metcalf's background. She has a Ph.D. in mathematics, one of very few within the CERT Division. But she also can code in multiple languages. That unique expertise gives Metcalf the freedom to work on the research of her choosing, and she spends much of it challenging popular cyber assumptions.

"A few years ago, I wanted to find out the truth about blacklists, the software that can be used, for example, to control spam from getting into your email. Everyone thought blacklists were the same — it didn't matter which one you bought to protect your network. They all blocked the same threats. Our research at SEI found that wasn't the case.

I like to challenge what people think is true. Sometimes they get upset. That isn't as important to me as finding out what really is true."

Bobbie Stempfley
Bobbie Stempfley, director of Software Engineering Institute’s CERT Division

Bobbie Stempfley spent 23 years as a public servant, working for the Departments of Defense and Homeland Security. Now she oversees a group of nearly 300 nationwide SEI researchers. Along the way, she’s learned there are two certainties in the always evolving, chaotic world of cyber. First, cyber experts rarely know how to solve a new problem when they initially see it. That uncertainty motivates them.

"Then, once we figure it out, the second certainty is that a majority of the people will initially see the solution as a cost and not a benefit. We as a society are just coming to realize the value of cybersecurity. Our entire lives are impacted by technology and are software-driven. The efforts of cybersecurity researchers and practitioners are growing in importance, and we have to continue to drive usable, adoptable solutions."

— Related Content —