Kevin Houk and his Penn State team were told their client, a major bank, might have been the target of a data-breach attempt. Someone threatened to make customers’ information public unless the bank paid him off.
It was part of a scenario at the Deloitte Foundation’s annual Cyber Threat Competition in November, but it doesn’t sound like fiction. In fact, the threat of cybercrime is all too real.
It was real for Target in 2013 when millions of customer credit card numbers were accessed by hackers. And it was real for the Democratic National Committee last summer when its staff members’ emails were hacked and made public.
At Penn State, instructors, students and researchers are paying increasing attention to cybersecurity and the protection of personal data.
For students, knowing how to code and program won’t cut it — security engineers must know how to apply these skills after assessing a threat.
Houk, vice president of Penn State’s Competitive Cybersecurity Organization, said competitions like Deloitte’s in Westlake, Texas, are where he can put into action the principles he studies in the security and risk analysis program.
“They give challenges you would find in the real world,” the Falls Church, Va., native said. “It’s not enough nowadays for people to just go to class and go home.”
Competitions aren’t new to Houk, who has participated in them since high school. As important as knowing how to secure a computer, he said, is knowing how to exploit one.
“The job of the security person is a heck of a lot harder than the job of a hacker. The hacker only has to find one way in,” Gerry Santoro said. “The cybersecurity professional needs to be aware of all possible ways in and understand how to deal with them.”
Santoro is coordinator for the College of Information Sciences and Technology risk analysis program.
In 2014, the program was designated by the Committee on National Security Systems — a government organization responsible for security standards — as a National Center for Academic Excellence.
Santoro’s students are taught not only how basic security programs such as firewalls, intrusion detection and authentication systems work, but also how to respond to potential problems without running afoul of the law.
This is a break from the way cybersecurity has been approached so far, he said. In the past, employers often assumed that a degree in information technology was qualifier enough for security responsibilities.
“The many breaches that we’ve seen have been an example of that,” Santoro said.
The cybersecurity field has grown rapidly, he said, and many of his students graduate and go on to high-paying jobs.
While corporations and governments are wary of prying eyes, others at Penn State are wary of prying corporations and governments. The amount of personal data, such as search histories, geolocations and Facebook friends, can form a telling profile of a person.
“We now live in … a far more perfect, panoptic environment — this environment where we’re always surveilled, we’re always watched,” said Sascha Meinrath, the Penn State Palmer chair of telecommunications. “We’re always thinking that we might be surveilled or watched. The implications of that are profound.”
Meinrath is a technology policy expert and activist. He was named to his position in 2015 after years of work for a public policy think tank, New America, in Washington, D.C.
In 2014, Meinrath founded X-Lab, a think tank that examines the relationship between personal computer technology and privacy rights. It’s a perspective he brings to the classroom.
One of the first things Meinrath shows students in his courses is a function nestled in the privacy settings of their iPhones. Dig deeper into that menu and you can find the “frequent locations” function; it will show you a map of all the places you’ve traveled with your phone — and the time of each visit.
“It’s kind of spooky,” Meinrath said. “The reality is, we don’t know who this data is being sold to and what they’re being used for.”
Users aren’t always aware of what they authorize a company to know about themselves when they accept the lengthy terms-of-service agreements common for services like Facebook or Instagram. Meinrath suggested that advertisers might be interested in such data for targeted ads, but he admitted that the truth is “unknowable.”
X-Lab projects, by contrast, give users more autonomy over their personal data. Commotion Wireless, which Meinrath began working on during his time in Washington, is one such initiative.
Commotion provides tools for users to create their own mesh networks — wireless connections between computers that allow them to share data without using the internet. The work of X-Lab, Meinrath said, is to look at the trajectory of public policy and thought, and develop technology that will empower and connect users now.
“Just because a technology does enable a certain level of data collection … doesn’t mean that’s a good thing,” Meinrath said.
Matt Guerry is a Penn State journalism student.