frenta - Fotolia
Stuart Madnick wants to look beyond firewalls, encryption and the other usual technologies deployed by organizations in search of computer security. Instead, the director of the Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity wants to understand how factors such as organizational structure and employees impact data protection.
The MIT Sloan School of Management launched (IC)3, as the consortium is known, in March to help improve critical infrastructure cybersecurity by using interdisciplinary research to delve deeper into these non-traditional factors.
"Others are focused on technical aspects, which is great. We're focused on complementary issues: the organization, managerial and strategic areas," Madnick said.
This is just the latest MIT contribution to cybersecurity strategy. The school's work in computer technology is certainly significant and well-known, and its cybersecurity work goes back decades.
Still, hackers are more active than ever and their attacks have become more sophisticated. Society is also experiencing a rapid increase in the number of potential targets with the proliferation of consumer devices, "smart" equipment and the Internet of Things.
"In the last couple of years, there's been heightened attention to this, because hardly a day goes by that there isn't something [about a breach] in the headlines," said Madnick, who authored the 1979 book Computer Security.
As the FBI and many other cybersecurity experts assert, there are only two types of companies: Those that have been hacked and those that will be. Madnick said (IC)3 is focusing on interdisciplinary research and forging industry partnerships to develop more effective approaches to combating cyberattacks.
The team itself exemplifies this approach: MIT representatives working with the consortium include a political science professor, a senior research scientist in computer science and artificial intelligence, and a professor of aeronautics and engineering systems. Madnick is a professor of information technologies at the MIT Sloan School of Management and a professor of engineering systems at MIT's School of Engineering.
Madnick said a strong and varied team of people working on cybersecurity will help the consortium address the complex, multifaceted challenges that require experts in a wide range of areas.
"We're taking a holistic approach," he said, adding, "I don't see many others doing the kinds of things we're doing."
The approach has helped (IC)3 attract corporate sponsorship. Kurt Silverman, senior vice president of development and delivery at digital content delivery firm Limelight Networks Inc., said Limelight was looking to join an organization that was advancing cybersecurity in unique ways.
"It was pretty clear to us that this was the right consortium to be part of. We found no other area that was close to taking this synergistic approach to solving problems," Silverman said. "It is driving forward best practices and research and sharing."
George Wrenn, cybersecurity officer and vice president of cybersecurity at Schneider Electric, said MIT's decision to draw in researchers and experts from various disciplines promises to bring new insights into computer security.
"MIT is really the type of institution that can bring the right minds, the intelligence and expertise in each of the domains together to come up with innovative solutions to something that has been an intractable problem," Wrenn said.
(IC)3 cybersecurity research
The consortium is delving into multiple research areas to guide organizations as they shore up their defenses, Madnick said. Initial research projects at (IC)3 include:
- Developing metrics and models for organizations to conduct cyberrisk analysis, and return on investment calculations.
- Applying lessons learned from accident prevention research to prevent cybersecurity failures.
- Simulation and modeling of cybersecurity resilience.
- Developing incentives for more effective cybersecurity information sharing.
- Increasing corporate adoption and commitment to cybersecurity efforts.
As its full name suggests, the consortium is also focusing on improving critical infrastructure cybersecurity protection. Celebrity hacks and breaches at big-name retailers get all the headlines, but Madnick said lacking security at computer-controlled oil refineries and electrical grids don't get addressed nearly enough.
"They're not as interesting as leaked emails of famous Hollywood movie stars, but the consequences are significant," Madnick said.
The emerging Internet of Things will not only tie together more online infrastructure processes, but will also create large numbers of new potential targets.
"Those next generation of targets, the airline control systems and smart cars, they're woefully less protected," he said. "I don't think it's because security is so great they haven't been attacked."
Madnick said hackers still currently have more incentive to target credit card numbers than attacking a smart car or power station system. But incentives are changing: There are increasing numbers of attacks for ransom or blackmail; other attacks are for revenge or to settle a score.
"All you have to have is someone who is pissed off at you and has the desire and capability to unleash something," Madnick said.
The consortium plans to disseminate its research findings to help companies realize the old ways to protect cybersecurity may need to be reworked.
"[These research areas] overlap with the conventional concerns," Madnick said. "We're not excluding them -- but we're shining a flashlight in places that many people haven't looked."
About the author:
Mary K. Pratt, a freelance writer based in Massachusetts, writes frequently about business management and information technology. She can be reached at firstname.lastname@example.org for questions or comments about this improving critical infrastructure cybersecurity tip.
After OPM breach, White House pushes cybersecurity changes
Outdated security processes put company data at risk
CIOs offer best practices for protecting against healthcare cybersecurity vulnerabilities