David Brumley, Director of Carnegie Mellon CyLab Security and Privacy Institute and faculty adviser to CMU’s Hacking Team, joins Hari Sreenivasan to discuss cybersecurity.
According to my next guest, hacking shouldn't be looked at in the context of good or bad, but rather as a necessary skill.
Joining me now is David Brumley, director of Carnegie Mellon CyLab's Security and Privacy Institute and faculty adviser to CMU's hacking team.
So, what's CyLab, first of all?
CyLab is CMU's Security and Privacy Institute, where we focus on, really, all the different areas that need to come together to create effective cybersecurity solutions.
And part of this is teaching your students how to hack, but responsibly.
Yeah. We're a big believer that we have to give people the tools to understand how things can go wrong in computers in order so they can protect them.
And there's actually competitions where you guys figure out how to measure who the best hackers are.
What do those competitions entail?
There's competitions throughout the world.
There's competitions in Russia, in Korea, here in the U.S.
And it's really this kind of underground community, if you will, of hackers who go into a room.
They're all given identical computers with identical software.
And the goal is to break into your opponent while preventing them from breaking into you.
And how have you done?
Well, we have a pretty good team.
There is something that's considered, really, the Super Bowl of hacking called DEF CON, where we've won three out of the past four years.
And when you say you're breaking into the other person without them breaking into you, in simple terms, how do you do that?
Well, computers are written by people, and people sometimes make mistakes when they write programs.
Just like if you're writing an essay, you may have spelling, grammatical, or, worse, logical errors.
These happen in computer programs, as well.
And so the job of a hacker is to understand the computer so deeply that he can find those problems, demonstrate that they're real, because people don't want to just speculate about problems, and then fix them.
What happens after these people get this?
Do they go into the security industry?
There's a number of jobs out there.
In fact, computer security is growing 2 1/2 times that of the national average.
It's also a really high-paying job.
The national average is $93,000 a year, starting.
So it's a huge market.
It's a growing market.
There really just aren't enough people doing this right now, so it's a great place to get into.
And as we become more enmeshed in the Internet, as the Internet of Things starts to pervade our lives more, in a way, those are all different opportunities for security or lack of security to exist.
Yeah, these are all opportunities.
As we rely more and more on technology, everything from self-driving cars to public announcements to E911, these really enhance the quality of life, and we need to make sure they're secure and safe.
What's a tip that you'd give people that perhaps are not looking enough at in their daily lives?
Well, I think, in our daily lives, one of our biggest problems is -- most people have no idea how cybersecurity works.
They just don't have the basics down.
And, so, at Carnegie Mellon, one of the things that we have a big initiative on is a cyber-aware generation.
We think understanding basic cybersecurity is something everyone should know, because we're all choosing passwords, accepting terms of service, giving information to Google and Amazon.
And we really need an education about what are those implications?
And, oftentimes, it seems that it's the humans that are the weak link in the chain.
Often, it is, so the humans often have no idea about computer security.
They've not been trained in how to protect systems.
They've not been trained in the importance of, for example, patching software.
And I think that we can do something about that by making computer-security education one of the basics that we focus on.
As we kind of go forward five years, 10 years, is there a technology arms race, or is this between kind of locks and lock pickers, that there's constantly going to be this battle of creating a more secure environment and somebody figuring out how to poke a hole in it?
Well, I think so, but I wouldn't term it a rat race.
Really, the goal of cybersecurity research is to take entire types of attacks off the table.
So, for example, right now, a lot of our software is plagued with a particular type of vulnerability called a buffer overflow, and research has shown how to get rid of that.
The great thing is -- when we start to make these incremental changes in cybersecurity, we start building new technologies that create new business opportunities.
The example I always think of is Amazon.
I shop on Amazon, and that only works because cryptography is working correctly.
Software security is working correctly.
There's network security.
And, so, there's this rat race of -- or there's this opportunity to keep building more and more secure technologies, and then getting to this place where people start to be able to trust their technology is the goal.
Do you see a scenario where normal, non-tech companies have to start thinking about how to secure their information, regardless of whether they're in plumbing or whether they're Amazon?
I think everyone needs a basic understanding.
You know, there's these malicious programs out there today that can infect anyone, that will encrypt their hard drive and demand a ransom.
It's called ransomware.
People need to be aware of computer security so they can avoid threats like that.
So, when your students are not working on becoming the Super Bowl champions of hacking, are they participating in communities that are figuring out, here is a list of all the known ransomwares out there.
Here's the patches that should be installed.
I mean, how does the kind of academic community work in this world?
Well, the academic community works on creating new technologies that are more secure.
These technologies end up in things like Google Chrome, a web browser millions of people use, or Apple Safari or an Internet Explorer.
So part of what our students are doing is creating these more secure technologies that really impact everyone's life.
David Brumley from CyLab at Carnegie Mellon University, thanks so much for joining us.