Cybersecurity lab poised to grow: At USM, students gain real-world cyber experience

Photo / Tim Greenway Edward Sihler of the Maine Cyber Security Cluster in his classroom at the Portland USM campus.

Write a Comment

By Laurie Schreiber

The Maine Cyber Security Cluster at the University of Southern Maine is fast becoming a force in the fight against malicious cyber activity.

MCSC trains students in cybersecurity techniques, placing them in real-world applications in the public and private sectors and positioning them for employment in this fast-growing industry.

In tandem, MCSC provides public and private entities with the personnel, facilities, and training needed to understand and test malicious activity and its solutions.

This year, USM leveraged its new facility by partnering with other campuses across the University of Maine System to create a baccalaureate degree in cybersecurity. It is designed to prepare students for jobs in the cybersecurity field.

In connection with that initiative, USM faculty and staff achieved recognition for the University of Maine System from the National Security Agency and Department of Homeland Security as a National Center of Academic Excellence in Information Assurance/Cyber Defense.

MCSC is not so much a classroom setting as it is a training center that hires students, at the federally mandated work-study rate, to train them and then apply their training to real-world situations.

“We bring students in and give them real-world problems and say, 'Solve this,'” says Edward Sihler, assistant director of MCSC. Working in a simulated town they've named Betaport, which has different businesses such as a bank or coffeehouse, students practice both defending and attacking simulated websites associated with these companies.

“When we do our job properly, in their junior or senior year, the students are out doing internships rather than working for MCSC,” Sihler says. “We really want them to be pushed out the door.”

Cybersecurity is a body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage, or unauthorized access. MCSC, headed up by Glenn Wilson, an associate research professor in USM's Department of Technology, consists of a systemwide cybersecurity laboratory headquartered at USM that has been officially up and running since August 2014.

About $1 million went for lab construction, equipment — such as servers, network gear, and software — and personnel, with about half coming from the Maine Technology Institute.

The lab, set up as a shared and secure testing and evaluation environment, is called a “cyber range” — a space to set up computers to try out techniques as defenders and attackers.

“If you have a range set up for defense, you bring in attack systems and you try to break in,” says Sihler. “If you have a range set up for attack, you bring in defense systems. Frequently, they're at least somewhat competitive in nature. You'll have machines that are identical, and they're assigned to teams, and you compare how well team A does against team B. What's different about our range is that we have Betaport and we set students up to run companies. The goal isn't to be better than the company next door, but to work with the company.”

The most notable example of this was when students from York County Community College, University of Southern Maine and University of Maine/Fort Kent joined forces on a Saturday morning to defend against an “attack” — all while trying to perform the normal functions of an IT department, including dealing with “outraged users” and “demanding bosses.”

Cyber dangers

In a 2013 report, “The Economic Impact of Cybercrime and Cyber Espionage,” McAfee Inc., a global cybersecurity firm based in Santa Clara, Calif., breaks malicious cyber activity into six parts: loss of intellectual property and business confidential information; cybercrime, such as identity theft; loss of sensitive business information, including stock market manipulation; opportunity costs, including disruptions in service and employment, as well as reduced trust for online activities; additional cost of securing networks, insurance and recovery from cyberattacks; and reputational damage to the hacked company.

The McAfee report estimates that the cost of cybercrime and cyber espionage to the U.S. economy is $24 billion to $120 billion, or 0.2% to 0.8% of GDP, annually. In Maine, that would translate to $109 million to $273 million.

“To bring the problem into perspective, consider critical infrastructure such as the traffic lights,” Sihler says. “If somebody were to steal them all one evening, the economic costs would be high, not just in wasted time and fuel, but also injury and death due to traffic accidents, along with losses in the tourism sector. Fortunately, this is not practical. However, depending on how the signals are networked, it might be possible to do this with a few keystrokes — same effect, from anywhere in the world.”

Cyber defenses

Cybersecurity solutions comprise a number of specialties such as penetration testing, information assurance and digital forensics. Penetration testing involves breaking into a protected network in order to identify the network's weaknesses, which can then be fixed. Information assurance involves protecting data release and data integrity. Sihler posits the question: Is a shopping website real, or is it a clone concocted by a cyber bad guy who takes your credit card info? This issue is related to the field of encryption and the effort to keep encrypted data safe from prying eyes.

Digital forensics investigates the source of break-ins. “Somebody's broken in. Now what?” Sihler says. “What's the flaw, how did they get in and how do we close it? What did they touch, take, alter and add?”

The goal, he says, is to understand the scope and ramifications of an attack — who needs to be told their credit card or social security number has been viewed — with an eye to preventing the next attack and finding evidence for criminal prosecution. This area, he says, overlaps with the type of traditional police work involved, for example, in recovering emails from a hard drive that were erased to hide a crime.

MCSC is also charged with public outreach and conducts classes and presentations in the lab and in the field around the state.

“It's raising awareness at the broadest level,” Sihler says. In contrast to cybersecurity firms which, he says, tend to be secretive by nature, “one of the nice things about being part of the university is that we are here to talk. We spend a lot of time going out to anybody who wants to listen, and we say, 'Here is why you need to worry about changing your password. Here's why you need to worry about that phishing email.' We also explain how things are done. For example, after just about every large hack, someone from here will end up on multiple media outlets being the talking head who explains how it was done.”

MCSC operations are partly funded by the Maine Economic Improvement Fund and other grants. In June, MCSC received another round of funding from the Maine Technology Institute's Cluster Initiative Program in the amount of $496,174, plus $2.1 million in matching funds for the purpose of pursuing partnerships with business, government and academic institutions.

As a training facility and a resource for outside users, MCSC has great potential, says Sihler. With the completion of the spring 2014 semester, all seven graduates found immediate employment with local businesses. MCSC's capacity for enrollment for fall is about 21 students. So far, 12 have enrolled; it's expected more will sign on through the school year. Since MCSC doesn't offer classes, per se, it's not tied to the semester enrollment schedule.

So far, MCSC has performed tests for local, state and federal government agencies, as well as the private sector, primarily in IT, insurance and pharmaceuticals. It is also conducting a series of workshops for the Coast Guard on the nature of cyber attacks. MCSC is in the process of reaching out to Maine's small- and mid-sized businesses, in areas such as credit card security. It's a delicate balance, he says: As part of a public institution, MCSC is required by law to avoid competing with firms that offer cybersecurity services. So MCSC focuses on raising consciousness about the need for cybersecurity, running classes and research and testing of new gear in partnership with commercial entities.

“In the best of all worlds, from the USM standpoint, we'd talk to small businesses, get them interested, then say, 'Here's a student who will work with you,'” Sihler says. “So the student gets an internship out of it, the cybersecurity firm makes money out of it, and the business gets a good product at a reduced price, because it's student labor. The end result is the state of Maine gets a graduate who is hired, stays in Maine and continues to work in the technology field meeting the shortage of skilled technology professionals we have in the Maine economy and the national economy as well.”