Cyberattacks and Internet security mistakes continue to rock economies and businesses worldwide, and the Luddy School of Informatics, Computing, and Engineering’s Jean Camp is a big part of the solution.
Camp, Luddy Professor of Informatics and Director of the Center for Security and Privacy in Informatics, Computing, and Engineering, was listed by Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, as one of 12 leaders in Secure by Design, an initiative that aims to spur companies to build secure software and reduce if not eliminate successful cyberattacks.
The challenge is formidable, but not insurmountable, Camp said.
“It’s a problem where we can make vast and profound improvements,” she said. “We can’t solve the problem of security, but it doesn’t have to be terrible. Right now, it’s a rivers-catching-on-fire-levels-of-pollution problem. We haven’t solved pollution, but our rivers don’t catch on fire anymore.”
In 1969, the Rouge River in Detroit and the Cuyahoga River in Cleveland caught fire because of pollution. Today, there are fish in these rivers that are safe to eat.
“Now you can swim in the Seine River (in Paris),” Camp said. “You can eat fish from the rivers in (Ohio).”
Cybersecurity issues have hit hard this year, from a February ransomware attack that disrupted healthcare industry billing operations for months to more than 100 businesses compromised by multiple attacks on Snowflake customer environments to the CrowdStrike software update that knocked out global IT systems and networks in one of the largest IT disruptions in history.
During last month’s Black Hat USA 2024 event in Las Vegas, which featured specialized cybersecurity trainings and demonstrations, Easterly spoke optimistically about repelling and mitigating attacks. Camp also spoke at the event, which drew more than 20,000 attendees and included security professionals from 117 countries.
The Secure by Design initiative seeks to make technology manufacturers responsible for cybersecurity rather than technology users. As part of the White House’s National Cybersecurity Strategy to develop secure software, it wants companies to build cybersecurity into the design and manufacture of all technology products.
More than 300 companies worldwide have pledged to follow Secure by Design guidelines.
Is that a sign the nation and the world are moving in the right privacy and security direction?
“How much more in the wrong direction can we get?” Camp said with a laugh. “Seriously, is the network more secure today than it was yesterday? I don’t know. But five to six years from now, if the companies that signed onto the Secure by Design Pledge follow up and meet their public commitment, then we’ll be in a better place.”
The challenge will continue because cyberattacks will never stop and cybercriminals will keep developing better strategies.
“There will certainly be that,” Camp said, “just like there are always vandals and arsonists. But we are much safer because we have building codes.
“There are always people who will take their paint or oil and dump it into the river because they’re jerks. That’s not the same as having industrial garbage pouring into our waterways.”
The Cybersecurity and Infrastructure Security Agency and the Secure by Design initiative seek to stop the Internet “garbage.”
“Right now, all the cost and all the risk are being felt on the Internet because the producing companies aren’t doing risk mitigation and behavior responsibility,” Camp said. “They don’t have liability.”
Combine that with consumers who can’t or won’t distinguish between secure and insecure software products, and you have vulnerabilities at scale for cybercriminals to exploit.
“The first thing is to encourage better practices by providing common standards,” Camp said. “The idea is to let people who want to buy secure products be able to buy secure products. That requires defining what it means to be a secure product. That means requiring some information on production, the product, and the practices to keep it secure.”
Camp is internationally recognized for her work in privacy, security and user data availability. Her research focuses on risk identification, risk mitigation and risk communication.
Camp was drawn to privacy and security while studying international competition and manufacturing at Carnegie Mellon. She joined Computer Professionals for Social Responsibility, “and became deeply involved in computer security and privacy.”
“My advocation became my vocation.”
Besides Camp, Easterly mentioned 11 other Secure by Design leaders. They included Hans de Vries, chief cybersecurity and operations officer at the European Union Agency for Cybersecurity; Felicity Oswald, CEO of the United Kingdom’s National Cyber Security Centre; Moxie Marlinspike, founder of secure messaging app Signal; Craig Partridge, chief scientist at Raytheon BBN Technologies and an Internet Hall of Fame member; Katie Moussouris, founder and CEO of Luta Security; Dino Dai Zovi, mobile security lead at Square; and cryptographer and security expert Bruce Schneier.
“People have dismissed my work because it is not narrowly technical, and includes economics and human behavior,” Camp said. “The recognition was very validating for me. I do very interdisciplinary research. I have strictly technical patents, but I also work with security in the real world and how it works with people.”
In the wake of all the cyberattacks, they’re not dismissing it now.