Could hackers have disrupted HealthCare.gov’s opening week, when 3.72 million visitors were attempting to register?
“Possibly,” says computer forensic analyst Rebecca Mercuri, PhD. The launch was ripe for attack in an atmosphere of intense social and political opposition. “But we’ll probably never know.”
Nonetheless, there’s a lesson in the importance of “cyber-securing” critical infrastructure for policymakers to take away, said Mercuri, founding president of New Jersey-based Notable Software, Inc.
She was among more than 50 researchers and senior executives who networked and exchanged ideas in the Jan. 8 Forum on Financial Information Systems and Cybersecurity: A Public Policy Perspective, co-hosted by the University of Maryland’s School of Public Policy and Robert H. Smith School of Business.
Mercuri delivered the Ira H. Shapiro Memorial Lecture as part of the 10th annual event held in Van Munching Hall.
“Rebecca Mercuri’s session reinforced the high caliber of presentations and discussions at the 2014 Cybersecurity Forum,” said Lawrence Gordon, Smith’s EY Alumni Professor of Managerial Accounting, who coordinated the forum along with Martin Loeb, professor of accounting and information assurance and Deloitte and Touche LLP Faculty Fellow, and William Lucyshyn, director of research and senior research scholar for the Center for Public Policy and Private Enterprise in the School of Public Policy.
“The mixture of senior executives from private businesses and government agencies, as well as academicians from a variety of major universities, created a setting for stimulating discussions concerning President Obama’s ‘Improving Critical Infrastructure Cybersecurity’ Executive Order 13636,” Gordon said.
Mercuri said HealthCare.gov should have been prioritized as a “critical infrastructure” as defined by the Department of Homeland Security (DHS), with “security as a built-in feature, instead of as an add-on.” The designation would have been justified, she said, by a Centers for Medicare and Medicaid Service memo warning of security risks just weeks ahead of launch.
She said the website's structure and design also would have merited a higher level of cybersecurity. “The way they divided the processing tasks, the user's computer is used for over 50 programs. So, the transfer of data between the person logging on and the main servers is basically killing the system,” said Mercuri, citing other experts' analysis.
The apparent collective shortcomings led Mercuri to metaphorically reference the 1986 Space Shuttle Challenger disaster: “A delayed launch is much better than letting something blow up.”
Earlier topics of discussion in the forum ranged from cyber insurance and trade policy to education initiatives and Internet security. “This year's speakers delivered an especially rich and diverse set of perspectives,” said Loeb.
The other presentations and idea-sharing included:
- FBI Supervisory Special Agent Daniel Gray’s insight into the way hackers rely on psychology expertise -- more than technical skills -- to manipulate user behavior to infiltrate individual and network systems. “There are banks and financial organizations that still do not separate their operational (executing financial transactions) systems from their communication (email, Web access) systems. It’s a huge risk.”
- Rand Corporation Policy Researcher Sasha Romanosky’s recommendation of cyber insurance (“a fairly robust” $1.3 billion industry that grew by 33 percent from 2011-2012) as a wise investment for larger companies
- University of Michigan professor Mingyan Liu’s “Building a global network reputation system: classification and community detection of network-level malicious activities”
- “Cyber Policy: Keys for a global interoperable, secure Internet” by Adam Golodner, Cisco’s director of global security and tech policy
- “DHS’ role in cyber security research, education and innovation” by Douglas Maughan, director of the DHS cyber security division
- UMD Associate Professor of Reliability Engineering Michel Cukier’s overview of the university’s groundbreaking honors program in cyber security, ACES, which he directs
- Insight into cyber security implications for global trade and related policy from Allan Friedman, representing George Washington University’s Cybersecurity Policy and Research Institute
“The presenters reaffirmed our belief that the nation’s critical infrastructure cyber security challenges will require a collaborative response from the public and private sectors -- a true public-private partnership,” said Lucyshyn. “These have been the focus of our center’s research since its inception.”
In welcoming remarks, Smith School Dean Alex Triantis said the forum’s decade-long run indicates Gordon, Loeb and Lucyshyn were “far ahead of the game” in developing a forum promoting discussion of cyber security. “It exemplifies the way Smith faculty are at the forefront in their research areas, and connecting with government and practice to make sure our thought leadership gets out into the community,” Triantis said.
Gordon and Loeb developed the industry-renowned Gordon-Loeb Model for investing in cost-effective cybersecurity systems.
Along with Lucyshyn, they have garnered major research grants, including a recent $660,000 Department of Homeland Security grant to extend the Gordon-Loeb Model to help private sector firms improve their decisions regarding cyber security investments.