Among U.S. Army branches, Infantry, Special Forces and Corps of Engineers are household names. Perhaps “Cyber,” the newest branch, is approaching such status. “We look to do partnerships in how to secure our nation in a cyberattack, based on the reality that targeted attacks can deny or disrupt critical services at the local or city level and reverberate outward," said one of the branch’s leaders, Col. Andrew Hall, in describing the initiative to about 60 cyber and policy experts representing academia, business and government and coming from as far away as Houston, Toronto and Taiwan.
The group was gathered in Van Munching Hall on January 8, 2020, for the annual Forum on Financial Information Systems and Cybersecurity: A Public Policy. The event, in its 16th year, is co-hosted by the Robert H. Smith School of Business and the School of Public Policy at the University of Maryland. The forum is organized by Lawrence A. Gordon, EY Alumni Professor of Managerial Accounting and Information Assurance; Martin Loeb, professor of accounting and information assurance and a Deloitte & Touche Faculty Fellow; and William Lucyshyn, research professor and the director of research at the Center for Public Policy and Private Enterprise.
This year’s event featured Hall, an infantry officer-turned-researcher/professor at West Point Military Academy. He has applied his 2009 PhD degree in management science from Maryland Smith to directing the Army Cyber Institute (ACI) at West Point.
The work of ACI – a multi-disciplinary 70-person think tank and research group – feeds into the Department of Defense and private sector partners, such as Cisco. The latter has used ACI’s work, for example, as a basis for illustrating cyberattack vulnerabilities in a series of graphic novels, or cyber comic books.
Moreover, said Hall, ACI is a government vehicle for initiating “problem-solving from the top” by producing cybersecurity research and expertise and making it actionable through organizing and preparing response teams via public-private-sector collaboration in localized settings – “where the rubber meets the road.”
Hall’s team introduced such framework in 2016 in a workshop in New York City known as “Jack Voltaic.” It significantly required interactions between technicians and emergency response leaders, Hall said. Participants included representatives of Citigroup plus personnel from FDNY and NYPD and New York City’s Emergency Management, Information Technology and Environmental Protection departments. The ACI-designed exercise involved computing with technicians in a virtual environment defending against an opposing “red team’s live-fire.” Plus, a “tabletop” component engaged senior leaders from the emergency response community, water supply, utilities, banking, telecommunication, health, and transportation.
A second iteration, Jack Voltaic 2.0, was in Houston in 2018. During preparation, Hurricane Harvey hit the city. “But instead of postponing the workshop, Houston’s mayor said, ‘Let’s shift it.’ So, we did the exercise in Houston’s 911 Emergency Control Center. And the people sitting at the tables were the same people that had just responded to [the hurricane].” The circumstances demonstrated to the participants how cyber defense should be approached similarly to natural disasters, Hall added. “A cyber attacker and mother nature are very similar in that neither really cares about artificial boundaries between sectors.”
The next Jack Voltaic exercise, in February 2020, is more regional, focusing on maritime critical infrastructure in port cities from Charleston, South Carolina, to Savannah, Georgia. It’s also part of a broader exercise, Defender 2020, simulating rapid, U.S.-to-Europe deployment of Army units.
In a broader sense, Hall said, the Jack Voltaire series is “demonstrating how the Army’s planning culture can empower local communities. Among the five military branches, we are the biggest planners."
Preceding Hall in the cybersecurity forum, Rebecca Mercuri, Notable Software, Inc., founder and digital forensics expert, critiqued “risk-limiting auditing.” Recently introduced for U.S. elections and mandated in four states, the method is based on checking a limited number of voted paper ballots or voter-verifiable paper records to help ensure the accuracy of reported outcomes. Contests with a wide margin can be audited with very few ballots, freeing up resources for auditing closer contests. Closer elections generally entail checking more ballots.
However, the method isn’t good for detecting dispersed fraud, said Mercuri, adding: “The intention of the risk-limiting audit is essentially to avoid counting a full set of paper ballots.”
Among better solutions, she said, is “barcodes” – “similar to how they are used on lottery tickets, which are so much more secure than any ballot…It’s not like this is rocket science. We know how to print out little pieces of paper and secure the data on them. We could print out the ballots and they could be scanned.”
The forum’s closing speaker, University of Illinois Professor A. Rashad Abdel-Khalik, gave the keynote Ira H. Shapiro Memorial Lecture titled “Rich Soft Spots for Breaching Security.” Abdel-Khalik is an internationally renowned accounting scholar who has served as Senior Editor of The Accounting Review, and, since 1982, serves as Editor of The International Journal of Accounting. Using the case of over-the-counter financial derivatives, he provided historical examples demonstrating the “enormous financial risk” associated with poor internal controls in today’s computer networked environment.
Among additional presentations, including by luncheon speaker Sherri Ramsay (cybersecurity consultant and former director of the National Security Agency Threat Operations Center), the forum featured:
- “Digital Insider Trading: Hacking for Illegal Profits” by Jonathan Jona, assistant professor, Tulane University
- “Evolution of Insider Threat Via Pre-Incident Data Analysis” by Melissa Vice, COO of the Vulnerability Disclosure Program, Department of Defense Cyber Crime Center
- "Quantitative Issues in Cyber Insurance" by Fariborz Farahmand, senior research faculty, Georgia Institute of Technology
- “Consumer Financial Protection Bureau: Equifax Data Breach Settlement” by Jenelle Dennis, senior litigation counsel, Consumer Financial Protection Bureau (CFPB) and Richa Dasgupta, assistant litigation deputy, CFPB
- “Crypto, FinTech and Financial Security” by John Bagby, professor emeritus, College of Information Sciences and Technology, Penn State University
When Gordon, Loeb and Lucyshyn launched the event 16 years ago, cybersecurity was considered esoteric, said Loeb. “A key element to the forum’s enduring success since its founding has been the ability to attract audience members, as well as speakers that have great expertise and passion about cybersecurity.”
In summing up the most recent forum, Gordon said, “It is gratifying to see that what we started 16 years ago has grown into an internationally known interdisciplinary forum, attracting experts from academia, business and government. We definitely were ahead of the curve in this area.”