Battling Cybercrime

MIT Tackles A Global Challenge

Cybersecurity is a topic that regularly frustrates executives and government officials. They spend inordinate time and worry trying to protect their data, yet on balance, it’s a losing battle. Nearly two-thirds of Americans say they’ve had digitized personal information stolen, according to a recent survey by Pew Research Center, and few have confidence in companies or the federal government to protect them.

Sophisticated phishing schemes, ransomware, state-sponsored hacking, and the like certainly contribute to this maddening struggle. But at the heart of the problem is a simple fact: “People tend to think cybersecurity is solely a technology problem,” says MIT Sloan’s Stuart Madnick, the John Norris Maguire (1960) Professor of Information Technology and academic director of MIT Sloan’s Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity, also known as (IC)³.

Stuart Madnick

Instead, “cybersecurity issues are multi-faceted, much like a multi-headed hydra,” says Madnick, “so they need to be addressed in a multi-disciplinary manner—which is one of MIT’s great strengths.” Consider a ransomware attack that effectively locks up an organization’s data and systems. On the surface, this problem—which many hospitals have faced in the past year—is a technical one: Can the data be unlocked, and how fast? But embedded within it is a host of management problems, as well, including decisions about whether to pay the ransom, how the organization should operate if its data remains locked, and whether new policies are required to respond to similar issues in the future.

To achieve a more holistic approach to cybersecurity, Madnick and other MIT Sloan faculty are increasingly collaborating internally and across the MIT campus, with the goal of getting ahead of the real-world problems that keep executives and political leaders up at night. Research topics range from the governance of the internet to global trade policies for cyber-risky internet-enabled devices to new approaches for calculating the costs and benefits of cybersecurity investments.

“Cybersecurity has technical, trade, and policy implications, along with the managerial ones. If you can’t bring together all those forces, you can only launch a partial attack,” says Madnick.

And MIT Sloan is exactly the right place to combine such forces. With a rich history of collaboration across the campus, “the ability to bring world-class technology and engineering resources to address managerial problems is unparalleled,” says Madnick. Plus, cybersecurity is increasingly rising to the level of being the type of “really hard problem” that MIT exists to overcome. “This sits right in the center of our mission to make the world a better and safer place.”

Who’s The Boss?

A big question anchoring a major strand of MIT Sloan research collaboration is: Who exactly is in charge of cyberspace? Who is policing its borders, and who is to blame when things go wrong? While each country may have its own policies and governance for the internet, there is little coordination among them. And many elements of cyberspace transcend existing country borders: The undersea cables that carry nearly all internet traffic crisscross the globe, for example.

“Existing law is attached to countries, but the internet is not just about countries,” notes Nazli Choucri, an MIT professor of political science, who is currently working with Madnick to examine what new structures or rules the boundless world of cyberspace might require. In her view, cyberspace will require a new set of laws, as well as new transnational institutions to govern it. And that has major implications for company decision making, since “country-level issues and consequences are inexorably woven with company-level issues and consequences,” says Madnick.

Nazli Choucri

So far, though, countries don’t typically even share information about when or how often they’ve been hacked, much less discuss how to band together against such attacks. “Often, we don’t agree across countries on how to define cybersecurity or incidences of cyberattacks,” Choucri says. “On the obvious issues, governments across the world do not willingly share information, and neither do international institutions that are presumably above the fray.”

That’s the bad news. But Choucri’s work with Madnick seeks to catalogue existing practices and move forward with a framework and standards that would make it easier for sharing to occur. Improving cybersecurity information sharing will actually improve cybersecurity, their research proposal notes.

“We are seriously lagging in basic interaction,” says Choucri. “As a result, we may be creating serious opportunity costs—for all.” In hopes of broadening the perspectives of the next generation of leaders, Choucri and Madnick co-taught a cybersecurity course last semester that featured a variety of guest speakers, such as researchers from the MIT Center for International Studies within the Political Science department, the Internet Policy Research Initiative (IPRI), and Cybersecurity@CSAIL, an initiative within the Computer Science and Artificial Intelligence Lab. This course was crosslisted in both MIT Sloan and the Political Science department. “We’re teaching cybersecurity from both a geopolitical point of view and from a business point of view, then including fundamentals like the architecture of the current internet,” says Choucri. “Those three sides are all closely interwoven; you really can’t untangle them.”

Meanwhile, IPRI is a cross-MIT research initiative that is examining related themes. “Our goal at IPRI is to develop technically grounded internet public policy options for governments around the world,” says IPRI founding director Daniel J. Weitzner, former U.S. Deputy Chief Technology Officer for Internet Policy in the White House. With faculty leadership from MIT Sloan as well as departments such as Political Science, EECS, Sociology, and Anthropology, research in IPRI spans policy aspects of encryption, protecting critical infrastructure, privacy, network architecture, and machine understanding. Related materials, in particular case studies that explored the questions arising from the conflict between Apple and the FBI over access, were used in MIT Sloan’s module on the ethics of cybersecurity.

Eyes Everywhere

Against the backdrop of such a big-picture, systemic investigation into the internet, an emerging project within MIT Sloan is looking at what it means to have the power of the internet embedded in small devices throughout our lives.

The Internet of Things—the catchphrase for the rapidly growing class of internet-enabled devices such as smart TVs and self-driving cars—is largely known for its convenience factor. According to leading economist Simon Johnson, PhD ’89, however, it is a threat to global trade and national security. Together with Madnick, Johnson—the Ronald A. Kurtz (1954) Professor of Entrepreneurship and professor of global economics and management at MIT Sloan—is investigating how governments are handling, and should handle, imports of items that could ultimately be a conduit for harming their citizens.

Simon Johnson

While it may sound far-fetched, some governments are already dealing with such concerns. Since 2012, for example, the U.S. Congress has urged U.S. telecommunications companies not to purchase network equipment from two Chinese companies, Huawei and ZTE, for fear that the hardware could funnel intelligence back to China. On the flip side, this year Germany banned an interactive toy made by U.S.-based Genesis Toys, My Friend Cayla, on the grounds that the doll’s internal camera could be used to spy on its citizens.

“These are harbingers,” said Johnson, of a scenario in which countries, by attempting to block the potential for international spying via internet-enabled devices, could force global trade to grind to a halt. That’s because as the scope of products with internet connections extends to such common items as toothbrushes, such restrictions could effectively cover the majority of products—except perhaps bricks, Madnick remarks.

While the research is still in its formative stages, one of the project’s aims is to create a framework that policymakers could use in constructing treaties with foreign governments. For governments, “the question is who trusts us and whom do we trust, in terms of what may be embedded in electronics—or really anything that has any kind of electrical element,” says Johnson. The follow-on question is “Can you converge on some type of standards?” so that trade can continue flowing despite the malicious potential of some items.

Johnson and Madnick are hoping that large multinational companies will play a prominent role in the research, and welcome feedback from them. A major open question is whether standards should cover companies as entities or simply individual product lines. “If you trust Apple, does that mean anything they produce is fine?” Johnson asks. Companies will also have to decide how to respond to the fact that governments appear increasingly able to work around their security measures in order to, say, unlock phones of those involved in crimes, or listen in on cellphone conversations for signs of suspicious behavior.

New Math, Timeless Problems

Yet another dimension of narrow thinking around cybersecurity is the impulse to underinvest in defensive measures, since it’s difficult to measure how effective any given level of spending is. “There are about 100 well-known ways you can improve your cybersecurity, and if everyone did all of them, we’d probably improve quite a bit,” says Jerrold Grochow, an MIT Sloan PhD who was formerly MIT’s vice president of information systems and technology, and is now a research affiliate with MIT Sloan and the (IC)³ initiative.

“The problem is that these measures cost money, and it’s not a one-time thing; you have to constantly maintain them.” Grochow is now working on an economic model that would make such management decisions more straightforward. “We’re unlikely to get to something as simple as a return-on-investment calculation that people can specify with absolute certainty, but I think we can get to some calculations that say, ‘If you think a cyber event is no more or less likely to happen every N years, then you should be spending X amount of money because the payoff is Y,’” he says.

Part of that effort involves collecting data from companies to compare spending trends with breaches at different organizations. At the same time, Grochow and others, including Madnick and principal research scientist Michael Siegel, are proposing to use MIT as a laboratory to test the effectiveness of one generally accepted security practice: two-factor authentication, in which users must present a combination of evidence such as a password and a code texted to their smartphone to gain access. Two-factor authentication was recently mandated on campus, and Grochow is hoping to collect data that would one day allow a security professional to predict the percentage drop in data breaches as a result of implementing it. Overall, “the point is to quantify how effective some of these common practices are and balance that against the cost,” he says.
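The spend-versus-payoff reasoning Grochow describes, and the before/after comparison planned for the campus two-factor mandate, can be made concrete with the standard annualized-loss-expectancy arithmetic. The following Python is an added illustration and is not the model Grochow, Madnick and Siegel are building; the recurrence interval N, the per-event loss, the control's effectiveness, its annual cost and the trial breach counts are all constructed numbers chosen only to exercise the calculation.

```python
# Added illustration of the spend-versus-payoff reasoning described in the article.
# This is NOT the model described on the page; it uses the standard
# annualized-loss-expectancy arithmetic with constructed (hypothetical) numbers.
from dataclasses import dataclass


@dataclass(frozen=True)
class ControlCase:
    """Inputs for one defensive measure under consideration (all hypothetical)."""
    recurrence_years: float   # N: one damaging event expected every N years
    loss_per_event: float     # expected cost of a single event, in dollars
    effectiveness: float      # fraction of events the measure is believed to prevent (0..1)
    annual_cost: float        # X: yearly cost to deploy and keep maintaining the measure


def annual_rate(recurrence_years: float) -> float:
    """Annualized rate of occurrence: an event every N years is 1/N events per year."""
    if recurrence_years <= 0:
        raise ValueError("recurrence interval must be a positive number of years")
    return 1.0 / recurrence_years


def annualized_loss(recurrence_years: float, loss_per_event: float) -> float:
    """Expected loss per year before any control: rate times cost per event."""
    return annual_rate(recurrence_years) * loss_per_event


def max_worthwhile_spend(case: ControlCase) -> float:
    """Largest annual spend X at which the measure still pays for itself.

    Spending more than the loss the measure is expected to avoid is a net loss,
    and the measure has to be paid for every year, not once.
    """
    return annualized_loss(case.recurrence_years, case.loss_per_event) * case.effectiveness


def evaluate(case: ControlCase) -> dict:
    """Expected yearly loss with and without the measure, and the net payoff Y."""
    if not 0.0 <= case.effectiveness <= 1.0:
        raise ValueError("effectiveness must lie between 0 and 1")
    before = annualized_loss(case.recurrence_years, case.loss_per_event)
    after = before * (1.0 - case.effectiveness)
    avoided = before - after
    return {
        "expected_loss_before": before,
        "expected_loss_after": after,
        "expected_loss_avoided": avoided,
        "net_payoff": avoided - case.annual_cost,
        "worth_doing": avoided >= case.annual_cost,
    }


def effectiveness_from_trial(breaches_before: int, months_before: int,
                             breaches_after: int, months_after: int) -> float:
    """Estimate a control's effectiveness from breach counts before and after rollout.

    Rates are normalized per month so the two observation windows need not be
    the same length. A worse-than-baseline period is clamped to 0 ("no measured
    benefit") rather than reported as a negative effectiveness.
    """
    if breaches_before <= 0 or months_before <= 0 or months_after <= 0:
        raise ValueError("need a positive baseline breach count and positive windows")
    rate_before = breaches_before / months_before
    rate_after = breaches_after / months_after
    return max(0.0, 1.0 - rate_after / rate_before)


if __name__ == "__main__":
    # Constructed numbers: an event every 5 years costing $2M, a control that
    # prevents 60% of events and costs $150k per year to run.
    case = ControlCase(recurrence_years=5, loss_per_event=2_000_000,
                       effectiveness=0.6, annual_cost=150_000)
    print(evaluate(case))
    print("max worthwhile annual spend:", max_worthwhile_spend(case))
    # Constructed trial: 40 breaches in 24 months before rollout, 12 in 24 months after.
    print("measured effectiveness:", effectiveness_from_trial(40, 24, 12, 24))
```

With the constructed inputs the expected loss falls from $400,000 to $160,000 a year, so the control avoids $240,000 and nets $90,000 after its own cost; the same $240,000 is the most that is worth spending on it annually. The trial helper turns the kind of before/after breach counts the article hopes to collect into the effectiveness figure the first model consumes.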

The Price Of Human Nature

Incorporated in these calculations, however, is a growing effort to understand how the so-called “human factor” can undercut pricey defense systems. In recent years, it’s become clear that no matter how good firewalls and virus protection software may be, people often make mistakes that allow cyberattackers easy entrance. For example, phishing schemes—in which attackers send emails posing as someone well known to the recipient—have been highly successful in convincing people to give up passwords, bank account information, and other sensitive data with almost no coercion.

One recent example—the May 2017 “WannaCry” attack—impacted over 200,000 computers in thousands of corporations in over 100 countries within hours.

In other situations, human efforts to cope with the complexity of security measures make them more vulnerable to attack. Catherine Tucker, Sloan Distinguished Professor of Management and professor of marketing, found that the number of publicized data breaches actually increased after organizations implemented encryption technology, based on a study of hospitals published in 2011.

Other studies have shown that mandating frequent password changes can be counterproductive. The reason? Faced with hard-to-remember passwords, employees often resort to shortcuts that make it easier for thieves to enter, such as writing passwords on sticky notes, Tucker and co-author Amalia Miller of the University of Virginia hypothesized. Pew research backs this up: 49 percent of respondents admitted to writing down passwords to help remember them.

The upside of human error issues is that they don’t always require high-priced tools to fix. “There are a lot of small behavioral things organizations can do that help a lot,” says Grochow. For his part, he asked all of his employees to add a line to their email signature saying “No one in our department will ever ask you for your password” when he headed information systems and technology for MIT. “That meant that hundreds of people saw that message multiple times every day—an easy and effective way to get the point across and affect behavior,” he adds.

Cyberinsurance

MIT has been asked by the Geneva Association, the major insurance think tank, to explore the opportunities and challenges of cyberinsurance. Madnick is working with the Boston Consulting Group and with researchers such as Howard Shrobe in CSAIL on technologies to reduce risks. Choucri is studying government regulations and how they may even be in conflict for multi-national operations, and other colleagues at MIT Sloan are examining better ways to measure risk, especially for rare potential catastrophes.

A Tipping Point

Will cybersecurity still be an issue that keeps executives up at night 10 years from now? Most likely, yes. “The good guys are getting better, but the bad guys are getting badder faster,” says Madnick. But armed with better data, smarter networks, and a more holistic view of how to protect themselves, executives may be able to get back to sleep faster.