February 2009
University of Washington

Decades after the genesis of the Internet, cybersecurity experts like the University of Washington’s Barbara Endicott-Popovsky realize there is still much work to be done in order to combat what she calls the “unintended consequences” of networking technology.

“The Internet itself was designed over 40 years ago to be a trusted community for just a few people: researchers and the military. And all the sudden, we commercialize it in the mid-'90s and we made it do things it was never designed to do,” Endicott-Popovsky explained. “And this is when things break, when you make them do things that they weren’t designed to do.”

Endicott-Popovsky is the director for the Center of Information Assurance and Cybersecurity at UW, designated by the National Security Agency as a Center for Academic Excellence in Information Assurance Education. She is also a senior lecturer with the Information School (iSchool). Before working at the University of Washington, Endicott-Popovsky held executive and consulting positions in IT architecture and project management.

She first noticed a growing need for increased cybersecurity measures in the mid-1990s, long before most of us were aware of potential problems.

“The issue of security was looming in the background, but my customers weren’t addressing it,” said Endicott-Popovsky, who ran her own consulting business at the time. “I could see that we were headed toward rapid embracement of technology without thinking of the unintended consequences. And yet at the time, there were such huge productivity savings that my clients didn’t want to hear the negative.”

This juncture marked a major shift in computing as more systems became networked.

“It used to be, computer security was pretty simple,” said Endicott-Popovsky. “You had a big mainframe, it wasn’t wired to anything else, you had cipher-locked doors, you knew who was able to get in and who was able to get out. But once you start wiring things up, every node in the network, every wire, every bit of equipment, cabling, becomes a point of vulnerability.”

The potential risks and societal implications intrigued Endicott-Popovsky, who later furthered her education by earning a Ph.D. in Computer Science/Computer Security from the University of Idaho.

Endicott-Popovsky believes the answers to today’s cybersecurity conundrums lie in education, not only for society as a whole, but also for those designing the technology of the future.

“This is why I started that television series, the ‘Unintended Consequences of the Information Age.’ Because this is happening all over – we are challenging our infrastructure. And nothing gets that across as well as a video.”

This series of videos available through UWTV explores the vulnerabilities of our online infrastructure systems, privacy laws, Internet crime and other issues.

But there are many more aspects to the problem, including those seemingly innocuous online activities many of us engage in on a daily basis.

Downloading music through the Internet is one such example.

“Here’s the issue with illegal downloads: On those servers, bad guys know that that’s a good place to infect Web pages. All you have to do is open your browser, and you open yourself up to whatever information is there, and unbeknownst to you, Trojans are being downloaded on your machine,” explained Endicott-Popovsky.

Such risky practices can be damaging not only on a personal level, but systemwide. The first few weeks of every school year, networks at the University of Washington are stressed by illegal downloading and its undesirable side effects.

“I just would like young people to understand the unintended consequences and maybe the impacts on artists, maybe the impacts on the music scene,” Endicott-Popovsky said. “I think it would be helpful for people who are downloading illegally to at least be aware that when they go out into these illegal servers, they need to understand that they could be downloading other things that could infect their machines.”

The problem is much more pervasive than most people likely realize.

“It used to be that malicious kids would put viruses on your machine that would wipe out your system, do bad things and cause you loss of data. That’s not the big deal anymore,” Endicott-Popovsky explained. “They don’t want you to die, they don’t want you to know that they’re on your system.

“The FBI estimates that 75 percent of all PCs are infected. When your browser kisses a Web site and downloads music, they could be downloading a Trojan program that sits in the background, that doesn’t disturb you, doesn’t even let you know it’s there, but it uses your idle cycles to spam.”

Most people are aware of the risks of identity theft. We’ve all heard about the hassles of stolen credit cards, unauthorized purchases and damage to our credit scores. But the Internet can facilitate financial identity theft as well as medical identity theft.

“There have been incidences where medical identity has been stolen, and years of medical services racked up against them,” Endicott-Popovsky said.

A U.S. Department of Health and Human Services report released in January emphasized the importance of preventing medical identity theft. This issue will become increasingly critical as more and more medical records are transferred to new online systems. Among the dangers associated with this crime is the potential harm to patients who receive treatment and medications based on false information.

“In terms of having your identity stolen, the best thing you can do is keep a low profile on the Internet,” Endicott-Popovsky advised. “I know that’s hard for people. I understand everybody likes their social networks. But whatever’s out there is accessible, even if you lock it down. If you’re putting information out on the Web, think twice: Do you want the world to know this information?”

She also advises that with a little prudence and precaution, you can make it more difficult for an Internet predator to compromise your information. The Federal Trade Commission offers plenty of advice on this matter.

While caution may be key for the end user, designers must consider security as they create new technology systems and software.

“I’m hopeful that we begin to design things with security in mind from the very beginning,” Endicott-Popovsky said. “One goal that I have in my programs that I teach is to raise awareness of the ubiquitousness of the problem.”

Students at UW are already becoming a part of this shift toward proactively implementing security measures.

“We’re integrating secure coding practices now with our computer science classes,” Endicott-Popovsky explained. “So you’re starting to see it seeping in from the get-go, whereas it used to be you’d teach those things after they learned everything else.”

Endicott-Popovsky has no doubt that the UW’s Center of Information Assurance and Cybersecurity will continue to be a leader in ongoing cybersecurity efforts.

“We’re looking to establish several research directions that we can build on,” she said. “We’re looking at information assurance in the supply chain, we’re looking at security in virtual worlds, we’re looking at calibration of digital forensic tools."

She also envisions new partnerships with on-campus departments and centers in need of information assurance engineered solutions. The CIAC is also working with a national expert on the legal issues of cybersecurity, and with Microsoft’s Trustworthy Computing sector. A new certificate program will educate students about cloud computing.

Changing the way both designers and users think about cybersecurity is bound to create safer computing environments in the future. But Endicott-Popovsky concedes there will never be a complete cure for this conundrum.

“There is no 100 percent secure system,” she said. “You can have a technologically secure system, but you still rely on individuals to maintain it, to upgrade it, to implement it properly. The weakest link is always the people and the processes and the procedures.”

For more information about Insider features, contact Erin Lodi at erinlodi@u.washington.edu.


To receive stories like this one every month, sign up for the free UWTV newsletter.
Contact UWTV: 888-616-UWTV or e-mail us Copyright © UWTV, 2009. All Rights Reserved.