UNIVERSITY OF MARYLAND UNIVERSITY COLLEGE | SPRING 2013
UNLOCKING THE SECRETS OF CYBERSECURITY www.umuc.edu | 1 | Achiever
CONTENTS
Cover Story
Unlocking the Secrets of Cybersecurity, by Gil Klein
Industry experts discuss the challenges of hacking, tracking, and attacking in a virtual world.
State of Emergency? by Lt. Gen. Harry Raduege (USAF, Ret.)
Big Data: Dream or Potential Nightmare? by Mark Gerencser
Cyberdefense: A Retrospective, by Lt. Gen. John Campbell (USAF, Ret.)
UMUC and Cybersecurity, by Greg von Lehmen
Features
Maryland, My CyberMaryland, by Bob Ludwig
The Old Line State is the epicenter of a new industry.
Team Padawan, by Kathy Harvatt
UMUC students, alumni, and faculty are making waves in the world of cybersecurity competitions.
News and Updates
Matthew Senna Named NCO of the Year
New UMUC President Javier Miyares Shares His Vision
UMUC at Quantico Opens in Northern Virginia
UMUC Forges Educational Alliances with AT&T, Smithsonian
Presidential Debate Moderators, Koppel Headline The Kalb Report
Back of the Book
Class Notes
Faculty Kudos
MESSAGE FROM THE GOVERNOR OF MARYLAND
Dear Friend: Welcome to a very special issue of UMUC’s Achiever magazine that focuses on cybersecurity and showcases a roundtable discussion by some of the industry’s leading minds. I am especially proud that this important discussion was sponsored by one of Maryland’s many fine public institutions.
In 2010, the Maryland Department of Business & Economic Development issued a report entitled, “CyberMaryland: Epicenter for Information Security & Innovation.” In that report, I outlined how Maryland would respond to President Barack Obama’s call to defend and protect our nation’s information networks. Education represents a key component of the CyberMaryland initiative, and UMUC deserves highest praise for recognizing and responding to the critical workforce need for trained professionals in the field. The same year the CyberMaryland report was released, UMUC rolled out a comprehensive new online curriculum for degree programs in cybersecurity and cybersecurity policy. The response from students and employers alike was immediate and overwhelming, and today, more than 5,200 students are enrolled and 232 have already graduated.
These men and women are vital to the large and growing pool of resources that support and protect this nation’s online infrastructure. Not only is Maryland home to the National Security Agency and the U.S. Cyber Command at Ft. Meade, but Lockheed Martin, Northrop Grumman Electronic Systems, and the Defense Information Systems Agency represent just a few of the major players in cybersecurity that are headquartered in Maryland. I am proud to count UMUC among those resources.
Not only do representatives from UMUC staff the Maryland Commission on Cybersecurity Innovation and Excellence, UMUC cybersecurity students, alumni, and faculty have also done Maryland proud, distinguishing themselves in national and international cyber competitions. One team, the Cyber Padawans, won gold at the North American CyberLympics, then went on to a second-place finish at the Global CyberLympics, besting more than 200 competitors worldwide. More recently, they took third at the Department of Defense’s Digital Forensics Challenge, and at the state level, earned first- and second-place honors in the four-year college category at the Maryland Digital Forensics Investigation Challenge, also sponsored by the Department of Defense Cyber Crime Center.
In short, it is an exciting time for cybersecurity, for the state of Maryland, and for UMUC, and I hope you find this issue of Achiever as important and thought-provoking as I do. There is no subject more worthy of attention in our 21st-century world.
Sincerely,
COVER AND TABLE OF CONTENTS ILLUSTRATION BY ADAM NIKLEWICZ; FROM TOP: PHOTOGRAPH BY SAM HURD; ILLUSTRATION BY JOHN RITTER; PHOTOGRAPH BY MATTHEW PRICE
Martin O’Malley
Governor
President: Javier Miyares
Senior Vice President, Communications, and Executive Editor: Michael Freedman
Associate Vice President, Communications: Heather Date
Editor: Chip Cassano
Art Director and Photo Editor: Cynthia Friedman
Contributing Writers: Kathy Harvatt, Gil Klein, Bob Ludwig
Production Manager: Bill Voltaggio
Director, Client Services: Donna Grove
Call 301-985-7200 with comments and suggestions, or e-mail chip.cassano@umuc.edu. University of Maryland University College subscribes to a policy of equal education and employment opportunities.
Eco box. Paper requirements: 22,488 lbs. Using this combination of papers saves the following: Trees: 24. Total energy: 10,000,000 BTUs. Purchased energy: 1,000,000 BTUs. Greenhouse gases: 2,462 CO2. Wastewater: 11,100 gallons. Solid waste: 704 lbs. Environmental impact estimates were made using the Environmental Defense Paper Calculator. FSC® is not responsible for any calculations on saving resources by choosing this paper. Achiever text pages are printed on forest-friendly Centura Silk Text and Centura Silk Cover FSC® paper.
NEWS & UPDATES
UMUC Student Named 2012 U.S. Army Noncommissioned Officer of the Year
UMUC congratulates Staff Sgt. Matthew Senna, who won the 2012 U.S. Army Noncommissioned Officer of the Year award after competing against some of the Army’s top soldiers for four days in the Best Warrior competition. The award was announced at a special ceremony on October 22, 2012, in Washington, D.C.
“It was truly humbling and an incredible honor,” said Senna, an infantryman with Bravo Company, 7th Army NCO Academy in Grafenwoehr, Germany. The Sacramento, California, native recently completed his associate’s degree from UMUC and plans to pursue a bachelor’s degree in criminal justice. He credited higher education with helping prepare him for the Best Warrior competition, which added a new component this year—mental toughness—that tested cognitive and creative thinking abilities.
“Part of the reason . . . I got here is my education with UMUC,” Senna said. “We had to take written examinations and write essays, and that experience and practice is what led me to where I am.” The sacrifice needed to pursue higher education is well worth it, he added. “In this time where the Army is changing, . . . getting an education will help you get promoted and also increase your ability to be a critical and adaptive thinker and an exceptional leader.”
Many UMUC students credit family members with helping them maintain focus as they juggle classwork with careers or military responsibilities. Senna is no exception, and his wife, Danielle—who is herself a criminal justice major at UMUC—helped him prepare for the competition. “It’s the same thing we do before our exams at UMUC,” said Senna. “We work together, quiz each other, and collaborate.”
At the awards ceremony, when it was announced that Senna had taken top honors, Danielle couldn’t hide her excitement. “They could hear me scream for joy from the back of the ballroom,” she said. “I know how hard he has worked, and I’m so proud.”
For his part, Senna—who was recently selected for promotion to Sergeant First Class—leads by example, encouraging other soldiers to make education a priority. “By taking a little bit of time and sacrificing, you can get a lot of stuff accomplished,” he said.
New UMUC President Javier Miyares Shares His Vision for the University
Citing what he termed a “revolution in higher education,” UMUC’s new president, Javier Miyares, told a global town hall meeting January 8 that to survive and thrive, the university must “innovate, innovate, innovate.” The year 2013 “will set the course of UMUC for a generation to come,” said Miyares, speaking at his first town hall meeting since his appointment as UMUC’s president in October 2012.
Speaking to faculty, staff, and students at UMUC’s Academic Center at Largo, in Maryland, and to a global audience viewing online, Miyares talked about the coming disruptive impact of technology on higher education. Yes, UMUC pioneered online education, but it cannot rest on that achievement, he said. Other universities, even the Ivy League, are now embracing online models. But online education “was simply the beginning,” he said. “Ten, 15 years from now, online education will be seen as a critical pivot point, but what we do today will seem primitive.” The university should not seek a final way to provide education, he said. “The day we think we have arrived at a model is the day we are doomed. Change is constant and you have to adjust to it.”
Higher education is “facing a perfect storm,” he said. Enrollments are leveling off or falling. State support is shrinking in many areas of the country while tuition increases have become unsustainable. More students come from families with limited incomes. There is now more student loan debt than credit card debt in America. So many students are overwhelmed with debt they question whether the cost of learning justifies the return in higher salaries. Many of UMUC’s direct competitors—for-profit universities aimed at adult learners—are seeing steep declines in enrollment. “In today’s world, a combination of access, cost, and quality represents the holy grail of higher education,” he said.
The need for higher education has never been greater, he said. The White House has set a goal that 55 percent of adults will have a college degree. The state of Maryland is counting on UMUC to expand its student population to meet that goal. The university should be open to anyone who “wants to take a shot at higher education,” he said. “UMUC will be the global leader in offering working adults access to high quality education at a low tuition rate. That is needed; that is what is expected of UMUC; that is where UMUC can prosper.”
But attracting more students is only one way to expand, he said. Just as important is retaining enrolled students until they graduate. And that, he said, will mean radical changes to improve teaching methods. Faculty can no longer write off those students who are trying but not succeeding, he said. Instead, we must ask, “What am I doing wrong that you cannot succeed?” That does not mean standards should be lowered, he said. It does mean that teaching practices must be improved.
Evidence-based research is developing technology to improve the learning process, he said, and UMUC must be in the forefront of embracing it so that a greater number of students succeed. In addition, he said, the university must constantly review its programs to ensure it is offering an education that is in demand by employers. For example, UMUC’s undergraduate and graduate programs in cybersecurity are preparing students for employers desperate for qualified personnel.
“If we don’t use our built-in advantage of a culture of 60 years of innovation, then shame on us,” he said. “I am not afraid of making mistakes. I believe if we don’t take risks, we will not succeed.” Disruptive technology has created scary times for higher education, he said. But it is also creating opportunities. “If anyone tells you they know what higher education will look like in 10 years, they are either lying or they are crazy,” he said. “Nobody knows. It will be institutions like us that will be developing that future. I find that very exciting.”
UMUC Opens New Academic Center at Quantico
UMUC at Quantico opened in September 2012, bringing the nation’s largest public university even closer for northern Virginia residents. The new academic center, located in the Quantico Corporate Center, began offering on-site classes in January 2013, focusing on in-demand undergraduate and graduate degree programs in technology, security, criminal justice, and management. Conveniently located in North Stafford, one mile from Quantico Marine Corps Base and near I-95, UMUC at Quantico offers students the benefits of a full-service academic center combined with UMUC’s digital resources and online course catalog.
UMUC at Quantico builds on UMUC’s rich history of serving military students that began in 1947 when UMUC first offered classes at the Pentagon. Today, more than half of the institution’s 97,000 students worldwide are active-duty servicemembers, reservists, veterans, or their family members. “UMUC at Quantico is yet another outstanding example of our profound commitment to military students,” said UMUC President Javier Miyares.
But UMUC at Quantico isn’t just for members of the military. The off-base location welcomes civilians, working professionals, and adult students from the surrounding community. UMUC has also streamlined the transfer process for students studying at nearby Germanna Community College and Northern Virginia Community College.
To meet the needs of the local workforce, UMUC at Quantico will offer undergraduate courses in cybersecurity, homeland security, and criminal justice, as well as graduate courses in business administration, management, and information technology. The university already offers student support services—such as advising, financial aid counseling, and testing—at 150 locations, including more than 30 in Maryland, D.C., and Virginia.
UMUC at Quantico comprises three classrooms, a computer lab with 30 stations, a conference space for special events, a student lounge with a kitchen, and a lobby with two additional computer stations and a reception area. Classes will be offered weekday evenings beginning at 6 p.m. “Our education coordinators are super advisors,” said Kevin Holmes, director of the new academic site. “They’re versed in counseling a vast variety of students, both military and non-military, on topics from admissions to transferring credits, registering, and exploring financial aid options.”
UMUC President Javier Miyares cuts the ribbon, formally opening UMUC at Quantico.
UMUC Forges Educational Alliances with AT&T, Smithsonian
UMUC forged education alliances with two icons of the private and public sectors—AT&T Inc. and the Smithsonian Institution—late in 2012. The agreement with AT&T offers its employees—and their spouses and dependents—the opportunity to complete degrees or pursue continuing education at UMUC. Under the two-year agreement, students who are not Maryland residents may also be eligible for significant discounts on out-of-state rates.
Under a similar agreement, Smithsonian employees can take individual courses or enroll in any of UMUC’s undergraduate and graduate programs, most of which are available fully online. Students enrolling in The Undergraduate School may be eligible to transfer credit from other institutions and may also be awarded credit for prior learning, if eligible under UMUC’s standard policies and procedures.
“This represents a significant step forward for the Smithsonian and its employees,” said James Douglas, the Smithsonian’s director of Human Resources. “For the first time, we have a broad-based educational partnership that provides our employees, and their families, the opportunity to continue their education in a wide range of fields, not just a few specific programs.”
“UMUC is pleased to sign these pioneering agreements with a global business leader like AT&T and with the Smithsonian Institution, an organization with its own proud history as one of the country’s great educational resources,” said UMUC Acting Provost Marie Cini. “These alliances fit well with our mission of providing quality higher education to working adults worldwide and build on our long tradition of helping to strengthen the federal workforce across the Washington, D.C., metropolitan region.”
Presidential Debate Moderators, Ted Koppel Headline The Kalb Report
LEFT TO RIGHT: Jim Lehrer, Martha Raddatz, Marvin Kalb, and Bob Schieffer.
Bob Schieffer, CBS senior correspondent and the moderator of the final presidential debate in 2012, looked out at the packed audience at the National Press Club and explained why the debates are more important than ever.
“The debates are the last political events that we have that you can get people from both sides to listen at the same time and watch at the same time,” Schieffer said. “Republicans will sit through listening to Barack Obama so they can hear what Mitt Romney has to say. And Democrats will do the same.” With politics so polarized and so many people getting their political news from sources with which they agree, he said, the debates are “the last event you can say that is true.”
In the first editions of the program since UMUC joined as sponsor and co-producer, The Kalb Report hosted moderators of the 2012 presidential debates on January 28, 2013, while on November 19, 2012, it featured ABC’s veteran newsman Ted Koppel, who discussed the quality of television news.
With CBS News legend Marvin Kalb asking the questions, the award-winning series is produced before a live audience at the National Press Club in Washington, D.C., and aired on public television stations across the country as well as by C-SPAN and SiriusXM Satellite Radio.
Jim Lehrer, of the PBS News Hour, moderated the first 2012 presidential debate and said that, while the debates may not change a lot of minds, they are “hugely important” because they are “confirming exercises” that rouse and rally voters. ABC’s Martha Raddatz, who moderated the vice presidential debate, said she didn’t ask “gotcha” questions that have been used in previous years because “you don’t want to look like a complete jerk.”
In an edition titled, “The Twilight of TV News: A Conversation with Ted Koppel on Democracy and the Press,” the ABC News veteran told Kalb, “When Americans finally realize how bad things are and what political straits our system is in, they will turn back to good journalism.” Information is so ubiquitous and travels so quickly now that without reliable sources of information, “the system collapses,” Koppel said.
The Kalb Report is produced jointly by UMUC and the National Press Club’s Journalism Institute with support from George Washington University, Harvard University, and the Philip Merrill College of Journalism at the University of Maryland, College Park. Now in its 19th season, the program is underwritten by a grant from the Ethics and Excellence in Journalism Foundation. To watch the programs in full, visit kalb.gwu.edu.
support tomorrow's cybersecurity leaders
“A career in the field of cybersecurity is a chance for me to join the fight against some of the most difficult challenges our society has faced since the Cold War. . . . This scholarship has enabled my participation in this program despite difficult economic circumstances, and I am looking forward to graduating in the spring of 2013.”
Copyright © 2013 University of Maryland University College
James Sobel (shown above) UMUC Graduate Student Sales Engineer, Molex Washington, D.C.
Invest in the nation's security. Today’s students are tomorrow’s leaders. Scholarship support is essential to ensure that highly trained cybersecurity professionals are available and prepared to keep our nation safe and secure. And your contribution will help fund these much-needed scholarships, enabling more students to continue their education. Support students like James and help tomorrow’s cybersecurity leaders achieve the educational credentials needed to protect our nation. Invest in the future of cybersecurity today.
Call Cathy Sweet, vice president, Institutional Advancement, at 301-985-7110 or visit umuc.edu/supportcyber.
Unlocking the Secrets of Cybersecurity
Industry experts discuss the challenges of hacking, tracking, and attacking in a virtual world.
BY GIL KLEIN
Shortly after Defense Secretary Leon Panetta warned of a “cyber Pearl Harbor,” three of University of Maryland University College’s top advisers on cybersecurity agreed that he was wrong. A cyber Pearl Harbor is not in our future, they said. It already happened—as long as 20 years ago.
Sneak attacks against the nation’s computer infrastructure occur daily—from personal identity theft, to “hacktivists” trashing targeted Web sites, to thieves stealing corporate secrets, to foreign agents probing U.S. security weaknesses.
But with these dangers come opportunities. For people willing to get the right education, cybersecurity offers unlimited possibilities for creative employment that will provide essential services to the nation.
Speaking were three members of UMUC’s Cybersecurity Think Tank, which has helped the university establish undergraduate and graduate programs in cybersecurity education:
Retired U.S. Navy Rear Adm. Elizabeth Hight, who was vice director of the Defense Information Systems Agency and deputy director of JTF-Global Network Operations. She is now vice president of the Cybersecurity Solutions Group, U.S. Public Sector, of the Hewlett-Packard Co.
Marcus Sachs, vice president of national security policy at Verizon Communications, who coordinates cyber issues with federal, state, and local governments.
L. William Varner, president and chief operating officer of Mission, Cyber and Intelligence Solutions at ManTech International Corp.
ILLUSTRATION BY ADAM NIKLEWICZ PHOTOGRAPHS BY SAM HURD
They joined Achiever writer Gil Klein at the National Press Club in Washington, D.C., to probe this unprecedented new security threat. They talked about the possibility of what Panetta meant by a cyber Pearl Harbor—an overwhelming attack that shakes the nation’s security and economic system and warrants a military response.
But they were careful to emphasize that the situation is not totally dire. Solutions are available and opportunities abound to expand them to meet the ever-changing danger. As Marcus Sachs said, “All is not bad. We may paint a very horrible picture here, but we want to make sure people understand it’s not the end of the world.”
GIL KLEIN: Betsy, what keeps you up at night?
ELIZABETH A. HIGHT: The whole host of “unknown unknowns,” whether they be very well-meaning but poorly educated information security officers, those who believe that the current host of products will keep their systems well defended, or those who have found unique and still undiscovered exploits to get into public, private, or personal systems. All of those things are still unknown unknowns to most of us.
GIL KLEIN: And Marc, do you sleep well?
MARCUS H. SACHS: Generally, I do, because if you know what bad is out there and what good is out there, you can sleep well. But what bothers a lot of people is that one lucky person. This is one of the problems in cyberspace: Somebody can make a mistake somewhere that we don’t know about, and somebody can get lucky—an unknown hacker, an unknown terrorist, an unknown criminal can get very lucky and do something very, very bad that’s unpredictable, and we only hear about it the next morning.
GIL KLEIN: And Bill, how about you?
L. WILLIAM VARNER: My real fear is the consequences of a successful cyber attack anywhere in our critical infrastructure. I think we had a little taste last summer of what that might be like with the storms that came through the Washington, D.C., area. Many lost power for several days. I was fortunate to be able to find power sources nearby and keep my phone and laptop charged for the five days I was without power. But what would we have done had the power not come on in five days? What if it hadn’t come on for five weeks? I think our behavior as a society would change at that point, and it would be a much different place to live.
GIL KLEIN: Defense Secretary Leon Panetta, who probably doesn’t sleep at all given all his responsibilities, recently warned of a cyber Pearl Harbor. Now, let’s start with Marc. What do you think that would look like?
MARCUS H. SACHS: Well, fortunately, Pearl Harbor has already happened, and it probably happened about 20 years ago. The problem is that we don’t know what a Pearl Harbor looks like. When was the first intrusion into our networks? When was the first actual loss due to cyber crime? A Pearl Harbor is usually painted as an unexpected attack, where the airplanes come in at dawn. Cyberspace is a little different. We’re constantly being attacked; we’re constantly being penetrated. So, many would say that our cyber Pearl Harbor moment is actually in our past. We just don’t recognize it; we’re still waiting for this big event, and we’re not paying attention to everything that has already happened.
ELIZABETH A. HIGHT: Most people equate Pearl Harbor with the Big Bang. I mean, there were bombs dropping, there were people injured and dying. There was a lot of noise. So when professionals use that reference, we think there’s going to be a great big, loud bang somewhere. But that’s not the way cyberspace works.
A Brief History of Cybersecurity
By Melissa E. Hathaway, president of Hathaway Global Strategies and a member of UMUC’s Cyber Think Tank. Hathaway served in two presidential administrations, spearheading the Cyberspace Policy Review for President Barack Obama and leading the Comprehensive National Cybersecurity Initiative for President George W. Bush.
Timeline content excerpted from a broader presentation and analysis.
1969 ARPANet Transmission
1970 Intel introduces the first 1k DRAM chip
1971 Creeper Worm demonstrates mobility and self-replicating programs on ARPANet
1972 File Transfer and TCP
1973 ARPANet Virtual Communication with Europe
1973 Motorola invents the first cellular portable telephone to be commercialized
1974 Development of the Graphical User Interface (GUI) paves the way for the intuitive design of Mac and Windows OS
LEFT TO RIGHT: Gil Klein, Marcus H. Sachs, Elizabeth A. Hight, L. William Varner.
So if we think about it that way, everyone will say, “Oh, no, no, there’ll never be a big Pearl Harbor.” But the consequences could be so severe that we would have exactly the same kind of mayhem, if in fact our critical infrastructure were destroyed or even penetrated in some way.
L. WILLIAM VARNER: And the worst thing is, we might not know until such an attack is well under way. It might not be the big, explosive, kinetic activity that we think we would immediately recognize.
MARCUS H. SACHS: It is, however, a fair analogy, because a lot of what led up to Pearl Harbor, what actually allowed it to happen, was the misinformation sharing and the stove-piping of information. People knew what was going on. We had intelligence, but there was no sharing. And this is exactly what we see today.
GIL KLEIN: And in general terms, how is the United States military preparing for a cyber attack? Is it happening quickly enough?
L. WILLIAM VARNER: We should look at the responsibilities of the U.S. Cyber Command and the Department of Homeland Security. Even more importantly, look at all of the aspects of our Internet infrastructure that are not protected by either the Cyber Command or Homeland Security.
1977 Microsoft forms
1977 Emergence of smaller computers
1978 TCP-IP becomes universally accepted global standard to supply network layer and transport layer functionality
Timeline illustrations by Robert Neubecker
What that means is that a lot of our protection today is left up to private industry. In all honesty, companies like ours are, in large measure, responsible for protecting their own networks. And it’s a big challenge. The bad guys only have to be right once. We have to be right 100 percent of the time.
GIL KLEIN: Do you think the general public is aware of the threat? What more can be done to prepare the public for the possibility of a major cyber attack?
MARCUS H. SACHS: I think the awareness is there that cyberspace has problems. But what’s missing is the “So what?” What do I do about that? In the physical world, we do a pretty good job of teaching people about looking left and right before crossing the street or about not slipping on the ice. We don’t do as good a job of teaching people what to do in cyberspace to make themselves secure. That’s the education gap.
ELIZABETH A. HIGHT: People may be very aware of the threat, but they really don’t know how it impacts them personally. Unless they—or a close friend or family member—have had their identity stolen, for example, they won’t know the true impact on their credit report. They won’t know how long it will take to recover.
1979 1G network (launched by Nippon Telegraph and Telephone in Japan) allows the first cell-to-cell transmission without dropping the call
1979 Intel introduces the 8088 CPU and it is chosen to power IBM personal computers
1981 IBM personal computer
1982 AT&T divestiture in return for the opportunity to go into the computer business
1983 DNS Registry lays foundation for expansion of Internet
1983 DoD begins using MilNet—mandates TCP-IP for all unclassified systems
1983 Fred Cohen authors the first computer “virus”—a term coined by his academic advisor, Len Adleman
“And when you’re at UMUC, or in any college environment, that is the time to take your innovative ideas and tinker with them and mature them. And then offer them to the greater good. Because cyberspace is open to all of us. So when you innovate, you’re helping all of us.” —ELIZABETH A. HIGHT
They won’t know that in fact what they put on social media is open to the world and will be there forever. I tell people all the time that we need to have a cyberspace ethics and civics class in elementary school to help teach our citizens from the very beginning what this cyber thing is. Because children like to reach out and touch things, and they can’t do that in cyberspace.
GIL KLEIN: What is the need for a trained cybersecurity workforce? Are universities producing the numbers needed? Are there enough students coming out of high school with the skills needed to begin learning this kind of complex information? And, of course, how intense is the competition for these jobs? That’s a lot of questions.
L. WILLIAM VARNER: Those are easy questions, Gil, because the answer to most everything is no. There are not enough people currently. There are not enough people coming out of high schools or being trained in our colleges. And there are just not enough people in the general STEM—science, technology, engineering and math—curricula altogether. I know Betsy and Marc and I all share an interest in trying to increase the number of trained cyber professionals in the country, particularly those who are able to obtain the clearances that let them work closely with our government agencies. And we sponsor a lot of training programs. Just because someone graduates from college with a master’s degree in electrical engineering or computer science does not necessarily mean he or she is ready to join the ranks of cyber warriors.
MARCUS H. SACHS: Cyber education is a lot like health and healthcare. When kids are going through elementary, middle, and high school, we teach basic health principles. But not all kids grow up to be doctors and nurses. Cybersecurity is the same sort of thing. We need to teach the basics of hygiene in cyberspace, the basics of what can go wrong. Some can go on to become the professionals. But I think what we’re missing is that early education. We tend to think this is only for the little geeks and wizards. But it should be for everybody, just like health education is for everybody.
ELIZABETH A. HIGHT: If ever there was a case for lifelong learning, it is cyberspace. All three of us are digital immigrants; we did not grow up with this technology. Our children and our grandchildren are very comfortable with it. But the technology is so complex and changes so rapidly, there is no one who can sit back and think, “Oh, well, I understand it, and I don’t need any more education.”
GIL KLEIN: Are there enough university programs to do this? Or is this an open field for universities? And who do you get to teach this if everybody who knows it has to be working and protecting somebody?
MARCUS H. SACHS: There’s a lot of opportunity there.
L. WILLIAM VARNER: There is. UMUC has a great program. I also work with almost every university in the area, as well as with some that are not local. But to me, one of the most important things is making our career field attractive to people who are of the age where they are thinking about what kinds of careers they want.
MARCUS H. SACHS: It applies to all career fields. It’s not just for those who get a degree in cybersecurity. If your degree is in education, there needs to be a cybersecurity component, because you’re going to be the one talking to kids. You need to understand cyberspace at a level where you can talk about it, just like you talk about American history, just like you teach math.
1984 Cisco Systems Inc. forms
1985 Microsoft Windows; utility of computer easier for consumer
1985 Generic top-level domains are officially implemented (.com, .gov, .mil, .edu)
1988 Morris is Internet’s first widely propagating worm
1988 After Morris Worm, DEC white paper introduces the concept of firewalls and packet filtering; launches the market for security products
1988 DoD funds Carnegie Mellon CERT-CC as a result of Morris Worm
1989 DoD Corporate Information Management (CIM) Initiative to identify and implement management efficiencies in DoD information systems
1990 CERN develops HTML code and software (World Wide Web is possible)
1990 Rise of Internet innovation
1991 National Academy of Sciences: Computers at Risk Report
1991 First GSM network launches in Finland, giving way to 2G cellular networks
1992 OSD issues Policy 3600.2 Information Warfare
1992 2G networks make instant messaging possible
LEFT TO RIGHT: Marcus H. Sachs, Elizabeth A. Hight, and L. William Varner
But other career fields—engineering, law—are also wide open. It doesn’t just have to be focused on technical skills. I think this is where UMUC is really gaining an advantage, because they have a wide course curriculum, a big audience.
L. WILLIAM VARNER: And in the position we’re in now, I don’t think all of the universities and colleges added together could produce enough people to meet the needs that we have today.
GIL KLEIN: Talk a little bit about the kinds of attacks that are going on right now. Who is making these attacks? And how much impact do they have?
ELIZABETH A. HIGHT: There are basically three types of attackers. There are the hacktivists and the joyriders that we’ve seen for years and years. There are the state-sponsored attackers. And there are criminals. So each of them has varying degrees of support and education and training and opportunity. That creates a huge problem for the entire federal, state, and local government environment, because they have to protect against the entire continuum.
MARCUS H. SACHS: There are some commonalities. It’s not machines that are attacking us; people are attacking us. The conversation we were just having about manpower—our adversaries have the same problem. There aren’t a lot of smart attackers out there, either. In fact, if I had the choice to work for one of us and have a beautiful, bright career, or to work for a terrorist organization and perhaps get blown up, I might decide that I don’t want to be a terrorist. This is an interesting quandary, because our adversaries do face the same problems. Government targets are lucrative, but a government system is no different from a private sector system, or a university system, or a home system. It’s the same silicon, the same software, the same vulnerabilities. The information may be different; the value of the information may be different, but that is actually a strength, because lessons that you learn in the government can be applied to industry, to academia, or to home systems. And vice versa. So it’s a fairly level playing field in terms of defense. Solutions work in multiple places. And that’s a strength we need to play to.
GIL KLEIN: Can any of you tell me a story about an attack, how it came about, and what was accomplished?
1993 MILNET becomes NIPRNET
1993 Mosaic Web browser makes the Internet an everyday tool
1994 $10 million stolen from Citibank; Steve Katz becomes the first chief information security officer (CISO)
1994 VCJCS directs IW Joint Warfare Capability assessment
1994 Nokia proof—sends data over cell phone (Wi-Fi possible)
1995 AOL phishing attacks for passwords and credit card information
1995 Evident Surprise wargame DEPSECDEF and IC agree to coordinate IW policy
1996 ITU works on standard (H-323) for Voice over Internet Protocol (voice and data over single network reduces infrastructure costs)
1996 Defense Science Board paper: Information Warfare-Defense
1996 OSD Issues 3600.1 Information Operations Broadening the Definition to Engage During Peace
1996 US relaxes export controls on encryption products to foster global electronic commerce
1997 Framework for Electronic Global Commerce policy (known as the “Green Paper” in the U.S.) encourages international adoption of DNS
1997 President’s Commission on Critical Infrastructure Protection leads to formation of ISACs (information sharing and analysis centers)
Companies like ours are, in large measure, responsible for protecting their own networks. And it’s a big challenge. The bad guys only have to be right once. We have to be right 100 percent of the time.
—L. WILLIAM VARNER
MARCUS H. SACHS: What we see today usually comes on one of two levels. There is the subversive attack that is very hard to see. The adversary is interested in targeting you because there is information that they want specifically from you. And they will take time to get it. They go in and grab what they want, they take it, and you may not realize that it’s gone. Often we see this happen after the fact. We have forensics teams that will go in and investigate, and a company or organization will realize that they have been breached. And it sometimes turns out that the initial entry was more than a year ago and the adversaries have had that much access before they are finally noticed. Then you have the class of attacks that are very noisy, like denial-of-service attacks or flooding attacks. The target may be an organization like a bank or a government, or it may just be anybody who happens to be connected to the Internet. Those are like a flash; here today, gone a few moments later. But they can still be very visible. And we face this all the time, particularly with high profile Web sites. This is the hacktivist problem we’re talking about, where in the past you might go up to whomever you didn’t like and spray paint your message all over their glass wall. Today, you go online and maybe deface their Web site, or cause a denial-of-service attack so their customers can’t get there.
1997 Google search engine invented
1997 802.11 International Standard agreed upon
1997 Eligible Receiver Exercise focuses DoD and IC on vulnerabilities of U.S. infrastructure and foreign IO programs
ELIZABETH A. HIGHT: We’ve had cases of government organizations dealing with their own bureaucracies. A recent state case involved the lack of a state information security officer for more than a year. The thing that held it up was the bureaucracy of finding someone with these critical skills who would accept the pay of a person in a government bureaucracy. Here in Washington, D.C., especially, I think the unemployment rate for cybersecurity specialists is less than zero. They’re in great demand. And that’s true not just for government but for industry as well.
GIL KLEIN: Bill, do you have a great story here?
L. WILLIAM VARNER: When you are attacked you might not even know it; the data is still there. They take a copy of it; they don’t take the data. It’s a lot different from physically breaking into a building and stealing something, where you notice, “Hey, my stereo system is gone.” You may not know that somebody has taken your valuable intellectual property.
MARCUS H. SACHS: Let me mention a real-world case here. The RSA Corporation, as many of us are aware, is at the top of their game when it comes to cybersecurity. Devices, software, consulting services, they’re all over. But yet they got breached. And it kind of reflects back on that very first question: What keeps you up at night? Here you have the best, and they get broken into, even though they’re doing everything right.
ELIZABETH A. HIGHT: So 10, 15, or 20 years ago, we thought if we could protect the outer perimeter, we could keep all the bad guys out. As a matter of fact, in 2005, the Department of Defense really cracked down on two-factor authentication and required everyone to log on to the network with their CAC cards—something that they knew, something that they held in their hands that could not be stolen by someone who was putzing around in a network looking at the password file. So those defenses were developed, and then we went on to phishing. And now we’re into spear phishing, and the human element is so unpredictable. A very well-documented case that involved an effort to hack into an international company was really engineered around calling a system engineer overseas and claiming to be a member of the company. It was very late in the evening, and the system admin overseas said, “Sure, I can reset your password.” And the hacker actually got into the system that way.
GIL KLEIN: Is there a level of cyber attack that you think would warrant a traditional military response? Or could we even figure that out?
ELIZABETH A. HIGHT: I think with technology today, there are some who can figure that out. And as a citizen of the United States, if an organization or an individual actually turned off my power, or poisoned my water, or caused an airplane to crash, I certainly hope the United States would respond somehow.
MARCUS H. SACHS: That somehow is the question. Is the somehow diplomacy that ultimately finds its way into the military? Or is the somehow trade sanctions? Or is the somehow just a demarche or a public outing? I think that’s a public policy problem we have here in Washington. We don’t have that answer.
L. WILLIAM VARNER: Of course, that brings up the whole issue of attribution, which, in my opinion, is the most difficult problem in cybersecurity. You need to be pretty certain who launched the attack before you strike back. In reality, many attacks originate right here in the United States; they are just routed through other countries.
MARCUS H. SACHS: We have a very clear policy about the use of nuclear weapons, for example. There is no ambiguity about what the United States’ response would be if somebody fired a nuclear weapon at us. We have a very clear policy on invasion. But we don’t have a clear national policy that says, “It is the policy of the United States to do the following if there is a cyber attack that meets such-and-such a threshold.” I think we have to have that.
Cyber-Speak Glossary
CAC Card is a common access card issued by the Defense Department that allows entry to government buildings and computer networks. About the size of a credit card, it has an embedded microchip that has a digital image of the cardholder’s face, two digital fingerprints, Social Security number, and other identifying data.
DARPA is the Defense Advanced Research Projects Agency, an independent research branch of the Department of Defense created in 1958 that funded a project that led to the creation of the Internet. Its mission is to think independently of the rest of the military and to respond quickly and innovatively to national defense challenges.
Exfiltration, also known as extrusion, is the unauthorized transfer of data from a computer or network.
Hacktivists are people who break into computer systems for politically or socially motivated purposes. Their motives are usually not to steal information but to alter a targeted Web site or hamper the organization’s ability to operate online.
Spear Phishing is an attempt to gain unauthorized access to an organization’s information by targeting specific individuals in that organization. Unlike regular phishing, which is typically carried out by random hackers, spear phishers know exactly what information they want and who can provide access. They send messages that appear to be from authoritative sources asking for passwords and other information that will grant them access to classified information.
Stuxnet is a computer worm believed to have been developed by the United States and Israel that was used in 2010 to attack the supervisory control and data acquisition systems of Iran’s nuclear development program.
U.S. Cyber Command was created in 2009 in the Department of Defense to plan, coordinate, integrate, synchronize, and direct activities to operate and defend the department’s networks. When directed, the Cyber Command conducts military cyberspace operations to ensure the United States and its allies freedom of action in cyberspace while denying the same to its adversaries.
1998 Internet Corporation of Assigned Names and Numbers (ICANN) established
1998 PDD-63 Critical Infrastructure Protection Policy
1998 Solar Sunrise DoD penetrations realized
1999 U.S. Space Command assigned military Cyber Offense-Defense Mission responsibility
1999 Melissa Virus sets stage for rapid infections
1999 In-Q-Tel established to help government innovate
1999 DCI agrees to use same definitions signing out DCID 7-3
2000 HTML accepted as international standard ISO: 15445
2000 Y2K
2000 National Academy of Sciences: Trust in Cyberspace
2000 DDoS attacks against e-commerce affect Amazon, Ebay, CNN
2001 Launch of first precommercial trial 3G network (packet-switch) by Nippon Telegraph and Telephone
2001 DoD Quadrennial Defense Review renews focus on information operations
2001 Wikipedia created
2001 Council of Europe, Cybercrime Convention (treaty)
2001 Nuclear Posture Review calls for replacement of nuclear weapons with non-kinetic weapons
2002 Department of Homeland Security assumes Critical Infrastructure Protection Mission
2002 U.S. Strategic Command assigned military Cyber Offense-Defense Mission responsibility
2002 Social networking technology takes off with Friendster
2002 DoD 3600.1 policy is reissued with new definition for Information Operations
2003 CA State Data Breach Law: Businesses must report breach of PII
2003 LinkedIn: Business application of social networking
2003 DoD Transformation Planning Guidance formalizes Net Centric Warfare
2003 Skype (beta) debuts
2004 DoD IO Roadmap programs more than $1 billion in new funds to normalize IO
2004 EW Roadmap to focus DoD’s efforts to provide electronic attack options
2005 ChoicePoint first breach of personal identifiable information (PII)
2005 NERC announces standards for cybersecurity for reliability of bulk-power systems
2006 Facebook forms
2006 Congressional Testimony NSA outlines closer coordination with DHS
2006 Hengchun Earthquake (Taiwan) affects undersea cables and Internet for 49 days
LEFT TO RIGHT: Marcus H. Sachs, Elizabeth A. Hight, and L. William Varner at the National Press Club in Washington, D.C.
ELIZABETH A. HIGHT: And I think that is one of the great things about the UMUC curriculum. There are courses where students are challenged to think critically about those policy issues. And that area is ripe with opportunity, whether you’re a student, a private citizen, or a member of the legislative or judicial branch. Those discussions need to happen before we actually wake up one day and discover the catastrophic effect of a cyber attack.
L. WILLIAM VARNER: And the interesting thing we’re all saying here is that cyber technology is more advanced than cyber policy.
MARCUS H. SACHS: And of course cyberspace doesn’t belong to anybody. It belongs to everybody. It’s really a metaphor; it’s not really a thing. It’s not like dirt or air. It’s this made-up and synthetic thing that humans have built. So when we ask the question, “What should the military do?” it really depends on whom you’re asking. Because a network owner and operator would say, “The military has no role here, other than perhaps protecting my physical assets. The actual essence of cyberspace is a business; it’s not a military battleground.”
2007 USAF establishes a Cyber Command
2007 Comprehensive National Cybersecurity Initiative (CNCI)
2007 TJ Maxx breach (exploits Wi-Fi)
2007 Estonia DDoS highlights use of force (wartime applications with conscripted computers)
2007 Joint Staff, National Military Strategy for Cyberspace Operations
2008 RBS WorldPay $9 million stolen in 30 min., 49 cities
2008 President announces modernization program (Smart Grid, Next Gen FAA, Health-IT, Broadband to America)
2008 Georgia-Russia conflict demonstrates cyber in warfare
So this is an ongoing debate here in Washington. Maybe we need to just keep talking about this, not wrapping it up behind classified doors, because it is a very serious policy matter that we have to start discussing openly.
ELIZABETH A. HIGHT: I think one of the things to consider is the foundation of our own country. I mean, individualism and privacy and all of those concepts that our country was founded on really fly in the face of cyberspace. Because a lot of people would say there is no privacy in cyberspace, and others would say that there is all kinds of privacy, it just depends on how you use cyberspace.
MARCUS H. SACHS: If you start with the Constitution, everybody understands the First Amendment. Freedom of speech, we want that; so, okay, we check that off. Then you get to the Second Amendment and things get very awkward. What does it mean to have the right to bear arms in cyberspace? What is an arm? And we’re only on the Second Amendment! We haven’t even gotten to Three or Four. [Laughter.] So, again, this is the debate we have got to have. What does this stuff mean?
2008 Cable cut(s) in Mediterranean dramatically slow down Internet and Egypt affected badly
2008 Conficker Worm requires unprecedented international cooperation and operational response
2009 Heartland Payments breach demonstrates that compliance does not equal security
2009 Cyberspace Policy Review: Cyber is economic and national security priority
2009 Move to cloud computing
2009 National Research Council Report: Cyber Attack Capabilities
2009 4G offered via WiMAX standard (Sprint) speed improvement of 10-fold
2009 Operation Aurora coordinated attack on many high-profile companies targeting intellectual property
We’ve pushed the government right now not to regulate us, but to let us innovate. Let us find our way out of this security problem by being creative. That’s what Americans do best. We are the world’s best innovators.
—MARCUS H. SACHS
GIL KLEIN: The United States and Israel apparently launched a successful cyber attack known as Stuxnet against Iran’s nuclear development program. Is that the type of low-level warfare we can expect to see that avoids actual firepower? Do you see an offensive use for the U.S. military?
ELIZABETH A. HIGHT: Well, I wouldn’t call trying to disable a country’s nuclear arsenal “low level.” I think that as we evolve in this arena, we will continue to see operations of certain types until we have case law or legislation that defines that. I think one of the most important things to realize is that it’s not just U.S. citizens that are thinking about conducting defensive or offensive operations. This is a global domain; there is no state line or national border. And these conversations need to be held globally.
MARCUS H. SACHS: It’s hard for the United States because we’ve always been ahead of this game when it comes to technology—from airplanes to spaceships to nuclear weapons. But enter cyberspace, and we just assume we’re in charge. We assume we have more capabilities than others. That may not be the case. And that’s very awkward for us, because now we have worthy adversaries. But they’re not necessarily countries like China or Russia. An adversary could be an individual, a corporation, a loosely affiliated group or a terrorist group. It could be a cause. That’s what makes cyberspace so interesting. When we say what offensive is, we try to go back to our classic industrial thinking of tanks and planes and ships and invasions. But offensive in cyberspace may be completely different. And I think Stuxnet is a great example, but it’s like a biplane compared to a strike fighter. This is so basic, to do a Stuxnet-type thing. And the history books will record this. Play this tape back even 10 years from now. Look at how we will refer to Stuxnet and say, “Wow, in its day that was pretty cool. But that’s so simple. We issue that capability to our kids; we show them how to do that to each other.” [Laughter.]
GIL KLEIN: So is this asymmetrical warfare taken to a new level?
L. WILLIAM VARNER: That’s an excellent question, because it is asymmetrical warfare, and the barriers to entry are small. They’re the cost of a laptop or a PC and an Internet subscription; that’s all it takes. It’s just an inordinate cost to defend against what an attacker can do almost for free.
MARCUS H. SACHS: But do you know the good news in all of this? There really are basic, simple things people can do to protect themselves. Oftentimes we do get wrapped up in the, “Oh dear, cyberspace is so dangerous; I think I’ll just unplug and go farm for the rest of my life.” But it turns out there are a lot of very simple things that anybody can do to reasonably protect themselves, much like in the real world. We’ve learned that as humans and as part of society. I think that’s the piece that we’re hunting for with cyberspace: What are those basic things individuals can do? Because you’re always going to have threats, and you’re always going to have attackers.
GIL KLEIN: What is the responsibility of the private sector in providing a level of security? And what is the responsibility of the federal government in making sure that it is meeting that responsibility?
ELIZABETH A. HIGHT: I think cybersecurity has moved out of the computer operations center and into the boardroom. The boards and senior management teams who take the time to become educated in the risks associated with cybersecurity realize that there is a real reason to understand cybersecurity. A wonderful SEC guidance came out recently saying that if you have a significant risk to a public company, it has to be reported, and that includes cyber risks. So I think that’s a step forward in educating both the boards and the senior management teams of industry.
MARCUS H. SACHS: Cybersecurity is now emerging as one of those areas where you’re actually better off if you’re outsourcing it and using what’s emerging as managed security services. This has become so complex and so technical and so specific that it may be better as a business leader not to try to do it all yourself.
L. WILLIAM VARNER: This calls for a public/private partnership, along with a way to share information about attacks that may be occurring so that both government and industry can benefit. In fact, there are activities like that under way that we’re all part of, and they are having some success.
ELIZABETH A. HIGHT: I think we have been talking about public/private partnerships for years. But in my view, most of these discussions are just far too general. They are not taken seriously by most people who are in control. Those individuals may like control, but they don’t understand that in fact they don’t have the expertise to keep up with this incredibly, remarkably dynamic, complex space.
GIL KLEIN: Along that line, former CIA Director James Woolsey said hackers are stealing us blind by breaking into company databases and taking secret development plans. How big a threat is this to U.S. business? And how adequate is the response?
MARCUS H. SACHS: That’s probably the number one threat to our country right now. It’s death by a thousand paper cuts. We are leaking—what’s the estimate?—trillions of dollars annually, intellectual property that’s just going out the door. We look at our current economy, which is kind of sputtering, and one of the factors we never talk about is cyberspace. What about the leakage of all this intellectual property that’s gone to other countries who can now compete against us because they stole all of our know-how?
GIL KLEIN: Is it possible to give an example?
L. WILLIAM VARNER: One estimate by people who are generally well regarded in the intelligence community is that at least one terabyte per day of U.S. intellectual property is being exfiltrated to other countries. So to put that in perspective, the written material in the Library of Congress comprises about 10 terabytes. General Keith Alexander, the director of NSA and head of the U.S. Cyber Command, has stated publicly that he believes this is the largest wealth transfer in the history of the world.
GIL KLEIN: So how much rigorous scientific experimentation is going on now that will lead to security breakthroughs?
ELIZABETH A. HIGHT: I think there’s a lot going on, both in government and in industry. As a matter of fact, DARPA [the Defense Advanced Research Projects Agency] has recently released a fraud area announcement for some really exquisite defenses. And DARPA has hired some of the best-known hackers in the United States to turn their tradecraft into a defensive mechanism. So this is a well-recognized problem that academia, government, and private industry are all trying to solve.
MARCUS H. SACHS: Often when we say cyberspace, we really mean the Internet. But the Internet is just a piece of cyberspace. Air traffic control and interbank transfers don’t go over the Internet, for example, but they’re part of the communication infrastructure. The Internet today is largely based on the explosion of personal computers back in the 1980s, followed by the explosion in the 1990s of the Internet itself, as everybody became familiar with it and as faster networks and laptops came along. In the past five to 10 years, a new wave known as wireless has come along. We’re beginning to see a different type of device, different applications, different ways of thinking. And in fact, that wireless world is now bleeding into home security systems. It’s in your car, thanks to Bluetooth. So there’s opportunity here. Where the old Internet is largely built on a string of wired PCs and hard drives, we now have a new cyberspace that’s coming out, largely Internet-centric, but with pieces that aren’t the Internet. And in fact, right behind that is this new thing called cloud computing. So just like any other technology, we have waves of innovation. And what I think some are seeing is that each wave gives us the opportunity to add security that wasn’t there in the previous wave. So cyberspace can in fact get more secure as we go forward. Because we tend to build in new resiliency. We build in new safety features. We kind of build on previous mistakes.
I use this phrase: “Hug an ethical hacker.” Start thinking about how to protect your systems by thinking like a bad guy. One of the new industries that has sprung up is ethical hacking courses for senior government and industry executives.
—ELIZABETH A. HIGHT
2010 Intel Corporation SEC Filing
2010 Texas bank sues customer over cyber-theft
2010 UK Data Protection Law: $500,000 fine for lost protected data
2010 Stuxnet Worm strikes Iran’s nuclear facilities
2010 Court rules in favor of Comcast; Net Neutrality debate heats up on Internet regulation
2010 Standup of U.S. Cyber Command
2010 Smokescreen, online virtual reality game, guides teenagers through dangers of social networking
2010 NATO Strategic Concept Review highlights cyber
2010 NATO declares cyber defense a priority
2010 Market shift: Proliferation of handheld wireless devices
2011 Epsilon breach: High profile customers exposed
2011 Libya cuts off Internet and social networking sites from citizens
2011 88 percent of Egyptian Internet cut off from citizens
2011 The Netherlands, France, and Germany publish cybersecurity strategies
2011 NASDAQ penetrated
2011 IPv4 address allocation exhausted
2011 Hackers break into Canada’s Treasury system
2011 UK states that cyberattacks and cybercrime are among its top five security issues
2011 RSA/EMC Corporation SEC filing (SecurID breach)
2011 G8 discusses that laws need to apply to the Internet
2011 Sony PlayStation network breached; initial clean-up, $170 million
2011 65 percent of Syrian Internet removed from routing tables (40/59 networks)
2011 Microsoft acquires Skype for $8.5 billion
2011 Austria declares cyber defense a national priority
2011 New Zealand publishes cybersecurity strategy
2011 IMF penetrated and severs connection to World Bank as a precaution
2011 EU increases penalties for cybercrime
2011 Citigroup breach; 200,000 accounts accessed
2011 Syrian Electronic Army (SEA), a pro-government computer attack group, actively targets political opposition and Western Web sites
2011 Anonymous targets NATO
2011 Federal Financial Institutions Examination Council (FFIEC) issues supplemental guidance on risk management: “Authentication in an Internet Banking Environment”
2011 DigiNotar certificate breached
2011 Singapore announces it will stand up a National Cyber Security Centre headed by the Singapore Infocomm Technology Security Authority
2011 CERT–EU opens
2011 International Code of Conduct for Information Security brought to the 66th UN General Assembly
STATE OF EMERGENCY?
by Lt. Gen. Harry Raduege (USAF, Ret.)
Illustration by John Ritter
Cybersecurity is a growing concern at the state level, and cybersecurity breaches are costing state governments large sums of unbudgeted money to fix and accommodate.
Like many who file state income tax returns electronically, I received official notice on December 22 from a state government that my Social Security number, tax identification number, payment information, bank accounts, and credit cards may have been exposed due to a security breach that took place three months earlier and was not discovered until a month afterward. In this particular case, which involves the state’s department of revenue, the potential breach of stored information goes back more than 10 years and involves millions of state income tax filers—both businesses and individuals. In addition to hiring outside forensic experts, putting new policies and procedures into practice, and installing new technology, this state government is paying an outside security firm for one year of credit monitoring and fraud resolution services for each taxpayer who may have been violated (and who chooses to register for the offered services).
This is just one example from our increasingly cyber-connected world, but it serves to illustrate how cybersecurity has become a new problem for individuals and businesses to worry about and for state governments to deal with on a comprehensive, cross-functional, statewide basis.
The National Association of State Chief Information Officers (NASCIO) continues to identify cybersecurity as a critical concern for state governments. The recently released “2012 Deloitte-NASCIO Cybersecurity Study” notes that cybersecurity does not fail gracefully. CIOs and chief information security officers (CISOs) must worry that if they don’t get security right and systems are breached, the state’s cybersecurity program may be perceived as ineffective and the state’s citizens may suffer direct harm.
Cybersecurity threats to state government—like threats to all sectors—are growing in sophistication and frequency. A new breed of cybercriminal and hacktivist is emerging with a narrowed focus on monetary gain or on making political statements. According to a recent Rapid7 report on the “Data Breaches in the Government Sector,” government agencies have lost more than 94 million citizen records since 2009. Remarkably, the average cost per lost or breached record is $194, according to the Ponemon Institute’s 2011 Cost of Data Breach Study. From the Deloitte-NASCIO Study, 92 percent of state officials feel that cybersecurity is very important for the state, yet only 24 percent of CISOs are very confident that they can protect state assets against external threats. Further, 70 percent of state CISOs have reported a breach, but only 32 percent feel that their staff has the required cybersecurity competency.
Most noteworthy is that the increasing need for cybersecurity education and training is repeatedly identified in all sectors of government, business, and society. Within state government, security breaches may be far more costly than cybersecurity programs, especially when considering the cost of regaining lost citizen trust. At the heart of an effective state cybersecurity program are properly educated and trained cybersecurity professionals. I am pleased that UMUC continues to work to meet this need through its cybersecurity degree programs and by producing trained cybersecurity professionals to meet growing workforce demands.
Lt. Gen. Harry Raduege (USAF, Ret.) is a four-time military CIO and former director of the Defense Information Systems Agency (DISA). He currently serves as chairman of the Deloitte Center for Cyber Innovation.
“One estimate by people who are generally well regarded in the intelligence community is that at least one terabyte per day of U.S. intellectual property is being exfiltrated to other countries.”
What I’m trying to say is that all is not bad. We may paint a very horrible picture here, but we want to make sure people understand it is not the end of the world. As new technologies come along, new vulnerabilities are introduced—don’t get me wrong there—but we are making some remarkable changes. But for anybody who is interested in this area, the field is wide open for new ideas, new concepts. My company and your companies, we all have open doors for innovators, for new ideas, for fresh concepts and fresh ways of doing things. And to kind of wrap this up, we’ve pushed the government right now not to regulate us, but to let us innovate. Let us find our way out of this security problem by being creative. That’s what Americans do best. We are the world’s best innovators.

ELIZABETH A. HIGHT: And when you’re at UMUC, or in any college environment, that is the time to take your innovative ideas and tinker with them and mature them. And then offer them to the greater good. Because cyberspace is open to all of us. So when you innovate, you’re helping all of us.

GIL KLEIN: So if you could get the ear of President Barack Obama or of Congress, what would you tell them?

If the president were sitting right here, I would like to know, first, what he does to protect himself as the leader of the most powerful nation in the world. What does he do personally in cyberspace? It may be a bit of an embarrassing question, because it catches a lot of people off guard: What do I do? Because I can pontificate all day long about what everybody else should do, but what do I do? That might lead to a very interesting discussion. Now, the president might get it right, and might actually have a lot of insight. In which case, Mr. President, please stand up in front of the bully pulpit and start preaching. [Laughter.] But we don’t know where the president comes down on this.

ELIZABETH A. HIGHT: I think what you’re really saying is, “Be a role model.” That’s one of the barriers to getting our young people really excited about these careers.

MARCUS H. SACHS: I think it would be wonderful to shine a light on some of our heroes in cyberspace. And I think keeping everything behind the classified green door is a mistake. I guess if I were across the table from the president, now that he has won a second term, I would say, “Take a chance. Look at the issues that need to be developed. Look at the lack of case law. Let’s think about what that means to our economic future and our personal privacy. Let’s look at those issues, now that you’re in a position to take that risk.” And I would say, “Go for it!”

L. WILLIAM VARNER: Right, so we would stress just exactly how important it is to develop that cybersecurity policy to the level of the policy and the doctrine we used to have, for example, in the days of the Cold War. We don’t have that for cyberspace.

GIL KLEIN: You mentioned cybersecurity heroes. Can you give me a case study or a story? Can you tell me a story about cybersecurity, or is it all still classified?

ELIZABETH A. HIGHT: Well, I know a lot of heroes who man network and security operations centers around the world for the United States military and for the Department of Homeland Security, and for some of our industry partners. I know local and state government heroes that are doing that job every day. They’re sort of like firefighters and policemen. Until something terrible happens, you just don’t know about them.

GIL KLEIN: I was hoping you could give me a real name here.

MARCUS H. SACHS: There was a book called The Cuckoo’s Egg, by Cliff Stoll. Cliff was an astronomer in a university and recognized that there was a problem in one of his computing systems, where the accounting was off by a few pennies. Now, computers are precise. They should be exactly correct. And when he found that they were off by a few pennies, he began to ask questions. Come to find out, there were intruders in there. And the intruders were changing the logs.

(continued on page 20)

2011 ISO formally ratifies ISO/IEC 27035:2011, an information security best practices process for incident reporting
2011 Blackberry outage affects millions of customers
2011 NCIX Report: Foreign Spies Stealing U.S. Economic Secrets in Cyberspace
2011 SEC guidance to public companies: Cybersecurity Is a Material Risk
2011 Kenya launches information security master plan to safeguard public information on the Internet
2011 United Kingdom publishes new Cyber Security Strategy
2011 EU TLD registry makes it easier for registrars to use Internet security protocol Domain Name System Security Extensions (DNSSEC)
2011 Cyclone Dagmar affects power supplies to electronic communication networks in Nordic countries; millions of users left without telephony or Internet for up to two weeks
—L. WILLIAM VARNER
2012 WEF ranks cybercrimes as #1 technological risk
2011 South Korea leads the world in ICT development and peer-to-peer botnets
2012 INTERPOL announces stand up of Global Complex for Innovation in Singapore focused on digital security and cybercrime
2012 An Israeli IDF Team launches an attack against a Hamas Web site (qassam.ps), knocking it offline to protest the site’s anti-Israeli stance
Big Data: Dream or Potential Nightmare?
by Mark Gerencser
Photograph by Danuta Otfinowski
Illustration by John Ritter
The amount of information about us—the products we purchase, the processes we use, and the businesses that surround us—has grown exponentially. We now generate more data every two days than we did in aggregate from the dawn of early civilization through the beginning of the 21st century. And this information explosion accelerates each year by 40 percent. This is called the “Big Data Revolution” and it is not only big in volume; it is also big in variety and velocity—meaning different types of data at a wide range of input speeds and refresh frequencies.

Big Data has very big implications for business. Big Data offers a company numerous opportunities to enhance its value across entire product and service lines based on advanced analytics. For example, an airline might dynamically optimize fares based on customer preferences and behavior, or an electric utility might optimize power generation and distribution based on consumer needs and living habits.

Some challenging questions revolve around data rights and ownership, and it will take some time for a consistent legal framework to emerge. In the interim, though, Big Data’s business advantages are offset by each company’s responsibility to protect private, personal, and sensitive corporate information. Leaders must know the answer to several key questions: Where does your company stand amongst your peers with respect to data security? Are you leading with best practices or lagging behind? Do you understand and appreciate your liability? Do you have a plan to address deficiencies?

Because the cyber threat environment is rapidly advancing, traditional security methods are not just incredibly expensive; they no longer work. “Attack surfaces”—the ways a company’s data can be exploited—are increasing, even as attack methods are becoming more sophisticated. Responsible corporate leaders must understand their attack surfaces and the effectiveness of their security measures. We have found many companies don’t get the most for their security expenditures, and some spend more than their peers but get less in return. Since there are no absolutes in security, peer benchmarks provide the best measures of effectiveness.

Companies need to think and act differently to get the most for their data security investment. This includes collaborating with others in their industry, even competitors. Every enterprise needs to understand the risks they assume and what they mitigate relative to one another. Companies that lead in this area will be advantaged as trusted partners and providers, which in turn will benefit sales and customer retention. It also promises to reduce liability in the event of data spills, insider disclosures, or remote data theft or destruction.

Through collaboration, companies can create reasonable standards that may serve to head off more restrictive governmental regulations. But peer collaboration can provide more than just reasonable standards for an industry; it might also identify opportunities to share security investments and approaches. For example, the electric utility sector could develop a cooperative to monitor and identify imminent attacks on the power grid, spending less on static security and instead focusing resources when and where they are needed. While IWCA (indication and warning and counterattack) capability has proven effective, it is seldom affordable for an individual company; however, a shared cost approach could provide high value at significant savings. Our experience shows that once an IWCA capability has been established, adding companies in the

(continued on page 29)

Mark Gerencser is chair of UMUC’s Board of Visitors and co-author of the best-selling book, Megacommunities. He is managing partner of Booz Allen Hamilton’s Global Commercial Business, the leader in enhancing company operating performance, regulatory compliance, and security.
“But enter cyberspace, and we just assume we’re in charge. We assume we have more capabilities than others. That may not be the case. And that’s very awkward for us, because now we have worthy adversaries. But they’re not necessarily countries like China or Russia. An adversary could be an individual, a corporation, a loosely affiliated group or a terrorist group. It could be a cause.” —MARCUS H. SACHS

So an entire book has been written about this. It would make a fascinating movie.

GIL KLEIN: Bill, have you got any heroes out there?

L. WILLIAM VARNER: I think of some of the former directors of some of our major agencies—General Kenneth Minihan, for example, the former director of NSA [National Security Agency] and DIA [Defense Intelligence Agency]. He was involved in the very early beginnings of the Internet and working with Microsoft when some of the early vulnerabilities were discovered. Bill Crowell is another cyber hero, I think. He’s now a venture capitalist, but he was a former deputy director of the NSA. I think there are numerous people who have taken advantage of the positions that they had to make enormous strides in getting us to where we are today.

GIL KLEIN: Just to wrap up here, what I’m reading about is the next phase of the Internet; it’s so unbelievable, when you get into the cloud and you get into artificial intelligence. Do you see greater threats here? At some point you were saying, “No, this could actually be better for us.” We’ve come through 20 or so years of the Internet and the world’s still here. What are we doing right?

L. WILLIAM VARNER: In my opinion, Gil, we’re in a wonderful position. We have more technology than anybody ever dreamed we would have. We’re using it. My car sends me e-mails just to let me know how it’s doing. And I do think we have the opportunity to make it even more secure, especially when we move into cloud environments. Because when the Internet was developed, security was just not a consideration; it was about communication and convenience. We have tacitly made the assumption over all of these years that we value the convenience and the efficiency that we get from today’s Internet and all of cyberspace, and we’re willing to work really hard to develop the security that we need to be able to continue to use it.
2012 Google announces new privacy policy
2012 ISO/IEC 27032 publishes international guidelines on cybersecurity
2012 Shamoon used against Saudi Aramco and damages some 30,000 computers (attack aimed at stopping oil and gas production at the biggest OPEC exporter)
But I think it’s a system that the entire world depends on. It would be very difficult to imagine living without it. So I think we’ve made tremendous strides, and we just have to continue to work very, very hard to deal with all the security issues that come up.

ELIZABETH A. HIGHT: This is a journey. A secure cyberspace is not necessarily a destination. With technology comes vulnerabilities. Our ability to recognize them is incredibly important. I use this phrase: “Hug an ethical hacker.” Start thinking about how to protect your systems by thinking like a bad guy. One of the new industries that has sprung up is ethical hacking courses for senior government and industry executives. This is a continuum that we will be on forever, long after we’re no longer here.

GIL KLEIN: Marc, do you have any final thoughts?

MARCUS H. SACHS: Cyberspace being a metaphor, it is also an extension of the human mind and human society, what we think and what we do. There’s opportunity for the bad guys to take advantage of it, and there’s opportunity for the good guys to do it right. And there are opportunities for governments, for the private sector, for academics. Right now, we’re at the beginning of something really, really cool. And we’re the only generation that gets the first bite of the apple. Subsequent generations have to put up with our thinking. When historians look back on our legacy, I hope they will say, “These guys got it right. Facing this complex challenge, they got it right.” Shame on us if hundreds of years from now they’re still fixing the problems that we come up with here. I think that’s our challenge. That’s a challenge we can meet. But can we lead? Can we cause these changes so that future generations can build on what we’ve done?

GIL KLEIN: That is a terrific way to end this. Marc, Bill, and Betsy, thank you so much for being here. We certainly appreciate all the time you’ve given us. Thank you.
2012 Presidential Policy Directive 20 establishes national guidance for operations in cyberspace
2012 Distributed Denial-of-Service against U.S. financial institutions peaks at 60 gigabytes/second
2012 Hurricane Sandy affects power supplies and communication networks in northeastern U.S. for up to four weeks
2012 U.S. Congress releases a report on national security issues posed by Chinese telecom companies
2012 Syria shuts off Internet access across the country
2012 World Conference on International Telecommunications (WCIT) updates and revises the International Telecommunication Regulations (ITR)
Cyberdefense: A Retrospective
by Lt. Gen. John Campbell (USAF, Ret.)
It is always tempting, but usually wrong, to mark the beginning of an era from when you showed up, but I think there’s a pretty good argument that the Pentagon’s exercise Eligible Receiver 97 (ER97) in June 1997 marked the point where the Department of Defense (DOD) began to get serious about cyberdefense and cybersecurity. ER97 was one in a series of periodic exercises designed to test DOD’s crisis action capabilities, and the scenario included intrusions into different parts of DOD’s command and control systems, as well as simulated disruptions of civil critical infrastructure. The intrusions into DOD’s C2 systems were authorized by the Secretary of Defense and were real. The Red Team left behind non-malicious marker files to document their success, and the exercise play incorporated effects the Red Team could have caused given the level of access they achieved. While the critical infrastructure attacks were simulated, they were based on well-understood systems, known vulnerabilities, and openly available tools. ER97 played out over a two-week period in a realistic operational scenario in the Pacific region, with the realism enhanced by a daily CNN-like news broadcast detailing the developing crisis, characterized by ambiguous information, confused lines of authority, and loss of confidence in command and control systems. While some inside observers had long recognized DOD’s growing cyber vulnerabilities, it was not a problem on most people’s front burner; however, to quote one senior DOD official, ER97 “scared the hell out of a lot of people” and got the attention of senior leaders like Deputy Secretary of Defense John Hamre, who provided the top cover to set up a formal structure with operational authority to organize for cyber defense. I happened to be newly assigned to the Joint Staff and had the opportunity to help respond to the findings of ER97. 
Later, I would serve as the first commander of the Joint Task Force–Computer Network Defense, which had, for the first time, the single mission of defending DOD’s networks from attack. From its origin in 1998, this fledgling organization grew through several iterations into the Joint Task Force–Global Network Operations, which was absorbed into the U.S. Cyber Command in 2010. So I think a case can be made that June 1997 marked the beginning of DOD’s widespread awareness of its cyber problem and the point from which the present cyber defense structure dates.

Over the years, we have come to divide the cyber disciplines into Defense, Exploitation, and Attack, with exploitation and attack closely linked because the network access which enables exploitation can also be used for attack. (To paraphrase former NSA Director General Mike Hayden, “attack is a lesser included form of exploitation.”) Computer network attack has long seemed to have tremendous potential to support or even replace kinetic action, and some examples have emerged, most notably the Stuxnet attack on Iran’s nuclear enrichment plants. But because much of the discipline is highly classified, it is difficult to judge how well it has delivered on that promise. Still, cyber attack is an exciting tool with a growing target set.

(continued on page 28)

Lt. Gen. John Campbell (USAF, Ret.) is chairman, Government Advisory Board, Iridium Communications Inc. During a 32-year career with the U.S. Air Force, he served as associate director for Military Support for the CIA, vice director of the Defense Information Systems Agency, and the first commander of the Joint Task Force–Computer Network Defense, as well as completing a variety of flying assignments around the world.

Illustration by John Ritter
Maryland, My Cyber Maryland
BY BOB LUDWIG
The Old Line State is the epicenter of a new industry.

The name of the Maryland state song— “Maryland, My Maryland”—hasn’t changed. But today, it seems the title of the old battle hymn ought to include cyberspace, as Maryland quickly evolves into the epicenter of the nation’s booming cybersecurity and information assurance industries. The state is uniquely situated to lead a cybersecurity industry that has exploded in the past 10 years, and it is no surprise that Maryland was chosen as home of the National Cyber Security Hall of Fame.

At the federal level, Maryland is home to key cybersecurity-related agencies like the National Institute of Standards and Technology (NIST), the National Security Agency (NSA), the Defense Information Systems Agency (DISA), and the Intelligence Advanced Research Projects Activity (IARPA). And as a result of the Defense Department’s Base Realignment and Closure (BRAC) Commission, Maryland added the U.S. Cyber Command, which relocated to Ft. Meade in 2011, and the Army’s Communications-Electronics Command (CECOM), now based at Aberdeen Proving Ground.

Maryland’s colleges and universities are integral to the industry, as well, graduating students from some of the country’s first academic programs in cybersecurity. UMUC is one of 13 Maryland universities—more than in any other state—designated as National Centers of Academic Excellence in Information Assurance Education by the NSA and Department of Homeland Security (DHS).

“Maryland has a phenomenal ecosystem,” said Jeani Park, director of cyber development at the Maryland Department of Business and Economic Development (DBED). “With our unique cluster of cyber-related government, academic, and business entities, we have the building blocks to be a dominant player in the cybersecurity industry.”

Park’s comments echo some of the key points laid out in a comprehensive report that DBED released in 2010. That report, entitled, “CyberMaryland: Epicenter for Information Security & Innovation,” outlined Maryland Governor Martin O’Malley’s blueprint for the state’s role as the national leader in cybersecurity and launched the CyberMaryland initiative. “Our state has tremendous assets to keep the country safe and advance innovations in cybersecurity,” O’Malley wrote in an introduction.

According to market research cited in the report, the federal information technology market is estimated at $98 billion in 2013, and federal demand for information security products and services alone is projected to total almost $12 billion in 2014. The commercial market is expected to be even larger.

Lockheed Martin, the aerospace and defense giant headquartered in Bethesda, employs 9,200 in Maryland and 140,000 worldwide. In 2009, the company opened its NexGen Cyber Innovation and Technology Center, a cyber research and development facility, in Gaithersburg.

CyberPoint International, a company that is developing innovative cybersecurity products for the consumer market, is an example of another company that is fueling commercial job growth. The Baltimore-based firm opened just three years ago and now employs about 300, most highly trained engineers and IT professionals. Karl Gumtow, CyberPoint’s co-founder and CEO, is a member of UMUC’s Board of Visitors. He located his company in Baltimore as a way to give back to the city and to spotlight the increasingly important role that cybersecurity plays in our society and economy.

Rick Geritz, the general manager of product services at CyberPoint, also serves as chair of the Cyber Advisory Board, an informal group that includes representatives from leading systems integrators, cyber firms, and federal institutions, along with academicians and investors. The group helped organize the highly successful CyberMaryland 2012 conference last fall in Baltimore. UMUC was a major sponsor of the conference, which featured Michael Daniel, Special Assistant to the President and Cybersecurity Coordinator, and other prominent speakers, spotlighting Maryland’s position as the national epicenter of cybersecurity.

A jobs report released in January identified 20,000 unfilled cybersecurity jobs in the state. Contributing to that demand is growing commercial activity that is drawing attention from venture capitalists and Wall Street investors who are increasingly bullish about Maryland. InvestMaryland, for example, has raised $84 million in venture capital to support commercial growth in key high-tech sectors, including cybersecurity. In an initiative to boost technology transfer, the NIST is creating Centers of Excellence that will put $20 million up for grabs through a grant program aimed at research and development and the commercialization of cyber-related technologies.

At the same time, a multitude of business incubators in the state already exist, and many are heating up with cyber-related activity. University of Maryland, Baltimore County-based bwtech@UMBC, for example, has about 25 startup companies in its Cyber Incubator and another 16 that are slightly further down the path.

As technology advances and the federal government works to pass comprehensive legislation on cybersecurity, the Maryland legislature has been proactive, doing what it can to prevent cyber attacks internally while also fostering the continued development of the cybersecurity industry in Maryland. State Delegate Susan Lee (District 16-Montgomery County), who was instrumental in creating and served as co-chair of the Identity Theft Task Force, spearheaded the creation of the Maryland Commission on Cybersecurity Innovation and Excellence. The commission’s twofold mission is to review the state’s cyber laws and policies and to develop strategies that protect against future cyber attacks, while also helping spur cybersecurity innovation and job creation. Senator Catherine F. Pugh (District 40, Baltimore City) is the Senate co-chair of the commission.

The commission draws on the expertise of the cybersecurity industry, higher education institutions, consumer and victim protection groups, and other state and federal officials to accomplish its goals. UMUC was chosen to staff the commission and support its work. “Technology is advancing very quickly, but so are the people involved in cyber crimes and terrorism,” said Lee. “We need to move just as fast, or faster, than they do.
We will work with Congress to fill in the gaps that exist in federal and state laws and to advance state and federal cyber protection issues.” The University System of Maryland (USM) has also taken a leadership role in ensuring that higher education is adding to the state’s research and development environment, developing workforce-relevant cybersecurity programs, and producing the intellectual capital needed by industry. A Cyber Security Task Force convened by USM Chancellor William E. “Brit” Kirwan generated a report in 2011 that serves as a roadmap for the system’s institutions. As the industry evolves, the task force recommended that USM expand the number of cybersecurity and information assurance offerings and establish more government and private-sector partnerships, while continuing to strengthen research and support innovation and technology
transfer in cybersecurity. These goals have been incorporated into USM’s 2020 strategic plan, “Powering Maryland Forward.” Among USM institutions, UMUC has been at the forefront of responding to urgent workforce needs in cybersecurity. UMUC’s Cyber Think Tank, which includes experts from the military, government, and industry, was created to guide the development of cyber programs that are now some of the most popular academic offerings at the university. Most of these courses are taught online by adjunct faculty who are professionals in the field. Not surprisingly, enrollments in cybersecurity studies at UMUC have seen exponential growth in the past two years, and more than 5,200 students are currently enrolled. Quality and talent are outstanding, as evidenced by the team of UMUC cybersecurity students who have won numerous competitions that demand skills in network defense, data forensics, and more [see story, p. 24]. “Cyber is a ‘big tent’ term,” said Greg von Lehmen, senior vice president at UMUC and staff director for the state Commission on Cybersecurity Innovation and Excellence. “It covers a range of problems, from those involving individual security (i.e. protecting various types of personal information) to larger ones affecting our economic competitiveness and national security. When creating a workforce, we have to think about the variety of specializations that come together to do the work, from mathematics to any number of computer, network, and software-related disciplines.” UMUC, which recently added a new program in digital forensics, is working with the Defense Cyber Crimes Center (DC3), the largest digital forensics laboratory in the United States, to develop a pipeline of trained investigators. “It’s an exciting time to be part of higher education in Maryland,” said von Lehmen of the developments at UMUC and other USM institutions. 
While UMBC houses the Cybersecurity Incubator, the University of Maryland, College Park, is home to the Intelligence Advanced Research Projects Agency and in 2010 created the Maryland Cybersecurity Center (MC2), which partners with government and industry to provide educational programs and develop innovative cybersecurity technologies. “Come! for thy shield is bright and strong,” exhorts one verse in “Maryland, My Maryland.” It may not have been written with the cybersecurity industry in mind, but it seems fitting as Maryland establishes itself as the epicenter of the industry today.
Team Padawan BY KATHY HARVATT
UMUC students, alumni, and faculty are making waves in the world of cybersecurity competitions.
Achiever | 24 | University of Maryland University College
PHOTOGRAPHS by MATTHEW PACE
Although University of Maryland University College (UMUC) doesn’t field a football or basketball team, one group on campus is nonetheless making a name for itself in national and international competition.

Meet the Cyber Padawans, a team of competitive cybersecurity experts. Their team name—a nod to the Jedi apprentices from the movie Star Wars—isn’t the only thing that has garnered attention.

In fact, Matt Matchen and five of his fellow Padawans—students John Arneson and Armando Quintananieves, alumnus Chris Kuehl, and faculty members Jeff Tjiputra and Rob Murphy—recently topped some 80 university and corporate teams to take first place in the North American CyberLympics finals. Representing North America at the Global CyberLympics in Miami, the team stepped up to the challenge, finishing second overall.

Soon after, the Padawans took first- and second-place honors in the four-year college category at the Maryland Digital Forensics Investigation Challenge. They also went on to place third out of 18 U.S. undergraduate teams—and fourth out of 27 worldwide competitors—in the Department of Defense Cyber Crime Center’s year-long Digital Forensics Challenge (or DC3).

These achievements are made more significant by the fact that UMUC is still relatively new to the world of cybersecurity competition. It all began about two years ago when Tjiputra—academic director of cybersecurity and computer networks and security for UMUC’s Undergraduate School—began looking for ways to help his students apply the theories and concepts they were learning in class.

“Having competed myself as an undergraduate, I know that these challenges are a great learning tool and an incentive to study even harder,” said Tjiputra. “In my experience, those who get involved in competitions tend to go on to bigger and better things, because it makes the field all the more exciting.”

To recruit players, Tjiputra created a special online class and invited all interested comers. At first, only 10 students signed up; just two years later, the class has grown to include 75 students who, Tjiputra said, are quickly moving into the “best of the best” category.

For Arneson, the opportunity to compete has given him a tremendous advantage in his cybersecurity bachelor’s degree program.

“I chose this major because I’ve always wanted to work in intelligence,” he said. “But when I got to UMUC after two years of community college, I had never even taken a computer class. I caught up fast, though, when I joined the team, because you learn a lot just preparing for competitions. I also love the major adrenaline rush you get when you’re powering through a challenge.”

During some of the more grueling competitions, adrenaline was all that kept the team going.

“At the [Global] CyberLympics challenge, we were on our computers for six hours straight, working in tight quarters and taking restroom breaks one at a time,” said Quintananieves. “So once the rush of playing wore off, all that any of us wanted to do was eat and sleep.”

Like any good team, the Padawans have developed a strong rapport, along with a number of war stories. Matchen laughed as he recalled the team’s rather unconventional practice routine for the CyberLympics final rounds in Miami.

“We decided to go down a week early to get in some much-needed practice time,” said Matchen. “Problem was, the only Wi-Fi at our motel was in the lobby. Luckily, there was a Starbucks next door where we could set up, using my cell phone as a router for connecting into the practice program. Looking back, I guess we owe the folks who worked there a pretty big thanks.”

While the cyber competition field is still, for the most part, male-dominated, Tjiputra is also happy to see a growing number of women signing on to the team, including Jean Costello, one of four Padawans to take first place in the Maryland DFI challenge.

“I wanted to work with really bright people who have a passion for cybersecurity like me—and I wanted to have some fun while doing it,” said Costello, who is pursuing a bachelor’s degree in cybersecurity. “I decided [the Cyber Padawans] are the best of the best—and I wanted to get to know those people.”

Meanwhile, Tjiputra looks forward to creating a UMUC-sponsored competition in the future that will help to raise even greater awareness around the university’s cybersecurity programs.

“We’ve come a long way in a fairly short time, competing against some of the brightest minds in the world,” said Tjiputra. “And the momentum just keeps building.”

The Cyber Padawans in action at the Global CyberLympics in Miami, Florida.

CLOCKWISE FROM TOP LEFT: John A. Arneson, Christopher Kuehl, Jeff Tjiputra, Matt Matchen, Robert Murphy, Armando Quintananieves. Opposite page, top: The team created avatars—through the South Park Web site—to represent their online personas.
UMUC extends special thanks to Cyber Padawan Matt Matchen and his employer, Braxton-Grant Technologies Inc. (BGTech), for providing a unique practice opportunity. Using his company’s IT resources, Matchen set up a private cloud with some 20 virtual machines, allowing the Padawans to log in remotely and practice together for competitions. BGTech is a small, woman-owned systems integration consulting firm that provides cybersecurity solutions to clients in government, healthcare, education, and finance.
UMUC AND CYBERSECURITY
by Greg von Lehmen
Photograph by Katherine Lambert
Greg von Lehmen is senior vice president of External Relations and Initiatives at UMUC and previously served as the university’s provost and chief academic officer. As provost, he led the university’s effort to bring UMUC’s cybersecurity programs to fruition. Among his current responsibilities, he staffs the legislative Maryland Commission on Cybersecurity Innovation and Excellence.
Illustration by John Ritter
America has an urgent need for trained professionals in the field of cybersecurity—and UMUC has emerged as a pathfinder in meeting that critical need. Neither fact is surprising. We live in a digital age; vast quantities of valuable intellectual property and sensitive data now reside on networks or in the cloud, and financial transactions are conducted over the Internet. National communications networks, our electrical grid, and rail and pipeline infrastructure are all controlled online. While these developments have yielded great consumer and economic benefits, they have also created new kinds of vulnerabilities—and opportunities for those who seek to exploit them. The stakes have never been higher, with national security and the very competitiveness of the American economy at risk. Compounding that risk is the fact that demand for trained cybersecurity professionals far outpaces supply. That reality served as impetus for UMUC to launch some of the first online degree and certificate programs in cybersecurity in 2010. The role of pathfinder is not a new one for UMUC. The university is well known for being the first to offer academic programs to active-duty military servicemembers on military installations around the world. It has also distinguished itself as a pioneer in online higher education and is the largest public provider of distance education degrees in the United States. At the same time, UMUC developed a deep portfolio of applied technology-related undergraduate and graduate degree programs. It has offered degrees in information systems and information assurance and is certified by the National Security Agency and the Department of Homeland Security as a Center of Academic Excellence for Information Assurance Education.
Cybersecurity was a logical next step in UMUC’s ongoing efforts to respond to the country’s most critical workforce needs. In the fall of 2010, the university launched master’s, bachelor’s, and certificate programs in cybersecurity and cybersecurity policy. The response was immediate and overwhelming. More than 5,200 students are currently studying cybersecurity, with another 3,300 enrolled in related programs like information assurance, computer science, and network security. To date, 232 students have graduated with degrees from the cybersecurity programs alone. And last fall, the university added another master’s program, this one emphasizing digital forensics.

The program’s success is no accident. Members of the university’s Cybersecurity Think Tank—comprising distinguished leaders from business, government, and the military—have informed both the design and content of each program, helping to ensure that students graduate with job-ready skills. And UMUC’s commitment to addressing the human capital crisis in cybersecurity goes beyond creating degree programs. For example, the university helps build the pipeline of skilled professionals by forming educational partnerships with business and government agencies, allowing those organizations to develop their own cyber talent. More than 80 community college alliances in Maryland and nationwide allow students who graduate with a two-year degree in a computer-related field to transition smoothly into a UMUC bachelor’s degree program in cybersecurity or a related field. And the university constantly seeks scholarship support for cybersecurity students—often from the very firms poised to hire them when they graduate.

Today, UMUC’s cybersecurity students perform impressively in cyber competitions [see the story on p. 24]. Its faculty regularly present at major conferences of the National Institute of Standards and Technology (NIST) and the Armed Forces Communications and Electronics Association (AFCEA), among others. And UMUC was asked to staff and now actively supports the Maryland legislative commission on cybersecurity. In short, cybersecurity has become an integral part of UMUC—even as UMUC has become integral to the field of cybersecurity.

UMUC CYBER SUPPORTERS

Corporate and Individual Donors: AT&T; Richard F. Blewitt; Booz Allen Hamilton; CISCO; CITI; COPT; Creative Information Technology; Cyberpoint; Dell; Deloitte; Gerencser Family; Google; Hyland; L-3 STRATIS; Lockheed Martin; ManTech International; McAfee; Microsoft; NJVC; Northrop Grumman; Open System Sciences; Dr. Don Orkand; Pearson; SAIC; SAS; Sotera Defense, Inc.; Telecordia; UMUC Alumni Association; URS Apptis; Verizon

Educational Partners: AFCEA; ARINC; Boeing; Booz Allen Hamilton; CACI; InfraGard National Members Alliance; L-3 STRATIS; Lockheed Martin; Lunarline; ManTech International; Northrop Grumman; SAIC; TASC

LEARNING FROM THE BEST
The academic leadership of UMUC’s cybersecurity programs reflects a rich background of experience and scholarly achievement.

Dr. Alan Carswell, chair of cybersecurity and information assurance in The Graduate School, began teaching for UMUC in 1989, having served most recently as director of advancement operations for Howard University in Washington, D.C. He holds an MBA from Harvard Business School and a PhD in information systems and strategy from the Robert H. Smith School of Business at the University of Maryland, College Park. He currently serves as a member of the advisory boards of the National University Technology Network and of the CyberWATCH Consortium.

Dr. S. K. Bhaskar is assistant dean, computer information systems and technology department, in The Undergraduate School. He joined UMUC in 1998 after serving as senior programmer and analyst at SRA Technologies, Inc., in Falls Church, Virginia. He holds an MS from the School of Automation, Indian Institute of Science, in Bangalore, India, and earned his PhD in computer science from the University of Maryland, College Park. He has published articles in a variety of scholarly journals, including Pattern Recognition and Computer Vision, Graphics, and Image Processing.

Dr. Amjad Ali is director of the Center for Security Studies and associate chair of the department of cybersecurity and information assurance in The Graduate School. He served previously as dean of the Keller Graduate School of Management–New York Region. He received an MS and PhD from the George Washington University in Washington, D.C., and is a member of the advisory board of the Center for Strategic Cyberspace and Security Science. Previously, he served on the Cybersecurity Advisory Council at the Maryland Higher Education Commission.

Dr. Jeff Tjiputra, who joined UMUC in 2010, is academic director of computer networks and security and of cybersecurity in The Undergraduate School. Previously, he chaired the Business and Technology Division at the College of Southern Maryland. He earned his Master of Liberal Studies in internetworking management from Fort Hays State University in Kansas, and his DSc in systems engineering from the George Washington University. He currently serves on the advisory board for the upcoming GovSec Conference in Washington, D.C.
LEFT TO RIGHT:
Drs. Alan Carswell, S. K. Bhaskar, Amjad Ali, and Jeff Tjiputra
CYBERDEFENSE: A RETROSPECTIVE
continued from page 21

Looking back 15 years to ER97, however, it seems clear to me that defense is by far the most important of the cyber disciplines, because the consequences of mission failure are so enormous. Despite the Stuxnet example, computer network attack is mostly a supporting capability, and if we don’t do it well—or at all—our military and national objectives are unlikely to be compromised. On the other hand, if we don’t do passably well at defense, we are at risk in many ways. On the battlefield, almost everything we do to plan, execute, and support military operations depends on networks of networks. At home, much of our critical infrastructure is vulnerable in varying degrees to cyber attack. And in the private sector, industrial cyber-espionage siphons off much of the investment in research and development. While it is hard to place a precise dollar value on these sorts of thefts, the similarities between the Lockheed F-22 and F-35 jet fighters and the Chinese J-31 and J-20 offer one example, suggesting that years of work and billions of dollars of intellectual property have gone east.

Harnessing the power of computer networks helps create social, economic, and military advantage, but it also makes us the world’s most attractive cyber target. Secretary of Defense Leon Panetta recently warned of the possibility of a “cyber Pearl Harbor.” Interestingly, Deputy Secretary of Defense John Hamre used almost the same words in testimony to Congress in 1998, and it’s instructive that the assessment of our senior leaders hasn’t changed all that much in almost 15 years. If we want to avoid being the world’s most vulnerable cyber target, we need to incentivize world-leading technology, develop and empower a responsive public/private cyberdefense organizational structure, and invest in a skilled cyber workforce.
MYSTERY SOLVED

Who was the airman-scholar on the cover of the fall 2012 issue of Achiever? For 15 years it has been a mystery. The photograph of the Air Force staff sergeant studying while propped against a nose wheel first appeared in print in the history book that commemorated UMUC’s 50th anniversary. Despite repeated inquiries, the book’s editors could not identify the sergeant and settled for a generic caption: “Military students had to do their homework wherever and whenever they could find a place to study.”

Flash forward 15 years. Achiever’s editor decided the photo best illustrated the cover story on UMUC’s long history of service to the military. Again, the young man was unidentified. Then, shortly after the magazine reached subscribers, the editor received an e-mail—and the mystery was solved.

“I received my issue of Achiever yesterday,” wrote April Gower-Getz, a 1998 graduate of UMUC who lives near the university’s Adelphi, Maryland, headquarters. “What a wonderful surprise to see my uncle Fred R. Thomas on the cover.”

April said that her uncle had passed away in 2010, and the cover photo was one of her favorites of him. Unfortunately, the original was lost in a fire in 1973. And although she knew that her uncle attended school while in the military, she hadn’t known until she saw the Achiever that he, too, attended UMUC. UMUC President Javier Miyares was honored to share with April a copy of the photo, a copy of the history book, and three framed copies of the Achiever cover—one for her, and one each for Fred’s sister (April’s mother) and his widow (April’s aunt).
CLASS NOTES
Anthony “Tony” Tomasello ’85
Ijamsville, Maryland, was sworn in as Gaithersburg city manager on December 4, 2012, following a competitive search. He has worked for the city since 1996, first as economic development director and later as deputy city manager. He had served as acting city manager since his predecessor resigned in June 2012. Before joining the city of Gaithersburg, he served as program manager for the Maryland Department of Business and Economic Development from 1988 to 1996 and worked for the Wells Fargo Credit Corporation from 1985 to 1987.

Jack Kushner ’90
Annapolis, Maryland, a neurosurgeon and consultant, has been appointed honorary director general of the International Biographical Centre of Cambridge, England.

Juan Carlos Gachet ’02
Fort Campbell, Kentucky, is a U.S. Army staff sergeant with Headquarters and Headquarters Company, 2nd Battalion, 502nd Infantry Regiment, 2nd Brigade Combat Team, 101st Airborne Division. After earning his undergraduate degree from UMUC and an MBA from Hawaii Pacific University, he went on to graduate with honors in October 2012 from California InterContinental University with a Doctorate of Business Administration in global business and leadership. He intends to retire from the military in May 2013 and return to the Fort Lee, Virginia, area, where he plans to serve either as a logistics instructor or a contractor.

Thomas Hyde ’06
Olney, Maryland, vice president of Miller & Smith—an award-winning homebuilder and real estate development company—has been installed as president of the Frederick County Building Industry Association. He also served on the board of directors of both the Maryland National Capital Building Industry Association and the Maryland State Builders Association.

Sara Hopkins ’07
Norco, California, who has worked at the Norco Library for eight years, recently earned her master’s degree in library and information science from San Jose State University. She began taking courses online in 1999 at Ivy Tech University in Indiana, and went on to earn her bachelor’s and master’s degrees online, as well.

David W. Carter ’09
Wichita, Kansas, is a military historian, author, and educator. His recent book—Mayday Over Wichita: The Worst Military Aviation Disaster in Kansas History—will be released for publication in fall 2013. It tells of the day in 1965 when an Air Force KC-135 tanker carrying 31,000 gallons of jet fuel crashed into a congested African American neighborhood in Wichita, killing 30 civilians—many of them children—and injuring dozens more. The disaster has been largely forgotten, and the book explores the causes of the crash and examines the community’s response in the context of Kansas’s role in the Civil Rights Movement. Carter was interviewed by Cindy Klose from KWCH 12 for Klose Up and by Kansas Public Radio’s J. Schafer. For more about Carter and the forthcoming book, visit dwcarter.wix.com/dwcarter.

Danielle Ahmad Hayes ’12
Reno, Nevada, completed her studies at UMUC and has been accepted to medical school at the University of Nevada, Reno.

Steve Klitsch ’12
Germantown, Maryland, has more than 30 years of experience as a remodeler and owns Creative Concepts Remodeling. He enrolled in UMUC’s Master of Distance Education program with the express purpose of learning how to develop and disseminate college-level coursework in an asynchronous environment to peers in the remodeling industry, and soon purchased the domain name, www.remodelersinstitute.com. One of his instructors was also involved in workforce development for Anne Arundel Community College (AACC), in Maryland, and she suggested that he consider offering the four-course curriculum he developed through AACC’s established learning management system. The school began offering the first business course developed by Klitsch’s Remodelers Institute for Lifelong Learning in the fall of 2012. In a profile published in Remodeling magazine, the author dubbed Klitsch the “Professor of Remodeling.”
BIG DATA: DREAM OR POTENTIAL NIGHTMARE?
continued from page 19

same industry category increases value at only a slight increase in operating cost. This makes a community or shared services approach practical, affordable, and effective.

In short, Big Data presents corporate leadership with new business opportunities—and new responsibilities. The opportunities vary greatly by industry, but the responsibilities are fundamentally the same: the protection of personal, corporate, and sensitive data. Data security strategies must shift from the expensive static approaches of the past to the more cost-effective, dynamic, and collaborative approaches of the future. The market will ultimately reward those companies that capitalize on opportunities and take the necessary steps to ensure data security.
FACULTY KUDOS
Thomas C. Bailey, program director for psychology in The Undergraduate School, presented (with Jennifer L. W. Thompson) “Designing an E-Online Course, with Options” at the Eastern Psychological Association Annual Meeting, in New York City.

Lisa Bernstein, who teaches women’s studies in The Undergraduate School, presented two papers—“Creating Class, Race and Gender Conscious Futures in the Feminist Classroom,” and “Feminist Transformations of Online Discourse: Decolonizing 21st-Century Pedagogy and Practice”—at the National Women’s Studies Association annual conference in Oakland, California, November 8–11, 2012.

Cherie Butts, who teaches natural sciences in The Undergraduate School, recently accepted a new, full-time post as associate director of immunology research at Biogen Idec, a leading biotechnology company, in Cambridge, Massachusetts. She also coauthored a chapter in the seventh edition of Dubois’ Systemic Lupus Erythematosus textbook.

Cynthia Davis, acting provost and dean of The Undergraduate School, presented a speech on outcomes-based curriculum design at the International Summit on Education, Catholic University of Chile, in Santiago, Chile, January 9, 2013.

Elena Gortcheva, program director for database systems in The Graduate School, coauthored a chapter, entitled “Artificial Intelligence: Methodology, Systems, and Applications,” in Lecture Notes in Computer Science, Vol. 7557 (2012).

Melissa Hyatt, who teaches criminal justice courses in The Undergraduate School and holds the rank of major in the Baltimore Police Department, recently graduated from the FBI National Academy and was promoted to Central District Commander.

Ruth Kastner, who teaches philosophy in The Undergraduate School, published The New Transactional Interpretation of Quantum Mechanics: The Reality of Possibility (Cambridge University Press, 2012).

Kelly Knight, who teaches natural sciences in The Undergraduate School, was elected biology section chair of the Mid-Atlantic Association of Forensic Scientists in 2012. She was also awarded the American Academy of Forensic Sciences Regional Award for contributions by a young forensic scientist.

Linda LaMacchia, who teaches anthropology and humanities in The Undergraduate School, presented “Basic Buddhism in Songs: Contemporary Nuns’ Oral Traditions in Himalayan Kinnaur District (H.P.), India” at Sakyadhita International Association of Buddhist Women 2013 Conference in Vaishali, Bihar, India, January 5–12, 2013.

Bruce Lubich, program director of accounting in The Graduate School, was appointed in December 2012 by the governor to a two-year term on the Financial Education and Capability Commission.

Kathy Marconi, program director for health care administration and health administration informatics in The Graduate School, in December 2012 was appointed chair of the Distance Education Committee of the Healthcare Information Management Society.

Ruth Markulis, a project coordinator in Instructional Services and Support, presented “Effective Course Design,” November 2, 2012, at the Western Interstate Commission for Higher Education (WICHE) Cooperative for Educational Technologies in San Antonio, Texas.

Debra McLaughlin, academic director of natural sciences in The Undergraduate School, presented “Staging Project-Based Assignments to Support Academic Integrity and Student Retention” to the International Forum for Women in E-Learning as part of the U.S. Distance Learning Association. She was invited by the American Council on Education (ACE) to serve as a reviewer for various emerging science and allied health programs around the United States.

Irmak Renda-Tanali, program director for homeland security management and emergency management in The Graduate School, wrote a chapter for David Kamien’s Homeland Security Handbook (McGraw Hill, 2012), entitled “Higher Education in Homeland Security: Current State and Future Trends.”

Richard Schumaker, assistant director of faculty development, workshops, and training in UMUC’s Center for Teaching and Learning (CTL), co-presented (with Amity Hall, CTL faculty training specialist, and Rich Powers, CTL senior trainer) “Teaching Military Learners Around the World: A Holistic Approach,” October 9–12, 2012, at the Sloan-C International Conference on eLearning in Orlando, Florida.

Barbara Schwartz-Bechet, program director for the Master of Arts in Teaching in The Graduate School, published “Can Course Design in an Online MAT Program Promote Personalized Learning Through E-Teaching and E-Learning Practices?” in the International Journal of Advanced Corporate Learning, Vol. 5, No. 4 (2012).

Barry Sponder, who teaches in the Master of Education in Instructional Technology program in The Graduate School, gave a keynote address at the 18th CIAED-ABED International Congress on Distance Education in São Luis–Maranhão, Brazil.

Merrily Stover, collegiate professor of anthropology in The Undergraduate School, presented (with Darlene Smucny, collegiate professor and academic director for social sciences) two papers—“Serving Those Who Serve: Anthropology and the Military Learner,” and “Anthropology and the Online Adult Learner: Building Bridges for Successful Teaching and Learning for Nontraditional Students”—at the 111th Annual Meeting of the American Anthropological Association in San Francisco, California, November 14–18, 2012.

Jennifer L. W. Thompson, who teaches psychology in The Undergraduate School, presented “Crossing the Divide: Bridging the Distance Between Online Faculty and Students” at the Conference on Higher Education Pedagogy, in Blacksburg, Virginia; and “Using Multimedia Strategies to Enhance Student Engagement in an Online Classroom,” at the Mid-Atlantic Teaching of Psychology Annual Meeting, in Largo, Maryland.

Ping Wang, program director for cybersecurity in The Graduate School, published a chapter entitled, “Decision Under Uncertainties of Online Phishing,” in Electrical Engineering and Intelligent Systems (Springer Science, 2012).

Denny Whitford, who teaches natural sciences in The Undergraduate School, served as guest speaker on Cunard’s Queen Mary 2 for its inaugural circumnavigation of Australia. Whitford presented an eight-part series of science lectures on topics such as tsunamis, coral reefs, ocean ownership, whales, tropical cyclones, and more.

NATIONAL LEADERSHIP INSTITUTE

Turn your rising stars into leaders.

National Leadership Institute (NLI) programs and one-day workshops can help your organization’s most promising employees develop new skills and leadership competencies through assessments, experiential exercises, and one-on-one executive coaching. NLI is a network associate of the Center for Creative Leadership (CCL) and a GSA/MOBIS contractor (GS#10F-0357N).

Choose from these programs:
• Maximizing Your Leadership Potential
• Leadership Development Program (LDP)®
• Executive Coaching
• One-Day Workshops
• Customized Leadership Programs

Attend an NLI "lunch and learn" program at UMUC at Dorsey Station or UMUC at Quantico.

Learn more about NLI at umuc.edu/nli

Copyright © 2013 University of Maryland University College
Meet the Alumni Association’s 2012–2013 Board of Directors

The Board of Directors is the 11-member leadership body of the UMUC Alumni Association. The board is made up of alumni volunteers who are exceptional examples of UMUC excellence, successfully representing the vast array of academic programs available. All board members are elected for two-year terms and serve on a number of committees and task forces.

Standing, Left to Right:
• Vice President, Student Relations and External Affairs: Joan W. Lee ’97 & ’06, Advisory Project Manager, IBM Corporation
• Secretary/Treasurer: Fran Volel-Stech ’89, Manager, Service Delivery Operations, Presidio
• Member-at-Large: Kemisola Lofinmakin ’05, Managing Consultant, IBM Corporation
• Immediate Past President: Nathaniel “Nat” Alston Jr. ’77, President/CEO, The Horizons Group, LLC
• Member-at-Large: Sheryl E. Banks ’00 & ’11, Account Manager/Billing Specialist, Harte-Hanks, Inc.
• Senior Vice President: Cheryl Adams ’90 & ’91, Course Chair, EDCP 100, and Collegiate Associate Professor, UMUC

Seated, Left to Right:
• Vice President, Membership: LaTonya (L.T.) Holland ’03, Office Manager, Catholic University of America
• Vice President, Programming: Yolanda E. Dowe ’03 & ’11, Chief of Physical Security, U.S. Department of Health and Human Services
• Vice President, Foreign Relations: Melissa M. Penn ’04, Management and Program Analyst, U.S. Citizenship and Immigration Services
• Member-at-Large: M. June Taylor ’03 & ’10, Office Manager, Prince George’s County Hospital Center
• President: Cleveland “Joe” Broussard ’05, Executive Director, ManTech Systems Engineering Corp.

CONNECTING ALUMNI | BUILDING OUR NETWORKS | STRENGTHENING UMUC
New Alumni Association Benefits

UMUC Library Research Databases: Alumni Edition

Now the UMUC Alumni Association can connect you to the UMUC Library Research Databases: Alumni Edition. This exclusive alumni benefit puts relevant content from top academic and business databases at your fingertips. You’ll have access to current news, market research, company profiles, the latest information on scholarship availability, and more from
• ABI/Inform: Alumni Edition
• Academic Search: Alumni Edition
• Business Source: Alumni Edition
• Emerald
• JSTOR
• Project Muse
• RefWorks

All these resources can be accessed from the convenience of your own computer—for just $75 a year with your FREE membership to the UMUC Alumni Association.

Alumni Travel Program

Want the fun and enrichment of world travel—without the worries? The UMUC Alumni Association now makes it easy for you to experience new cultures, see the scenic wonders you’ve always dreamed about, and share the camaraderie of your fellow alumni and peers. The unique itineraries of GoHagan, our approved travel vendor, offer the advantages and discounts of group travel with the comforts of first-class accommodations and stimulating educational components.

Two itineraries are already scheduled for 2013, cruising aboard the deluxe M.S. LeBoreal:
• Celtic Lands (May)
• Baltic Sea—The Changing Tides of History (June)

Tap into the Power of UMUC Alumni Networks

Stay Connected—Online

The UMUC Alumni Association has a variety of ways to keep you virtually connected to the association, the university, and your fellow alumni.
• Register as an Alumni Association member at www.umuconnect.org and become part of our fast-growing, secure Alumni Online Community
• Join the Alumni Association’s official LinkedIn group and network with fellow professionals
• Follow the UMUC Alumni Association in real time on Twitter
• Join our conversation on Facebook
• Share your unique UMUC story

Network at Alumni Events

Expand your personal and professional horizons by tapping into our growing global alumni network. Attend one of our events or activities in your region, such as
• Alumni Association Annual Meeting and Award Reception
• Alumni Association regional events
• Field-specific networking events
• Social meet-ups in your city
• Regional alumni network activities

And follow us online: www.umucalumni.org

LEFT: Elethress Wilson-Knights, Shannon O'Brien. BELOW: Kirk Clear, Patricia Toregas. ABOVE: Nat Alston, Javier Miyares, Nancy Slomowitz, Joe Broussard. RIGHT: Theresa Poussaint

www.umucalumni.org Stay connected! Join today!
3501 University Boulevard East Adelphi, MD 20783-8003 USA 800-888-UMUC (8682) www.umuc.edu
To learn more about UMUC’s cybersecurity programs, the achievements of our students, industry news, and much more, visit www.umuc.edu/cybersecurity. This new site provides information for prospective and current students, faculty, partners, and potential employers.
Visit the new UMUC Global Media Center for the latest news about students, faculty, and alumni, along with profiles, features, and links to resources: www.umuc.edu/globalmedia