Cybersecurity has no borders.
Attackers don’t care if their targets are in another state or use a different currency. Cybercrime is costing the world trillions of dollars, and analysts say that there aren’t enough qualified professionals to prevent those attacks.
To address this problem, RIT is creating the Global Cybersecurity Institute (GCI), aimed at meeting the demand for computing security and artificial intelligence professionals, while developing future technologies, protocols and human understanding needed to address the global cybersecurity crisis.
The institute, to be housed in a new, state-of-the art facility, will expand outreach, research and student-focused programs to help the university become a nexus of cybersecurity education and research. GCI will bring together academic disciplines—computing, liberal arts, engineering, business and others—to conduct interdisciplinary sociotechnical cybersecurity research. It will also develop industry, government and academic collaborations and professional development programs.
“The cybersecurity skills gap continues to pose a challenge on a global scale, with roughly 3 million unfilled positions around the world currently,” said Heather Ricciuto, Academic Outreach Leader at IBM Security. “Projects like this which encourage global collaboration amongst industry, academia and government are key to building diverse talent that will be equipped to conduct complex research and develop creative security solutions to help make the world a safer place.”
The three-story, 45,000-square-foot facility will include a Cybersecurity Learning Experience Center, state-of the-art Cyber Range, five research labs and several student lounges, instructional labs and faculty offices. It is expected to open in fall 2020. Executive Director Steve Hoover, former chief technology officer and senior vice president at Xerox, will be leading GCI.
The facility was made possible in part with designated funding from a donation made by Austin McChord ’09 and a $5 million grant from New York state, awarded competitively through its Higher Education Capital Matching Grant Program.
“New York state is proud to support RIT’s game-changing Global Cybersecurity Institute,” said Howard Zemsky, president, CEO and commissioner of Empire State Development. “With its laser focus on research and professional development, the institute will train the workforce to drive this critical industry’s commercialization in New York state, creating jobs and driving economic growth for generations to come.”
By working with industry, federal agencies and other universities, researchers in the institute are aiming to tackle the most pressing cybersecurity questions and problems. GCI has designated health care, energy, defense and financial services as core areas of cybersecurity research.
“Cybersecurity is a broad area that requires an interdisciplinary approach,” said Anne Haake, dean of RIT’s Golisano College of Computing and Information Sciences. “We should collaborate in many areas, including computing, business, social sciences and engineering, because the problems need to be understood in context rather than in isolation. We need to consider the different people, domains, laws, policies and nature of the data, hardware and software that are involved with securing our digital and physical worlds.”
Research is already under way in RIT’s Center for Cybersecurity, which will become part of GCI. Matthew Wright, director of the center, is focusing on a human-centered approach to cybersecurity and using artificial intelligence. He and his researchers are designing software that helps automatically detect deepfake videos.
Wright and another group also are using artificial intelligence and deep learning to research website fingerprinting attacks on the Tor anonymity system.
For S. Jay Yang, professor of computer engineering, more interdisciplinary research will let cyber defenders be more proactive in responding to increasingly sophisticated cyber attacks.
“We are at the point where cybersecurity professionals shouldn’t simply detect and protect against attacks as they come in,” said Yang. “We need technology that can predict attacks and trends.”
With funding from government agencies, Yang is developing a common platform for cyber defense with anticipatory intelligence.
The three-part project includes: ASSERT, which uses machine learning and information theory to extract the critical features that should be focused on during an attack; CASCADES, which uses simulation to generate synthetic cyber attack scenarios that have not been observed but could happen; and CAPTURE, which forecasts future cyber attacks based on unconventional sensors and signals.
Victor Perotti, the Benjamin Forman Professor for Collaborative Research in Saunders College of Business, is researching with computing colleagues how businesses adopt cybersecurity solutions. This includes how an organization plans, decides on, then implements cybersecurity software and behavioral initiatives.
“I’m excited for our faculty to be engaged in these interdisciplinary research efforts that can lead to the development of comprehensive, systems-level cybersecurity solutions for business and industry,” said Saunders College Dean Jacqueline Mozrall.
Outreach and certifications
There will be 3.5 million unfilled cybersecurity positions worldwide by 2021, according to Cybersecurity Ventures. This gap in cyber experts is a rallying cry for GCI leaders, including Justin Pelletier, director of GCI Cyber Range and Training Center.
“Having qualified cybersecurity professionals is critical to the defense of our way of life,” said Pelletier, who is also a computing security lecturer and Army Reserve counterintelligence officer. “If things in our energy, health care or finance industries are taken down by a malicious attack, we are in deep trouble.”
Pelletier will help fill this gap by offering certification programs through GCI. People seek out these certifications to sharpen their skills, at the request of employers, and to make changes in their careers. Certification programs could be one-week boot camps, mixed with some online instruction.
Examples of high-demand programs include the Certified Information Systems Security Professional (CISSP), Offensive Security Certified Professional (OSCP) and Certified Ethical Hacker (CEH) qualification.
While at RIT, professionals taking part in the programs will be based in the institute’s Cyber Range, a lab that simulates network cyber-attacks and problem-solving scenarios so people can practice their real-world skills.
RIT designers are working with experts at IBM to model the range after IBM’s X-Force Command Cyber Range, which was one of the first spaces to offer immersive simulations for cybersecurity training.
“This is a giant sandbox for cybersecurity experts to play and train in, without impacting real networks,” Pelletier said. “You could mimic the IT environment of an entire hospital in this lab and pinpoint critical systems during a specific attack scenario.”
GCI will also feature a Cybersecurity Learning Experience Center geared toward teaching general audiences about cybersecurity.
The experience center will include a cybersecurity hall of fame, student projects and hands-on demonstrations of best practices.
Industry is already connecting with GCI through the Eaton Cybersecurity SAFE (Security Assessment and Forensic Examination) Lab.
For the last two years, students in this lab have been performing penetration tests and vulnerability analysis on technology created by companies, including Eaton.
These partnerships blend research and experiential learning, allowing students to gain hands-on experience with internet of things (IoT) devices, while helping the companies better secure their new products.
Yang is also taking on a new role as director of global outreach for GCI. He will help the institute look beyond America’s borders by creating a coalition of academic partners who collaborate on cybersecurity research, pedagogy and experiential learning in culturally diverse environments.
“If we are going to have any hope in addressing this global crisis, we need to work with our allies to share best practices and learn how different cultures impact cybersecurity,” Yang said. “Hackers don’t care about physical boundaries—this is a global problem.”
GCI has already formed partnerships with universities in Czech Republic, Taiwan and Poland. Yang plans to organize scholarly exchanges for students and faculty and an annual workshop to examine ways to share data and infrastructure for cybersecurity research.
RIT is nationally recognized for cybersecurity education, having been designated as a National Center of Academic Excellence in Cyber Defense Education and in Research by the National Security Agency and the Department of Homeland Security.
With the new GCI, RIT’s computing security degree programs will have space to expand.
After moving its headquarters to the second floor of GCI, RIT’s Department of Computing Security plans to grow its undergraduate program by 25 percent to about 500 students. The graduate program will double, expanding to about 100 students.
“We are also going to add more in-depth scientific principles of cybersecurity into our curriculum, in addition to teaching the operational skills that we already do so well,” said Bo Yuan, professor of computing security and chair of the department. “We want to increase students’ knowledge of machine learning, advanced computer science and cyber analytics so they can solve the security problems of the future.”
Outside the classroom, students will continue to learn through RITSEC, the university’s cybersecurity club, and through competitions.
“Creating the Global Cybersecurity Institute is not the end goal—it’s the first step,” said Yuan. “This will enable RIT to jump to the next level, becoming a hub that advances the world’s knowledge in cybersecurity.”
Executive director named
Steve Hoover, former chief technology officer and senior vice president at Xerox, has been named executive director of the Global Cybersecurity Institute. He begins Sept. 15.
“I’m very excited about this opportunity and honored to be selected,” said Hoover. “Universities—and especially RIT—play a key role in preparing students and the technologies that we use to provide the security we all expect for our infrastructure, information and data.”
Hoover held a variety of roles at Xerox in both product development and research. He oversaw several global research centers including the Palo Alto Research Center (PARC), which he helped transform from Xerox’s flagship research laboratory to a world-class research and development organization in the business of open innovation.
Cyber competitions are an important part of the culture for cybersecurity students.
RIT is a perennial contender at the National Collegiate Cyber Defense Competition, taking home third place at the 2019 event in Orlando.
RIT is also the founder of the nation’s premier offensive-based competition, the Collegiate Penetration Testing Competition (CPTC). The Global Cybersecurity Institute will host CPTC every year.
Scholarship for Service
Many RIT computing students plan to give back to their country after graduation, by enhancing U.S. cybersecurity through the CyberCorps: Scholarship for Service program.
Students can earn a scholarship covering their costs at RIT, in exchange for agreeing to work at a government computing security job for the same number of years.