An interview with Eugene Vasserman

Eugene Vasserman
You’re right, my trajectory is unusual. I did start as pre-med in psychology at the University of Minnesota. I wanted a harder science and so I moved into neuroscience and being interested in biochemistry, I noticed that I could pick up a major with only three additional classes, so I decided why not? I never did finish my psych major. 

Towards the end of my bachelor’s degree, which because of what I just described, took far longer than it should have, I was doing research for a professor in robotics on the internet of things (IoT) before it was called that.

I’ve always been paranoid, so doing that research on networking protocols, I kept thinking, “Well what if you misuse it and how do I prevent that?” Having only a computer science minor, I applied to grad school in computer science. I think it’s a minor — maybe major —  miracle that I was accepted.

I think it was because several faculty members knew me. The person for whom I was doing research and the main security professor at the time who I kept bugging with questions because I didn’t do enough reading of related work. 

So I’m in security because I’m paranoid. I’m not paranoid because I’m in security.

Eugene Vasserman
When I started grad school, which I think was 2004, my advisor’s specialty was privacy and anonymity.

So I started in that area with several detours including looking at stuff like secure routing protocols. That was a major interest for me at the very beginning, but then… there were several projects along the way that were just done because, “Hey, interesting.”

The majority of my dissertation work ended up being privacy and anonymity, but particularly censorship resistance at a very large scale network. I simulated up to 100 billion users.

Eugene Vasserman
It was not really meant as a social media network, although it was bootstrapped for security reasons from social interaction. No one’s implemented it, including me. It was all just simulated. The protocol design is primarily what the dissertation was about. The network is meant as censorship resistance archival storage.

It had several interesting properties including being very robust in terms of information loss. You had to take about 70 percent of the network participants offline before you had any non-negligible chance of destroying even a single byte of data that is stored in the network. The major feature that it had was anything you store can’t be modified. It can be added to — you can upload future versions, but you can’t modify it.

And the reason for that is tied to the third major feature. Basically, in our definitions of who our adversary is, who our attacker may be, we were considering nation-states with perhaps not so pleasant police forces. So we assumed that someone may come to your house and say, “Hey, this information on the network, we don’t like it. Remove it.” It’s non-removable. You can modify it, but the old stuff will remain in place.

So the third feature, the reason this is related to the police coming to your house, is the network had a property that we were the first to define called membership concealment. That means even if you’re watching the entire network, it is difficult for you to determine who’s a member of that network and who isn’t. So if you have full control of the internet infrastructure, it’s still difficult to identify who is participating in the network and who isn’t participating in the network.

The thing is called a membership-concealing overlay network (MCON). The first rule of MCON, is that you don’t talk about MCON. So we place certain assumptions on it like you won’t just brag about it to your friends — because that destroys that membership concealment.

Eugene Vasserman
Yes. I graduated. I was very fortunate to find an academic job. It was a tough market. It still is. When I moved here, I wanted to explore a particular area of security, and that is security within medical device networks. So distributed systems of medical devices.

Eugene Vasserman
I have to admit, I don’t know a lot about the history of cyber-physical systems. I believe it was fairly organic in how it grew as a field.

Cybersecurity Guide
Okay.

Eugene Vasserman
Also, there’s not really a broad agreement on the definition of cyber-physical systems (CPS) especially as it differentiates from the internet of things (IoT).

Cybersecurity Guide
Okay, interesting.

Eugene Vasserman
A common definition I’ve heard is that cyber-physical systems can actually act on the world. Whereas internet of things devices can only sense the world, but I don’t really buy that. So I’m hard-pressed to find the difference, but I am sure there is a crisp, clean definition out there somewhere. I just haven’t seen it yet. 

In terms of their evolution, I don’t know if it was a specific effort to develop cyber-physical systems, but thinking to the most simple one, I can imagine a hydroelectric plant control. There may be a very common administrative task that you need to do every few weeks, days, or months and the location where you have to do it is in the middle of nowhere.

So at one point, you would hook up a computer to automate the thing, but what if you need to change something? You still have to go there. Eventually, you connect a modem to it and say, “Okay, I can just dial in, push a bunch of buttons and it’ll happen for me.” It evolved from there.

There were a lot of growing pains, especially with such indiscriminate connection of… well connectivity, especially if it’s internet-connected, not just connected to a modem via a random phone number, but there was… there’s a good history of people just going through phone numbers seeing if they connect to a modem and then seeing if that’s connected to anything cool. That’s also an ongoing process for the internet.

There are several search engines that specialize in scanning the internet looking for industrial control systems, cyber-physical systems, internet of things and basically telling you what their IP addresses are, what types of systems they are, etc. Without attacking them specifically, just mapping them from publicly available information.

Eugene Vasserman
Well, there are several major concerns. One is to actually introduce security in the first place. That is, how easy is it to retrofit into legacy devices? It is very difficult, mainly because of hardware limitations. But that was the first research question —  are there generalizable solutions for that kind of retrofitting and yes, we found several. The second question has to do with access control in the context of a different kind of connected device — a medical one.

When you think about connected medical devices today, you may think of a larger, more powerful device that does several things and sends on its information and even provides an interface for processing and analyzing that information.

But what if you broke up that device into individual sensors and actuators and the analysis step was done on a third component. So let’s say a sensor, an actuator, and a controller (“business logic”). Then you could dynamically compose a medical device from the sensors and actuators that are already present and create a “virtual” medical device, which is fundamentally different from what we think of today as “connected devices”. It’s just a bunch of connected components and you “build” the device as needed.

The controlling intelligence we just call an “app”, but it’s more like a smart workflow. Basically, if you have a workflow that provides blood pressure and pulse oximetry, and if you have sensors that support that, then you can poll those sensors dynamically, and the workflow pulls and displays that information together dynamically. Query them for their output format, how they produce data, what’s their quality of data, and then provide an analysis. You virtually “build” a device out of its individual sensing components.

The challenge there is how do you secure that entire interaction? Because you might imagine hooking up to random actuators and doing stuff to patients is a problem, and if you try to move as much intelligence as possible off of those devices, then how are the devices themselves to know whom to trust and whom to not trust?

There were several research questions including how do we even treat this type of network? Where do we put security? Of course, the answer is at all endpoints. Then how do we tie it all together? And how do we distribute and think about permissions from a clinician point of view versus a workflow point of view?

The hardest question of all I would say is how do you do access control in systems that are literally required by law to have an access control override such that a clinician can do whatever they need in case of emergency? We call this “breaking the glass,” which you have to do manually because by definition, devices are not trusted to sense that emergency.

The emergency means you have to tell the device “you don’t know what you’re doing. A human has to take over.” What can the device do if it can’t identify that human — how do you do access control without knowing who is accessing the device and what they intend to do? So you need robust access to control protection at the same time as you need a capability to turn it off literally at the press of a button.

Eugene Vasserman
This is mostly theoretical. They don’t exist yet. There are several systems that are approaching this kind of technology, but they’re not yet operational or they’re minimally operational. I tend to look 10 to 15 years into the future, which allows me a nice mix of practical research as well as theoretical.

Eugene Vasserman
The whole point of the center is to not confine ourselves to computer scientists doing research in the security field. So if you look at the people and the research projects at the center website, you’ll see a lot of traditional computer science-y stuff. But you will also see psychologists, and sociologists, education researchers, and other folks from many disciplines.

The research page has information on current and past work, and we have some new stuff we’re starting that I shouldn’t even discuss yet. But it’s going to be cool!

Eugene Vasserman
If you are just starting out, the best breadth resource I would say is Security Engineering by Ross Anderson.

It’s a book of stories. It’s not a textbook and it is just phenomenal in terms of covering a lot of breadth of security, including physical security, including psychology. So for pure breadth, I don’t think you can’t beat Security Engineering by Ross Anderson.

He’s currently actively writing the third edition, but the second edition is available on his homepage for free. He makes his books available after several years in print. So anyone can get that for free. I’m looking forward to the third edition.

For cryptography specifically, the mathematics of security, I recommend the two-volume Foundations of Cryptography by Goldreich. I thought that the Foundations of Cryptography specifically gave a really nice introduction to the mathematics behind practical security.

The last thing that I wanted to mention is you… the way you even started the interview, you started talking as if cybersecurity was its own science. Some people may disagree with me on this, but I would say no. I would just call it security because I’m a computer scientist and also because to me, it includes physical security.

So I just say security because I want to incorporate all aspects, but it is considered as a subdiscipline of computer science, and it’s huge, kind of like networking (and we don’t call it “cyber-networking”).