An interview with George Markowsky

George Markowsky
I was already teaching. At that time, I was at the University of Maine, and clearly, things were happening in cyberspace that needed attention, so I just got into it. I taught the first cybersecurity course at the university.

Cybersecurity Guide
When was that?

George Markowsky
Oh, boy. I don’t know, somewhere around 2000. Roughly 20 years ago.

Of course, cybersecurity became a lot more important with the growth of the internet, because when you had computers that were standalone, it wasn’t nearly such a big deal, because there would be very few connections, and a lot of them were directly computer to computer. But, as the internet started developing, cybersecurity became more important because more and more people were being connected, and people with different levels of expertise were being connected, so it became much more fertile hunting grounds for the bad guys.

George Markowsky
Well, there’s this concept that people talk about, which is called the attack surface, and what that means is the number of targets that attackers have. As the attack surface grows the attacker is more likely to find a weak spot. If you take an analogy of a wall, an attacker can walk around the wall and look for a weak spot and try to attack there. But, you, the defender, you have to make sure that every part of the wall is strong.

With a larger attack surface, there’s a bigger burden on the defender. When we only had large computers connected to some networks and those computers were supervised by experts, that’s a much harder target to attack successfully. But, as you increase the attack surface by putting smartphones all over the place and giving smartphones to people will little knowledge of cybersecurity you now have many more places that can be attacked. It’s really like taking a sock apart. When you pull one thread, it just unravels the whole thing.

Thus if you want to attack a system you could attack someone related to someone who works on the system and then work your way through through someone who works for some company and who carries a smartphone between home and work and so on. Attackers can find such chains of weaknesses that allow them to exploit a variety of systems, which makes defense a lot tougher. In one famous case, Target, the retailer was compromised because someone compromised their heating and cooling contractor.

George Markowsky
Well, currently, I’m actually a little bit off the main track for cybersecurity. Right now, I’ve been working on election security, which ties to cybersecurity. Because if you put everything online, that becomes a very tempting target for people who wish to influence an election. The question is how do you balance what you can do safely online and what you can’t do safely online. …so it’s that kind of straight-line classic cybersecurity.

Then there are always human factors related to cybersecurity, because if an attacker can fool somebody, so that person reveals a password, that makes their job a lot easier than trying to crack it. A lot of the attacks really begin with social attacks, getting people to click on them. I mean, it’s so elementary. You think, ”Who would ever click on this?”

George Markowsky
It works and so there’s a whole social element to cybersecurity. So I started a lab I call the cyber society lab where we want to focus on questions of computing and society. Cybersecurity has many aspects. Some of it is purely technical. If I have some technical defect in my system that you can exploit then that’s a weakness.

However, I can have the most secure system in the world, but if somebody bribes a person who’s in charge of that system, or fools a person who’s in charge of that system, and gets credentials, then my great system is minus its great value because it’s been compromised.

I think that for people thinking about getting into cybersecurity they should not think of it as there’s just one place that they can fit in. Some people think, “Oh, I don’t want to be a hacker, and sit in my room all day long putting up some esoteric software.” But, you can also work with people on what are some practices that you can follow to ensure security.

For example, in recent years, we’ve had spates of attacks — ransomware attacks on city governments, on hospitals of all places, on 911 centers, because a lot of the people who work there depend on their computing systems, but are not really thinking about cybersecurity.

Cybersecurity Guide
Right. That’s a good point.

George Markowsky
A person could make a real contribution by helping to make some of those areas more secure, even by training people. I guess I would like to convey to people that cybersecurity’s just a very broad field, and could use people with very different skill sets working in different parts of it, so if you do enjoy very technical hacking and things like [that], then by all means, you can do that and if you like working with people, the opportunities are there.

George Markowsky
You were asking what courses [I’ve taught] more recently. I taught a cryptography course. In the course, I even had some students working for the government in various capacities, and they tell me that the stuff they were learning in the course, they use every day, because they’re either trying to intercept messages by opponents or trying to send messages that opponents can’t read. You read the history, say of World War II, and you realize how important crypto analysis was in the allied victory. But, again, cryptography is very mathematical. For the average person, it’d probably be way too mathematical.

Cybersecurity Guide
Right.

George Markowsky
But, somebody who’s interested in mathematics can find extremely challenging problems in cybersecurity. The other course, which I just finished teaching this semester was quantum computing, also very mathematical. Also tied to cybersecurity because if we really get practical quantum computing, then a lot of our cryptographic protection gets compromised, and so we will have to figure out what to replace it with.

Cybersecurity Guide
There really is a lot you can do with cybersecurity.

George Markowsky
It’s a huge area … it could range from teaching middle school kids how to keep their system safe, how the municipalities can keep their system safe, how does a doctor office keep its records private — all that sort of stuff, to the most abstruse quantum mechanics, and how you could deal with computers using these ideas that 99.9 percent of the human race doesn’t understand. Maybe even 100 percent doesn’t totally understand.

George Markowsky
Yes, and for example, recently one of the things that has come into play is there’s a whole purely physical aspect to cybersecurity. One of the things that doesn’t get written about much is that there are people doing break-ins to get that information. It’s not always over the internet.

Sometimes, it’s just plain old physical breaking through the door, or picking a lock, or doing something like that. I think it’s important that especially if we’re talking about high school students that may not make too narrow a picture in their minds of what cybersecurity is.

If they study it, they will certainly get some technical background, but they should not think that, “Oh, if I go into cybersecurity, I’m going to be locked in a little office all by myself eight hours a day or 20 hours a day, or whatever. I’m just going to be solving these abstruse puzzles.” Yeah, there are people who do that. A lot of people who do that, really like it. I mean, it’s their personality.

George Markowsky
But there are other people doing training courses for staff, helping people secure the system. I want people to keep an open mind about it, that if they’re attracted to the idea, that they want to help make systems secure, that they want to say defend our systems, US systems, against attacks by other parties or against bad guys, they can find a role to play.

George Markowsky
Here at Missouri Science and Tech, all undergraduate computer science courses have to take the intro to cybersecurity course. That’s just a requirement that went into place just a few years ago, because in our feeling, cybersecurity is such an important topic, that any professional working in computer science-type areas needs to have a basic understanding.

They don’t have to be an expert at it. But they need to at least understand what the issues are, what some of the common attack methods are, etc., because let’s say you’re just working happily on some project. Well, what if you get struck by ransomware for example. Somebody attacks your computer system and locks everything up so nobody can do anything unless some ransom is paid, or your secrets are stolen by a competitor, or a nation spade or whatever, or your employee records are compromised.

I mean, it can impact so many different people in so many ways that we feel that every person who’s going to be a computer science graduate needs to have a basic understanding of cybersecurity. In that sense, we’re starting with everybody.

George Markowsky
I’ve had undergraduates take the cryptography course, and the quantum computing course, and we have other courses that talk about the security of mobile systems, so they have some core knowledge that we try to transmit to everybody.

Then, depending on the particular interests that the person has, then they typically pick the courses that make the most sense for them.

George Markowsky
Yeah. There’s a very small number of courses that are graduates only.
Most of our graduate courses are for upper-level undergrads, juniors, seniors, and beginning graduate students, so that’s where I’d say most of the courses are.

They can take them as electives, at the upper level. And there are also courses by the way that are not strictly speaking cybersecurity, but that are important. For example, networking. If you study how to run the network, obviously one of the issues you could come up against is, how do you secure the network?

There are many cybersecurity topics that are scattered through other courses, where the courses are not called cybersecurity.

I would say if you take networking, you might talk about even software engineering because one of the things we’re trying to do is build secure software. Let’s say you’re building an app for a phone. You might very well want to be interested, “How do I make that app difficult for someone to attack?”
You’re taking a course on writing apps. It’s not called cybersecurity, but there’s a cybersecurity component to it. Even if you don’t want to study cybersecurity, you’re going to get an increased amount of it, just because it’s infiltrating all the other courses.

Cybersecurity Guide
Right. Yeah, it’s tied to everything in some respects.

George Markowsky
Yes, for example, I taught a course on programming languages, and there are some programming languages that are harder to compromise than others. In other words, they have more checks built into the language to help you write more secure codes easily. There’s always a trade-off.

There is a very popular programming language called C, which maybe you’ve heard of, which is the basis of a lot of operating systems and stuff like that. It’s very flexible, but it’s very easy to write vulnerable code in C … the philosophy in C is you’re an expert, you know what you’re doing, we’re not going to provide a whole lot of checks. The other languages that are a pain to work with because they’re constantly checking you.

Then there are also tools you can use with the less secure languages, which warn you about certain problems, but there’s a famous case where the tools caused serious cybersecurity problems. The whole area of secure programming is complicated and challenging subject. I think that people who want to succeed in cybersecurity in a socially positive way, need to be attracted to the idea of protecting things, and they need to be open that that can be done in many different ways and at many different levels.

Keep in mind that If you take a lot of our courses, even if you don’t ever think that you’re studying cybersecurity per se, you will get a fair amount of it, just across the whole curriculum because it’s just evolved that way.

George Markowsky
It’s all over the place. For example, we had a recent graduate who’s now working for a cybersecurity firm, but he has been teaching this past semester. He taught a course remotely and the title of the course was malware.

Now, obviously, if you’re going to get into a course like that, you have to be very interested in programming at a very fundamental level, which is not for everybody. But that was a course that we offered and I hope we will continue to offer it periodically. It may not be every semester—but once a year, once every two years—but then, there’ll be other topics that come up. At our university, we have a whole student chapter … the SIG security, SIG stands for Special Interest Group.

George Markowsky
We have about 40 or 50 students who were meeting weekly and having their own speakers and topics, and I mean, it’s a very active group, and with quite a few students. I couldn’t even begin to summarize all the things they did. But I mean, some of the projects they did were physical.

They had one session called antenna in a can. You take a potato chip can and you put electronic parts into it to make a little scanner that allows you to detect wireless networks. There’s an activity called wardriving, where you could drive around a neighborhood to determine how many WiFi networks are present.

Cybersecurity Guide
Interesting.

George Markowsky
They just did all kinds of projects and they would have speakers, and we have a fair number of our graduates, alums now, who are working for different companies like MITRE for the national labs, all kinds of federal agencies, the Department of Defense. And they periodically come back to campus and talk … to the extent that they can talk about it.

Some of the stuff is classified, but they can come and talk in generic ways about what they’re doing on the job, and the kinds of challenges they’ve seen, and new trends. I mean, at one point, I had a student who did a project with honey pots, on honey pots specifically. As a matter of fact, I was also involved in a Ph.D. thesis on the subject. These specific systems they’re set up to attract attackers.

George Markowsky
Okay, partially that’s how you find out what’s out there in the wild. If you’re an insect specialist, you go out in the wild with your nets and you capture bugs and you study them. Well, cybersecurity people do similar things too.

They set up delicious-sounding computer systems and see who attacks them and where they come from and how they attack them. Those setups are called honey pots.
I had a student do a honey pot project, one of the undergraduates, and we were interested to determine the national origins of the attacks on our honeypots.

A lot of the attacks on US targets come from US IP addresses. Now, some of those US addresses may be addresses that have been compromised by somebody abroad, but we also have plenty of domestic bad guys.

George Markowsky
Well, for example, our university requires every employee to, every year, go through a cybersecurity little training module and answer questions, okay? That’s every employee has to do that. Well, that didn’t happen 10 years ago.

That’s our university, but I suspect that a lot of companies, banks, hospitals, etc., probably every … I mean maybe the janitor doesn’t have to take the cybersecurity module, but probably everybody who works on a computer, every doctor, every nurse, every receptionist, every data specialist, probably all have to take some kind of cybersecurity training on a regular basis.
I mean, I don’t know what’s more mainstream than that.

George Markowsky
There’s The Code Book by Simon Singh, and I think there were some associated videos. It’s basically the history of cryptography. What’s interesting is that the histories written right after World War II didn’t talk about cryptography at all, because they kept it secret for very interesting reason. Because after the war, a lot of developing countries bought all the surplus German military cryptographic equipment thinking that it was secure.

Countries like Britain and the US just kept quiet about it and so for the next 20 years, they could read all the secret traffic that these countries were generating. What I’m saying is that depending on where you’re coming from, if you want to have the more human element, histories — especially military histories — have a human element in the importance of communication, and the importance of secure communication. I mean, it’s not widely known why Mary, Queen of Scots was executed.

It is widely known that she was executed by Queen Elizabeth I, but the reason that she was executed was that she was using a cryptographic messaging scheme to communicate with her supporters about a plot to overthrow Elizabeth. Unfortunately for Mary, Elizabeth had crypto analysts who were able to read those messages.

Cybersecurity Guide
Oh wow. That really puts things into perspective.

George Markowsky
We’re talking about stuff that happened in the 15- and 1600’s. This is an old field in some ways. I would say there are a whole bunch of books for people who are interested in the historical approach.

George Markowsky
There are several that make really good reading and [once] you pick them up, it’s hard to put them down.

There’s an author by the name of Bruce Schneier who has a terrific, free, online blog. He writes books on a wide range of topics related to security and cybersecurity. He writes both non-technical and very technical material.

I would say things that Bruce Schneier has written over a very wide range and they’re typically very good quality, and he’s one of those kind of speakers who gets invited to give keynotes and all that sort of stuff. I would recommend anything by Bruce Schneier, at the appropriate level. … If you want to read something very technical, he could deliver there. If you want to read something very general, he could deliver there.

You could also read him online for free … Also, Simon Singh also has videos and things like that. He has some older software. The problem is you have to … It was written for old DOS systems and stuff. I think it’s still running in DOS box and stuff. People actually want to play with cryptographic things. Then, there’s a whole Linux distribution called Kali, and I think you could go to kali.org, and you can download this whole package that has … last count was over 400 cybersecurity tools.

Cybersecurity Guide
Oh, wow.

George Markowsky
Including tools related to what we call social engineering, tools to all kinds of attack tools, all kinds of scanners, and things like that. I mean, there are many, many materials available online to anybody interested that they’re even little certificates you can pick up at various places. I’ve done a lot of work with cybersecurity contests.

George Markowsky
One thing that I point out [is] that some of these contests go down as low as to middle school. If a student’s interested, one of the things I would recommend is they actually check with their school to see if their school is somewhat involved. Some schools have a cybersecurity team.

Almost every school has a math team, or they may have science fairs or groups that study science or a science club. Well, an increasing number of schools also have some kind of cybersecurity club or cybersecurity activity. I would say that … sometimes it’s hard to get the word out because there are so many activities competing for time and space. But, I would say to students who think they might be interested, check with your school, see what’s going on there.

George Markowsky
Right. There are also talks going on. For example, if you live near a college, or a university, or a community college, you could usually just check their calendars or check the computer science department. They often will have events or speakers and lots of times, they’ll welcome a high school senior, or somebody like that to come in and just get the flavor.

Now, one of the things that may or may not actually help people, is because of COVID-19, so much more stuff is being put online. A lot of seminars series are now being delivered online and you may be able to not even have to go to the school, but just find out that they’re having some event.

George Markowsky
Yeah, so I just want to encourage students who think they might be interested to do a little exploration of what’s available to them locally … Look for those kinds of local connections as well.

George Markowsky
Well, one that I’ve already mentioned which is quantum computing, because to the extent that that’s successful, that can radically change not only the picture for cybersecurity, but for computing in general.

Second, because our systems are getting so complex, and whatnot, there’s a lot of work-related to using artificial intelligence kind of techniques to help secure systems, and finding business, and things like that. I think that’s another area that’s developing that may be of interest to students as a hot topic. I think there are areas having to do with how do you write program securely in the first place, secure programming. How do you make it much more difficult for people to break, to technically break the programs?

Cybersecurity Guide
Definitely.

George Markowsky
Then, I think there’s this whole area of how do you educate people to be cybersecurity savvy. Because I could build the most secure system. I could have the fanciest lock that nobody can break, but if I give the key to a person, who would then give it away, then I’m not really very secure, am I?
Another issue related to cybersecurity but not always considered part of cybersecurity is the very important  issue of privacy.

As we become online more and more, how much of the personal information is out there and being tracked by people we don’t want tracking it?

George Markowsky
Right, and lots of times, people don’t think of privacy as a cybersecurity issue. But, it very much is because for example, if I learn your social security number, and I learn your date of birth, and I learn a lot of specifics about your life, I can go to the bank and electronically convince them that I am you.
I think that’s a very important topic that while it’s not classically thought of as cybersecurity, but it’s a close cousin, let’s put it that way.

Cybersecurity Guide
Thank you.