March 6, 2012

The Scientist: Prof. Fred Schneider ’75 Protects the Web from Hack Attacks

Prof. Fred B. Schneider ’75, computer sciences, specializes in computer security, specifically language-based security techniques. He advocates for public cyber security systems.

Computer security is an important part of today’s networked world. “Nobody expected computers to be controlling the power grid when Windows was first written,” said Prof. Fred B. Schneider ’75, computer sciences. Schneider specializes in computer security, specifically language-based security techniques.

“Attacks happen when somebody finds a flaw in a program and they cause the program to behave in a way the designer never intended. Usually it’s to gain information or make some financial gains,” Schneider said. “There are ways to understand the specification of the program and automatically include checks or automatically do some reasoning to make sure certain things can’t happen.  Anything we can do to increase the chances that programs don’t have flaws is going to make the program more secure.”

For many major U.S. companies, language-based security techniques are standard procedure: “Microsoft doesn’t ship a version of Windows anymore unless it’s been checked over using techniques from language-based security.” Schneider is also the co-chair of Microsoft’s Trustworthy Computing Academic Advisory Board, a panel of technology experts and lawyers. In this position he helps Microsoft develop software with as few security flaws as possible.

While Microsoft is trying to make its software more secure, major entities such as Wall Street and the U.S. power grid remain relatively insecure, according to Schneider. The vulnerability of these organizations to cyber attacks is particularly dangerous, Schneider said.

“If an attack takes out the computer system in Wall Street during a trading day, then not only might trades stop being registered, but people are likely to panic and start selling; now the attack causes a small economic collapse.”

Schneider suggested that the U.S. government take control of cyber security and enforce laws for public computer security that are similar to those that are in place for public health security.

“Public health laws compel people and institutions to do the right thing and make investments,” he said. “For example, children must get inoculated, or they are banned from attending school. Inoculation is a great privacy invasion, but society sanctions it to achieve herd immunity.”

As with inoculations, public cyber security would help society achieve a higher level of protection, he said.

But such sentiments are thought of by some as invasions of privacy. According to Schneider, an ideal public cyber security model would not entail tracking the activities of a person, but rather tracking the packets that a machine is sending out. “I believe we do need information to support accountability but not accountability to a machine, not to an individual. And therefore this doesn’t mean giving up your privacy.”

He explained that a public cyber security system would have restrictions on running unpatched software, which is vulnerable to attack, as well as on selling software that is easily exploited. Schneider is currently working with the White House and Congress to create a framework for handling public cyber security to protect the public as well as organizations from cyber attacks.

“The only way we as a nation will make real progress on the cyber security problem is if we first adopt that kind of a doctrine and only then do we start considering laws, which we would evaluate relative to the doctrine,” he said.

As to the future of cyber security, Schneider said, “The legislation that’s being discussed isn’t very strong and it nevertheless hasn’t been emerging the deadlock Congress. But a year ago we were never even talking about cyber security legislation, so I regard it as progress.”

The policies that Schneider is advocating for public cyber security all use technology that is currently available—it just needs to be passed by Congress and then implemented. “If it doesn’t get adopted it’s not because I didn’t talk to the right people,” Schneider said.

Original Author: Kathleen Bitter