While data breaches aren’t anything new—Target’s massive 2013 breach affected 70 million customers, and last fall's iCloud photo hack victimized dozens of celebrities—this especially brazen corporate attack was unprecedented, elicited FBI probes and generated a response from President Obama (he sanctioned North Korea for their alleged involvement), but mostly, it left folks coddling their usernames and passwords and questioning the safety and confidentiality of their personal information.
To help reduce the risk of future data breaches, Dr. Kurt Rohloff is hard at work on groundbreaking, research-based strategies with an emphasis on encrypted data, privacy preservation technologies and protection from censorship. “One particular area I’ve been focusing on is in the development and application of practical methods for a new family of encryption schemes called Fully Homomorphic Encryption (FHE),” says the computer science professor and distributed computing expert, who worked as a contractor for the Defense Advanced Research Projects Agency before joining NJIT. The multiple FHE schemes provide approaches to encrypt data, pass the encrypted data off to a third party (such as the Amazon Cloud computing environment), give algorithms to the cloud data host that are run over the encrypted data, enable the cloud host to produce encrypted results from running the algorithms on the encrypted data and decrypt the result.
“The decrypted result is the exact same answer as if you had run the algorithm on the original source data,” explains Rohloff. “At no time does the cloud host have access to any decryption keys or the original unencrypted data.”
Here, Rohloff discusses the importance of his leading-edge research, the Sony hack heard ‘round the world and what everyday citizens can do to protect their digital identity.
Your research is beyond timely, given the frequency and impact of recent cyberattacks. Why is this particular work important?
This work essentially addresses one of the primary flaws of cloud computing: that in order to use cloud computing, you need to trust the person hosting your data to not leak it in some way. By encrypting the data and still enabling processing on the data, privacy-sensitive industries such as the medical and financial domains can begin to outsource much of their IT infrastructure, and obtain the resulting financial benefits. My work on practical FHE is motivated by application. Many academic cryptographers tend to focus on theory and protocols, but I strongly prefer to write software for everything that I do, either to show things working in a proof-of-concept or to solve real-world problems where people need technology solutions.
Cybersecurity certainly has everyone’s attention given the recent Sony Pictures Entertainment hack. What are your thoughts?
One of the challenges with cybersecurity is that it is a very difficult story, and many companies are unfortunately reluctant to share the true details about what happened. In some sense, this is something I’d like to try to address with my research: to develop a framework for companies to share sensitive information, such as cyberattack information, without fear of legal or financial repercussion that would result from full disclosure. This would allow companies to be better informed and protect themselves by learning lessons from past victims.
In what ways can a cyberattack affect a business's bottom line?
A cyberattack can affect a business’s bottom line in many ways. For one, a business can lose sensitive data, such as new product information or customer data to competitors. A business can also lose customers due to frustration with the lack of protection with their data. Also, a business’s stock price could decline due to lack of investor confidence.
Given its political slant, what kind of impact does the Sony hack have on the future of cybersecurity?
Hopefully, this recent attack shows the need for more comprehensive security postures to better segregate data within a corporate domain and provide so-called defense-in-depth. Furthermore, it shows that successful attacks even on corporate entities can have political and diplomatic implications. More research is needed in more usable and deployable security that is more likely to be used in real-world scenarios.
Data breaches seem to be common as of late. Why is personal information so easy to steal?
These kinds of attacks have been going on for a long time. They seem to have become more prominently reported in the news media as the scale of the attacks have increased, and the potential impacts on the lives of ordinary citizens have increased as companies are increasingly storing more data in corporate IT infrastructure that is increasingly accessible by the open Internet.
Why hack into accounts? What do cybercriminals have to gain?
Cybercriminals have any number of reasons to steal data. I can’t speak to specific motivations, but most are probably financial. The thieves can steal personal information that can be sold to other criminals either for identity theft or to obtain credit cards.
What can people do to protect their information?
Most importantly, only share information with people who really need it. Too often I see customers blithely share sensitive data such as Social Security numbers or even email addresses when not needed. Also, only do business with companies who will respect your privacy. Sony has been funny because they have had a surprisingly long string of huge cybersecurity blunders in recent memory, from the malware rootkit they put on CDs they sold to customers to the PlayStation data breach. Practice good cyber “hygiene” by always keeping software up-to-date on your computer, never install unneeded software, and never open unexpected email attachments.
By Shydale James