Cyber Security Q and A with Rafail Ostrovsky,
professor of computer science and mathematics and director of the Center for Information & Computation Security (CICS)
Can you describe some of the major current issues in cyber security today?
Ostrovsky: Our society gets more mobile and more interconnected every day. For example, most of our data either already leaves or soon will migrate to the clouds, owned by big corporations; our mobile data, including personal preferences regarding shopping, travel, and online searches, are mined by companies for targeted advertisements. This ubiquitous connectivity is both helpful and harmful. It is helpful in communicating with our friends, yet it is harmful as individual privacy often becomes compromised. The biggest challenge of cryptography is to allow individual privacy to be maintained without hindering services and conveniences that the Internet and mobile platforms and cloud-based computing have to offer. The idea is, instead of limiting what the big corporations can touch, to allow processing and manipulation of encrypted data in a way that carefully controls the information flow while at the same time protecting individual privacy.
With regards to those issues, can you very generally describe some of the research you’re leading that addresses these issues?
The research in my group focuses on developing new technologies for allowing willing participants to utilize benefits of the Internet and mobile platforms without violating individual privacy. What makes the research especially fun is trying to formalize in a rigorous mathematical sense what this means and how to prevent privacy breaches without limiting functionality and usefulness of the systems at hand. It is also important to be able to prove that even if some of the participants are malicious, and deviate from the protocol in an arbitrary, devious way, they cannot sabotage the system. While important gains on this front have been made, many outstanding questions remain, especially when security and privacy guarantees must hold in a dynamic and changing environment, such as the Internet.
Are you collaborating on security research in any areas outside of computer science, and if so, could you describe them and your role in them?
We have been collaborating with Professor (Eleazar) Eskin and Professor (Amit) Sahai on security challenges in bio-informatics. The idea is to allow people to “encrypt” data using their own genome in such a way that only relatives (with similar genome) can decrypt it, but someone who is not a close relative could not decrypt it. The notion of genome-based security will become ever more important as gene therapy medicine develops. The worry here is that you don’t want to disclose personal genomic information to, say, insurance companies or employers, since it may be possible in the future that such information would lead to discrimination based on the ability to predict an individual’s likelihood of developing some disease; yet, you want to make your genome available to doctors for potential prevention and treatment purposes. This leads to a very interesting collaboration between cyber security technologies and bioinformatics.
There are many other exciting questions in CICS that are being explored, ranging from location privacy to secure computation based on randomness that comes from nature, healthcare privacy concerns and national security challenges.
Where will we be 10 years down the road in regards to cyber security? Will some of these larger issues be settled? Will technologies/devices and the way we interact and use them continue to raise new concerns?
I see cyber security being far more pervasive ten years from now. Most of our devices, including buildings, cars, and home appliances will be wirelessly interconnected and will attempt to be more “helpful” to their owners. That will make our lives easier on the one hand, and more dangerous on the other. Imagine, for example, if you can switch on your stove, your microwave and your air-conditioner remotely through a hand-held device, or just a few hand gestures in front of your iPad. It sounds very appealing for individual citizens, but also could make it much easier for criminals to cause damage through identity theft or for terrorists and rogue states to cause massive political and economic damage through cyber-attacks that will be coupled with physical systems and control devices.
This is the challenge of cyber security: to allow ever increasing ease of use and convenience for individual citizens and businesses, while at the same time protecting individual privacy and national cyber security. It’s an exciting time for those of us working in this field, since both the good guys and the bad guys continue to develop ever more sophisticated attacks and defense systems – we must be ahead of the bad guys at all times.
From the perspective of an individual, it seems that for the past few years the biggest issue has been privacy. This seems especially so as smartphones have become such a large part of our lives. Are you working on any issues related to privacy information for individuals and/or mobile devices?
Yes, absolutely, as I alluded to before, mobile platforms and their communication with cloud-based computing is a large part of our research. We try to allow individual hand-held devices to off-load computation to the cloud without violating the device owner’s privacy. This is possible through so-called secure multi-party computation, a deep and interesting area of study in cryptography. What makes it especially interesting is that there are often intricate connections from mathematical questions and proofs to very practical applications that people (and corporations) care about. The issues range from definitions of privacy, security and fairness, to issues of concurrent executions of protocols, to resource allocations (both physical and virtual) and other fundamental questions that are at the very core of well-functioning modern society. Defining modern notions through rigorous mathematical terms makes the whole area of cyber security a very exciting area to work in.
What about issues related to cloud computing/remote storage?
There are many. How do you allow the cloud to “help you” without revealing your secrets? How do you prevent the cloud from learning your behavior just by watching if you are accessing the same encrypted file today as you accessed yesterday? Notice that these questions go beyond encryption, since no matter how good the encryption is, the cloud can still just watch which memory contents are being accessed. There are even more delicate issues that many corporations and the U.S. government care about, and I am delighted to work in an area where today’s ideas at UCLA may impact how cyberspace is being used tomorrow. I am also fortunate to have great colleagues and graduate students working at the CICS center with me. For example, Professor Ivan Visconti from the University of Salerno, Italy, is visiting our center for his sabbatical, with many exciting projects that we are jointly working on.
To find out more about Professor Ostrovsky’s research in cryptography and other areas of computer science, visit his Web site at: http://www.cs.ucla.edu/~rafail/