University of Pittsburgh
September 14, 2004

University of Pittsburgh Teaching Students to Build Secure Information Systems

Contact:  412-624-4147

PITTSBURGH—When you pick up a telephone in the United States, you expect to get a dial tone. When you turn the key in your car's ignition, you expect the engine to start. Generally speaking, those technologies are dependable. In contrast, many of today's computer networks and software programs are vulnerable to saboteurs, identity thieves, and system overloads, and they need regular patching to fight off the latest viruses and worms.

To educate tomorrow's information technology professionals to design truly secure and reliable computer systems and networks, the University of Pittsburgh's School of Information Sciences (SIS) is developing a Security Assured Information Systems (SAIS) curriculum. Funded by a two-year, $286,710 award from the National Science Foundation, the curriculum will build on existing multidisciplinary strengths in computer science, intelligent systems, and other areas within SIS' Department of Information Science and Telecommunications.

"We'll be training the cadre of engineers and scientists who will ensure that every computer user in this country will some day receive the same kind of reliable service that we've come to expect from the telephone system," said SIS Associate Professor Michael Spring, one of four coinvestigators on Pitt's SAIS project. "That's a lofty goal, but it's based on the simple fact that what hackers do is exploit weaknesses in software design. If the software is designed right from the start, it's impervious to attack."

With the Internet's global reach, Spring noted, it's currently all too easy for a lone hacker in Asia or Europe to infect a desktop computer in Pennsylvania just by exploiting a tiny, inadvertent coding error made years ago by a software programmer in Silicon Valley.

Faculty from the Department of Information Science and Telecommunications will develop four SAIS courses to add to three already being offered, and will add SAIS content to a dozen existing graduate and undergraduate courses. James B.D. Joshi, another coprincipal investigator on Pitt's SAIS project, said, "There is general agreement, both within our school and the National Science Foundation, that information security cannot be treated as a separate discipline but must be developed by incorporating it into various disciplines." By fall 2006, about 20 percent of the content of every course offered by Pitt's Department of Information Science and Telecommunications will be devoted to security issues, Joshi said.

All three of the SAIS courses that Pitt currently offers have been certified by the U.S. government's Committee on National Security Systems (CNSS) as meeting national standards for instruction of information systems security professionals, including system administrators. Pitt also will seek CNSS certification for the four new SAIS courses that the University plans to offer.

According to Spring, creating impervious software is a very achievable goal; it simply wasn't as important in the past as making software user friendly, which sometimes was accomplished at the expense of security. Spring compared the software code-writing process to crafting a grammatically perfect English sentence. "If, in effect, you dangle a participle in computer programming, you may allow a hacker to get into a user's computer and violate it," Spring noted. "So, you must never, ever dangle a participle." The resulting, hacker-proof software may be slightly awkward for users at times—the computing equivalent of the kind of English up with which we'd rather not put—but there is no safe alternative, according to Spring. "We've come a long way in making computers easy to use for the average person, but in the process we've occasionally compromised security for user convenience," he said. "If we're going to create software that is truly secure, we must devote as much attention to security as we do to usability."

In addition to Spring and Joshi, coprincipal investigators on Pitt's SAIS project are SIS Assistant Professor Prashant Krishnamurthy and Associate Professor David Tipper, each of whose research focuses on network aspects of security, particularly as related to wireless networks.

Pitt's SAIS award, made by the National Science Foundation's Division of Undergraduate Education, took effect Sept. 1. It was one of 20 new awards that the division made this year in response to 78 proposals submitted last January, division officials said.