By Dan Grech MFA ’12
Andrew De La Rosa was an FIU undergraduate studying computer engineering when he enrolled in an elective course with a beguiling name: Ethical Hacking.
The course, taught by Professor Alexander Pons, teaches students how to expose vulnerabilities in computer systems without actually breaking in. “In order to protect, you need to know how to compromise,” Pons explained. “When you want to protect your home, you don’t look for a police officer. You look for a crook who knows how to get in and build your defenses around that.”
Ethical Hacking has become one of the College of Engineering & Computing‘s most popular classes, regularly drawing more than 100 students, including online students from other universities. It’s one of more than two dozen classes in cybersecurity taught at FIU by a dozen professors in fields as varied as criminal justice, business and international policy, not to mention computer science and engineering. In just a few years, cybersecurity has quietly grown into a major university-wide initiative, driven by an insatiable demand from industry.
“Cybersecurity is the need of the hour,” said Shekhar Bhansali, chair of the Department of Electrical and Computer Engineering (ECE). “Our cybersecurity classes are a pragmatic mix that start with foundations and go on to hands-on applications and real-world examples.”
This past March, after a rigorous review, FIU was designated a National Center of Academic Excellence in Information Assurance Education by the National Security Agency and the Department of Homeland Security. It’s one of seven universities in Florida to get the designation, which is expected to increase grant and research opportunities for FIU.
A leader in cybersecurity academics
FIU is one of the first public universities to offer a graduate degree program in cybersecurity and an undergraduate degree with a concentration in this field.
The undergraduate track has 50 students and includes cutting-edge classes in malware analysis, digital forensics and security of the Internet of Things. Student research topics sound like the titles of Hollywood cybercrime capers: Pharming, Creating Exploits, Keyloggers.
“My students are getting hired after four years in college at an exorbitant amount of money,” said Pons, who serves as a director for cybersecurity within the Department of Electrical and Computer Engineering.
In January, FIU launched a one-year online master’s in network security after surveys indicated a strong interest among working professionals. The program already has 23 students enrolled. This fall, FIU will offer a joint master’s in cybersecurity between ECE and Computer Science, a nod to the multi-departmental nature of the field.
Spreading the word
FIU’s cybersecurity program is gaining in renown. In 2014, the Center for Digital Government recognized FIU in the education category of the Cybersecurity Leadership and Innovation Awards for the university’s commitment to greater data security.
To help build awareness of its program among business owners and corporate leaders, FIU offered a free, six-hour online course in cybersecurity to eMerge Americas conference participants in early May. Later that month, it hosted a CIO roundtable discussion.
Matt Gallo with Miami firm United Data Technologies said the demand for cybersecurity professionals is exploding. “We’re just breaking the barrier of businesses becoming aware of the importance of digital security,” Gallo said. “By studying it, you’re setting yourself up at an early stage in your career for an area that’s going to be overwhelming in the coming years.”
“Murky ethical and legal waters”
The heart of a cybersecurity education happens in the laboratory, where students hack into closed computer systems under the constant supervision of technical assistants. In the past 18 months, FIU has established three new research and teaching laboratories on cybersecurity, including the Advanced Wireless and Security Lab (ADWISE) and the Cyber-Physical Systems Security Lab (CSL). But even in these contained environments, things can go wrong.
For his class project, De La Rosa—the student in the Ethical Hacking class—decided to attack Bluetooth, a technology standard used to exchange data over short distances. He wanted to show that weaknesses in Bluetooth could allow him to download someone’s private contacts. He picked a device at random on the FIU campus and hacked into it.
“When I ran the serial number, I saw it was registered to campus police,” De La Rosa said. He rushed to the police substation at the FIU Engineering Center to explain.
“You’re lucky you told me,” the officer told him. “Even if you’re doing this for a class, I could have arrested you.” Florida punishes unauthorized access to a computer system as a felony.
Pons said a key goal of the program is to help students navigate the murky ethical and legal waters of cybersecurity. Pons says De La Rosa’s mistake was to hack a device at random. He counsels all students to avoid scanning any systems that don’t belong to them or where they don’t have written consent beforehand.
De La Rosa said that incident was one of the most profound learning experiences of his life. “It’s made me anal retentive,” he said of his more cautious approach to hacking.
Pons agrees that the “rules” of hacking are not simple. “Let’s say a student runs a tool against a website and finds a vulnerability. What does the student do? Expose the vulnerability? Or stay silent?” he asks. “Sometimes doing the right thing can get you in trouble. The fact that you’re even trying those doors can be seen as suspicious.”
De La Rosa’s run-in with campus police didn’t deter his studies. De La Rosa, whose friends call him Sherlock, graduated in December; he’s now pursuing a master’s in network security at FIU.
“Information is dangerous,” De La Rosa said. “We’re learning how to disrupt systems. If we use that for malicious purpose or financial gain, it destroys the reason behind doing the entire program.”