Safe computing environments are vital--and elusive--for businesses, governments, and other consumers of computer technology. As computer crime expands, truly safe information environments become increasingly difficult to achieve and maintain. And it doesn’t help, says David Wagner of the University of California (UC), Berkeley -- pictured left -- that we don’t know how to manage big software projects effectively. “Much of the software we use is some of the most complex manmade things that have ever been produced," he says. “When you have that level of complexity, people make mistakes.”
Unfortunately, software isn't forgiving of human error. Just one bug in a single line of code can permit an attack that can crash a network and possibly expose private information or do harm in some other way. “When you consider that your Windows system has over 50 million lines of code, that’s 50 million chances that can introduce a bug or security vulnerability,” Wagner says. His approach: developing software tools that safeguard computer technologies as they are created.
Wagner is among a select group of computer scientists who are taking up the gauntlet thrown down by hackers and other high-tech thugs. It's exciting work, he says, pushing technology forward and working to stay a step ahead of the hackers while also serving a quality-control function. "It’s kind of like being a bridge builder; first you’ve got to understand why bridges fall down before you can build them so that they are safe for the users," says Wagner.
The Job Market
According to the electronic security adviser to the U.S. Treasury Department, last year profits from global computer crimes exceeded the profits from drug trafficking for the first time ever. And according to a 2004 survey conducted by the nonprofit International Information Systems Security Certification Consortium, the number of information-security professionals worldwide was expected to grow from 1.3 million in 2003 to 2.1 million by 2008. The Department of Labor claims that “the demand for computer security specialists will grow as businesses and government continue to invest heavily in cybersecurity, protecting vital computer networks and electronic infrastructures from attack. The information security field is expected to generate many opportunities over the next decade as firms across all industries place a high priority on safeguarding their data and systems.”
“People are creating security problems faster than we can fix them,” says Wagner. “So I think that computer security people are going to be in demand for a while.”
Wagner's Road to Success
Working with such complex systems may seem tedious to some, but for Wagner the work has always been about having fun. In 1995 he made headlines when, while he was still a master's student at UC Berkeley, he and a buddy decided to look under the hood of Netscape--at the time the leading Web browser--after returning from the theater where they had just seen the movie Hackers. Netscape had just introduced an encryption utility that allowed online shoppers to send credit card information to merchants for the first time--securely, they claimed. But Wagner and friend discovered that Netscape’s random cryptographic key generator was easy to break. “We discovered right off the bat that it was easy to eavesdrop on cryptotraffic and get credit card numbers,” Wagner says. They reported their findings on an electronic bulletin board that night, and by morning reporters were knocking on their door. Within days, Netscape was shipping a revamped browser with a new security algorithm.
For the reserved Wagner, the attention was overwhelming. But this got him thinking about a career in computer security. “It made me realize that across the country there were a lot of people who were using this technology and were very curious about whether it was secure,” Wagner says.
Since the Netscape episode, Wagner has worked on security issues on other computational platforms, from cell phones to electronic passports. His success, says colleague Aviel Rubin, a computer science professor at John Hopkins University in Baltimore, Maryland, arises from his ability to bridge the wide gap between theoretical cryptography and applied systems security. “The problem is that too few people on the theoretical and practical sides of the fence know what the others are up to,” says Rubin. “David is one of a very select group of people who have managed to thrive in both communities.”
E-security may seem like a great way for anyone with talent and an entrepreneurial spirit to get rich quick, no matter which side you decide to work for. So why did Wagner choose to stay in academia? He chose it, he says, because he liked the idea of setting the foundation for new technology and working with the next generation of researchers. The university offered just the right setting. “The big draw for me in academia was I got to work with grad students. It is such a pleasure because they’re fresh out of school, they’re young, and they make the environment energetic,” he says.
It's also the right place to do work that matters but might not be profitable. Wagner's passion for practical applications turned him toward electronic voting systems. Despite its august history, paper has serious disadvantages as a medium for democracy, some say. Paper must be transported and stored before and after voting, they point out, and the more it is handled and moved about, the greater the chance it will be tampered with, destroyed, or lost.
Transportation is a nonissue with electronic voting systems, but they have disadvantages of their own. If they aren't designed with great care, electronic voting systems are likely to share many of the same vulnerabilities as the Internet. The private sector has taken on electronic voting, but the industry is very small. "The private sector can't afford to do much high-risk research, so issues like security have been somewhat neglected," Wagner says. "Amazingly, e-voting has been deployed before anyone ever worked out a scientific foundation for security, reliability, and other goals."
So Wagner, Rubin, and a select group of e-security researchers hope to solve e-voting's security and reliability issues, along with the concerns of voters who don't trust silicon to protect their rights. The biggest challenge, Wagner says, is building an electronic voting system that will be secure but won't require paper. “Right now, no one knows how to do that. That’s a big open question, and it may be very hard, but we’re going to try to resolve this issue,” Wagner says.
Wagner finds this kind of work deeply satisfying. And although some private-sector firms are working to make money from electronic voting, his kind of mission-driven work, he says, is only possible in an academic environment. “Probably the only place that I could do work on e-voting security is in a university because there’s not much profit to be had in securing elections. It’s crucial to democracy, but it’s not a big moneymaker.”
Wagner admits that the lure of a higher salary in industry was tempting. But he is satisfied with the choice he made and would never switch, he says, because he simply loves the level of independence academia offers. “I have a great deal of freedom to research issues that are important to society even if they’re not going to improve any company’s bottom line,” he says. “I get to work on a problem that actually matters, and that’s very rewarding.”
Check out David Wagner’s research at UC Berkeley.
Andrew Fazekas is a correspondent at Next Wave and may be reached at email@example.com.