UNIVERSITY PARK, Pa. — Malicious cyber activities — or hacks — cost the United States’ economy more than $100 billion a year, or about .64 percent of the nation’s GDP, according to the most recent figures from the White House. Training the next generation of cybersecurity experts is now a national priority.
A group of about 70 Penn State students, faculty and staff from a range of fields and disciplines took a step toward taking on roles as interdisciplinary cyber hack responders in the 2019 Penn State Hack Response Simulation Competition held recently at the Technology Support Building at University Park. Participants came from Penn State’s Dickinson Law, the College of Information Technology and Sciences, Penn State Law, Smeal College of Business, the Donald P. Bellisario College of Communications, the Applied Research Laboratory, and the U.S. Army War College.
Anne Toomey McKenna, distinguished scholar of cyber law at Dickinson Law, and Penn State’s Institute for CyberScience co-hire and professor of practice, developed the hack response scenario and worked with Russ Houseknecht, lecturer, information sciences and technology, to design the simulation. McKenna said the idea for the exercise was inspired partially by her own experience as a trial lawyer representing clients who, over the years, struggled with compliance, security, and data privacy in their computer systems as they increasingly found themselves vulnerable to hacks and other forms of data breaches.
“Time and time again, I would see situations where clients would be faced with a data breach, but they would either not understand the information technology aspects of it — the cybersecurity technical piece — or not understand the legal compliance piece of it,” McKenna said. “I recognized in my own practice area that it was very hard to find lawyers who understood the technology and very hard to find people in the technology area who understood the legal requirements and also electronic evidence preservation.”
One way to address this disciplinary disconnect was to bring together students from business, information technology and sciences, communications and law to help students from diverse backgrounds learn how to collaborate effectively on responses to future hacks.
The exercise centered on a hacker who used a phishing scam to gain access to a university’s computer systems that contained, for research and development purposes, records from a health and insuring program for military personnel, their families, and civilian contractors. In a phishing scam, the attacker sends an email from what appears to be a trusted entity. When the unaware victim replies or clicks on a link in that email, the attacker gains the victim’s access to the computer system. The exposed data in this scenario, all of which was fictitious, included sensitive medical and personal information that also had national security implications.