November 18, 2019
How do you incentivize people – consumers and vendors alike – to invest in better security? How do you design a cloud-based platform that will enable people to take back some control over their technology? How do we know if the messages we send today will be private 10 years from now?
It’s questions like these that Olin faculty member Steve Matsumoto, Ph.D., assistant professor of Computer Science and Engineering, investigates with students who are passionate about the hot-button topics of information privacy and security.
While his students are too young to have grown up with the early ’90s computer hacker movie Sneakers, the film made a lasting impression on Matsumoto as a youth. He was intrigued by how Robert Redford and his crew of burglars, spies and hackers tested the security of systems by trying to break into them, and by the technology’s potential to hide messages within it. “The idea that the wars of the future wouldn’t be about who has the most guns, but about who has the information, stuck with me,” says Matsumoto.
Matsumoto developed an enthusiasm for discovering fun ways to crack encryption and to hack systems into doing things they weren’t meant to do. He went on to study math, computer science, and electrical and computer engineering in order to apply these skills academically to matters related to security. Along the way, he’s cultivated what’s called a “security mindset” that’s shaped his work. People with this mindset factor the general assumptions we all make about the world into their development thinking, and also contemplate the “what-ifs” that may happen when those assumptions are violated.
For example, if you have a game on your phone that only gives you 10 credits per week, how do you get more? At an airport, how would you get that slightly-too-large bottle of liquid past the TSA checkpoint? The answers: For the first, change the clock on your phone as needed, which works with some apps. For the second, put a nice label on it and make sure that somewhere it says “100 ml (3.4 fl oz),” knowing that there’s no practical way for TSA to check on the spot.
“There is a level of adversarial thinking involved,” admits Matsumoto. The appeal lies in how to deconstruct parts of the world and figure out the impact of structures and processes not working in the ways they’re expected to, because someone’s gamed the system.
This concept weaves through Matsumoto’s current research on cryptography, which is the mathematical and computational practice of encoding and decoding data. “In studying computer science and computer security, I think about the software assumptions we make and the way it can be manipulated,” he says. Bitcoin was the first example of cryptocurrency. Now there are thousands more, and there has been a huge amount of attention on these volatile currencies in the past few years. “Like any digital payment, you can use it without thinking about it, or you can ask questions; like, What are computers doing when we send and receive cryptocurrencies? How do you prevent forgeries of the digital signatures that prove that someone sees and approves of a transaction?” he says.
His research regarding incentives and cryptocurrency is in part about how to use cryptocurrency as a real financial incentive for people to improve their security practices. Questions he explores include things like, “What are the incentives for the computational work that computers do when sending or receiving cryptocurrency transactions?” or “How can we use cryptocurrency-based computational platforms to build better incentives for investing in security?”
Matsumoto is particularly interested in how to assess cybersecurity risk using cryptocurrency platforms. “We can either try to create carefully designed incentives to encourage people to adopt better practices in using cloud platforms,” he says, “or we can make secure technology easier to use so that it doesn’t interrupt the current users’ experience too much, allowing them to adopt a more secure approach.”
Many of these ideas play out in the course he’s teaching, Modeling and Simulation of the Physical World, in which students endeavor to come up with good questions and test how trustworthy the conclusions are when creating realistic models. Matsumoto finds that students are keen to explore cognitive modeling and effective decision-making to address cybersecurity challenges, too. “That’s what’s so great about Olin students,” he says. “They’re passionate about many areas outside of their major, and there’s a lot of conversation on campus around the ethical implications of technology. I think it will be interesting to explore how that fits into the evolution of cybersecurity.”