- Jeb Wallace-Brodeur
Major Michel Kabay, a professor at Norwich University in Northfield, is just the sort of person youd expect to find in a military uniform. Hes meticulous in speech and conservative in dress, and his socks and shoes are all the same color: black. He says hes never worn his hair long or owned a lick of jewelry, nor has he ever smoked a cigarette or ordered a drink in a bar. What he calls his violently active superego makes him, as he puts it, excessively scrupulous about the letter and spirit of the law. He readily confesses that he wont even walk across a lawn for fear of damaging the grass. His rule-respecting attitude also gives him a deep and abiding respect for those in law enforcement and the military.
But Kabay is not a typical soldier. Though he wears a military uniform to work every day, he is not an active serviceman in any branch of the armed services. For that matter, he is not an American, though he is currently applying for citizenship. In the 1960s and 70s this French-Canadian, who holds a Ph.D. in applied statistics and invertebrate zoology, rallied against the Vietnam War; a decade later he was active in the anti-apartheid movement. Still, at age 52, Kabay dismisses his politics past or present as utterly irrelevant to his work.
Suffice it to say, the man is a rare breed.
Kabay or Mich, as hes known to his friends agrees to an interview at his spacious Barre home, which is perched like a citadel on a neatly landscaped hillside. Big as a bear but disarmingly affable, he leads the way to an upstairs office with an impressive computer work station. He occasionally interrupts his conversation to reposition his Corgi puppy, Gwyneth, onto a protected section of the couch.
Kabay has just begun his second year as an associate professor of Computer Information Systems. Norwich is the oldest private military college in the United States. According to the National Security Agency (NSA), it is also one of the nations top institutions in the field of information assurance that is, protecting and defending the confidentiality, control, accuracy, authenticity, availability and utility of electronic information. Kabay is a Certified Information Systems Security Professional the highest ranking in the field. His mission is to train the next generation of military officers and civilians one-quarter of the students are not enlisted in a civil defense of sorts: safeguarding computer systems against the endless barrage of cyber attacks launched by domestic and international terrorists, organized crime, anti-corporate hacktivists and countless other miscreants who prowl the digital frontier.
Computer security is, to say the least, a field commanding intense scrutiny. Military and civilian leaders alike have been scrambling, in the wake of 9/11, to plug the real and perceived holes in the nations electronic infrastructure. Its also an area that has sparked heated debate in some unlikely places among video and bookstore owners, librarians, reseachers about the erosion of civil liberties and the irreparable loss or destruction of vital historical documents.
Kabay has surprisingly little to say about the effects of 9/11 on his work, particularly about the U.S.A. Patriot Act, which he dismisses as part of the natural ebb and flow of rights and responsibilities in society.
Theres political pressure to alter the agreements of society over what constitutes public and private spheres, he explains. But this is not new. For anyone whos been following this area of privacy law and concepts of privacy, its in constant ferment.
Nonetheless, Kabays skills are now in constant demand. He has lectured in counterintelligence at NATO headquarters; he convened the first two international conferences on information warfare, in 1993 and 1995; and he is the co-author of the Computer Security Handbook, a 1224-page tome of information security principles and practices. I am proud to report that I have been named as an enemy by a good number of criminal hackers, Kabay says, and have appeared as a target for criminal hacker groups.
But his enemy status is not what interested Norwich. Tom Aldrich, the schools manager for information assurance education and training, declares that Kabay is a world-recognized figure and renowned speaker in the field of computer and network security. Hes also one of the most dynamic teachers I have ever seen. He has students totally enthralled throughout class. Moreover, Aldrich adds, Kabay challenges the students and they totally rise to the occasion he really cares about them.
Formerly in the employ of a computer networking consultant company with the fanciful name of Atomic Tangerine, Kabay now belongs to the Vermont Militia. His uniform bears the insignia of that unarmed civilian corps, which was established under Norwich Universitys constitution in 1819 and is comprised of its full-time faculty. Were wearing a costume out of respect for the real military people who are active-duty people I will salute any enlisted person regardless of their rank, says Kabay in his exuberant, sing-songy voice. Its a curious custom. Its like a game.
This professors work is anything but a game, though plenty of criminal hackers out there think and act otherwise. They fall victim or so Kabay speculates to the spurious logic that because the Internet uses the same interface as a video game, the two are roughly equivalent. This is not a video game. Life does not have a cheat sheet that lets you get away with pressing the control key or fixing the problem by rebooting, Kabay emphasizes. Five seconds of pleasure that some 13-year-old gets by destroying a Web site by printing, Ha ha ha! We own you! can translate into a week of extreme pain and panic on the part of the staff who are trying to rebuild the Web site, and who are going to be humiliated at their next job performance or may lose their jobs, not be able to pay their mortgage and so on.
Kabay knows those stories well. Among his numerous ongoing projects is compiling the INFOSEC Year in Review, an annual summation of key developments in information security. As you might expect from a report by an invertebrate zoologist with a fondness for creepy-crawly things, his work is a veritable taxonomy of cyber critters: digital worms, viruses, infestations and other predators along the information superhighway.
A brief scan of the 2001 volume reveals the dead seriousness of Kabays work. Consider, for example, the teen-ager who gained access to the pager system of a Fairfax, Virginia, hospital and was giving nurses medical orders for their patients, including authorizing prescriptions and minor medical procedures. Or the 16-year-old boy who used a computer and a hand-held radio to send Denver police cruisers and helicopters on phony emergencies for more than a month before getting caught. Or the former employee of a nuclear power station who tried to hack sensitive data in order to sabotage the plant, and whose prior criminal history had remained unknown because no one had bothered to run a simple background check.
This 245-page compendium of hacking and phreaking, electronic embezzlement and industrial espionage paints a startling picture of a nation thats been under constant attack in a war far older than the one now being waged against terrorism. For example, between 1995 and 2000, the incidence of identity theft tripled, making it economically the fastest-growing crime in the world.
Not surprisingly, Norwich is poised to address some of these threats: Its newest project on campus is an information warfare laboratory that will train students in real-world cyber-assault techniques, including ongoing information warfare games conducted in conjunction with West Point. And as one of 36 schools around the country chosen last May as a Center of Excellence by the NSA, Norwich will also be putting together the master of science in information assurance, program manager Aldrich notes. Mich will be teaching a couple courses within that venue.
You might expect Kabay to pepper his speech with the technojargon of computer geekdom. Instead, what crops up more often are words like ethics, rectitude, truthfulness, integrity and kindness. Kabay has written a series of papers and articles as well as a book entitled Cybersafety, which teaches children and adults to make safe and ethical decisions on the Internet. These range from not revealing credit-card numbers to strangers to not downloading stolen intellectual property such as music files, term papers or pirated software.
Kabay challenges those who use sloppy thinking to justify unethical or illegal behavior by posing some simple but straightforward questions: Who gains and who suffers from your action? Would you tell your boss what youre doing? Do you approve of the consequences of your actions if everyone behaved as you propose?
Some children have had so little contact with ethical decision-making that they seem to think ethics is on a par with preferences for the flavors of ice cream, Kabay laments. They have all the strength of emotion that they would over choosing pistachio over caramel. They seem to think that deciding whether to do something is purely a personal decision.
All of Kabays computer-science courses at Norwich incorporate discussions of ethics; he says he never introduces a new topic without also exploring its moral implications. While this might not surprise anyone in the information-security field, popular media and entertainment rarely pay much heed to such Boy Scout virtues. When was the last time a spy thriller featured a computer genius who refused to perform a function because he objected to violating someones privacy or intellectual-property rights? In Hollywood, it seems, such concerns materialize only after a film is released.
In cinematic or real life, integrity in cyberspace clearly comes down to one important factor: people.
Human beings are the element which will make or break security, Kabay asserts. You cannot secure an organization if the human beings dont want to cooperate. It just cannot be done, because no amount of gear is going to solve the problem.
As Charles Mann points out in his article, Information Insecurity in the September issue of The Atlantic Monthly, lawmakers, law enforcement and the Bush administration all want to boost national security by spending millions of dollars on high-tech gadgetry like digital surveillance and facial-recognition software, smart drivers licenses and retina, iris and fingerprint scanners. But in the long run, Mann asserts, such technocentric fixes make a security system more prone to massive failures.
Though Kabay is hardly anti-technology, he couldnt agree more. I worry about the peculiar attitudes that people seem to have about security, he says. Its a bunch of amateurs who are making up rules on the spur of the moment without ever having thought about it.
He cites as one example the new government protocol since Sept. 11 of asking airline travelers for valid government identification. Timothy McVeigh was no doubt the owner of a valid ID, and he probably showed it to a lot of people, Kabay says. Did it make any difference? None.
Instead, the professor offers a more pragmatic solution to airline security: Hire professional interrogators trained to spot inconsistencies in peoples stories, as the Israelis have done, and then start asking lots and lots of questions. Despite all of the countrys other security woes, an Israeli plane has not been hijacked in decades.
Theres something counterintuitive and comforting about a professor of cyber safety saying that the most effective security interface is the one that happens face-to-face.