Annie Antón began her talk about digital security by asking some questions that had come up in discussions at the Grand Challenges Summit the previous day: “How can engineers inform public policy?” and “Why should an engineer go to law school?”
She is Professor of Computer Science in the College of Engineering at North Carolina State University.
Antón’s talk and the panel discussion on broader security issues left no doubt about the answers. For example: Antón designs software systems that handle information in ways that comply with such regulations as HIPAA (Health Insurance Portability and Accountability Act). “The law dictates a lot of aspects of software and system requirements,” she said. “We want to get to the point where we have regulatory compliance in our software system.”
She and her colleagues are categorizing and codifying the language in HIPAA in order to translate it into software design requirements. “If we can formalize it, we can eventually automate it,” she said, although she added, “It will never be able to be fully automated. It’s a very laborious process.”
She and her students consulted with one of the co-authors of HIPAA, going through the document line by line to ensure they understood all the implications for electronic medical records software. The HIPAA co-author was surprised because, he said, he had never imagined how much work would be required by engineers to design software to be in compliance with the law.
Antón applies her software engineering experience to public policy in many other ways, including serving on the Department of Homeland Security’s Data Privacy and Integrity Advisory Committee and testifying before Congress on matters of digital privacy and security. “All of my work in public policy would be impossible were it not for all the engineering research I do,” she said.
In her work, Antón seeks solutions that would provide security from cyber crime and invasions of privacy, which are both increasing rapidly worldwide. Her goal is to design secure systems from the start rather than to have to repair violated systems later.
She’s also interested in educating the general public about how to keep digital information safe.
“My father is prohibited from buying things on the computer—by me!” she said. “He doesn’t understand the difference between a trustworthy and untrustworthy site. It takes a lot of education and awareness. We have to start early—with children.”
Unfortunately, even expert engineering and top-notch education can’t protect all digital information all the time. “As soon as you secure something, someone’s going to find a new way to break into it. We have to try to stay one step ahead,” she said.
The idea that total security is impossible also came up during the panel discussion. William Rees, the former Deputy Undersecretary of Defense for Laboratories and Basic Sciences, said, “I doubt we’ll ever be in a system that is 100 percent terror-proof. With modern connectivity and conveniences, the discussion needs to be changed from controlling terrorism to where we’re comfortable with acceptable risk.”
He pointed out that virtually all Americans accept the risk of driving, despite the fact that tens of thousands of Americans die in car accidents each year.
Rees said the way the government spends money to reduce risks is not always in line with what is known about the reality of those risks. “The first bolus of money sent out when the Department of Homeland Security was set up—there was almost no correlation between the amount of money and risk or the consequences if that risk would have occurred.”
Joe Eyerman, the co-director of the Institute for Homeland Security and a senior research methodologist and the director of RTI’s Health Security Program, agreed. “What is important in policy is not always a function of the best science; it’s a function of politics and government.”
For these reasons and others, all the panelists agreed that scientists and engineers need to be more engaged in public policy. An audience member asked how to get involved in public policy, and whether engineers should run for Congress. Antón encouraged engineering students to study public policy and law, adding that that she has graduate students getting dual degrees in law and engineering. She also suggested that students seek out engineering professors who testify before Congress and volunteer to help them prepare their testimony.
Eyerman chimed in, “Reach out to more social scientists. Social scientists are used to living on scraps. We’re eager to participate in any engineering project. We’re a bargain, and we’re pretty friendly folks. And more engineers in Congress is a great suggestion.”