When the Burlington Electric Department made national headlines late last year after discovering malware on a computer, the small municipal utility immediately called the nationally renowned digital security expert based in its Vermont hometown.
Jonathan Rajewski, a computer forensics consultant and director of the Leahy Center for Digital Investigation, dug into evidence for several weeks and ultimately debunked reports that Russian hackers had broken into the utility’s network and possibly gained access to the U.S. electricity grid.
The breach, it turns out, was isolated to a single laptop and never reached the Burlington Electric system, let alone the nation’s power network.
Rajewski and the LCDI are part of the Cybersecurity & Digital Forensics program at Champlain College in Burlington. With help from U.S. Sen. Patrick Leahy, the college secured two federal grants, totaling $1.15 million, which allowed the LCDI to expand its mission to provide public and private entities with expertise and technical support for cyber investigations — all while training students in the latest techniques for unraveling computer crimes and hazards.
Demand for those with such skills is skyrocketing. While consumers seek unfettered accessibility, it comes with risk, Rajewski says. “There’s this teeter-totter of security versus usability.”
Young people want to upload photos to all of their friends simultaneously. Organizations seek the ease of document-sharing with cloud storage or programs such as Dropbox.
“Companies need to stay productive, to stay competitive in the marketplace,” Rajewski says. “But once you do that, an employee can steal your client list in two seconds. An employee can steal your recipe, your trade secrets, without you even knowing.”
The LCDI includes more than 70 students investigating a variety of cases for government agencies, nonprofit organizations, private companies and police departments across Vermont and beyond. Their clients face outside breaches, employee misconduct and criminal activity.
For its own security, the LCDI investigations lab is cut off from the rest of the center’s building by a code-locked door and an “air-gapped” high-speed network that is disconnected from the college’s system and the internet.
Today, cyber forensics increasingly involve the Internet of Things, Rajewski says. He recently discovered a webcam, easily purchased at popular electronics stores, that transmits unencrypted video to the internet and sometimes sends data — for unclear reasons — to China.
“There are so many devices that people bring in their homes and are just ignoring the fact that they’re insecure,” he says.
In the lab, Rajewski has taken apart an Amazon Echo to study its Alexa artificial intelligence system. Advanced equipment with spider-like arms can probe the circuitry of a smartphone memory chip, allowing investigators to bypass a PIN code to break into a locked mobile phone, perhaps that of a dead victim in a criminal case.
Student research in the LCDI has attracted international attention. After the Nov. 2015 terrorist bombings in Paris, law enforcement officials contacted a Champlain student about his analysis of Waze traffic-monitoring software.
“This is a 20-year-old,” Rajewski says. “In my opinion, those are the people who are best equipped to deal with this kind of stuff, because they’re inquisitive. They want to find the answers. And we’re teaching them in the classroom what they need to know to do the work.”
Rajewski does private consulting, particularly on cases too legally sensitive for the LCDI students, and pops up as a frequent expert in national news coverage. He uses such jobs — including the Burlington Electric incident — as case studies in his classes. These real-world, up-to-the-minute lessons make his students particularly valuable to potential employers. Within six months of graduation, 96 percent of LCDI students land a well-paid job, Rajewski says.
“When I teach mobile-device forensics, the next iPhone’s going to come out, the next Android’s going to come out. I’m going to have to talk about the new version of Snapchat that just updated last week,” he says. “So you need to keep your finger on the pulse.”