“People were like, ‘You’re making a mountain out of a molehill. Relax. The internet needs to be free,’” said the 1994 Fordham Law School grad.

But the article changed the trajectory of Citron’s career. Her groundbreaking scholarship and advocacy on issues involving intimate privacy and online abuse are recognized internationally for their vital importance to an evolving understanding of ethics in the digital age. She earned a MacArthur Fellowship (aka “genius grant”) five years ago, and today she’s a distinguished professor of law at the University of Virginia.

“I was accused of wanting to kill free speech,” Citron said. “But I stuck to my guns. This is important.”

In a world where lawmaking lags behind the rapidly accelerating speed of technology, Citron is aiming to close that gap. She focuses on finding legal solutions to a wide array of online abuses, from cyberstalking and harassment to harmful deepfakes—digitally manipulated videos and images that are becoming increasingly indiscernible from reality. Threats like these disproportionately affect women and minorities, she said, making these issues “the civil rights cause of our time.”  

“That’s the worst—the everyday person who’s targeted. They shut down their LinkedIn, Facebook, X accounts; they literally just go offline,” she said. “When you chase a woman offline, she cannot participate [in society].” 

Since 2013, Citron has been vice president of the nonprofit Cyber Civil Rights Initiative. She has published two acclaimed books, including The Fight for Privacy: Protecting Dignity, Identity, and Love in the Digital Age (2022), and spent more than a decade working with law enforcement, legislators, and large tech companies to create reforms that give recourse to people who are targeted online.

Most recently, Citron partnered with U.S. Rep. Jake Auchincloss to draft a bill that would reform Section 230 of the Communications Decency Act—a law that protects platforms from liability for harmful or false content they host. The proposal includes stricter regulations against digital forgeries, cyber stalking, and intimate privacy violations.

For Citron, the through line across her career is one that was strengthened during her time at Fordham, both as a student and a professor of the law. 

“The work that I do is on behalf of the vulnerable,” she said. “That is so consistent with the Fordham mission.”

A decade ago, Fordham officially became a “changemaker campus.” But the changemaking impulse has been at the heart of a Fordham education for generations. Read more about other Fordham changemakers.

RELATED STORY: How Dr. Suzanne Lagarde Is Expanding Access to Quality Health Care

RELATED STORY: Anthony Martinez Is Bringing Bronxites to the River

Titled “Enhancing Cybersecurity Education through AI-Integrated Curriculum Development for Faculty,” the year-long grant will fund the creation of 10 teaching modules that will be used by other institutions that teach cybersecurity.

Thaier Hayajneh, Ph.D., director of the Fordham Center for Cybersecurity, said that he and Gary Weiss, Ph.D., professor of computer and information science, will work with academics from other universities and private sector experts to create the coursework. They will hold workshops over the next year to solicit feedback and finish in the fall of 2025.

Threat Detection and Response

Hayajneh said a key focus of this new curriculum will be employing AI for rapid threat detection and response.

“What people in the industry are trying to do with AI is automate most of those things that we used to do manually,” Hayajneh said. 

“The readings, the observations, the analytics that we always have been doing—everything has AI being integrated into it,” he said.

“There is now AI-enhanced intrusion detection network security that’s used as a defense. But hackers also use AI to crack passwords and search for vulnerabilities in your system faster than before, so you have to test your systems with traditional attack capabilities but also with AI.”

Teaching the Teachers

The team’s recommended curriculum will be shared with the National Security Agency (NSA) and the Department of Defense for feedback, and the NSA will then make it available to eligible institutions through its digital library. 

“The curriculum is designed for faculty from other institutions, with the goal of bridging the gap between institutions that don’t have the expertise and the capability to develop AI-related cybersecurity courses,” Hayajneh said.

 “The ultimate goal is to teach the teachers.”

The grant is the fourth one of this type that the center has received. In 2017, it was awarded two grants worth $270,000 to develop a cybersecurity core curriculum and help build hands-on lab environments for cybersecurity training. In 2019, it received $300,000 to create a curriculum related to iOS and Android operating systems.

Scholarship Eligibility

Thaier Hayajneh, Ph.D., director of the Center for Cybersecurity, said that the Center of Academic Excellence (CAE) designation for the minor means that undergraduates can apply for scholarships that are funded by certain grants, such as a $4.1 million grant from the National Science Foundation (NSF) the center received in 2022.

That grant money was previously only available to students enrolled in one of the four master’s level cybersecurity degrees the department offers, including undergraduate students enrolled in an accelerated five-year program.

Undergraduates in the cybersecurity minor—open to students in all of Fordham’s undergraduate colleges—can now apply for DoD Cyber Scholarships to offset their tuition. Those who accept scholarships make a commitment to work for at least two to three years for a federal agency such as the National Security Agency.

More Job Opportunities

Upon graduation, students in the minor can expect that job opportunities will expand as well. According to the National Institute of Standards and Technology, there are currently about 3.4 million unfilled jobs in cybersecurity globally, including an estimated 640,000 in the United States. Many of those jobs are only open to graduates from CAE-designated programs.

“All of these federal agencies, like the NSA, the FBI, and the CIA, have special career fairs that are only for CAE-CD accredited programs, so that will give students more opportunities,” said Hayajneh.

“Employers in the private sector will also have more confidence in our graduates when they know that our students have been through a C-designated program. So it’s an exciting opportunity.”

In a collaboration between the Fordham Center for Cybersecurity, the NYC Hispanic Chamber of Commerce, and the NYPD, Chief Ruben Beltran was invited to the Lincoln Center campus on Oct. 19 to speak to aspiring cybersecurity professionals. The commanding officer of the NYPD Information Technology Bureau and founder of the NYPD Real Time Crime Center, Beltran shed light on various aspects of cybersecurity, such as email phishing and key security tools employed by his team, as well as the broader importance of protecting critical information.

Keeping Data Safe

“Right now, a part of our training is how to keep our department assets, data, and computers safe, and also how to keep your own data safe. It’s a little bit different when you’re talking about your personal information on your personal devices,” Beltran said, explaining how vital cybersecurity is at many levels in not only the NYPD, but for every resident of New York City. “I think there’s an opportunity here in terms of creating that awareness for best practices to keep your family’s assets, wealth, and information secure.”

In the landscape of cybersecurity, expertise in business, law, and political science is becoming increasingly critical, he said. In today’s world, effective cybersecurity strategies require cooperation between government agencies, educational institutions, and the private sector, he said, noting that cybersecurity is more than just a lucrative career choice.

Understanding the Need

“It’s cybersecurity—It’s flashy, and a lot of people go into the business thinking that they are going to make a lot of money, and they probably are, especially if they are good at it,” he said. “But, there’s a reason for the need for cybersecurity, and it’s important to know how people get into the business.”

Thaier Hayajneh, a computer science professor and director of the Fordham Center for Cybersecurity, introduced Chief Beltran and also explained how Fordham’s programs align with the demands of the ever-evolving industry.

“One key component of our programs really is [they are truly]interdisciplinary,” he said. “We work across multiple disciplines in business, and law, and political science. We strongly believe that cybersecurity is way beyond just programming and coding and math.”

A Rewarding Career

Reflecting on his own career, Beltran said, “Technology was a passion of mine, and I actually changed my major from criminal justice to computer information systems. But it really did set me up for where I am today.”

He told the students, “It’s important that you know that cybersecurity is going to be a great career; it’s going to be challenging, you’re going to learn a lot, and you’re going to grow.”

According to FBI Director Christopher Wray, they can best be defeated through cooperation between law enforcement agencies, academia, and the private sector. In a speech on Jan. 28, Wray shared with an audience of roughly 1,900 attendees an example less than 36 hours old: the disruption of the Emotet criminal botnet, which was carried out with the European Union Agency for Law Enforcement Cooperation.

“Emotet has for years enabled criminals to push additional malware onto victim networks in critical sectors, like health care, e-commerce, technology, and government. Emotet is one of the longest-running and most pervasive denial-of-delivery services out there,” he said.

The operation was successful, he said, because cybersecurity experts on both continents had applied lessons learned from previous disruptions of botnets, which are networks of internet-connected devices that can be used to perform Distributed Denial-of-Service (DDoS) attacks, steal data, send spam, and allow the attacker to access the device and its connection.

“It’s the kind of disruption that demands cooperation,” he said.

Wray made the announcement during a talk titled “The FBI’s Strategy for Tackling Cyber Threats in 2021 and Beyond,” part of a virtual speaker series sponsored by the International Conference on Cyber Security (ICCS), which is jointly presented by the FBI and Fordham. In-person ICCS events, such as those scheduled for July, have been postponed until public health authorities advise that they’re safe.

In addition to Emotet, Wray cited examples such as the bureau’s success in the September prosecution of the Chinese hacking group Apt41, which was targeting private companies, as well as a partnership with the NSA that lead to last year’s discovery of a sophisticated type of malware developed by the Russian military.

Wray answered audience questions that were presented by Joseph M. McShane, S.J., president of Fordham, who served as moderator. Questions ranged from how the bureau retains talent that might otherwise work in the private sector (their attrition rate is very low) to the ways they go about identifying cybercrimes in general. Asked how private industry can help the justice department defeat domestic threats, Wray advocated a preemptive approach.

“There’s a saying that the best time to patch the roof is when the sun is shining. It’s the same concept here. We want people to start to build those relationships with their local FBI field office before they have a major intrusion,” he said.

On the challenge of misinformation campaigns and social media, Wray made it clear that the bureau is concerned with the threat, not the content.

“We’re not the truth police of the internet. What we focus on is the actor,” he said.

He noted that when the bureau learned that Internet Research Agency, the Russian troll farm that was active during the 2016 presidential election, was actively planning to spread disinformation and distrust in 2020, the FBI tipped off Facebook and Twitter in September to its presence on their networks.

“It’s a situation where we, rather than bringing an enforcement action, we’re feeding tips to the social media companies, which were able to take very quick actions themselves using their own terms of service,” he said.

“Because activity that might not readily lend itself to a criminal case or national security action often very readily violates their terms of service.”

It was another example of the private sector and law enforcement working together to defeat a shared enemy, he said.

“The way we do business today, and so many of the changes we’ve made to our strategy are a product of our work with [the private industry]. We’ve been working with your concerns and suggestions and we’ve taken them to heart. We’ve shifted the way we think and the way we operate so we can have a more significant effect on our adversaries.”

Wray’s talk was followed by a discussion with Ed Stroz, GABELLI ’79, the founder of a firm formerly called Stroz Friedberg and now known as Aon Cyber Solutions, and Matt Gorham, assistant director of the FBI’s Cyber Division. Stroz, a former FBI agent himself, focused on the nuts and bolts of how a private company actually works with the bureau.

Gorham echoed Wray’s suggestion to make a connection before an intrusion, as that will establish a baseline level of trust. This will be important because in the near future, he predicted there will be an increase in ransomware and malware-for-hire services. And, he said, people should feel confident that when they call the FBI for help, the bureau knows that they were the victim.

“And we know how to work with a victim,” he said.

“A lot of times this comes down to a level of comfort that we’re not out there to look at your content; what we’re really looking for are those artifacts of intrusion,” he added, noting that people develop trust in the bureau after working with them once.

“It’s been my experience that there may be a hesitancy to call the FBI the first time; it’s a very quick call the second time.”

The DoD Cyber Scholarships will cover the full tuition, health insurance, housing, and related expenses of the students, whose names are being withheld due to the sensitive nature of the work. In exchange, they will intern at DoD-affiliated organizations next summer and will work for a DoD organization such as the NSA for at least a year after graduating. (Update: In August 2020, the NSA allowed for the release of the students’ names. They are Patrick Mayrisch, GABELLI ‘ 20, and Peter Jennings, FCRH ’20.)

The funding for the scholarships represents one of two grants that were secured by University Professor Thaier Hayajneh, Ph.D., founding director of Fordham’s Center for Cybersecurity.

As a result of a successful application to the program, Fordham can now administer the grant to students, who are chosen by the DoD.

The other grant, which the center has secured twice previously, covers capacity building efforts for the University’s cybersecurity program that can be shared with other CAE-CDE partners.

Hayajneh said the scholarships, which are available to undergraduate and graduate students interested in cybersecurity, are a validation of both the students’ outstanding credentials and Fordham’s growing leadership in the field.

“It’s a great recognition for our undergraduate programs, because they’ve selected students who are getting undergraduate degrees at Fordham, one of them in computer sciences at Fordham College at Rose Hill, and the other in information systems at the Gabelli School of Business,” said Hayajneh.

The scholarships can be used for one or two years, so in the future, undergraduates in their junior year can apply for it as well and use it for their senior year of undergraduate studies and one year of a master’s program. The two students who received it this year will complete nine classes during the 2020-2021 academic year and earn their final credits with a practicum at their internship.

The master’s in cybersecurity has been offered since 2016, and is one of three degrees the Graduate School of Arts and Sciences offers with an emphasis on cybersecurity. There is also a minor offered to undergraduates.

Since 2009, Fordham has also partnered every 18 months with the FBI to organize and host the International Conference on Cyber Security (ICCS), a four-day long conference that is regularly attended by the directors of the FBI and the NSA. The NSA designated the University a National Center of Academic Excellence in Cyber Defense Education (CAE-CDE) in 2017.

In keeping with his goal of expanding recruitment of students to fields besides computer science, Hayajneh said that he reached out to all students either minoring or majoring the STEM field.

“The field of cyber has changed a lot. They don’t have to be programmers, they could be anything related to cybersecurity,” he said.

“These two students have really high GPAs, excellent credentials, and have been involved in internships in the past, and that’s why they were selected. Now that we’ve got these first grants, I’m optimistic that next year we’ll get five or even more.”

At “Connectivity and Cyber Safety in Natural Disaster Zones,” a panel discussion held on Jan. 11 at the 2018 International Conference on Cyber Security, panelists discussed the best strategies for promoting cybersecurity in the most chaotic, challenging environments.

It featured:

Jake Schmitter, senior manager, North American Electric Reliability Corporation; Adam Marlatt, founder, Global Disaster Immediate Response Team; Keith Robertory, Director Embedded in FEMA, American Red Cross; Michael R. Singer, assistant vice president, and executive director of technology security at AT&T; and Ron Snyder, senior network engineer, Cisco Tactical Operations.

Trusted partnerships between technology firms and nongovernmental organizations that have been established before natural disasters strike are key, said Robertory. When he was in charge of disaster technology for the Red Cross, he often called telecommunications firms’ emergency teams for help. Although their standard spiel was that they couldn’t direct their priorities, Robertory said there were ways to cut through the red tape by emphasizing the critical needs and players.

“Knowing what your partners can do and cannot do is very important.”

During natural disasters, Robertory said “trying to make things easier for disaster survivors may also make it easier for hackers.” He cautioned that privacy pitfalls await well-intentioned efforts to help reunite displaced people, especially when their status and addresses are made public when they sign in to verify their safety after a disaster. For this reason, he noted that the Red Cross’ Safe and Well system doesn’t reveal a person’s location or any personal information.

“You have situations where landlords say ‘You need to tell me you registered for assistance, prove it by giving me your number.’ Then they can change the routing where the financial assistance goes,” he said.

Singer said a new development called “mobile key” holds promise for safeguarding personal information, especially for rescue workers who have access to command and controls, he said.

“You can look at a lot of things about how a person might hold a device, unlock a device, maybe put a certificate on the device. As you build up more and more things that can check, it builds your confidence that yes, that’s the right person, so let them take the next action,” he said.

Preventing disasters from happening in the first place is equally important, said Schmitter. The 2013 North American blackout was caused in part by human error and failure to follow proper procedures. To prevent it from happening again, the industry holds a large-scale exercises, dubbed “gridmageddon,” where every bad thing that could possibly happen within a two-day period is simulated.

“When the industry has an incident, how do they respond? And how do they reach beyond themselves when they’re in a situation that’s overwhelming?” he said.

“Do they have those preexisting relationships so that when bad things do happen, they know exactly the capabilities they can ask for, what the requirements will be, and how to get power back online as quickly as possible?”

Talk of power grids led to the plight of Puerto Rico after Hurricane Maria. Robertory said it’s difficult to convey how challenging it is to bring power back to the island. High-tension electrical wires in the United States are separated by wide right of ways, for instance, while many in Puerto Rico are not. So in some mountainous regions, it’s easier to reinstall poles by helicopter than by truck.

And, he said, you have to remove the existing infrastructure first.

“There’s a lot of good work going on in Puerto Rico, but it is simply overwhelming.”

In a Jan. 10 session at the ICCS18, Thaier Hayajneh, Ph.D., associate professor of computer and information sciences and director of Fordham’s Center on Cybersecurity, Rien Chy, GSAS ’07, operations manager for Fordham, and Damianos Pinou, GSAS ’07, director of Data Center Operations at BITS, made an impassioned plea for the more attention to protecting the nation’s power grid.

The team cited several past incidents as cause for concern: A 2013 sniper attack on 17 electrical transformers at a transmission substation near San Jose, California; “Dragonfly,” a 2014 cyber espionage campaign that disabled energy-related targets in the United States and Europe; and the attack on a Ukrainian power grid in 2015 that left nearly 230,000 people without power for up to six hours.

“Our grid is extremely old, exceedingly fragile, and expensive to repair. The United States has a total of 55,000 high-voltage transformers or substations, 10 of which represent the main interconnected points. For security reasons, these main ones are in undisclosed locations. But an attack that was planned and orchestrated properly on them could collapse the entire grid,” said Pinou.

In many cases, he noted that high-voltage transformers are only partially protected by metal fences—as opposed to full enclosures like those found in Germany. Such enclosures are one of several proven methods to protect data centers from EMPs, others that the team discussed are: maintaining distance from an attacker, metal lining in hardened walls, and wire mesh covered (or bricked over) windows.

Faraday Cage to the Rescue

To demonstrate why they’re so important, Pinou turned on a prototype EMP device in the vicinity of two laptops; the team had constructed the EMP from over-the-counter parts. One laptop was unprotected and the second was ensconced in a metal mesh “Faraday cage.”

When activated a few inches away, the EMP device shut down the unprotected laptop immediately, while the latter was unharmed as the mesh cage dispersed the energy.

“Imagine anyone with access to critical network, who has certain privileges and is able to identify key components in that infrastructure. That person can easily magnify this and walk into allocation, take down something, and walk out,” he said.

Pinou and Chy conducted the research as part of a capstone project in a cybersecurity course under the supervision of Hayajneh, and are presenting their findings in a forthcoming paper, “Electronic Warfare and Cyber Security Threat.”

“This is a core course in our MS program in Cybersecurity in which we teach the student’s cybersecurity research and analysis methodologies,” Hayajneh said.

They said that first and foremost, the question of who is responsible—government or private industry—for protecting the electrical grid from physical and cyberthreats needs to be resolved.

“Unfortunately, if Congress and the government continue to move at a slow pace, once day it may be too little, too late,” Pinou said.

At its peak in 2015, the anonymous online market AlphaBay had an estimated 200,000 users who used cryptocurrency to buy and sell drugs, weapons, and a myriad of illegal goods and services.

It all came crashing down in July of last year, when U.S. and international law enforcement agencies seized it and arrested Alexandre Cazes, a Canadian citizen who ran the site.

On Jan. 9, FBI Special Agent Nicholas G. Phirippidis told attendees at the ICCS 2018 how “Operation Bayonet,” as it was dubbed, came together.

The bureau’s first break in identifying Cazes came when an agent in Fresno made two arrests of vendors who’d been selling on AlphaBay. Those arrests prompted someone to leak to the agent an e-mail that Cazes had sent to an early user of AlphaBay, and that e-mail revealed both an ISP address and Cazes’ personal Hotmail account.

Phirippidis said that as they began to track down his digital footprint on social media sites around the internet, it appeared Cazes had cleaned up other parts of his name online.

“For the most part, he had a lot of success, but the internet archive and a few other sites that take snapshots through time allowed us to go back and see some of the early uses of the e-mail address affiliated with his name,” he said.

“Like many of these subjects on the dark web, they try to have a firm firewall [to protect their public persona], and every once in a while, they’ll make the smallest mistake. That’s usually how we can attribute a true name to a moniker on the dark web.”

Another feature of AlphaBay that the FBI explored was the site’s so-called “bitcoin mixer,” which was billed as a foolproof way to launder cryptocurrency but which FBI analysts could figure out. They were able to trace the exchangers who Cazes had been using to convert bitcoins into real-world currency.

A Bizarre Coincidence, a Staged Accident

Phirippidis said the bust, which took place from July 2 to 6 in five countries, was as dramatic as a Hollywood thriller. Coincidentally, three days before the scheduled arrest, he and his team were sitting at the bar in the lobby of their Bangkok hotel when a Porsche Panamera E-Hybrid pulled up in front.

“As a joke, one of the prosecutors said ‘Hey look at that car, that looks like one of Cazes’ cars. I’m sure there are more than one of them in Bangkok,’” he said.

“Then we passed Cazes, who was entering through the sliding door in the lobby. It was the most bizarre coincidence I’ve ever been a part of.”

On the day of the arrest three days later, they lured Cazes out of his apartment abruptly by purposely crashing a car into the gate outside his villa. As luck would have it, when they entered the apartment, they found his computer on and already logged onto AlphaBay through his e-mail account.

A week before the FBI took over AlphaBay, European authorities had quietly taken control of Hansa, a similar site to which those fleeing AlphaBay joined on to. They operated it for two weeks to collect information of thousands of users, and then made more arrests.

“The whole point was to throw a curve ball at the dark web community, so they never really know moving forward who they could trust,” Phirippidis said.

“Looking ahead, we want to make sure we can leverage any kind of tactic to hit this thing with a hammer.”

Speaking at the Lincoln Center campus on July 28 at a conference held by Fordham and the FBI, Mayorkas said cyber threat indicators—information used to identify cyber security threats—need to stop being traded by security firms as if they were common commodities.

“Look, we’re all in this together. Some of us are in it as a calling, some of us are nonprofit, and some are for profit. For those of you who are for profit, you have many streams of revenue. The cyber threat indicator should not be one of them. That needs to be a public good,” he said.

“Hopefully, we’ll get to a point where that become a public good and is no longer a for-profit commodity, and we can raise the bar of the entire cyber ecosystem in terms of our defense mechanisms.”

Mayorkas noted that the “seminal announcement” by the White House on Tuesday at Fordham detailed the government’s new approach to responding to significant cyber incidents. The directive features a framework with two priorities: a threat response, which is an effort to identify perpetrators and hold them accountable, and an asset response, in which the goal is to identify the nature of the attack, identify and help expel the perpetrator, identify the vulnerabilities that permitted the intrusion, and identify if there are other victims who need help.

The challenge, he said, is that a core principle of asset response is the dissemination of information as broadly as is needed. It’s extraordinarily important do this at network speed because attacks can be replicated with the click of a button, but he acknowledged that a trust deficit exists between the cyber community and the government, thanks in part to 2013 revelations by former National Security Agency contractor Edward Snowden.

“The idea of voluntarily providing information to the government still requires a bridge for many to cross, and I hope that we will all work very hard to overcome that trust deficit,” he said.

“Words, of course will not do it, but action, and bringing benefit to different communities will achieve it, and it’s a privilege for me to be a part of that effort.”

It’s not here yet, but according to Wences Casares, it’s “inevitable.”

Casares, an entrepreneur and proponent of Bitcoin currency, will join the stellar lineup of cyber security experts for this year’s International Conference on Cyber Security, starting Jan. 5 at Fordham’s Lincoln Center campus.

Casares is the founder and CEO of Xapo, a company that created one of the first storage vaults for a new digital currency known as Bitcoin. The unique feature of this a software-based online payment system (besides the fact that it is exclusive to the digital world) is that it is exchanged peer-to-peer, rather than going through a central repository like a bank.

The exchange does not involve any kind of digital “coin” that is passed around, however. Instead, complex mathematical algorithms log the transaction and transfer the ownership of the Bitcoin from one owner (the spender) to the next (the supplier). The movement of ownership from one person to another is the transaction itself.

As of now, the majority of the six million current Bitcoin users are merely storing it, rather than using it to pay for something. Nevertheless, Casares believes that Bitcoin is destined to become a common payment mechanism.

At ICCS, Casares will explain how Bitcoin storage vaults work, why he believes Bitcoin will soon become a unit of account, and when he predicts Bitcoins will hit one billion users (spoiler alert: very soon).

Sponsored by the Federal Bureau of Investigation and Fordham University, ICCS 2015 is a four-day event featuring more than 60 unique lectures from keynote, distinguished, plenary, and parallel speakers in the disciplines of emerging technologies, operations and enforcement, and real-life experiences. ICCS 2015 presents exceptional opportunities to meet and talk with some of the greatest cybersecurity experts in the world.

Click here to register for ICCS 2015.