U.S. cyber czar warns educators about better security

Despite evidence of al-Qaeda’s research into American utility companies gleaned from laptops seized after the Sept. 11 terrorist attacks, don’t expect the U.S. National Security Agency, U.S. Central Intelligence Agency and U.S. Federal Bureau of Investigation to warn businesses when a cyberattack might take place.

That was the message delivered yesterday by the president’s cybersecurity czar, Richard Clarke, to 300 educators attending the sixth annual National Colloquium for Computer Security Education at Microsoft’s conference center.

“Law enforcement can’t save the private sector,” Clarke said. “We can’t tell the energy companies and the pipeline companies how to configure their systems. At a fundamental level, it doesn’t matter who the threat is.”

What matters, he said, are the vulnerabilities within corporate networks that present risks to national infrastructure. And the most vulnerable networks are those at universities and college systems, many of which have little or no protection — and thus make great launching pads for attacks against infrastructure companies.

Clark challenged the computer security and information assurance program directors to push for better security at their own schools. And he urged them to develop research curriculum around secure operating systems, routers and out-of-line management.

“In three to four years, we will have a billion IP addresses,” he said. “Do we still want to use TCI/IP? Do we still want the same domain naming system? Do we still want the same wireless security we’re using today?”

To champion better security at their own campuses, Clark said attendees needed to become “nudges” by pressing university provosts and boards of regents for better security programs and educational grants.

“An information war is coming some day, and the $15 billion in losses from hacking cited today will seem like nothing when it happens,” he said.

But attendees questioned whether scare tactics would result in better security programs.

“Security already has this image that it’s a pain in the ass,” said Peter Tippett, founding chief technology officer at TruSecure Corp. in Herndon, Va. “From the viewpoint of the CEO, he’s got to open his business in Poland next month and all he’s hearing is pain, pain, pain.”

Instead, security professionals should push their agendas by adhering to the business goals of value-add, something largely missing from security and information program syllabuses offered at the session.

Broader selection of security courses

Most representatives and speakers talked of information assurance programs at the bits and bytes level, with research agendas heavy on technology, including loss-leaders like public key infrastructure. And, while speakers touted forensics programs, intrusion-detection and prevention programs, security standards development and other technical programs, there was little talk about business value and critical thinking.

“Schools are pumping out too many students who approach security mechanically from an engineering perspective,” said Nimal Jayaratna, head of the Curtin University of Technology in Perth, Australia. “There’s no critical thinking being taught.”

Curtin just rolled out three new post-graduate Internet security management programs, and each of the degrees starts with three courses on project and risk management, information security management and problem solving. In the second semester, the programs include a course on client management.

Some educators, such as Alexander Korzyk, assistant professor at the college of business and economics at the University of Idaho in Moscow, Idaho, questioned whether information security should remain in the computer science discipline at all, or be moved to areas of study more reflective of business risk issues.

Several colleges, including Johns Hopkins University in Baltimore, are making information protection part of their multidisciplinary academic programs. Because it’s got the largest campus-based medical teaching center, health care privacy is being introduced at the university’s school of public health. There are also new courses on information security, security architecture and e-commerce security in the school of business and education. And international studies students will be introduced to international cybersecurity and privacy issues.