"Draft" National Strategy To Secure Cyberspace

[Rodney Petersen <rpetersen () EDUCAUSE EDU>]

As many of you know, The White House released its "National Strategy To
Secure Cyberspace" at an event held at Stanford University yesterday.
The EDUCAUSE/Internet2 Computer & Network Security Task Force has
created a web site with further information and important links
(www.educause.edu/security/national-strategy).  The draft strategy is
also available at www.securecyberspace.gov

There are several recommendations throughout the report of interest to
those of us in higher education, including training, education, and
certification of IT security professionals and research and development
efforts to improve the security of current and future technologies.   A
section of the draft strategy that contains information of direct
interest to higher education can be found on pages 33-34.  The "agenda"
for higher education is divided into 3 levels:  programs,
recommendations, and discussions.  Below is a recap of that information.

PROGRAMS

-EDUCAUSE and Internet2 established the Task Force on Computer and
Network Security (www.educause.edu/security)
-EDUCAUSE Workshop series with National Science Foundation
-EDUCAUSE Outreach and awareness program to leaders and associations in
higher education

RECOMMENDATIONS (Specific actions that government and nongovernment
entities can take to promote cybersecurity)

-Each college and university should consider establishing a
point-of-contact, reachable at all times, to Internet service providers
(ISPs) and law enforcement officials in the event that the school's IT
systems are discovered to be launching cyber attacks.
-Colleges and universities should consider establishing together:  (a)
one or more information sharing and analysis centers (ISACs) to deal
with cyber attacks and vulnerabilities; (b) model guidelines empowering
Chief Information Officers (CIOs) to address cybersecurity; (c) one or
more set of best practices for IT security; and (d) model user awareness
programs and materials.

DISCUSSIONS (Issues highlighted for continued analysis, debate, and
discussion)

-What are the merits of adopting a model set of authorities for
Institution of Higher Education (IHE) CIOs, the academic institution,
and the nation?  (An example of such authorization can be found at
http://www.itpo.iu.edu/Resolution.html)
-Should consideration be given to tying State or Federal funding to IHEs
to compliance with certain cybersecurity benchmarks?
-Should an ISAC for the higher education community be established?  If
so, how?  What other steps could be taken to improve methods of
information sharing among IHEs at all levels?
-Should IHEs adopt the NIST Information Technology Security Assessment
Framework ("NIST 3") as a standard for information system security
compliance?

The President's Critical Infrastructure Protection Board (PCIPB) is
encouraging comments on the National Strategy by November 18, 2002, via
the feedback link at its web site.  As mentioned in my previous message,
the Security Task Force is organizing additional opportunities for
engaging our community, including use of this discussion list.  We will
also try to coordinate participation of our community in the 8 Town Hall
Meetings that are being planned by the PCIPB over the next few weeks.

Please contact me directly (rpetersen () educause edu or 202.872.4200) if
you have any comments or questions about the strategy.  Otherwise, I
encourage you to attend one of the open meetings at EDUCAUSE2002 or
Internet2 Fall Member Meeting and to contribute to the discussions on
the Security Discussion Group that will follow.

Rodney Petersen
Security Task Force Coordinator
EDUCAUSE

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/memdir/cg/.