Full Disclosure mailing list archives
Fred B. Schneider testimony on Cybersecurity Credentials
From: Shawn Merdinger <shawnmer () gmail com>
Date: Sat, 5 Feb 2011 16:33:27 -0500
Testimony of Fred B. Schneider
Samuel B. Eckert Professor of Computer Science
Cornell University, Ithaca, New York
February 19, 2010
http://www.cs.cornell.edu/fbs/publications/SciPolicyHouseArmedServsFeb2010.pdf

<snip>

A Cybersecurity Credential.

Most professions expect their practitioners to have a credential before they are allowed to practice. But I believe that credentials by themselves are not the solution. At best, they are a symptom of a solution. For example, you might hope that a credentialed individual would engage in best practices. But hope is all you can do. Possession of a credential does not by itself compel the use of best practices, and it is easy to imagine credentialed system builders cutting corners by choice (such as out of laziness) or by mandate (such as from management trying to cut costs).

Also, the value of a credential depends on the institutions that define what content must be mastered to obtain the label. To whom should society be willing to vest that responsibility? How do we ensure that the content and standards enshrined by the credential have been selected based entirely on society's best interests rather than financial gain or commercial advantage?

In a fast moving field, content will change rapidly. The credentialing process must keep up, as must credential holders. Otherwise, credentials impede the spread of innovation because people who employ practices learned for a credential are soon engaging in outdated methods. So a credentialing scheme must take this into account.

We are not the first group of professionals to face these problems. Credentialing schemes that the legal and medical professions use, for example, seem to serve society well. Therefore, it would be wise to understand the particulars of those credentialing processes before endeavoring to create one for producers of trustworthy systems.

I see three elements as being crucial to the success of these extant schemes:

• Obtaining a credential requires far more than passing an examination. To earn a credential, a candidate undertakes years of post-bachelors education, in which the curriculum has been set by the most respected thinkers and practitioners in the field.

• Credential holders are required to stay current with the latest developments in the field by continuing their education through courses sanctioned by the institution that issues credentials.

• The threat of legal action to individuals (including malpractice litigation) incentivizes professionals to engage in best practices.

In sum, using exams to create labels for our workforce might sound like a way to get more trustworthy systems, but it's not. To have the desired effect, a credential must bestow obligations and responsibilities on practitioners. Moreover, curriculum and educational programs—not an exam—are central to the enterprise.

</snip>

Cheers,

--scm

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/