IP: A response from Purdue on Good question NSA TAPS UNIVERSITIES FOR INFO SECURITY STUDIES -- from Edupage

[Dave Farber <farber () cis upenn edu>]

> Date: Mon, 17 May 1999 16:15:31 -0500
> From: spaf () cs purdue edu (Gene Spafford)
>
> As director of the CERIAS at Purdue, the focus of infosec work here, I'll 
> respond.
>
>
> > > Date: Mon, 17 May 1999 11:03:01 -0700
> > > To: farber () cis upenn edu
> > > From: Jim Warren <jwarren () well com>
> > > Subject: Re: IP: NSA TAPS UNIVERSITIES FOR INFO SECURITY STUDIES  -- from 
> > >   Edupage
> > >
> > > > The National Security Agency ... says the
> > > > centers will become "focal points for recruiting, and may create
> > > > a climate to encourage independent research in information
> > > > assurance." The seven universities--James Madison, George Mason,
> > > > Idaho State, Iowa State, Purdue, Idaho, and the University of
> > > > California at Davis--will be formally named at an IBM information
> > > > security systems conference on May 25-29. (EE Times Online 05/12/99)
> > >
> > > But one of the most important questions is -- will those institutions
> > > vigorously pursue public research sharing and enforce open publication of
> > > their research results?  Or will they just grab the NSA money and
> > > obediently trash the most fundamental principle of academic freedom?
>
> First of all, this designation by NSA/DoD has no money associated with it, so any greed we might be accused of is not 
> a factor here. :-)
>
> Purdue does not conducted any classified research: we have no facilities to do it, and no particular interest.  In 
> infosec in particular, with 3/4 of our CS grad students non-citizens (and perhaps 1/2 of our faculty likewise), this 
> would be very difficulty to do.  
>
> Purdue is a public, land-grant institution committed to research in the public good.  Standard policy is to publish 
> our results.  Historically, Purdue has been at the forefront of making scientific research public.  I have (once) been 
> involved in the process of holding back a thesis for a few months and it is onerous to accomplish -- the university 
> system does not support it.  
>
> The CERIAS is supported by 16 commerical entities and the university itself.  All have equal stake in what we do, and 
> our goal is to share information with them.   We explicitly state that we do not perform proprietary research -- that 
> is contrary to our mission.
>
> There is also the factor that I am the director of the CERIAS (and the campus Information Systems Security Officer).  
> My career has been devoted to making security information and research public, whether in my books or articles, or 
> embodied in our software (starting with COPS, and our most recent work in public vulnerability database sharing -- 
> which, by the way, was funded by NSA.).  The only times I have not published information is when publication would 
> result in immediate risk to others -- I am not an advocate of full disclosure until after fixes have been made 
> available -- but even then, I eventually published after fixes were available.
>
> Also, I doubt that anyone who knows me would consider me "obedient." :-)
>
> If yu don't trust the institutions or people involved, it doesn't matter what we say.  And in the end, security 
> (infosec or otherwise) is all about trust.  Draw your own conclusions.  
>
> --spaf