Clarke warns educators about need for better security

[InfoSec News <isn () c4i org>]

http://www.computerworld.com/securitytopics/security/story/0,10801,71714,00.html

By DEBORAH RADCLIFF 
June 05, 2002

REDMOND, Wash. -- Despite evidence of al-Qaeda's research into
American utility companies gleaned from laptops seized after the Sept.  
11 terrorist attacks, don't expect the National Security Agency, CIA
and FBI to warn businesses when a cyberattack might take place.

That was the message delivered yesterday by the president's
cybersecurity czar, Richard Clarke, to 300 educators attending the
sixth annual National Colloquium for Computer Security Education at
Microsoft's conference center.

"Law enforcement can't save the private sector," Clarke said. "We
can't tell the energy companies and the pipeline companies how to
configure their systems. At a fundamental level, it doesn't matter who
the threat is."

What matters, he said, are the vulnerabilities within corporate
networks that present risks to national infrastructure. And the most
vulnerable networks are those at universities and college systems,
many of which have little or no protection -- and thus make great
launching pads for attacks against infrastructure companies.

Clark challenged the computer security and information assurance
program directors to push for better security at their own schools.  
And he urged them to develop research curriculum around secure
operating systems, routers and out-of-line management.

"In three to four years, we will have a billion IP addresses," he
said. "Do we still want to use TCI/IP? Do we still want the same
domain naming system? Do we still want the same wireless security
we're using today?"

To champion better security at their own campuses, Clark said
attendees needed to become "nudges" by pressing university provosts
and boards of regents for better security programs and educational
grants.

"An information war is coming some day, and the $15 billion in losses
from hacking cited today will seem like nothing when it happens," he
said.

But attendees questioned whether scare tactics would result in better
security programs.

"Security already has this image that it's a pain in the ass," said
Peter Tippett, founding chief technology officer at TruSecure Corp. in
Herndon, Va. "From the viewpoint of the CEO, he's got to open his
business in Poland next month and all he's hearing is pain, pain,
pain."

Instead, security professionals should push their agendas by adhering
to the business goals of value-add, something largely missing from
security and information program syllabuses offered at the session.


Broader Selection of Security Courses

Most representatives and speakers talked of information assurance
programs at the bits and bytes level, with research agendas heavy on
technology, including loss-leaders like public key infrastructure.  
And, while speakers touted forensics programs, intrusion-detection and
prevention programs, security standards development and other
technical programs, there was little talk about business value and
critical thinking.

"Schools are pumping out too many students who approach security
mechanically from an engineering perspective," said Nimal Jayaratna,
head of the Curtin University of Technology in Perth, Australia.  
"There's no critical thinking being taught."

Curtin just rolled out three new post-graduate Internet security
management programs, and each of the degrees starts with three courses
on project and risk management, information security management and
problem solving. In the second semester, the programs include a course
on client management.

Some educators, such as Alexander Korzyk, assistant professor at the
college of business and economics at the University of Idaho in
Moscow, Idaho, questioned whether information security should remain
in the computer science discipline at all, or be moved to areas of
study more reflective of business risk issues.

Several colleges, including Johns Hopkins University in Baltimore, are
making information protection part of their multidisciplinary academic
programs. Because it's got the largest campus-based medical teaching
center, health care privacy is being introduced at the university's
school of public health. There are also new courses on information
security, security architecture and e-commerce security in the school
of business and education. And international studies students will be
introduced to international cybersecurity and privacy issues.

 


-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.