[ISN] Clarke warns educators about need for better security

From: InfoSec News (isnat_private)
Date: Thu Jun 06 2002 - 02:30:42 PDT

  • Next message: InfoSec News: "[ISN] Security UPDATE, June 5, 2002"

    June 05, 2002
    REDMOND, Wash. -- Despite evidence of al-Qaeda's research into
    American utility companies gleaned from laptops seized after the Sept.  
    11 terrorist attacks, don't expect the National Security Agency, CIA
    and FBI to warn businesses when a cyberattack might take place.
    That was the message delivered yesterday by the president's
    cybersecurity czar, Richard Clarke, to 300 educators attending the
    sixth annual National Colloquium for Computer Security Education at
    Microsoft's conference center.
    "Law enforcement can't save the private sector," Clarke said. "We
    can't tell the energy companies and the pipeline companies how to
    configure their systems. At a fundamental level, it doesn't matter who
    the threat is."
    What matters, he said, are the vulnerabilities within corporate
    networks that present risks to national infrastructure. And the most
    vulnerable networks are those at universities and college systems,
    many of which have little or no protection -- and thus make great
    launching pads for attacks against infrastructure companies.
    Clark challenged the computer security and information assurance
    program directors to push for better security at their own schools.  
    And he urged them to develop research curriculum around secure
    operating systems, routers and out-of-line management.
    "In three to four years, we will have a billion IP addresses," he
    said. "Do we still want to use TCI/IP? Do we still want the same
    domain naming system? Do we still want the same wireless security
    we're using today?"
    To champion better security at their own campuses, Clark said
    attendees needed to become "nudges" by pressing university provosts
    and boards of regents for better security programs and educational
    "An information war is coming some day, and the $15 billion in losses
    from hacking cited today will seem like nothing when it happens," he
    But attendees questioned whether scare tactics would result in better
    security programs.
    "Security already has this image that it's a pain in the ass," said
    Peter Tippett, founding chief technology officer at TruSecure Corp. in
    Herndon, Va. "From the viewpoint of the CEO, he's got to open his
    business in Poland next month and all he's hearing is pain, pain,
    Instead, security professionals should push their agendas by adhering
    to the business goals of value-add, something largely missing from
    security and information program syllabuses offered at the session.
    Broader Selection of Security Courses
    Most representatives and speakers talked of information assurance
    programs at the bits and bytes level, with research agendas heavy on
    technology, including loss-leaders like public key infrastructure.  
    And, while speakers touted forensics programs, intrusion-detection and
    prevention programs, security standards development and other
    technical programs, there was little talk about business value and
    critical thinking.
    "Schools are pumping out too many students who approach security
    mechanically from an engineering perspective," said Nimal Jayaratna,
    head of the Curtin University of Technology in Perth, Australia.  
    "There's no critical thinking being taught."
    Curtin just rolled out three new post-graduate Internet security
    management programs, and each of the degrees starts with three courses
    on project and risk management, information security management and
    problem solving. In the second semester, the programs include a course
    on client management.
    Some educators, such as Alexander Korzyk, assistant professor at the
    college of business and economics at the University of Idaho in
    Moscow, Idaho, questioned whether information security should remain
    in the computer science discipline at all, or be moved to areas of
    study more reflective of business risk issues.
    Several colleges, including Johns Hopkins University in Baltimore, are
    making information protection part of their multidisciplinary academic
    programs. Because it's got the largest campus-based medical teaching
    center, health care privacy is being introduced at the university's
    school of public health. There are also new courses on information
    security, security architecture and e-commerce security in the school
    of business and education. And international studies students will be
    introduced to international cybersecurity and privacy issues.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Thu Jun 06 2002 - 05:17:23 PDT