Securing Cyberspace: What It Means for Higher Education
Times are changing. President Clinton only sent out two e-mails as President. President George W. Bush stopped using e-mail when he became President, although he said he was looking forward to e-mailing "my buddies" when he left office. But President Obama is a serious e-mail user. Remember all those pictures during the election showing the then-candidate with his Blackberry in hand?
Initially he was concerned that for security reasons he would have to give up his beloved Blackberry. In an interview with CNBC he said, "They're going to pry it out of my hands." But to the relief of the "e-mailer-in-chief," there are some secure PDAs that meet the necessary security requirements. One such device, the L-3 Communications' Guardian, is shown to the left.
Yes, it's a little bit chunky. But it provides portable secure communications.
Tech-Savvy President and Cybersecurity
The real question is: "What does it mean to have a tech-savvy President?" Senator Obama gave one answer at a July 16, 2008, presentation to the Summit on Confronting New Threats, held at Purdue University.
Every American depends--directly or indirectly--on our system of information networks. They are increasingly the backbone of our economy and our infrastructure; our national security and our personal well-being. But it's no secret that terrorists could use our computer networks to deal us a crippling blow. We know that cyber-espionage and common crime is already on the rise. And yet while countries like China have been quick to recognize this change, for the last eight years we have been dragging our feet.
As President, I'll make cyber security the top priority that it should be in the 21st century. I'll declare our cyber-infrastructure a strategic asset, and appoint a National Cyber Advisor who will report directly to me. We'll coordinate efforts across the federal government, implement a truly national cyber-security policy, and tighten standards to secure information--from the networks that power the federal government, to the networks that you use in your personal lives.
CSIS Recommendations to the President
Those remarks did not occur in a vacuum. Rather they reflect advice given the then candidate from individual security analysts and former cybersecurity officials in the Bush administration as well as groups such as the Technology and Public Policy Program at the bipartisan Washington DC-based think tank Center for Strategic and International Studies (CSIS). Last December the CSIS released Securing Cyberspace for the 44th Presidency: A Report of the CSIS Commission on Cybersecurity for the 44th Presidency. The Commission's three major findings were:
- Cybersecurity is now one of the major national security problems facing the United States;
- Decisions and actions must respect American values related to privacy and civil liberties; and
- Only a comprehensive national security strategy that embraces both the domestic and international aspects of cybersecurity will improve the situation.
Some of the recommendations and observations in the report are of particular interest for higher education include:
1. Organization: "The president should appoint an assistant for cyberspace and establish a Cybersecurity Directorate in the NSC (National Security Council) that absorbs existing Homeland Security Council (HSC) functions....A new National Office for Cyberspace (NOC) would support the work of the assistant for cyberspace and the new directorate.... The assistant to the president ... would direct the NOC." (p.33)
2. Regulate Cyberspace. "The president should task the NOC to work with appropriate regulatory agencies to develop and issue standards and guidance for securing critical cyber infrastructure, which those agencies would then apply in their own regulations." (p. 7) And, "We believe that cyberspace cannot be secured without regulation." (p. 30) In the executive summary they conclude, "Voluntary action is not enough." (p.2)
3. Identity Management. "The United States should make strong authentication of identity, based on robust in-person proofing and thorough verification of devices, a mandatory requirement for critical cyber infrastructure." And, "The United States should allow consumers to use strong government-issued credentials (or commercially issued credentials based on them) for online activities, consistent with protecting privacy and civil liberties." (p. 8) But the report also underscores the caveat contained in the last clause, "The Federal Trade Commission ... should implement regulations that protect consumers by preventing businesses and other services from requiring strong government-issued or commercially issued credentials for all online activities by requiring businesses to adopt a risk-based approach to credentialing." (p. 61)
4. Privacy: "Privacy and confidentiality are central values that any government cybersecurity initiative must respect. For authentication systems to be widely adopted, privacy concerns must be addressed." (p. 64)
5. Training and Education. "The president should direct the NOC ... to work with the National Science Foundation to develop national education programs." (p. 9) "The simplest approach would be to expand the Scholarship for Service, a National Science Foundation scholarship program that provides tuition and stipends, and reinforce this by requiring accreditation of schools where scholarships are provided for computer security studies." (p. 72)
6. Research and Development. "The NOC, working with the Office of Science and Technology Policy (OSTP) should provide overall coordination of cybersecurity research and development (R&D). As part of this, the United States should increase its investment in longer-term R&D designed to create a more secure ecosystem." (p. 9) "Perhaps the most important game-changing research involves what we call 'rearchitecting the Internet....' Updating the core protocols of the Internet to be more resilient against attack could make cyberspace an environment of greater security and trust. Research on how to make the Internet fundamentally more secure would provide global benefits for security and commerce.'" (p. 75)
Wow! If even some of these recommendations were implemented, our security environment would undergo a dramatic change.
A Higher Education Perspective
To get an academic perspective from someone not involved with Washington policy, over an informal breakfast this month I asked Mary Shaw, the Alan J. Perlis Professor of Computer Science at Carnegie Mellon University, to comment on what she saw as the cybersecurity implications of the Obama presidency. Her response was that she was "pleased to see an administration with the tech savvy to deal with fundamental problems in cybersecurity and was looking forward to progress on two fronts: the integrity of the infrastructure, and the recognition that cyberinfrastructure is now integral to our fabric of life and has become central to our national security."
She went on to stress the importance of "sorting out issues of privacy and jurisdiction." She personally felt that we needed to strengthen privacy requirements, as some European nations have already done, as well as negotiate international agreements with teeth that clearly define jurisdictions. Her concern was that cybersecurity did not recognize national boundaries and required an international response.
She went on to say that she though ID theft would become an increasingly serious problem and would require legislation to force organizations to not only implement better data security but also to make their processes more transparent. She cited the onerous process to correct erroneous credit reporting data as an example.
Finally she concluded with comments about an issue near and dear to all of us in the higher education community--ePiracy. In her opinion the current market model is broken. She said she felt that the government should restore traditional copyright protection with fair use rights and encourage the entertainment industry to find sustainable market models for the distribution of digital content.
Higher Education Action Item
So what does it mean for higher education? In my opinion it means that cybersecurity is no longer being characterized as nuisance e-mail spam, but rather a major national security issue. We need to make sure that our senior management recognizes this fundamental shift and understands the importance of implementing strong authentication and protecting data--even in the face of faculty and student opposition. There is also a tremendous opportunity for higher education to do what it does best--education and research.