|
|
     |
|
|
|
by Gal Shpantzer
With all the attention airport security has been getting in the months since the September 11th attacks, one might think the best way to protect our country from terrorism is to put air marshals on every flight. However, there are additional ways to wreak havoc on the nation's airlines through attacks staged from the Internet, not from on-board the aircraft. To protect the nation against these attacks, a well-educated corps of information security experts is needed.
In March of 1997, a teenager from Massachusetts used his home computer to crack into and disable a critical component of Bell Atlantic's communications grid called a loop carrier system. This shut down radio control for the Worcester airport as well as critical services in the nearby town of Rutland. The controls for the lights on the runways were disabled, as well as phone lines to the emergency services for the airport. The U.S. Secret Service, which has jurisdiction over certain computer fraud cases, investigated the case and found the same vulnerability exploited in this particular attack present in thousands of other locations around the country. If a teenager managed to take out an airport and a small town's communications for several hours, imagine what a few skilled agents of a terrorist group, foreign or domestic, could have done.
Fortunately, a concerted effort is being made to prevent attacks such as these or at least to mitigate their effects, should they occur. Government, business, and academia are aiming to protect critical infrastructure through cooperative efforts. Such collaborations include the FBI's National Infrastructure Protection Center, the prestigious SANS Institute, and the Critical Infrastructure Assurance Office. These agencies work to secure information systems and other critical infrastructure.
So many positions, so few people
All of these agencies and businesses face a common dilemma: a lack of trained and experienced people to help get the job done. Education in technical fields is absolutely essential to safeguarding power plants, phone and Internet communications, financial institutions and emergency services radio nets.
The problem of finding qualified staffers is further compounded by the sensitive nature of the work done by these agencies. Many positions require U.S. citizenship, and some require obtaining security clearances that give the participants access to classified materials. A high percentage of students studying computer science and other technical fields are not U.S. citizens. Although they may have the skills required for information security jobs, they are ineligible to be hired for these positions. The lack of trained personnel to staff critical positions is the weak link in the security infrastructure.
Alan Paller, founder of the SANS Institute, recently gave a talk to an industry group illustrating the nature of the problem. In the last few years, approximately 70 million computers were connected to the Internet. During the same period, only 70,000 system administrators were trained, and of those, perhaps 10% had sufficient security skills and training. Given that each administrator can secure about 10 to 20 machines, there is a tremendous lag between the amount of new hardware being connected to the Internet and the ability to correctly configure and manage it.
Money is not the answer
In the analysis of the Pentagon and World Trade Center attacks, several intelligence agencies revealed that they do not necessarily need more technology or even bigger budgets to intercept communications. Instead, they need more skilled people that can speak the languages of the intercepted communications. Similarly, an infrastructure protection program provided with billions of dollars will not be effective if the people who staff the program are poorly trained or lack the background necessary to carry out the mission.
One of the efforts focusing on the educational aspects of information security is the National Colloquium on Information Systems Security Education (NCISSE). The fifth annual NCISSE colloquium last May centered on the lack of structured information security education at the graduate and undergraduate levels. The National Security Agency (NSA), the intelligence agency responsible for worldwide electronic signals interception, is a major sponsor and supporter of the NCISSE effort to increase awareness of information security education.
The NSA also has a program in place to certify graduate programs that exemplify excellence in information assurance, which includes a comprehensive information security curriculum. The NSA certifies information assurance programs based on national standards. Most of the twenty-three institutions currently certified by the NSA received certification for their computer science department. Others created collaborations between computer science and other departments in order to gather resources to make the program certifiable. The NSA views the field of information assurance as inherently interdisciplinary and encourages universities to develop centers that foster cooperation between departments.
Another program targeted at information security education is the National Science Foundation's Scholarships for Service (SFS) program announced at the May NCISSE conference. Students who receive SFS scholarships for undergraduate or graduate work will have internship opportunities with federal agencies, and, upon graduation, work for the federal government on a basis of one year of service for each year of scholarship, in a manner similar to ROTC programs. At its inception, the SFS awarded $8.6 million in grants over four years to Carnegie Mellon, Iowa State, Purdue, Univeristy of Idaho, University of Tulsa, and the Naval Postgraduate School in Monterey California for SFS scholarships and curriculum development to address information security and assurance issues. Two hundred students at these institutions are receiving SFS scholarships this year. The director of the NSF, Rita Colwell, in announcing the award noted, "The scholarships will encourage young people to enter the field of information security and assurance, and give them the opportunity to put their talents to work at the front lines of government cyber security efforts."
Legal Responsibility for Information Security
Everyone is responsible for being aware of information security issues and policies. Emerging legal theory makes computer owners liable for damage done unknowingly when their computers are broken into by malicious hackers and used to launch attacks on companies' or governments' computers. Gross negligence may also be charged against a university or company whose computers are used as pawns after a security breach. Today the FBI can take an individual's computer away with court-ordered warrants if the machine has been used to launch Internet attacks, and in the future, owners may be sued for not implementing minimum security on their computers.
Critical infrastructure protection is a broad, interdisciplinary field, and one does not have to be a computer scientist to participate in the effort. Less technical aspects of infrastructure protection include planning for recovery from disasters and terrorist attacks, which is perhaps as critical as understanding the intricacies of firewall configuration and monitoring intrusion detection systems. Nevertheless, understanding basic concepts of security management and risk management are crucial to both technical and non-technical people involved in the daunting task of securing the transportation, power and telecommunications infrastructure. In the U.S., dependence on networked computer systems is both our strength and our Achilles' heel. Fortunately information security programs are making great gains toward creating a well-trained cadre of people to create a more secure and stable infrastructure for the global economy.
INSIDE STORIES:
Hacking for the Masses
Securing The Private Sector
FOR MORE INFORMATION:
www.ciao.gov
www.nipc.gov
www.sans.org
www.ncisse.org
www.nsa.gov/isso/
