Dr. Eugene Spafford on Information Security Education
RICHARD SWART: Hi, this is Richard Swart with Information Security Media Group Publishers of BankInfoSecurity.com and CUInfoSecurity.com. Today weâ€™ll be speaking with Dr. Eugene Spafford, Professor of Computer Science and Electrical Engineering, at Purdue University and Director of the Center for Education and Research and Security. â€œSpafâ€ as he is known to his students and colleagues has written extensively about information security software engineering and professional ethics. He is one of the most senior and recognized leaders in the field of computing and has been a senior advisor and consultant on issues of security, cyber crime and policy to a number of major companies, law enforcement organizations and government agencies throughout the world. Hello, Spaf.
DR. EUGENE SPAFFORD: Hello there.
RICHARD SWART: Good to talk to you today. Could you provide us an overview of whatâ€™s happening in cyber security education and research in the United States right now? How good of a job are our universities doing?
DR. EUGENE SPAFFORD: Overall I think weâ€™re not doing very well. Weâ€™re doing better than we were but there are still a lot of gaps available. This is particularly well stated in a very recent report from the National Research Council thatâ€™s entitled â€œA Safer and More Secure Cyberspaceâ€ that was released just about two weeks ago. And their observation echo what has been said and reports and what many of us have been saying for some time: basically we donâ€™t have enough people who are in the pipeline when who are learning about cyber security. We donâ€™t have it mainstreamed enough in the regular computing curriculum, and we donâ€™t have the resources in place to really be looking at a broad enough variety of both near-term and long-term issues.
RICHARD SWART: What factors account for this lack of focus in our programs?
DR. EUGENE SPAFFORD: Well, we have so many different priorities for funding and attention right now and security is something that doesnâ€™t have the cachet or the immediate appeal or threat that any of the other things that weâ€™re spending our money on. So, for instance, many companies are much more interested in Web 2.0 because thatâ€™s where they believe theyâ€™re going to establish some market dominance and some long-term financial leadership. Unfortunately, unless weâ€™re also thinking about how to integrate privacy protection, defenses, law enforcement investigation and other elements that we can lump under cyber security as part of that process weâ€™re going to face a whole new set of problems or some older problems re-emerging in new guise.
RICHARD SWART: You recently posted a blog about the tendency of people in organizations to put off the pain and expense of fixing things because nothing terrible has happened yet. Why arenâ€™t we as a country or in the computing industry addressing the hard problems?
DR. EUGENE SPAFFORD: Thatâ€™s something that I think is involved a little bit in human nature and also is driven by the organization and many companies and government where weâ€™re judged more on near-term results than long-term results. If we put in defenses against threats that donâ€™t materialize in the near future then perhaps weâ€™ve wasted resources that could be better spent on growing business or funding other kind of needs and so it isnâ€™t until weâ€™ve been burned a few times or weâ€™ve seen someone very much like us whoâ€™ve suffered a real loss that we come to the realization that maybe we should put in defenses. This is complicated by the fact we donâ€™t have good metrics for security. So itâ€™s difficult to tell when weâ€™ve put enough in or are we spending our money on the right thing and as well itâ€™s made a little bit more difficult by the rapid change that weâ€™ve seen in the technology and the people with the access to the technology. So itâ€™s difficult for decision makers to decide whatâ€™s appropriate to put into play.
RICHARD SWART: What are some of the key problems that you really think the industry should be focusing on? What are the really hard problems and if you could change the world that you would say that we need to devote our energy and time towards?
DR. EUGENE SPAFFORD: There are so many itâ€™s difficult to pick a few. Again, I would recommend looking at something like the report from a couple years ago or the National Academy study that just came out for a long list of research areas. But I would say that the concern that should be most pressing right now: we have to do a better job on law enforcement, on tracking people down, on being able to know who did what and providing that as a counter-balance to the prevalence of fraud thatâ€™s occurring right now. We have to combine that at the same time with appropriate protection on individual privacy. It has been the trend recently to collect more and more information both for commercial means and for government purposes often without protections or without concern about accuracy. And this is a real danger because once privacy is lost itâ€™s almost impossible to regain. So we need to do better with protecting privacy and building mechanisms that do what we want while protecting privacy. We need to do a better job in partitioning our systems. We aggregate things. We make our systems very homogeneous and the result is that one bad insider or one successful attack from outside tends to propagate quickly and be effective against everything in the enterprise. We need to get back into more diversification. We need to understand better what it means to have internal firewalls and partitions. I think those three things would be my top focus areas if I only had a limited amount to spend but I still complain that there are many more things that need attention.
RICHARD SWART: What about from a senior managerâ€™s perspective, the chief information security officer, the CEO of companies. If you had the opportunity to speak to them where should they be focusing their time and energy?
DR. EUGENE SPAFFORD: I have spoken with several and their concerns clearly are how to know that theyâ€™re spending the right amount and what is it really going to do for business if they do or donâ€™t spend on certain things. I think the first thing that needs to get across to many of these people is that security is not a return on investment kind of expenditure. It isnâ€™t an investment that produces returns. It is an infrastructure cost. It is a cost of doing business the same as providing heat and lights and the guard at front lobby are all part of infrastructure expenses. And you have to invest in appropriate amounts of security to maintain the viability of the organization but to promote public trust and employee comfort. Both of which are important for the bottom line. If the public doesnâ€™t believe that youâ€™re going to protect their information appropriately, that you are not behaving in an ethical manner then they are likely to eventually take their business elsewhere no matter how immediate the crisis are. Government is likely to penalize you as an organization if you havenâ€™t kept appropriate records, and weâ€™ve seen over the last decade the increase of legislation in this arena and certainly employees given the choice in todayâ€™s market where we have far more opportunities than candidates are going to take their business where they feel more comfortable, where they feel that theyâ€™re doing something more ethical, or where they just feel better about the protection of their own information. So I talk to you people at the C level. I stress that the investment isnâ€™t expected to produce a tangible return but itâ€™s to create an environment where customers and employees and other entities are more comfortable doing business with a company because they realize they take care of privacy and security and value quality.
RICHARD SWART: You say that thereâ€™s a large number of opportunities and not as many candidates. How severe is the shortage for trained professionals in information security?
DR. EUGENE SPAFFORD: The shortage is right now that maybe two or three potential positions exist for each person with appropriate training if theyâ€™re willing to relocate and if theyâ€™re willing to learn some new systems. The problems probably are going to get worse though because we donâ€™t have the defenses in place and as more businesses come online, as we do more government work online and fewer students are going into computing than are really needed the shortage is going to increase.
RICHARD SWART: So what advice would you give somebody thinking of starting this career? Where would they want to go for school or what type of major should they look at? Is this still something thatâ€™s a computer science focus or should a business student also be interested in this major?
DR. EUGENE SPAFFORD: There are a number of different ways to approach this. Certainly computer science, computer engineering and business are three potential approaches depending on the aspects that one is interested in. But weâ€™re also seeing some programs coming through criminology for the whole area of cyber forensics and cyber law enforcement as one arena. Iâ€™ve seen some people coming through education schools and information technology programs but that also have very good grounding. It really depends on whether youâ€™re interested in applications in a particular area or management or in research and that really should be the guide.
RICHARD SWART: Well, in the past you have successfully predicted emerging threats and trends in cyber security and cyber crime. What should our listeners being paying attention to over the next five or ten years? What are emerging threats?
DR. EUGENE SPAFFORD: Well, I think the threat from international entities that are using physical orders as a protection for their online activities is only going to get worse. I believe that online fraud and extortion are going to get worse than they currently are. Extortion in particular whether itâ€™s targeted at individuals or organizations. When protected by international boundaries it can be quite effective. On the technology side we are seeing more and more convergence into PDAâ€™s and cell phones so that faster compromise of those is going to be higher value. It is also the case that as we layer more protocols such as Voice Over IP (VoIP) onto these systems and theyâ€™re not well thought of for security not only are they a potential for theft of information but again for extortion purposes. If itâ€™s possible for someone remotely to take down your network and also remove all your phone service for your call center then youâ€™re much more likely to end up paying a blackmail fee than you would be if you were relying on the plain old telephone service with copper wires.