  Computer and Network Security

The security of college and university computers and networks will be a significant
issue for higher education in 2003. The recent release by the White
House of The National Strategy to Secure Cyberspace will continue to attract substantial
attention and spark discussion in government, industry, and higher
education. Many associations, consortia, and interest groups are debating how
to improve information technology security.
Background
The new Department of Homeland Security (DHS) brings together within a
single federal department several of the key agencies with responsibilities for
cybersecurity. DHS will contain a new Information Analysis and Infrastructure
Protection Directorate that will analyze intelligence and information from other
agencies (including the CIA, FBI, DIA and NSA) involving threats to homeland
security and evaluate vulnerabilities in the nation's infrastructure. The deputy
secretary for the Information Analysis Protection Directorate has yet to be
named. It will bring together the following governmental agencies:
> Critical Infrastructure Assurance Office (Commerce)
http://www.ciao.gov/
> Federal Computer Incident Response Center (GSA)
http://www.fedcirc.gov/
> National Communications System (Defense)
http://www.ncs.gov/
> National Infrastructure Protection Center (FBI)
http://www.nipc.gov/
> Energy Security and Assurance Program (Energy)
http://oea.dis.anl.gov/home.htm
On February 28, 2003, the President's Critical Infrastructure Protection Board
was dissolved by Executive Order. The Department of Homeland Security will
now be responsible for cybersecurity operations and implementation of the
Administration's National Strategy to Secure Cyberspace. Cyberspace security
policy will continue within the White House under the coordination of the Homeland
Security Council. The Council is expected to establish a Policy Coordination
Committee to continue much of the work of the prior Board's committees. The
Department of Homeland Security also has established the office of an
undersecretary for science and technology. This official could become a key
player in establishing priorities for research and development in efforts to
improve cybersecurity.
The recent establishment at Indiana University of the Research and Educational
Networking Information Sharing and Analysis Center is a significant accomplishment
that will facilitate information sharing within higher education. It
will focus on the high performance network infrastructure dedicated to research
and education known as the Abilene network. The Administration's
National Strategy to Secure Cyberspace called for establishing information and
analysis centers to facilitate communication, develop best practices, and disseminate
security-related information. Centers already have been established
for the following sectors of the economy: electric power, energy, telecommunications,
information technology, banking and finance (financial services), water
supply, surface transportation, oil and gas, emergency fire services, food,
chemicals industry, and emergency law enforcement.
Securing Campus Networks
The higher education community will be looked to for leadership in the
following areas:
> Improving the security of college and university computers and networks;
> Providing training, certification, and educational curriculum and degree
programs to enhance the cybersecurity workforce; and
> Conducting basic and applied research in the area of computer and network security.
The EDUCAUSE/Internet2 Computer and Network Security Task Force commissioned
two research projects: 1) a memo describing legal and compliance
issues for computer and network security, and 2) development of an incident
classification scheme that can be used to measure security incidents and collect
better metrics about the extent of the problem and assess progress over time.
The Security Task Force also is looking for opportunities to collaborate with
industry and government on ways to improve the security of higher education
computers and networks. For example, the NSF Advanced Networking Project
with Minority Serving Institutions is working with the Software Engineering
Institute and the CERT Coordination Center of Carnegie Mellon University to
leverage its expertise and resources.
Digital certificates continue to be a promising technology for facilitating
secure online financial transactions, private email, and electronically
signed forms. They will facilitate trusted electronic communications within and
between institutions of higher education as well as with federal and state
governments. The use of digital certificates on campuses is expanding. It is
worth noting that a recent NSF-funded workshop on technology related to
these certificates ("middleware") attracted representatives from 80 colleges,
compared to 20 at the same workshop a year ago.
A "bridge" is a computer system that facilitates interoperability between digital
certificates issued by different campuses and by state and federal government
agencies. With financial assistance from NIH and NSF, EDUCAUSE is sponsoring
a group to specify and implement such a bridge, called the Higher Education
Bridge Certification Authority (HEBCA). The HEBCA will interact with an
analogous system run by the federal government, called the FBCA. The business
plan and availability rules for the HEBCA are to be determined. The target
operational date for the HEBCA is September 2003.
RECOMMENDATION
HEIT Alliance Members should continue to raise awareness
among their institutional and professional memberships of the importance
of improving the security of college and university computers and
networks. The HEIT Alliance should monitor further legislative developments,
including legislation concerning identity theft and Social Security
number use and related issues, and consider appropriate advocacy positions.
The HEIT Alliance should coordinate activities with the EDUCAUSE/
Internet2 Computer and Network Security Task Force, especially as they
relate to interactions with federal agencies responsible for implementation of
the National Strategy to Secure Cyberspace.
The Security Task Force also is working to monitor and influence regulatory
activities related to federal research grants and contracts. To date, NASA is the
only federal entity to require certain cybersecurity thresholds for federal
contracts and is currently considering extending those provisions to federal
grants. It is possible that other federal research agencies will consider the NASA
approach a model. The release of the Health Insurance Portability and
Accountability Act of 1996 (HIPAA) Security Standards Final Rule on February
13, 2002, also will become an influential model of the types of security
standards, policies, and technologies that colleges and universities are likely to
deploy. The Federal Trade Commission also has issued a Final Rule for
Standards for Safeguarding Customer Information under the Financial Services
Modernization Act of 1999, popularly known as the Gramm-Leach-Bliley Act
of 1999, with an effective date of May 23, 2003. Additionally, it will be
important to monitor the effects of new state laws or the imposition of state
regulations on the security practices of public universities.
RECOMMENDATION
HEIT Alliance members should continue to monitor the
development of regulations or standards for improving data security and
assess the campus impact of coming into compliance. Also, the Alliance
should generally oppose any new proposals that tie receipt of federal funds,
for research or other purposes, to IT security requirements.
Education and Training of IT Security Professionals
Significant links have been established during the past year between efforts to
improve computer and network security in higher education and academic
programs designed to provide training and education to cybersecurity professionals.
Several institutions that have been designated as "Centers of Academic
Excellence" by the National Security Agency in Information Assurance and
Education have already established relationships between the campus IT
security professionals responsible for securing campus systems and the faculty
and academic administrators responsible for running the centers. In some
cases, the IT security professionals are enrolled in the professional certification
programs or are serving as course instructors.
RECOMMENDATION
The HEIT Alliance should continue to share information about new academic
programs or funding opportunities for enhancing the cybersecurity workforce
as well as professional development of current campus IT security personnel.
The HEIT Alliance and Security Task Force should support and participate in
the efforts of the Colloquium for Information Systems Security Education
managed by the James Madison University Center for Research in Information
Systems Security Education. The colloquium provides a forum for dialogue
among leading figures in government, industry, and academia to work in
partnership to define current and emerging requirements for information
security education, and to influence and encourage the development and
expansion of information security curricula, especially at the graduate and
undergraduate levels.
Cybersecurity Research and Development
Higher education has become home to several cybersecurity research centers
over the past few years. The interest in developing a cybersecurity or homeland
security research focus on campus has been spawned by shifting national
priorities and increased funding opportunities since September 11th. Additionally,
the recent Cybersecurity Research and Development Act promises new
sources of funding for computer and network security research and education.
Organizations such as the Institute for Information Infrastructure Protection, to
which many of the higher education research centers belong, have been
advocating increased federal funding as well as attempting to shape the
research.
To better secure college and university computers and networks, there will be
increased attention and emphasis on applied research for cybersecurity over
the next year. The National Institute for Standards in Technology (NIST) has
become a critical resource for the federal government and private sector in
developing practical security resources. The Computer Security Resource
Center at NIST contains a wealth of resources and continues to pursue investigation
and documentation of research topics of practical benefit to both government
and other entities such as higher education. Similarly, the National
Science Foundation's Middleware Initiative has been a tremendous stimulus for
colleges and universities struggling to develop authentication and authorization
mechanisms to better secure their networked resources and the growing
amounts of intellectual property available online through licensing
arrangements.
RECOMMENDATION
The HEIT Alliance should advocate increased funding of
cybersecurity research and development initiatives and work closely with
the policymakers and federal agencies that will shape the cybersecurity
research agenda. The HEIT Alliance should support the efforts of organizations
whose mission is to strengthen research and education in the computing
fields, expand opportunities for women and minorities, and improve
public and policymaker understanding of the importance of computing and
computing research in our society.
RESOURCES
> Colloquium for Information Systems Security Education
http://www.ncisse.org/
> Computer Security Resource Center, National Institute for Standards in Technology
http://csrc.nist.gov
> Computing Research Association
http://www.cra.org
> Department of Homeland Security
http://www.dhs.gov
> EDUCAUSE/Internet2 Computer and Network Security Task Force
http://www.educause.edu/security
> "Federal PKI Bridge"
http://www.cio.gov/fbca/
> Higher Education Bridge Certificate Authority
http://www.educause.edu/hebca/
> HIPAA Security Standards Final Rule
http://www.cms.hhs.gov/regulations/hipaa/cms0003-5/0049f-econ-ofr-2-12-03.pdf
> NSF Advanced Networking Project With Minority Serving Institutions
http://www.anmsi.org/
> NSF Middleware Initiative
http://www.nsf-middleware.org
> President's Critical Infrastructure Protection Board
http://www.whitehouse.gov/pcipb
> Software Engineering Institute, Carnegie Mellon University
http://www.sei.cmu.edu/
> The Institute for Information Infrastructure Protection
http://www.thei3p.org
> The National Strategy to Secure Cyberspace
http://www.securecyberspace.gov