Main Nav

Reflections on EDUCAUSE 2004 Annual Conference

It has been just over 5 years since a show of hands at the annual Seminars in Academic Computing indicated that probably less than 10 percent of colleges and universities had a full time security professional.  We know from a survey conducted by the EDUCAUSE Center for Applied Research (ECAR) in April 2003 that 30 percent of our institutions had a full-time dedicated security officer at the time and that there had been a steady increase since about 1994.

I would speculate that the ranks of security staff have grown considerably even since the ECAR study of 1 + years ago.  There are two indicators that support my conclusions:  1) the exponential growth in attendance in our annual Security Professionals Conference (from 100 in its inaugural year in 2003 to 250 last year), and 2) the growing numbers of individuals with the titles of “director of information security” or “chief security officer” who are attending and presenting at our annual EDUCAUSE conference.  It is the later that I find particularly encouraging because it suggests that individuals with responsibility for security are being recognized within the management ranks of their organizations and are increasingly finding EDUCAUSE as a place where they can contribute and grow professionally.

Tags from the EDUCAUSE Library

FTC, NIST to Host Email Authentication Summit

The Federal Trade Commission and the Commerce Department’s National Institute of Standards and Technology (NIST) will co-host a two-day “summit” November 9-10, 2004 to explore the development and deployment of technology that could reduce spam. The Email Authentication Summit will focus on challenges in the development, testing, evaluation, and deployment of domain-level authentication systems.

For more information, see

Tags from the EDUCAUSE Library

Cybersecurity Awareness and the Need for "Cultural Change"

I recently had the opportunity to serve on panel for a Symposium on Cyber Security Policy held at the National Press Club in Washington, D.C., and hosted by the Carnegie Mellon University CyLab. The panel entitled, "Modifying Unsafe Online Behavior and Practices - Moving Beyond Awareness", provided an opportunity to promote National Cyber Security Awareness Month. Additionally, it provided me with an opportunity to share some thoughts about "why security awareness is overrated". Below are some of the personal remarks that I conveyed during the panel discussion:

  • We should look to the awareness campaigns from other social problems (alcohol and other drugs, tobacco, childhood obesity, sex discrimination and harassment, reckless or drunk driving, firearm safety, and sportsmanship) and learn from their successes and techniques.
  • Accountability is an important component of modifying behavior. Therefore, part of the "awareness message" should be a description of the consequences if you do not behave in accordance with laws, policies, or expectations.
  • Awareness is the beginning stage of the "Learning Continuum" and should focus on "conscious-raising" that will influence decisions. Awareness activities typically only invoke our "short-term memory" and grab our attention in the near-term. Therefore, there is a baseline of security awareness that is needed by all users of networked technologies.
  • Training, on the other hand, teaches "job skills" and can provide instruction on tasks or methods that can be stored in our "long-term memory" for recall as necessary. IT staff and the users of information systems that contain sensitive data are good candidates for more focused training activities.
  • Information Literacy and Technology Fluency are goals that schools and institutions of higher education should strive to employ to help students and employees assimilate the need to adapt the use of information technology in their academic pursuits or work. This is often achieved through intensive training sessions for employees or for-credit orientation classes for students.
  • Culture has been described as "shared, learned values, ideals, and behavior - a way of life" (attributed to John Bodley, Washington State University). To improve cybersecurity, you must create a culture where employees have the necessary knowledge (what to do), skill (how to do), and attitude (want to do) (attributed to Melissa Guenther, an independent consultant.) Therefore, to successfully modify or change behavior, security awareness must be part of an intentional, systematic organizational change effort that adjusts "attitudes" and reshapes values and norms.

Following the presentation of these observations and arguments for why cybersecurity awareness programs are overrated without a corresponding effort to invoke cultural change, I concluded with the following policy recommendations:

  • Cybersecurity awareness requires a coordinated national effort and needs the corresponding resources. Specifically, I urged the U.S. Dept. of Education and the U.S. Dept. of Homeland Security to devote one employee full-time to further cybersecurity awareness efforts on behalf of the school-aged children and broader efforts.
  • Cybersecurity training and education requires coordinated national effort and needs the corresponding resources. Noting the importance of current programs that fund the National Centers of Academic Excellence in Information Assurance Education and other efforts, including community college programs and training from the private sector, there is currently no coordination between the programs or a strategic focus on national policy and workforce needs.
  • Accountability for cybersecurity will result from compliance activities that are both voluntary and mandated. No one wants more laws or regulations. Nonetheless, there is little dispute that advances of other social causes were aided by federal or state laws and regulatory requirements. Hopefully, market-based incentives and voluntary efforts will provide the sufficient accountability needed to modify both organizational and individual behavior.

The Symposium also provided an opportunity for dissemination and discussion of the EDUCAUSE/Internet2 Security Task Force press release "Cybersecurity Awareness on the Rise in Higher Education."

Tags from the EDUCAUSE Library

Presidential Candidates on Cybersecurity

CompTIA (Computing Technology Industry Association), a global trade association representing the business interests of the information technology industry, will hold an interactive briefing this week at the National Press Club in Washington, D.C., on the tech policy positions of President George W. Bush and Senator John F. Kerry.  Leading tech policy experts will explain key issues and break down the positions of each candidate on such issues as spam, broadband deployment, tech workforce development, unlicensed wireless spectrum, and cybersecurity (among others).

CompTIA created a voter's election guide from the candidates’ responses (see "Election 2004: Bush and Kerry on Technology"). Here is what the two candidates had to say about cybersecurity.

Bush Response:

Given the enormous importance of e-commerce, Internet-based communications, and the use of cyberspace to control portions of our physical infrastructure, cyber security is critical. The investments being made today in securing out Nation's cyber infrastructure and in cyber security R&D are working to ensure that future generations of network software and hardware are less vulnerable to an attack and can maintain critical operations even when compromised.

I announced the National Strategy to Secure Cyberspace in February 2003. This plan, which complements the National Strategy for the Physical Protection of Critical Infrastructure and Key Assets, depends on both public and private efforts to secure the many elements that comprise the national information infrastructure, including routers, switches, fiber-optic cables, and tens of millions of interconnected computers. The strategy provides five national cyber security priorities: a national security response system; vulnerability reduction program; an awareness and training program; a government cyberspace security program; and national security and international cyberspace security cooperation.

Kerry Response:

In particular, worms and viruses are causing economic losses of billions of dollars a year. Experts have argued that future worms could allow attackers to rapidly control millions of Internet-connected computers. They could then use those computers to launch "denial of service attacks," or steal and corrupt large quantities of sensitive information. Moreover, these worms could reach most vulnerable targets in an hour or less. We need a president who is actively supportive of developing technologies that will automatically detect and respond to these kinds of attacks.

We need a president who will devote the energy of the White House to making our networks - our 21st century infrastructure - stronger and more secure. That means supporting a cyber security intelligence system ready to detect these threats. I will implement global standards and best practices so that weak links are strengthened. And we need a real partnership between the public and private sectors. Most of the infrastructure we need to protect doesn't belong to government - and neither government nor business can fix these problems alone.

Of course, we have seen the track record of President Bush which by many accounts has given insufficient attention to cybersecurity. In fact, many have claimed that the (relatively small) budget devoted to cybersecurity in the U.S. Dept. of Homeland Security (DHS) is a clear indication that it has not received priority consideration under the Bush Administration. Additionally, as "The Revolving Door at DHS Continues" there has not been a continuity of leadership to inspire higher education and the private sector to have much faith in the public sector contributions to implementing the National Strategy. On the other hand, it is not clear what Kerry means when he states that "we need a real partnership between the public and private sectors." The National Cyber Security Partnership and other similar efforts are evidence of an attempt of the private sector to step up to the challenge. However, it is encouraging to hear him promise to "devote the energy of the White House to making our networks stronger and more secure."

There is little doubt that the outcome of the elections could set the stage for future directions of cybersecurity under the White House and DHS. A new administration will mean a new secretary of DHS and other changes (for better or worse). Many expect further personnel changes in DHS even if President Bush wins a second term. And, of course, there is the recent sentiments of Congress, supported in part by DHS's Secretary Ridge, that cybersecurity should be elevated in the DHS management. But the real battles for cybersecurity will continue to be fought in the corporate board rooms, within the management ranks of both private and public sector organizations, and the IT operations centers where the latest vulnerabilities are exposed.

See the CompTIA press release and a related news story by internet news ("Bush, Kerry Agree on P2P").

Tags from the EDUCAUSE Library

What Every President Should Know About Cybersecurity

At the VASCAN conference held yesterday at the University of Virginia, the President of James Madison University, Linwood Rose, observed that the typical president is not informed about information security and challenged the audience to "recruit and engage their institutional president" in the effort to create a culture of security at their institution. Below is a summary of his remarks:

  • Use October, National Cyber Security Awareness Month, as an entre for discussion with your president and her or his cabinet
  • Prepare a primer for your president that outlines your organization's reliance on information and networked technologies
  • Help your president and institutional policy makers understand why policies are not enough - that action and leadership by example are necessary
  • Create clarity and simplicity to your message; don't just share the problem but offer solutions
  • Perform a resource audit to identify requirements and needs that you can clearly articulate and present
  • Conduct awareness campaigns (citing JMU's R.U.N.S.A.F.E. program)
  • Follow-up the meeting with the president; don't let the issue drop following a single meeting with the president and her/his cabinet

In case you are not familiar with Linwood Rose, he is also a member of the President's National Infrastructure Advisory Council so he has a unique appreciation for cybersecurity. Some of his thoughts are captured in a recent EDUCAUSE Review column on Leadership: "Information Security: A Difficult Balance"

The topic of Executive Awareness requires constant vigilance. In February of 2003, David Ward President of the American Council on Education, sent a Letter to Presidents urging them to:

Set the tone: ensure that all campus stakeholders know that you take Cybersecurity seriously. Insist on community-wide awareness and accountability.

Establish responsibility for campus-wide Cybersecurity at the cabinet level. At a large university, this responsibility might be assigned to the Chief Information Officer. At a small college, this person may have responsibility for many areas, including the institutional computing environment.

Ask for a periodic Cybersecurity risk assessment that identifies the most important risks to your institution. Manage these risks in the context of institutional planning and budgeting.

Request updates to your Cybersecurity plans on a regular basis in response to the rapid evolution of the technologies, vulnerabilities, threats, and risks.

Alan Paller, director of research for the SANS Institute, followed President Rose's remarks by urging the IT professionals in the room to confront their executives with real data - preferably statistics indicating cybersecurity issues experienced at their institutions. Below are some questions that might help outline the content for that part of the conversation:

  • Has your campus network ever experienced downtime that prevented email communications, access to your web site, or the availability of online resources? 
  • Has the personal information of your students, employees, or alumni contained in an institutional database ever been compromised? 
  • Has your institutional computing resources ever been misused by unknown third parties for malicious or illegal purposes? 
  • Has your IT department needed to clean up after a security incident or invest scarce resources in responding to the spread of a new computer virus or worm? 

If you have not experienced any of the situations identified above, then you either have an excellent information security program already in place or you’ve been lucky!  You can point your executives to stories of how colleges and universities across the country continue to fall victim to cyber security threats and vulnerabilities that have created urgency for institutional action.

Finally, if the Security Task Force were conveying messages to presidents today, similar to the letter to ACE President David Ward sent in early 2003, we might stress the following:

Encourage campus cyber security awareness events during October and support awareness activities and training of students, staff, and faculty throughout the year.

Assess your preparedness and determine the degree to which you have established an “information security governance” framework at your institution.  (Note that an Information Security Governance Assessment Tool for Higher Education is forthcoming from the Security Task Force and will provide a method that will help you identify general areas of concern.)

Establish broad information security program principles and assign senior management accountability for information security.  Empower your chief information officer, chief security officer, or the appropriate officer at your institution to address cyber security by giving them the authority and resources necessary to protect critical information assets.  For an example of a policy in this area, see

Specify the information security metrics to be reported to you annually or at appropriate intervals throughout the year.  A carefully chosen set of information security metrics for management reports of information security status will clarify to management what you consider important and on which you wish to be kept informed.

The Education and Awareness Working Group of the Security Task Force will be pursuing a project to equip campus security professionals and CIO's with the information and tools necessary to better engage their executive leadership. We welcome your suggestions and input (send comments to as we pursue this task.

Tags from the EDUCAUSE Library

State and Regional Higher Ed Cybersecurity Collaborations and Events

Many of you have probably heard about the Virginia Alliance for Secure Computing And Networking (VA SCAN). Their unique collaboration and partnership has been featured in a few different EDUCAUSE conference programs. I had the opportunity yesterday to participate in their conference ("Meeting IT Challenges: National Strategies and Local Solutions") that was co-hosted with the Association of Collegiate Computing Services. Below are a few observations:

  • State or regional collaborations are an excellent, cost-effective way to facilitate human networking and resource sharing among institutions with similar interests, possibly including the in common need to respond to the security requirements of state government.
  • Conferences held at the state or regional level also provide an affordable way for institutions to send multiple individuals to participate, often without the need for overnight stays and with minimal travel costs.
  • Although cybersecurity is a global problem and the residents of the East Coast have similar needs with individuals in other parts of the U.S. and around the globe, the growing numbers of security professionals in the U.S. and abroad will require us to fragment into smaller communities over time - and geographic communities will continue to be a natural method by which security professionals will congregate.
  • State or regional conferences allow you to highlight and promote local talent, ranging from Presidents who can serve as cybersecurity advocates (VASCAN conference featured JMU's President Linwood Rose) to policy and technical experts.

Accordingly, despite the efforts of the Security Task Force to create national forums (such as the Security Professionals Conference) or regional professional development opportunities (such as the pre-conference seminars provided at the EDUCAUSE Regional Conferences), we are also eager to support and promote state and regional efforts that are organized by member institutions. A listing of State/Regional Cybersecurity Events for Higher Education is maintained on our web site. Please keep us informed of your activities (send event notifications to and let us know if you need any assistance in identifying speakers or program content.

We are pleased to see local alliances and partnerships emerge that in turn support the broader national and international efforts to secure cyberspace.

Tags from the EDUCAUSE Library

Cybersecurity Summit 2004 Addresses Security of Supercomputing Facilities

Last week was a busy week on the cybersecurity front.  It was so eventful that my blog postings this week are in an effort to catch up with what may already be old news!  However, an event held earlier in the week, the Cybersecurity Summit 2004 organized by the National Center for Atmospheric Research, has not been broadly publicized and is worth a few summary notes and observations.

The purpose of this invitation-only Summit was to share information about recent security intrusions, to emphasize security best practices, and to develop a trust network among participants in which methods of communication for future security events will be explored.  Breakout discussion sessions focused on user education and policies, education and policies for sysadmins, intrusion detection and network security, protection of host computer systems, and security implications for grid computing.

The discussions regarding the security incidents of this past year that impacted supercomputing centers and others was confidential and will not be recanted here.  However, among the most important lessons from those incidents and the corresponding discussions during the breakout groups was the need for better coordination and information sharing among the individuals responsible for incident handling.

A few concluding observations:

  • The security challenges of supercomputing centers are not really all that different from those confronted by institutions of higher education.  However, since many of the centers are co-located at major research universities, there is a lot of similarity between the needs of the centers and those generally experienced by the Internet2 community.
  • While “incident handling” is a broad concept, there were generally two recommendations that emerged from the workshop.  First, the need for more automated tools to assist sysadmins in conducting forensics and analyzing intrusions.  Second, the need for a trusted network of incident handlers for information sharing.
  • There was a general consensus that workshops of this type should be repeated as a way to increase awareness about security incidents and to bring together sysadmins and incident handlers for professional development and human networking.
  • There is a need for security training and professional development opportunities for sysadmins that is not being currently met by EDUCAUSE, Internet2, or other entities.
  • There was a large amount of unawareness about the activities of the EDUCAUSE/Internet2 Security Task Force and the REN-ISAC to address some of the needs identified at the Summit as well as issues raised during previous workshops organized by the task force, also funded by NSF.

The above observations are not meant as criticism of the workshop organizers or the attendees.  There are real concerns that point out that much work remains to be done and there is a need for greater outreach by the Security Task Force to the affected communities.  These observations along with new relationships developed during the Summit will lead to further conversations, I am sure, and a re-assessment of the Security Task Force strategies in light of the issues identified.

Tags from the EDUCAUSE Library

National Cyber Security Awareness Month Outreach Events

The month of October marks the first official observance of National Cyber Security Awareness Month. After several attempts to find a common day or time period to generate a coordinated, national awareness campaign, the National Cyber Security Alliance (NCSA) ( has stepped up to become the focal point for awareness efforts targeted to home users, small businesses, and educational institutions. Cong. Sherwood Boehlert (R-NY), chair of the House Science Committee, introduced H. Con. Res. 502 last week "expressing the sense of Congress with respect to raisng awareness and enhancing the state of computer security in the United States and supporting the goals and ideas of National Computer Security Awareness Month." Accordingly, the EDUCAUSE/Internet2 Security Task Force is a supporter of the NCSA and is working very closely with other organizations on the promotion of National Cyber Security Awareness Month.

At a launch event last Thursday held at the National Press Club, Jack Suess, CIO at UMBC and Cochair of the Security Task Force, read a statement that included the following summary:

. . . we are happy to join in partnership with the NCSA and others dedicated to promoting cyber security awareness in an effort to develop consistent and effective messages that will lead to the establishment of a culture of security in our homes, workplaces, schools, and academia.

An EDUCAUSE Live event this past week focused on "Campus and National Approaches to Improving Cybersecurity Awareness." An archive of the presentation is available at The event included an announcement of the availability of a Cybersecurity Awareness Resources CD for the Higher Education Community that will be distributed to all of the attendees of the EDUCAUSE Annual Conference. Copies of the CD's are also available upon request by sending your postal mailing address to

Below is a summary of other outreach events planned during October:

The conference will provide an up-to-date national perspective on one of the toughest problems IT professionals face - security. Leaders in this field will discuss how far we've come, the challenges ahead, and ways to meet those challenges. Effective security solutions and new ideas that conference participants can put right to work in their own environments will be presented.

Developed as a collaboration between Carnegie Mellon CyLab, the Nation's largest academic center for cybersecurity-related research and education, and InSITeS, the institute within the Heinz School of Public Policy and Management that focuses on Technology and Society, the symposium will examine the role of the government in setting a broad national agenda for improving the state of cybersecurity. The Carnegie Mellon CyLab Cybersecurity Journalism Awards recognize excellence in the journalistic coverage of cybersecurity issues and threats that impact individual citizens, businesses, schools and the nation’s economic security.

Shirley C. Payne, Director, Security Coordination and Policy, University of Virginia
Krizi Trivisani, Chief Security Officer, The George Washington University
Calvin Weeks, Director, Cyber Forensics Lab, University of Oklahoma

This session will offer help in implementing a security awareness program that teaches physical and system security precautions, establishes realistic expectations, and decreases the overall cost of securing an enterprise network by teaching users to share best practices with peers and by improving security in the workplace and in home work environments.

If your campus is planning awareness events for your community during October, please let us know by forwarding more information to so we can compile a list of higher education activities.

Tags from the EDUCAUSE Library

The Privacy of Social Security Numbers

I attended two Congressional hearings last week that underscore the importance of securing information systems that contain Social Security Numbers (SSN) and that further mark the trend to discourage SSN use as identifiers except for limited purposes.

The House Government Reform Subcommittee on Technology and Information Policy in a hearing on identity theft explored the growing instances of electronic data theft. Patrick O'Carroll, Acting Inspector General of the Social Security Administration, in his testimony described how SSN's printed on university student ID cards make the owners of these SSN's potential targets. He also described a recently discovered offer to sell up to 10,000 SSN's with matching names on eBay which were traceable to the University of North Carolina at Pembroke where SSNs serve as the identifiers for its staff, current students, and applicants.

The House Subcommittee on Commerce, Trade, and Consumer Protection also held a hearing on H.R. 2971, the Social Security Privacy and Identity Theft Prevention Act of 2003, that would make it an unfair and deceptive trade practice under the Federal Trade Commission Act for any person to refuse to do business with an individual because the individual will not consent to that person's receipt of the Social Security number. Testimony provided by Barbara Bovbjerg from the U.S. Government Accountability Office warns:

The use of SSNs by both private and public sector entities is likely to continue, but the more frequently SSNs are used, the more likely they are to be misused given the continued rise in identity crimes. In considering restrictions to SSN use, policy makers will have to balance the protections that could occur from such restrictions with legitimate business needs for the use of SSNs.

The GAO Report ("SOCIAL SECURITY NUMBERS: Use Is Widespread and Protections Vary in Private and Public Sectors") is a useful resource, especially the discussion on pages 7-8 of restrictions placed upon SSN use as a result of federal laws and summary of state laws on pages 8-9. Additionally, if you are considering the elimination of SSNs as primary identifiers (a recommendation of the Security Task Force), then I would refer you to the resources that we have assembled at

Tags from the EDUCAUSE Library

Yoran's Replacement Hardly Newsworthy

The Washington Post has reported today:

[Amit] Yoran's deputy, Andy Purdy, will take over as acting director [of the DHS National Cyber Security Division], according to an e-mail memo written by Robert Liscouski, Homeland Security's assistant secretary for infrastructure protection and Yoran's former boss. Purdy previously served as a senior adviser for IT security and privacy to the President's Critical Infrastructure Protection Board. He also served as senior counsel to a special House committee that investigated the assassination of President John F. Kennedy.

This is hardly a newsworthy development or significant in determining the future direction of the cybersecurity strategy for America. Some of you may recall that Purdy's name surfaced as a possible candidate for the lead role after Howard Schmidt left for eBay. Purdy was Schmidt's second in command at the time that DHS was being stood up and before the official creation of the National Cyber Security Division. While Andy Purdy certainly has as much history and continuity as anyone working these issues within the federal government today, it is clear that naming him as "acting director" was an expedient step to putting someone "in charge". Add to this announcement the additional context which explains while DHS will be in a "holding pattern" for some time:

  • The national election in just 4 weeks will determine which political party will be in control of DHS for the next four years and who will stay/who will go.
  • There are competing proposals in Congress to elevate cybersecurity to an assistant secretary position in DHS or move it back to the White House.

So, today's announcement answers the question of who will succeed Yoran in the short-term. But it fails to address the bigger challenges of how to make cybersecurity a greater national priority and how to attract qualified, competent leadership to a post that has such a gray cloud hanging over it.

Tags from the EDUCAUSE Library