Blogs

E-learning attracts the 'usual suspects' ... that's the title of a press release issued today regarding research on the UK's efforts to boost lifelong learning using the net. It would be really interesting to see how results for a similar study of efforts in North America might compare/contrast. It will also be interesting to see if this holds true in ten-to-twenty years.

• http://www.esrc.ac.uk/esrccontent/news/september04-6.asp

Those of you enriching your OPAC with images, TOCs, reviews and other metadata will find a great deal of interest in Bowker's announcement that it has purchased Syndetic Solutions. It will be interesting to see how this affects licensing of their data going forward.

It will also be interesting to monitor the affect on Baker & Taylor's Content Café service and reactions from Ingram, an early partner of Syndetics.

All of Washington is buzzing about Thursday's big event, and the excitement is also escalating in corporate offices from Manhattan to Silicon Valley.

Who will win? Who will lose?

The result will impact our country in ways we can't begin to anticipate. The economy. Our status and stature in the world at large. Empires will rise and fall on the outcome.

The din is rising to fever pitch.

Yes, that's right, I'm talking about the INDUCE Act!

The legislation is aimed at overturning the Betamax decision that has governed the balance between technology and copyright for 20 years, and it's coming up for a vote Thursday in the Senate Judiciary Committee.

Major political, educational, technology, and public-interest organizations have aligned against this bill, but lobbying in its favor is the awesome power of the content industry.

A succinct summary comes from Will Rodger of the Computer & Communications Industry Association:

"Under this bill, who would want to produce a new device that handled copyrighted material without first checking with Hollywood or the record companies, given their history of fighting new business models? Innovation just wouldn't happen."

Our friends at p2pnet even report that the Brits are planning to offer a home for displaced US technologists.

So stay tuned to your favorite Web site on Thursday to see how this vote turns out.

What?

Oh, yeah, I guess there's also a debate down in Florida on Thursday.

That's important, too.

Steve

PS: Another anagram of INDUCE is I DUNCE, but let's not go there.

This message reflects the opinions of the author, and not necessarily those of EDUCAUSE or its members.

Now this sounds most intriguing. Columbia University's School of the Arts is going to host a series of lectures on Open Source Culture. The lectures will be archived on the net for review.

"The Art & Technology Lectures explore critical issues at the intersection of art and technology. In Fall 2004, the series examines the legal, technological, and conceptual issues that confront artists in the age of open source culture."

The lecturers will include Joy Garnett, Jeffrey Cunard, Siva Vaidhyanathan, Jon Ippolito, and Cory Arcangel. For those of you interested in the convergence of art and technology, this sounds like a don't miss opportuntiy to hear very targeted coverage about the cultural underpinnings of open source.

Congressman Adam Putnam (R.-Fla), commenting upon some of the dialogue between members of his Corporate Information Security Working Group, also had the following to say in his opening statement during the cybersecurity and identity theft hearing:

I am simply tired of hearing that lawyers are advising against the adoption and implementation of cyber security best practices or online privacy policies because they are afraid that they may be creating liability.  My friends…in my estimation, a failure to aggressively address these issues may in and of itself be creating that liability.  While I am not a lawyer, I am a businessman…I am a taxpayer…and I am an involved citizen.  This issue is about national security and economic stability along with sound business practices and deserves your immediate attention.

His sentiments are probably shared by most corporate executives and leaders within the higher education community.  However, corporate counsel, many of which don’t understand information technology, are taking very conservative legal positions that may be harmful in the long-term. 

As many commentators have pointed out, even without security legislation, courts are likely to hold businesses and institutions of higher education to a “standard of care” that is appropriate for the industry.  Additionally, if organizations continue to refuse to take voluntary steps to improve security because of fear of legal liability, we can expect legislators or regulators to step in and create the standard and to devise new forms of liability or accountability.

Colleges and universities may be inclined to put up similar “legal fences” or claim that the “academic culture” will not permit the pursuance of best practices.  Recognizing the legal, political, and cultural tensions that many CIO’s and CISO’s would face, the Security Task Force has developed Principles to Guide Efforts to Improve Computer and Network Security for Higher Education that I would urge institutions of higher education to consider.

A proposal announced yesterday to move cybersecurity offices from the Department of Homeland Security (DHS) to the White House will fall short of the objective to elevate the importance of cybersecurity. Apparently, Republican lawmakers are unhappy with the level of attention paid to cybersecurity by DHS - a concern with which many people empathize. A similar proposal (HR.5068) introduced last week by House members Mac Thornberry (R-Tex.) and Zoe Lofgren (D-Calif.) of the Homeland Security Subcommittee would create an Assistant Secretary position, elevating the director position of the National Cyber Security Division (NCSD)now held by Amit Yoran that reports to the Assistant Secretary for Information Analysis & Infrastructure Protection (IAIP).

There is little dispute among the members of Congress and the private sector that progress has been slow and cybersecurity appears to be taking a back seat to other terrorism or infrastructure protection efforts. However, one has to really question whether moving it into the White House will solve the problems. A few observations about the implications of such a move:

• There is no guarantee, especially in an election year, that cybersecurity will get any more resources or attention in the White House than if it remains in DHS.
• Decoupling cybersecurity from the other homeland security functions currently in DHS is likely to do a disservice to the need for greater coordination between the protection of "physical" and "cyber" assets.
• Congress has observed that the DHS budget devoted to cybersecurity is insufficient and yet senior DHS officials report that their budget requests are consistent with the President's priorities - suggesting that there will be no greater resources if cybersecurity is in the White House.
• Finally, the focus upon the elevation of cybersecurity within the federal government bureaucracy loses sight that some of the most fundamental changes and improvements are likely to come from the private sector, including educational institutions.

Between this latest proposal and the ones floated over the summer to reorganize cybersecurity in DHS, it will be interesting to see where everything falls out after the election. Of course, regardless of whatever shuffling of the organization chart that might occur, the leadership of individuals currently in charge, including the President, DHS Secretary, DHS Assistant Secretary for IAIP, and DHS NCSD Director can go a long way towards making the adjustments and improvements that are behind the intentions of the efforts to realign cybersecurity priorities within the federal government.

See USA Today's account ("House to propose returning cybersecurity offices to White House").

Which of the following acronyms is NOT associated with a “cyber security” organization or initiative currently operating “inside the Beltway”?  

• NCSD
• NCSP
• NCSU
• NCSA
• NCSAM

The answer is NCSU – probably best known in higher education circles as North Carolina State University.

The National Cyber Security Division (NCSD) is located within the U.S. Department of Homeland Security’s Information Analysis & Infrastructure Protection Directorate.

The National Cyber Security Partnership (NCSP) is a public-private partnership "dedicated to advancing the nation's critical information infrastructure through enhanced cyber security". The NCSP is the organizational entity that emeged from the National Cyber Security Summit held in December 2004 that produced a series of working group recommendations issued in the Spring of 2004. The NCSP is led by the Business Software Alliance (BSA), the Information Technology Association of America (ITAA), TechNet, and the U.S. Chamber of Commerce in voluntary partnership with academicians, CEOs, federal government agencies and industry experts.

The National Cyber Security Alliance (NCSA) is a unique partnership among the Federal government, leading private sector companies, trade associations and educational organizations.  This partnership aims to educate Americans about the need for computer security and encourage all computer users to protect their home and small business systems.  See www.StaySafeOnline.info

National Cyber Security Awareness Month (NCSAM) will be held in October and is part of a 3 year awareness campaign targeted to home users, schools and universities, and small businesses.  The NCSA is coordinating the effort and NCSAM has received the endorsement of the NCSD and several members of Congress. Several higher education associations, including EDUCAUSE, have also endorsed the initiative.

Last week, Arnold Schwarzenegger signed California Executive Order S-16-04.

Here's the soundbyte, from the Press Release:

Governor Schwarzenegger Prohibits Use of State Resources for Illegal Downloading of Copyrighted Material

Here's the CliffsNotes version, from me:

WHEREAS P2P software (a) exposes confidential data, (b) spreads viruses, (c) consumes bandwidth, and (d) "results in huge losses of revenue to the state's valuable entertainment industry",

NOW THEREFORE no P2P on any California-owned computers or networks.

Here's the real meat, from the Executive Order:

The State Chief Information Officer shall develop a statewide policy for use by each state agency, department, board, commission and office of the executive branch regarding the use of peer-to-peer file-sharing programs on state computers, including a prohibition of such programs that pose risks to the security and integrity of state computer systems.

And here's the dessert:

For the purposes of this order, the University of California and the California State University System are requested to comply with the statewide policy provided for in this Executive Order.

As noted a while ago by CNet and p2pnet, anti-P2P lobbying is heating up at the State level.

Some states are easier than others.

Steve

This message reflects the opinions of the author, and not necessarily those of EDUCAUSE or its members.

This is the final in a series of introductory postings to describe the goals and initiatives of the Security Task Force.  The strategic goal associated Organization and Information Sharing is “to create the capacity for a college or university to effectively deploy a comprehensive security architecture (people, process, and technology) and to leverage the collective wisdom and expertise of the higher education community.”  As part of the process of developing the National Strategy to Secure Cyberspace, we were asked the following questions:

• How can universities best organize to address the IT security questions they face in common?
• Should best practices or standards be agreed to on a national level?
• Should there be a mechanism for information sharing on threats and vulnerabilities among university CIOs and systems administrators?

In 2002, when these questions were first posed to us by the government, we unfortunately did not have any concrete actions identified.  However, as you will see, a lot of progress has been made.

First, we established the Security Discussion Group as an informal method for information sharing among college and university security professionals and others with an interest or responsibility for security.  Today, that discussion list has almost 1,200 subscribers and is a useful forum for information exchange among member institutions and between the Security Task Force and the higher education community.

Second, the annual Security Professionals Conference is THE EVENT where higher education security practitioners come together to share effective practices and solutions and gain new knowledge.  It also provides an opportunity for professional networking and exposes institutions of higher education to government and industry initiatives. I should also note that the conference replace the previous annual meetings held by the College and University Information Security Professionals when they determined that the community was growing to be too large for the volunteer organization to continue to hold an annual event.  The Security Task Force also promotes the use of state or regional forums for information sharing, networking, and professional development.  A list of state or regional events is highlighted on the task force web site.

Third, the Research and Education Networking ISAC supports higher education and the research community by providing advanced security services to national supporting networks, and supports efforts to protect the national cyberinfrastructure by participating in the formal sector ISAC infrastructure. Supported by Indiana University and through relationship with EDUCAUSE and Internet2, the REN-ISAC is an integral part of higher education’s strategy to improve network security through information collection, analysis and dissemination, early warning, and response - specifically designed to support the unique environment and needs of organizations connected to served higher education and research networks.

Finally, the Security Task Force web site was established to serve as a clearinghouse for higher education security practitioners and contains a number of resources, including security officer job descriptions, Effective Security Practices Guide, and presentations or documents on a number of Cybersecurity topics.

There is much work, however, that remains to be done.  For example, the National Strategy encourages higher education to develop “model guidelines empowering chief information officers to address cybersecurity”.  In an earlier letter from ACE President David Ward to college and university presidents, we urged the campus leadership to “establish responsibility for campus-wide Cybersecurity at the cabinet level.” 

We have also been working with institutions to “identify and define the roles of other entities on campus who share responsibility for security (e.g. campus police, internal audit, procurement)”.  The Risk Assessment Working Group of the Security Task Force includes a number of campus stakeholders and is seeking to reach out to functional communities beyond the IT organization.  The working group is “focused on identifying and promoting practices, tools, techniques, and procedures to encourage institutions of higher education in the application of security risk management including risk identification, evaluation, mitigation, strategic and operational planning, and monitoring to address information security and assurance.”

A key initiative during 2004 and 2005 is to provide assistance to small colleges, including a small college security issues discussion session at all of the EDUCAUSE regional conferences and a pre-conference seminar at the EDUCAUSE 2004 Annual Conference.

I should note and thank the National Science Foundation for their generous support that made the development of the strategic goals of the Security Task Force possible.  The goals and corresponding recommendations resulted from four workshops held in 2003 where the advice and input of the community was solicited.  We are grateful to the NSF for their support and thank the higher education community for your ideas and suggestions. You have played a critical role in helping higher education to collectively make significant progress these past several months.

I am amazed at how far we have come since soliciting comments on the original survey questions as part of the National Strategy.  However, as in other areas, we should note it as “progress” but not completion of the task.  Therefore, your ideas and suggestions are welcome (send comments to rpetersen@educause.edu).

The Security Task Force's strategic goal associated with Security Architecture and Technology Tools is "to design, develop, and deploy infrastructures, systems, and services that incorporate security as a priority and to employ technology to monitor resources and minimize adverse consequences of security incidents." The term "security architecture" is the focus of an entire chapter written by Jack Suess (University of Maryland, Baltimore County), who is a co-chair of the Security Task Force, in the book "Computer and Network Security in Higher Education". A section on "Security Architecture Design" is also included in the Effective Security Practices Guide.

The Effective Security Practices Working Group of the Security Task Force is focused on identifying and promoting practices, tools, and procedures that higher education institutions have found to be practical solutions to preventing or responding to security problems with an emphasis on technology and process solutions. SALSA, an initiative of Internet2, is an oversight group consisting of technical representatives from the higher education community who will advise on leading edge technology issues. SALSA is future-oriented and state-of-the-art in nature, focusing on high performance and advanced networks.  The Internet2 Security work is oriented towards improving our ability to integrate our advanced networking requirements with network security in an insecure world.

Another critical aspect of this goal is improving our relationships with IT vendors and the security of software products provided to educational institutions. Therefore, you will not be surprised that proposed solutions in this space include initiatives to "influence the development and delivery of "secure by default" vendor products (e.g. collective purchasing power, support from government), negotiation of higher education-wide site license for anti-virus and host firewall software, and work with government and industry to develop procurement guidelines that enforce secure software requirements." Accordingly, the Cyber Security Forum for Higher Education was established in the Fall of 2003 to "create a forum for the discussion of higher education computer and network security issues between the corporate community and the EDUCAUSE/Internet2 Computer and Network Security Task Force with the goal of improving higher education cyber security through mutual efforts." Additionally, the one-on-one relationships established between the Security Task Force and Microsoft, Symantec, McAfee, and others are in an effort to improve security and to make technology tools more affordable. A current effort that is part of Cong. Adam Putnam's (R-Fla.) Corporate Information Security Working Group is seeking ways to use the procurement power of government and industry to enforce security requirements between buyers and suppliers of IT products and services.

Authentication and authorization are also important ingredients to this goal. Therefore, the Security Task Force is working collaboratively with initiatives such as the NSF Middleware Initiative, NMI-EDIT, Higher Education Bridge Certification Authority, Internet2 Middleware Initiative, and Net@EDU PKI Working Group  Additionally, SALSA has established a working group on NetAuth issues that is being chaired by Chris Misra (University of Massachusetts-Amherst).

Among the recommendations put forward to the Security Task Force are to encourage the "design and development of secure systems" that: 1) require authentication for all campus network connections, 2) are flexible and easy to use, 3) recognize range of user skills, 4) offer choices between degree of security responsibility and level of network access, 5) provide default security tools on the desktop, and 5) employ deterrent mechanisms: secure services, border filters, unit level filters, VPN's, and host based security. Additionally, recommendations to "maintain" secure computing environments include the following: 1) employ detective methods: self-assessment, vulnerability scans, process review, ITD, network monitoring and system audits, 2) take appropriate corrective actions, 3) conduct periodic assessments to determine present level of security and gap between current and desired state, 4) patch systems regularly, and 5) use EDUCAUSE as a body for certifying campus security compliance.

Although several of these recommendations are being pursued at the campus level and by the various working groups, no concrete steps have been taken or are planned for EDUCAUSE or the Security Task Force to become a certification body or compliance agency. Nonetheless, through the promotion of best practices and professional development opportunities, we are hoping that institutions will voluntarily elect to move in the direction of both developing and maintaining more secure environments. And we will continue to put pressure on the vendor community to make our jobs easier - not harder!

The Security Task Force’s strategic goal associated with Education and Awareness is “to increase the awareness of the associated risks of computer and network use and the corresponding responsibilities of higher education executives and end users of technology (faculty, staff, and students) and to further the professional development of information technology staff.”  Recognizing “awareness”, “training”, and “education” as part of a “learning continuum” (see Schou, Frost, and Maconachy), the Security Task Force is primarily focused on cybersecurity awareness and training. 

We also seek to work collaboratively with our academic partners, including the Centers for Academic Excellence in Information Assurance Education, the NSF Advanced Technological Education Centers, the Colloquium for Information Systems Security Education, Association for Computing Machinery, Computing Research Association, and other academic programs or associations committed to cybersecurity training, education, professional development, and research.

Initiatives under this strategic goal are developed and implemented by the Education and Awareness (E&A) Working Group of the Security Task Force that is co-chaired by Mark Bruhn (Indiana University) and Kelley Bogart (University of Arizona).  In January 2004, the working group convened at a workshop in Baltimore, Maryland, to develop a set of recommendations and associated tasks to improve cybersecurity awareness in the higher education community.  The recommendations included, among other things, steps to help colleges and universities observe Cyber Security Day in April 2004, development of a cybersecurity awareness toolkit (CD currently in development), and plans for National Cyber Security Awareness Month in October 2004.  The E&A working group also contributed to the legislative testimony that I delivered in April 2004. 

Because of our focus on awareness, the Security Task Force is a supporter of the National Cyber Security Alliance (NCSA) - a unique partnership among the Federal government, leading private sector companies, trade associations, and educational organizations.  The NCSA aims to educate Americans about the need for computer security and encourages computer users to protect their home and small business systems.  EDUCAUSE is also the home to the new executive director of the NCSA. 

The Security Task Force is addressing the professional development needs of security professionals through the EDUCAUSE & Internet2 Security Professionals Conference.  The 3^rd annual conference will be held on April 3-5, 2005, in Washington, D.C.  This year, the combination of a full-day pre-conference seminar, half-day pre-conference seminars, and a half-day post-conference seminar will permit more training opportunities than in the past.  The E&A working group is also exploring how it can support and promote training and professional development at the regional, state, and campus level, too.

If your institution has cybersecurity awareness initiatives underway or if you are doing creative things in this area, I would appreciate it if you would drop me a line (rpetersen@educause.edu) so I can learn more about your efforts.  Additionally, I would encourage to provide more information about your cybersecurity awareness program by completing the information requested as part of the Effective Security Practices submission form.

More cybersecurity awareness resources are available in the new online Resource Center.

It all started a year ago with Napster at Penn State: A major university attempting to combat what it considered an unacceptable explosion of illegal file-sharing by instead "site licensing" the content and distributing it to the campus community. Today, 15,000 of 72,000 eligible students have signed up for the service, and the number is growing rapidly.

Learning from Penn State's success, many other campuses are making similar deals with an expanding number of providers. In one case, the university is throwing in a free iPod. Here's a selection of recent news articles:

More colleges get cheap online music

Marietta College to offer students legal music, video downloads through Cdigix

Napster makes gains in colleges

Real takes music download battle to college campuses

College P2P use on the decline?

And here's some op-ed commentary from p2pnet:

Big Music in Penn State classes

Napster gets into more schools

Duke gets free iPods

Tennessee says No to Napster

University file sharing report

Yesterday I had the pleasure of interviewing representatives from two such campuses on EDUCAUSE Live!: Russ Vaught from Penn State and Chuck Powell from Yale. The similarities and differences are worth hearing about.

At Yale, for example, the primary motivation for the project was allowing faculty to provide video and music to students for class work in an especially efficient way. "Entertainment" was a bonus, and there's a user charge to sign up for it. No subsidy. At Penn State, on the other hand, while academic use of their Napster system isn't impossible, the driving force was President Graham Spanier's goal to displace the KaZaAs and Groksters with an alternative authorized by the music industry. Streaming and tethered downloads are free to the consumer at Penn State, with funding derived in part from student activity fees.

Another difference worth noting is support for Macintoshes: Yes at Yale, No at Penn State.

The archive of our 60-minute discussion is available online, along with Chuck's and Russ' slides. And if you're attending the EDUCAUSE Annual Conference next month in Denver, you can get the story straight from the source, and other similar stories from their own sources, at these sessions:

Penn State's Legal Online Music Service

Campus Pioneers of Online Music and Movies

Peer-to-Peer File Sharing: Campus Solutions

Comparison of Experiences with Two Innovative Media Programs

See you in Denver.

Steve

This message reflects the opinions of the author, and not necessarily those of EDUCAUSE or its members.