Security Issues on Campus: Government Initiatives

Rodney J. Petersen
University of Maryland
Educause/Internet2 Security Task Force

Copyright Rodney J. Petersen, 2002. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.


A Government View of Security

Homeland Security
Protection of “Critical Infrastructures”
Cyberspace Security
Fighting Cybercrime
Protection of Content
Protection of Personal Information


Executive Order on Critical Infrastructure Protection

Issued October 16, 2001
Policy: protect against disruption of information systems for critical infrastructure
Established President’s Critical Infrastructure Protection Board
Chair of Board & Special Advisor to the President for Cyberspace
Established National Infrastructure Advisory Council – critical infrastructures by sector


Critical Infrastructure Protection Board Priorities

Delivering National Plan to President
Establishing the Cyber Warning Information Network
Focusing More on Research and Development
Improving Education on Ethical Principles and Appropriate Computer Use


NIPC and IT Security

The interagency National Infrastructure Protection Center (NIPC) at FBI Headquarters serves as a national critical infrastructure entity for threat assessment, warning, vulnerability, and criminal and national security investigation, and response.

See http://www.nipc.gov


NIPC Infragard Initiative

Special agents are working with community-based computer security professionals to determine how to better protect critical information systems in the public and private sectors.

Computer Crimes Task Force
http://www.infragard.net


Federal Legislation

PATRIOT Act
Identity Theft
SSN Protection
Anti-Spam Measures
Security Standards
Cyberspace Security Proposals


Cyber Security Enhancement Act – H.R. 3482

Section 102 – expands provisions of Patriot Act to permit service providers to disclose customers’ communications to any governmental entity if the provider believes in good faith that communications involve a danger of physical injury or death

Implement Parts of Executive Order


Cybersecurity Research and Development Act - H.R. 3394

Authorizes funding for computer and network security research and development and research fellowship programs.


Cyberterrorism Preparedness Act – S. 1900

Directs the National Institute of Standards and Technology to award a grant to a qualifying nongovernmental entity to conduct a program to support the development of appropriate cybersecurity best practices, long-term cybersecurity research and development, and related activities.

Grantee shall submit a report containing “an assessment of the advisability of requiring the contractors and grantees of the Federal Government to use appropriate cybersecurity best practices.”


State Government Issues

Legislation
  Privacy Policies and Data Security
  Computer Crimes Statutes
  Unsolicited Commercial Email
Policy and Regulations
  Executive Orders
  State IT Security Architectures, Plans, Standards, Policies, and Procedures


National Strategy to Secure Cyberspace

Critical Infrastructure Assurance Office
Development of a National Strategy
Report to the President
To be delivered this Summer
Questions: www.gcn.com/cybersecurity
Deadline for Comments – April 20th


National Strategy Questions

Level 1 – The Home User and Small Business
Level 2 – Major Enterprises
Level 3 – Sectors of the National Information Infrastructure
  The Federal Government
  The Private Sector
  State and Local Government
  Higher Education
Level 4 – National Level Institutions and Policies
Level 5 – Global


National Strategy & Higher Ed

Preventing attacks from Universities: How can academic freedom of inquiry be maintained while at the same time preventing the large scale computing power of universities from being hijacked for denial of service attacks and other malicious activity directed at other sites?


Public Comment

When it comes to denial of service attacks, we see no indication that University networks are disproportionately used to originate DOS attacks.


Public Comment

The threshold of pain has not been reached to make this a priority. (Unfortunately, the best way to capture the attention of the university provost or president is for someone to file a civil suit or to have the FBI shut down major systems as part of an investigation.)


National Strategy & Higher Ed

Preventing attacks within Universities: What functions on a university system require high levels of IT security (e.g., medical records, research trials, patents) and how is that best achieved within the context of an academic setting?


Public Comment

All universities should have a chief security officer reporting to the CIO and this officer needs to interact with other University systems.


Public Comment

Best practices and standards need to be scalable to smaller colleges also.


National Strategy & Higher Ed

Organization: How can universities best organize to address the IT security questions they face in common? Should best practices or standards be agreed on a national level? Should there be a mechanism for information sharing on threats and vulnerabilities among university CIOs and systems administrators?


Public Comment

I see established national security standards for research computing as the only effective way to bring adequate attention to this issue and see progress made.

Keep the Federal Government completely out of this matter; it is an academic matter, NOT a government matter; there is no need for “best practices or standards” to be agreed to on a “national level”. Again, keep the Federal Government OUT of this matter.


Public Comment

Information security is not a technical matter; it is a policy and political matter.

Sharing the responsibility of security with non-technical administrators is not effective. This is best left to the professional . . .


Public Comment

Perhaps varying levels of implementation should be suggested as in secure, more secure, best practice.