Dr. Eugene Spafford Podcast Transcript
RICHARD SWART: Hi, this is Richard Swart with Information Security Media Group, publishers of BankInfoSecurity.com and CUInfoSecurity.com. Today we’ll be speaking with Dr. Eugene Spafford, Professor of Computer Science and Electrical Engineering at Purdue University and Director of the Center for Education and Research and Security. “Spaf,” as he is known to his students and colleagues, has written extensively about information security, software engineering and professional ethics. He is one of the most senior and recognized leaders in the field of computing and has been a senior advisor and consultant on issues of security, cyber crime and policy to a number of major companies, law enforcement organizations and government agencies throughout the world. Hello, Spaf.
DR. EUGENE SPAFFORD: Hello there.
RICHARD SWART: Good to talk to you today. Could you provide us an overview of what’s happening in cyber security education and research in the United States right now? How good of a job are our universities doing?
DR. EUGENE SPAFFORD: Overall I think we’re not doing very well. We’re doing better than we were, but there are still a lot of gaps. This is particularly well stated in a very recent report from the National Research Council entitled “A Safer and More Secure Cyberspace” that was released just about two weeks ago. And their observations echo what has been said in reports and what many of us have been saying for some time: basically we don’t have enough people in the pipeline who are learning about cyber security. We don’t have it mainstreamed enough in the regular computing curriculum, and we don’t have the resources in place to really be looking at a broad enough variety of both near-term and long-term issues.
RICHARD SWART: What factors account for this lack of focus in our programs?
DR. EUGENE SPAFFORD: Well, we have so many different priorities for funding and attention right now, and security is something that doesn’t have the cachet or the immediate appeal or threat that any of the other things we’re spending our money on have. So, for instance, many companies are much more interested in Web 2.0 because that’s where they believe they’re going to establish some market dominance and some long-term financial leadership. Unfortunately, unless we’re also thinking about how to integrate privacy protection, defenses, law enforcement investigation and other elements that we can lump under cyber security as part of that process, we’re going to face a whole new set of problems or some older problems re-emerging in new guise.
RICHARD SWART: You recently posted a blog about the tendency of people in organizations to put off the pain and expense of fixing things because nothing terrible has happened yet. Why aren’t we as a country or in the computing industry addressing the hard problems?
DR. EUGENE SPAFFORD: That’s something that I think is involved a little bit in human nature and also is driven by the organization in many companies and government, where we’re judged more on near-term results than long-term results. If we put in defenses against threats that don’t materialize in the near future, then perhaps we’ve wasted resources that could be better spent on growing business or funding other kinds of needs, and so it isn’t until we’ve been burned a few times or we’ve seen someone very much like us who has suffered a real loss that we come to the realization that maybe we should put in defenses. This is complicated by the fact that we don’t have good metrics for security. So it’s difficult to tell when we’ve put enough in or whether we’re spending our money on the right thing, and as well it’s made a little bit more difficult by the rapid change that we’ve seen in the technology and in the people with access to the technology. So it’s difficult for decision makers to decide what’s appropriate to put into play.
RICHARD SWART: What are some of the key problems that you really think the industry should be focusing on? What are the really hard problems and if you could change the world that you would say that we need to devote our energy and time towards?
DR. EUGENE SPAFFORD: There are so many it’s difficult to pick a few. Again, I would recommend looking at something like the report from a couple years ago or the National Academy study that just came out for a long list of research areas. But I would say that the concern that should be most pressing right now: we have to do a better job on law enforcement, on tracking people down, on being able to know who did what and providing that as a counter-balance to the prevalence of fraud that’s occurring right now. We have to combine that at the same time with appropriate protection on individual privacy. It has been the trend recently to collect more and more information both for commercial means and for government purposes often without protections or without concern about accuracy. And this is a real danger because once privacy is lost it’s almost impossible to regain. So we need to do better with protecting privacy and building mechanisms that do what we want while protecting privacy. We need to do a better job in partitioning our systems. We aggregate things. We make our systems very homogeneous and the result is that one bad insider or one successful attack from outside tends to propagate quickly and be effective against everything in the enterprise. We need to get back into more diversification. We need to understand better what it means to have internal firewalls and partitions. I think those three things would be my top focus areas if I only had a limited amount to spend but I still complain that there are many more things that need attention.
RICHARD SWART: What about from a senior manager’s perspective, the chief information security officer, the CEO of companies. If you had the opportunity to speak to them where should they be focusing their time and energy?
DR. EUGENE SPAFFORD: I have spoken with several, and their concerns clearly are how to know that they’re spending the right amount and what it is really going to do for the business if they do or don’t spend on certain things. I think the first thing that needs to get across to many of these people is that security is not a return-on-investment kind of expenditure. It isn’t an investment that produces returns. It is an infrastructure cost. It is a cost of doing business, the same as providing heat and lights and the guard at the front lobby are all part of infrastructure expenses. And you have to invest in appropriate amounts of security not only to maintain the viability of the organization but also to promote public trust and employee comfort, both of which are important for the bottom line. If the public doesn’t believe that you’re going to protect their information appropriately, or that you are behaving in an ethical manner, then they are likely to eventually take their business elsewhere no matter how immediate the crisis is. Government is likely to penalize you as an organization if you haven’t kept appropriate records, and we’ve seen over the last decade the increase of legislation in this arena; and certainly employees, given the choice in today’s market where we have far more opportunities than candidates, are going to take their business where they feel more comfortable, where they feel that they’re doing something more ethical, or where they just feel better about the protection of their own information. So when I talk to people at the C level, I stress that the investment isn’t expected to produce a tangible return but is there to create an environment where customers and employees and other entities are more comfortable doing business with a company because they realize it takes care of privacy and security and values quality.
RICHARD SWART: You say that there’s a large number of opportunities and not as many candidates. How severe is the shortage for trained professionals in information security?
DR. EUGENE SPAFFORD: The shortage right now is that maybe two or three potential positions exist for each person with appropriate training, if they’re willing to relocate and if they’re willing to learn some new systems. The problem is probably going to get worse, though, because we don’t have the defenses in place, and as more businesses come online, as we do more government work online, and as fewer students go into computing than are really needed, the shortage is going to increase.
RICHARD SWART: So what advice would you give somebody thinking of starting this career? Where would they want to go for school or what type of major should they look at? Is this still something that’s a computer science focus or should a business student also be interested in this major?
DR. EUGENE SPAFFORD: There are a number of different ways to approach this. Certainly computer science, computer engineering and business are three potential approaches, depending on the aspects that one is interested in. But we’re also seeing some programs coming through criminology for the whole area of cyber forensics and cyber law enforcement as one arena. I’ve seen some people coming through education schools and information technology programs who also have very good grounding. It really depends on whether you’re interested in applications in a particular area, or management, or research, and that really should be the guide.
RICHARD SWART: Well, in the past you have successfully predicted emerging threats and trends in cyber security and cyber crime. What should our listeners be paying attention to over the next five or ten years? What are the emerging threats?
DR. EUGENE SPAFFORD: Well, I think the threat from international entities that are using physical borders as a protection for their online activities is only going to get worse. I believe that online fraud and extortion are going to get worse than they currently are, extortion in particular, whether it’s targeted at individuals or organizations. When protected by international boundaries it can be quite effective. On the technology side we are seeing more and more convergence into PDAs and cell phones, so that faster compromise of those is going to be of higher value. It is also the case that as we layer more protocols such as Voice over IP (VoIP) onto these systems, and they’re not well thought out for security, not only are they a potential for theft of information but again for extortion purposes. If it’s possible for someone remotely to take down your network and also remove all your phone service for your call center, then you’re much more likely to end up paying a blackmail fee than you would be if you were relying on the plain old telephone service with copper wires.