Aren’t you tired of seeing the same headlines recycled in newsprint and magazines and blasting over the airwaves,
cable news channels, and Internet? Headlines like “The U.S. is Losing the Information War,” “Cyber Space is the Next Battleground” and “Money Motivates Today’s Hacks”? Articles with these kinds of headlines lay out the plight of the American public, business and government when encountering new vulnerabilities, exploits, credit card frauds, and/or viruses. But are the threats and vulnerabilities truly new? Or are we seeing an ongoing recurrence of the same type of problems because we are not properly addressing security and incorporating long-term solutions into the fabric of our country? Are we, in fact, doomed to repeat history because we do not recognize the pattern and work to avoid the mistakes of the past by continuing to follow the same information security trend?
2013 will mark the 25th anniversary of the Morris worm being released into the Internet and some would argue we are no more secure today than we were then. If we think of the Morris worm signaling the dawn of the cyber-security industry, then we must depict ourselves at high noon in the O.K. Corral of the cyber-security shootout. We continue to see advances in technology solutions and escalations of technological exploits of these solutions. As IT professionals implement the newest piece of hardware or software to protect us from the latest threat, cybercriminals are already working to find shortcomings in these new systems that will allow access to our personal data, credit cards, bank accounts, critical infrastructure, and/or disrupt our daily lives. While advances in technology have plugged holes or slowed the bleeding, they also have caused the criminals to become ever more savvy in their approach and execution.
So, why do we continue to struggle with problems that are similar to the ones we observed nearly a quarter of a century ago? In the simplest of terms, we treat security as a bolt-on feature rather than a core product or function. Because cybersecurity is a top priority, we have appointed committees, added meetings to our days, required cybersecurity certification standards, and sent people to training. Yet security is still often viewed as a separate issue to be addressed. Rarely do we approach a design or system problem with the intent to include security from the start.
It has also become obvious that technology alone will not fix security; people are the real way to make inroads in protecting cyberspace. Consequently, over the past 20 years there has been an increased focus on security education. But have we really educated anyone in cybersecurity and are we making any reduction in cybersecurity attacks on our nation? In government and business we have mandatory security training sessions or put up posters around the office talking about how to be more secure. Some organizations go as far to offer advanced security training for their staff. In academia, where we train young computer engineers and computer scientists, we treat security as a separate topic, offering separate majors in information assurance and network security. When security is covered as part of a course on operating systems or programming it's treated as an add-on topic. It's covered at the end of the semester, if time permits.
In general, we don’t educate our computer engineers and computer scientists to take a holistic approach to security and when these individuals enter the workforce, security is treated with the same separatist approach. Worse yet, computer engineers and computer scientists aren’t the only ones who either ignore or segment security into its own little world. All disciplines suffer from not including security as a core product, but instead bolt it on at the end of the course or product. This leaves those at management decision-making levels just as ignorant of security concerns as those who work for them. So, when we will finally see security as central to all disciplines and avoid the pitfalls of repeating history?
In the coming months, this column will be devoted to examining the difficulties in cybersecurity education at all levels, from formal university education and specialized training and certificates to security literacy for the masses. We hope to spur a national dialogue among the stakeholders in cybersecurity, including universities, training organizations, corporations, and government, and encourage an evolution so security is no longer an afterthought.
About the author:
Doug Jacobson is a professor in the department of electrical and computer engineering at Iowa State University and director of the Information Assurance Center, which was one of the original seven NSA-certified centers of academic excellence in information assurance education. Julie A. Rursch is a lecturer in the department of electrical and computer engineering at Iowa State University and director of the Iowa State University Information Systems Security Laboratory (ISSL), which provides security training, testing, and outreach to support business and industry. Send comments on this column to firstname.lastname@example.org.