Could you provide some examples of 'clueless legislation?'
Clueless legislation includes the current toothless antispam laws, WIPO [World Intellectual Property Organization] which stifles use of digital media, and Sen. Orrin Hatch's belief that illegal downloaders should have their computers destroyed. Good legislation levels the playing field for businesses and fosters innovation, like legislation that allows digital signatures for contracts.
How did you become involved with information security?
I became a computer programmer, and I fell into operating system work and networking and was lucky enough to work on an early secure operating system for networking. That involved all kinds of things -- very high quality programming, analysis, cryptography and formal verification. So, through that, I met people who were working on interesting problems and just retained an association with them in the field.
What do you see as the biggest challenge to being a woman in information security? Or maybe you don't view yourself in this manner?
Well, I didn't for a long time view myself as a 'woman' in information security. In fact, it was my observation for a long time that it wasn't particularly unusual to be a woman in computer security. This was, though, 20 years ago. And having gone to MIT 30 years ago, I certainly knew what it was like to be the only woman in a classroom or auditorium, so I felt that information security was a fairly female-friendly field for a while.
Now I think the challenge that's come up is that it's much more a day-to-day adversarial field where you're trying to, in essence, dissuade attacks from teenage boys [from] all over the world. And I think that has given it a much more male kind of influence. I think that there's an image problem for a woman in this field. They'll say, 'Oh, maybe you know some mathematical stuff, but the real nitty-gritty of protecting my server from a hacker, do you know that?'
What role should the government play in setting standards?
The National Institute of Standards and Technology is an example. They set standards for cryptography and authentication for the government, but they're available for industry if they want to voluntarily adopt them. I think that's an excellent use of standards, and that could be widened quite a bit.
So it's really a problem of deploying a solution? All the tools are there to meet it; it's just a question of can you get them?
Tools are there. Whether or not they're non-draconian tools is another question. And I think that is one challenge -- making the solutions practical, so that they actually save people trouble rather than just causing them false alarms.
But the other major challenge is the Internet. And it's very vulnerable. There are many solutions, but there is no overall plan or solution. And it remains an extremely fragile and vulnerable infrastructure.
Do you think federal legislation advances or hinders information security?
Well, as with all legislation, it's double-edged. One of the points that I'm going to make in the panel is that clueless legislation is extremely harmful, and we've certainly seen some examples of clueless legislation. On the other hand, it's a learning process for everyone, even for legislators and for practitioners who have to deal with the consequences of legislation. Some of it is definitely helpful, but I think it focuses far too much on protecting business interests. Legislative momentum is for protecting particular kinds of business on the Internet rather than the Internet.
What do you see as some of the biggest threats and obstacles to information security?
There's a lot of talk about insider breaches and how your workers are the weakest link. They're the biggest threat to security.
Well, [workers] certainly are. That's true. And that is a challenge information security is prepared to face, but not many people want to deploy the solutions. And I think that's coming along, but it's very slow. This is a decades-long process.
Do you have any advice for young women interested in entering the security field?
My advice is don't be distracted by hacking. [Information security] is a highly analytical field. This is especially important for young women to understand. There are extremely interesting problems in the field, and [it's important] to view it as a high quality analytical exercise, not a game.
Hacking often seems to be an aggressive and interesting game, but it is [a] usually simple-minded repetition of mischief. On the other hand, designing or deploying general and useful solutions is a challenging exercise, worthy of creative and analytic minds.
Send your feedback to the SearchSecurity.com news team.