Trade Law Daily is a service of Warren Communications News.

Cybersecurity Discipline Ignored by Universities, Senate Commerce Told

The U.S. can’t develop the cybersecurity expertise it needs in business and government unless universities develop cybersecurity programs, experts told the Senate Commerce Committee at a hearing Thursday. Certifications for cybersecurity also must be developed, they said. Chairman Jay Rockefeller, D-W.Va., who was Intelligence Committee chairman last Congress, said he was working on a bill with Sen. Olympia Snowe, R-Me., to provide funds for the training. But training and standards can’t be one-size-fits-all, said a representative of the control systems industry.

The hearing will be followed by sessions on other sides of cybersecurity, such as control systems, Rockefeller said. As health information technology networks come online, attackers could change people’s prescriptions or “just wreak havoc” on everyday activities. “Some kid in Malawi, some kid in the southern tip of Chile who’s just mad, can do this,” Rockefeller said. President Barack Obama needs to follow through on his campaign promise to name a cybersecurity adviser who can coordinate agency efforts, though not a conventional “czar,” he said. Rockefeller promised to concentrate on the commercial risks from cyberattacks and not poach on the Intelligence Committee’s territory.

The main danger isn’t “explosions, or mad hackers, or bringing the U.S. to its knees in a few hours,” said James Lewis, the director of the technology and public policy program at the Center for Strategic and International Studies. The theft of intellectual property relating to commercial and military technology by competitors abroad is already taking place, undermining the ability of the U.S. to innovate, he said. The stimulus package funding for research and development will “subsidize” foreign industry if networks aren’t secure, Lewis said.

The government needs to require better security controls in federal contracts, said Edward Amoroso, AT&T’s chief security officer. The carrier often responds to requests for proposal with its security plans “appended” to the application, because the requests “generally don’t have sufficient security embedded in.” International cooperation is sorely needed, because “there really is no place for us to turn” when AT&T tries to work with carriers around the world, Amoroso said.

The U.S. suffers a “Hurricane Katrina-style event” every year in commercial losses from cyberattacks, said Eugene Spafford, the executive director of the Center for Education and Research in Information Assurance and Security at Purdue University. “We haven’t done much at all to put up a deterrent” to cybercrime. Law enforcement agencies may not have the authority to pursue attackers, but other avenues, such as diplomatic and economic pressure on countries presumed to harbor attackers, haven’t even been tried, Spafford said.

On the research side, the government needs to fund “risky ideas” that can produce a “breakthrough” in securely designing information systems, Spafford said. The President’s Information Technology Advisory Committee, on which Spafford served, recommended in 2005 tripling the cybersecurity research budget, to no avail, he said. Sen. Tom Udall, D-N.M., said the Los Alamos and Sandia national laboratories in his state could conduct such research. “We really need to be ahead of the curve.”

The control systems industry needs a “seat at the table” because its problems can’t be solved through IT upgrades, said Joseph Weiss, managing partner at Applied Control Solutions. The model pioneered by the U.S. Computer Emergency Readiness Team and sector-specific Information Sharing and Analysis Centers won’t work for control systems, he said. There are fewer than 100 people worldwide “who truly know and understand control systems cybersecurity,” Weiss said, because there’s no university or certification curriculum dealing with control systems. Many suppliers farm out development of source code to “dubious” countries, another risk, he said. The industry needs “vetted” experts, not simply those with security clearances, and its own standards from the National Institute for Standards and Technology. “We have to read between the lines” to identify penetrations, so unique forensic standards would help, too, Weiss said.

‘Not an Exciting Career Path’

Cybersecurity should be the “most fascinating, cerebral, national-security, I'm-a-good-American problem” in research, Rockefeller said, amazed at the low number of professionals cited by witnesses. Science and math education have been “underfunded for years, and now we're reaping” the result, Lewis said. The work doesn’t offer competitive pay, he said, proposing that the government hold competitions to drum up interest among potential professionals. Spafford predicted that 50 to 60 people would get doctoral degrees in cybersecurity in 2009, 10 to 15 of them returning to their home countries because of expired visas and 15 to 20 becoming university instructors. “We are not portraying an image that this is an exciting career path,” he said, pointing to students who have gone into banking or law. Amoroso said he was teaching a program on cybersecurity, and “98 percent” of his students are foreign nationals.

The government got a mixed review in its handling of cybersecurity. Rockefeller said NIST, which would get authority to award scholarships under his bill, is a “national treasure that nobody [in the Senate] goes to visit.” He was “mortified” that only a handful of senators showed up for the hearing. The much-feared “electronic Pearl Harbor” probably took place in 2007, and the government response was, “Gee, that’s too bad,” Lewis said. “I’m not worried about some crisis in the future.” NIST should also consider revising its “compliance” model for cybersecurity to “attack-based metrics” or similar measures, he said.

Sen. Bill Nelson, D-Fla., complained that the Intelligence Committee, on which he also sits, couldn’t persuade the inspector general of NASA to investigate the “stealing” of rocket designs from the agency. Nelson’s office computers also have been “invaded” three times in the past month, and “one of them looks pretty serious, as if it’s talking to a computer in some international arena,” he said. Carriers have a “stopgap” fix in the form of a “big sponge” that can soak up cyberattacks such as the Conficker worm, the subject of a New York Times article Thursday, Amoroso said. But long term, “we've got to fix computing.”

Weiss took pains to emphasize how neglected his industry is in cybersecurity development efforts. Cybersecurity centers of excellence are based in university computer science departments, not electrical or nuclear engineering, and penetration testing to root out vulnerabilities won’t work for control systems, he said. “You will be your own hacker.” Unlike traditional IT systems, control systems have a 10- to 20-year lifetime, Weiss said. “Once you put these in you are not going to replace them, no matter what you find in terms of vulnerabilities.” Sen. Maria Cantwell, D-Wash., asked whether a four-year degree is needed to master cybersecurity. A semester or a quarter dealing with control-systems cybersecurity would probably suffice to give computer-science students a good background, Weiss said.