Clarke warns educators about need for better security

Computerworld - REDMOND, Wash. -- Despite evidence of al-Qaeda's research into American utility companies gleaned from laptops seized after the Sept. 11 terrorist attacks, don't expect the National Security Agency, CIA and FBI to warn businesses when a cyberattack might take place.
That was the message delivered yesterday by the president's cybersecurity czar, Richard Clarke, to 300 educators attending the sixth annual National Colloquium for Computer Security Education at Microsoft Corp.'s conference center.
"Law enforcement can't save the private sector," Clarke said. "We can't tell the energy companies and the pipeline companies how to configure their systems. At a fundamental level, it doesn't matter who the threat is."
What matters, he said, are the vulnerabilities within corporate networks that present risks to national infrastructure. And the most vulnerable networks are those at universities and college systems, many of which have little or no protection -- and thus make great launching pads for attacks against infrastructure companies.
Clarke challenged the computer security and information assurance program directors to push for better security at their own schools. And he urged them to develop research curriculum around secure operating systems, routers and out-of-line management.
"In three to four years, we will have a billion IP addresses," he said. "Do we still want to use TCP/IP? Do we still want the same domain naming system? Do we still want the same wireless security we're using today?"
To champion better security at their campuses, Clarke said attendees need to become "nudges" by pressing university provosts and boards of regents for better security programs and educational grants.
"An information war is coming some day, and the $15 billion in losses from hacking cited today will seem like nothing when it happens," he said.
But attendees questioned whether scare tactics would result in better security programs.
"Security already has this image that it's a pain in the ass," said Peter Tippett, founding chief technology officer at TruSecure Corp. in Herndon, Va. "From the viewpoint of the CEO, he's got to open his business in Poland next month, and all he's hearing is pain, pain, pain."
Instead, security professionals should push their agendas by adhering to the business goals of value-add, something largely missing from security and information program syllabuses offered at the session.

Broader Selection of Security Courses
Most representatives and speakers talked of information assurance programs at the bits and bytes level, with research agendas heavy on technology, including loss leaders like public-key infrastructure. And while speakers touted forensics programs, intrusion-detection and prevention programs, security standards development and