Subject: Risks Digest 22.63
From: risko@csl.sri.com (RISKS List Owner)
Date: Thu, 13 Mar 2003 00:35:14 +0000 (UTC)
Newsgroups: comp.risks

RISKS-LIST: Risks-Forum Digest  Wednesday 12 March 2003  Volume 22 : Issue 63

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at http://catless.ncl.ac.uk/Risks/22.63.html
and by anonymous ftp at ftp.sri.com, cd risks .

  Contents: [See other issues for Risks info.]
Education and the National Strategy to Secure Cyberspace (Rob Slade)
IEEE Symposium on Security and Privacy (Lee Badger)

----------------------------------------------------------------------

Date: Tue, 11 Mar 2003 08:28:07 -0800
From: Rob Slade
Subject: Education and the National Strategy to Secure Cyberspace

The second version of the National Strategy to Secure Cyberspace has been
released. One is reminded of the old joke: someone is in a balloon, and
lost, asks a person on the ground where he is, and, upon being told that he
is in a balloon, states that the person on the ground is an
economist/academic/tech support person/profession to be deprecated since
the answer is completely true and completely useless. Much the same
critique can be made about the National Strategy to Secure Cyberspace.

Given the fanfare and promotion of the strategy, it has been quite
disappointing to see the final result. However, the area of education and
training, while named as a priority, is particularly weak. I have
extracted the relevant portions of the strategy, and interlined commentary.
For those who wish to access the full document, without my opining, it is
available at: http://www.whitehouse.gov/pcipb/cyberspace_strategy.pdf

>> From the Executive Summary:

>> Priority III: A National Cyberspace Security Awareness and Training Program

>> Many cyber vulnerabilities exist because of a lack of cybersecurity
>> awareness on the part of computer users, systems administrators,
>> technology developers, procurement officials, auditors, chief information
>> officers (CIOs), chief executive officers, and corporate boards. Such
>> awareness-based vulnerabilities present serious risks to critical
>> infrastructures regardless of whether they exist within the infrastructure
>> itself. A lack of trained personnel and the absence of widely accepted,
>> multi-level certification programs for cybersecurity professionals
>> complicate the task of addressing cyber vulnerabilities.

This much we knew already. However, the proposed activities are somewhat
limited:

>> The National Strategy to Secure Cyberspace identifies four major actions and
>> initiatives for awareness, education, and training:

>> 1. Promote a comprehensive national awareness program to empower all
>> Americans -- businesses, the general workforce, and the general population
>> -- to secure their own parts of cyberspace;

>> 2. Foster adequate training and education programs to support the Nation's
>> cybersecurity needs;

>> 3. Increase the efficiency of existing federal cybersecurity training
>> programs; and

>> 4. Promote private-sector support for well-coordinated, widely recognized
>> professional cybersecurity certifications.

>> THE NATIONAL STRATEGY TO SECURE CYBERSPACE 37
>> PRIORITY III

>> Everyone who relies on part of cyberspace is encouraged to help secure the
>> part of cyberspace that they can influence or control. To do that, users
>> need to know the simple things that they can do to help to prevent
>> intrusions, cyber attacks, or other security breaches.
>> All users of cyberspace have some responsibility, not just for their own
>> security, but also for the overall security and health of cyberspace.

While this statement is true, it seems to set a tone of "we can't do it
alone, so we're not going to do anything" in this document.

>> In addition to the vulnerabilities in existing information technology
>> systems, there are at least two other major barriers to users and managers
>> acting to improve cybersecurity: (1) a lack of familiarity, knowledge, and
>> understanding of the issues; and (2) an inability to find sufficient
>> numbers of adequately trained and/or appropriately certified personnel to
>> create and manage secure systems.

This blanket statement cries out for clarification. There is familiarity,
knowledge and understanding--in those relatively few who have taken it upon
themselves to study the issues. In regard to the inability to find
sufficient numbers of trained individuals, I note that there are plenty of
unemployed CISSPs out there. I would say, as I have said in regard to many
supposed high tech labour shortages over the past couple of decades, that
there is no shortage of skilled people, just a shortage of skilled people
willing to work for nothing. To coin a phrase from Juvenal, all wish to
know, but none want to pay the fee.

>> Among the components of this priority are the following:

>> . Promote a comprehensive national awareness program to empower all
>> Americans -- businesses, the general workforce, and the general
>> population -- to secure their own parts of cyberspace;

This is unlikely to happen any time soon. The first step towards such a
program would be to determine a "minimum necessary" standard of security
awareness. Since we can't even agree on a minimum necessary level of
security for products (or street-proofing for children, or intelligence
necessary to order coffee, etc), we are unlikely to be able to draw this
line with any clarity or speed.

>> . Foster adequate training and education programs to support the Nation's
>> cybersecurity needs;

This would be nice. How will it happen?

>> Increase the efficiency of existing federal cybersecurity training
>> programs; and

More money for sending people for training would probably be a good start.

>> . Promote private sector support for well-coordinated, widely recognized
>> professional cybersecurity certification.

How would this be accomplished?

>> Key to any successful national effort to enhance cybersecurity must be a
>> national effort to raise awareness (of users and managers at all levels)
>> and maintain an adequate pool of well trained and certified IT security
>> specialists. The federal government cannot by itself create or manage all
>> aspects of such an effort. It can only do so in partnership with industry,
>> other governments, and nongovernmental actors.

Once again, this seems to say that the government cannot do it all, so it
will not do much at all.

In regard to maintaining a national pool of talent, I recall that I was
approached four or five years ago by someone from a (then Clinton) White
House office in regard to encouraging security experts to teach security
courses at universities. My response was that such encouragement required
there to be faculty positions for such experts to occupy, jobs for students
of such courses to occupy when they graduated, and jobs for the experts to
return to when they finished teaching. The jobs weren't there then, and they
aren't there now.

(I recall a science fiction story of many years back where a nation had
devoted itself to developing practical skills and efficient programs. At a
crucial juncture, it became apparent that a poet was vital to the survival
of the nation. A poet could not be found among the highly skilled, trained,
and practical populace. Sometimes skills just can't be created on demand.)

>> Many federal agencies must play a part in this effort, which will be led and
>> coordinated by DHS.
>> The components of this program will include the following federal programs
>> (both existing programs and initiatives which will be considered as part
>> of the budget decision making process) and activities, which we recommend
>> to our partners.

>> A. AWARENESS

>> 1. Promote a Comprehensive National Awareness Program to Empower All
>> Americans---Businesses, the General Workforce, and the General Population
>> -- to Secure their Own Parts of Cyberspace

>> In many cases solutions to cybersecurity issues exist, but the people who
>> need them do not know they exist or do not know how or where to find
>> them. In other cases people may not even be aware of the need to make a
>> network element secure. A small business, for example, may not realize
>> that the configuration of its web server uses a default password that
>> allows anyone to gain control of the system. Education and outreach play
>> an important role in making users and operators of cyberspace sensitive to
>> security needs. These activities are an important part of the solution for
>> almost all of the issues discussed in the National Strategy to Secure
>> Cyberspace, from securing digital control systems in industry, to securing
>> broadband Internet access at home.

>> DHS, working in coordination with appropriate federal, state, and local
>> entities and private sector organizations, will facilitate a comprehensive
>> awareness campaign including audience-specific awareness materials,
>> expansion of the StaySafeOnline campaign, and development of awards
>> programs for those in industry making significant contributions to
>> security. (A/R 3-1) Increasing awareness and education prepares private
>> sectors, organizations, and individuals to secure their parts of
>> cyberspace. Actions taken by one entity on a network can immediately and
>> substantially affect one or many others.
>> Because the insecurity of one participant in cyberspace can have a major
>> impact on the others, the actions they take to secure their own networks
>> contribute to the security of the whole. For example, a few subverted
>> servers recently enabled an attack on some of the Internet Domain Name
>> System root servers and threatened to disrupt service for many users.
>> Through improved awareness the Nation can stimulate actions to secure
>> cyberspace by creating an understanding at all audience levels of both
>> cybersecurity issues and solutions. DHS will lead an effort to increase
>> cybersecurity awareness for key audiences:

While I do not wish to belittle the importance or contribution of the
StaySafeOnline program within its purview, it is far too limited to
function even as a template for a larger security awareness campaign. An
awards program is probably going to have to be cold, hard cash, in large
amounts, to counter current levels of apathy. Steve Ballmer's speech from
1997 almost makes the case that Microsoft is the dominant industry player
not in spite of the fact that it ignores security, but precisely because it
ignores security. Security awareness cannot be promoted by establishing
contests where nobody will compete.

>> a. Home Users and Small Business

>> Home users and small business are not part of the critical
>> infrastructures. However, their systems are being increasingly subverted
>> by malicious actors to attack critical systems. Therefore, increasing the
>> awareness about cybersecurity among these users contributes to greater
>> infrastructure security. Home users and small business owners of cyber
>> systems often start with the greatest knowledge gap about cybersecurity.

Coming from the virus research community as I do, I would say that the
first statement here is flatly wrong. Small systems *are*, in fact, part of
the critical infrastructure. The Slammer worm proves the case.
Estimates of the number of systems infected are on the order of 60-70,000.
This is insignificant when compared to the hundreds of millions of
dedicated machines on the net. Very few "critical infrastructure" machines
would have been running the vulnerable system. However, the traffic
generated by the infected machines affected every area of the Internet,
plus many private systems. While SOHO systems may not be dedicated to
infrastructure programs, their security can be just as important to the
functioning of the infrastructure itself.

(Malicious software often creates problems for traditional models and
understanding of security. I frequently point out to students that viruses
present one of the few situations where the fact that *I* have been
successfully attacked means that *you* have a problem.)

>> DHS, in coordination with other agencies and private organizations, will
>> work to educate the general public of home users, students, children, and
>> small businesses on basic cyberspace safety and security issues. As part
>> of these efforts, DHS will partner with the Department of Education and
>> state and local governments to elevate the exposure of cybersecurity
>> issues in primary and secondary schools. In addition, the Federal Trade
>> Commission will continue to provide information on cybersecurity for
>> consumers and small businesses through http://www.ftc.gov/infosecurity.

Again, this proposal sounds good, but, without details to back it up, I
doubt that there will be any impact any time soon. If the government is
concerned that there are not enough experts to help secure businesses,
where are they going to find those who have not only the necessary security
expertise, but the ability to translate the vital concepts to children?
>> DHS, in coordination with the Department of Education, will encourage and
>> support, where appropriate subject to budget considerations, state, local,
>> and private organizations in the development of programs and guidelines
>> for primary and secondary school students in cybersecurity. (A/R 3-2)

Subject to budget considerations. No further comment needed.

>> In recent years, with the spread of ``always on'' connections for systems,
>> such as cable modems, digital subscriber lines (DSL), and wireless and
>> satellite systems, the security of home user and small business systems
>> has become more important not only to the users themselves, but to others
>> to which they are connected through the Internet. For example, these
>> connections generally mean that larger amounts of data can be sent and
>> done so in a continuous stream. These two factors can be exploited and
>> used to attack other systems, possibly even resulting in nationally
>> significant damage. The Internet service providers, antivirus software
>> companies, and operating system/application software developers that
>> provide services or products to home users and small businesses can help
>> raise their awareness of cybersecurity issues.

What incentive do those companies have to do so? In many cases, what ability
do they have to do so?

>> Home users and small businesses can help the Nation secure cyberspace by
>> securing their own connections to it. Installing firewall software and
>> updating it regularly, maintaining current antivirus software, and
>> regularly updating operating systems and major applications with security
>> enhancements are actions that individuals and enterprise operators can
>> take to help secure cyberspace.
>> To facilitate such actions, DHS will create a public-private task force of
>> private companies, organizations, and consumer users groups to identify
>> ways that providers of information technology products and services, and
>> other organizations can make it easier for home users and small businesses
>> to secure their systems. (A/R 3-3)

"Make it easier." Such as, not using instant messaging and P2P sharing
systems? Not using Outlook and IE? Turning off JavaScript and ActiveX? Not
opening attachments? Forswearing HTML formatted email? And will the
companies promoting such technologies be likely to make such
recommendations?

>> b. Large Enterprises

>> The security of large enterprises is important not only to individual
>> businesses, but to the Nation as a whole. Large enterprises own major
>> cyber networks and computing systems that, if not secure, can be exploited
>> for attacks on other businesses in an increasingly interconnected economy,
>> and could, in the case of a massive attack, have major economic
>> consequences. The cybersecurity of large enterprises can be improved
>> through strong management to ensure that best practices and efficient
>> technology are being employed, especially in the areas of configuration
>> management, authentication, training, incident response, and network
>> management. DHS will continue the work of sensitizing the owners of these
>> networks to their vulnerabilities and what can be done to mitigate them.

How will they sensitize these owners? I suspect that the strongest
encouragement will be successful lawsuits against companies that failed to
secure themselves.

>> DHS, working with other government agencies and private sector
>> organizations, will build upon and expand existing efforts to direct the
>> attention of key corporate decision makers (e.g., CEOs and members of
>> boards of directors) to the business case for securing their companies'
>> information systems.
>> Decision makers can take a variety of steps to improve the security of
>> their enterprise networks and to ensure that their networks cannot be
>> maliciously exploited. Large enterprises are encouraged to evaluate the
>> security of their networks that impact the security of the Nation's
>> critical infrastructures. Such evaluations might include: (1) conducting
>> audits to ensure effectiveness and use of best practices; (2) developing
>> continuity plans which consider offsite staff and equipment; and, (3)
>> participating in industrywide information sharing and best practice
>> dissemination. (A/R 3-4)

Most of us in the security field would agree that a business case could be
made for security. (After all, our jobs depend upon it.) However, most of
us would also agree that such cases are not easy to put together. If the
DHS can help put together such a case, it may help. But will this case be
the usual one: vague, generic, and uncompelling? One grand business case
for security overall will not help. Business cases too often have to be
made on a protection system by policy by practice basis, and demand too
much time (from those experts who are already, please note, in short
supply).

>> i) Insider Threats. Many cyber attacks on enterprise systems are
>> perpetrated by trusted ``insiders.'' Insiders are people trusted with
>> legitimate access rights to enterprise information systems and
>> networks. Such trusted individuals can pose a significant threat to the
>> enterprise and beyond. The insider threat poses a key risk because it
>> provides a potential avenue for individuals who seek to harm the Nation to
>> gain access to systems that could support their malicious
>> objectives. Effectively mitigating the insider threat requires policies,
>> practices, and continued training. Three common policy areas which can
>> reduce insider threat include: (1) access controls, (2) segregation of
>> duties, and, (3) effective policy enforcement.
I'm not sure why the framers of this "strategy" chose to include this
material in relation to education, although it does have some relevance.

>> . Poor access controls enable an individual or group to inappropriately
>> modify, destroy, or disclose sensitive data or computer programs for
>> purposes such as personal gain or sabotage.

Proper access controls require time and resources to determine, administer,
and enforce. Remember those rare experts, again.

>> . Segregation of duties is important in assuring the integrity of an
>> enterprise's information system. No one person should have complete
>> control of any system.

Segregation of duties is remarkably difficult to teach. The dividing line
between an operational function and an audit function is not immediately
obvious in all cases.

>> . Effective enforcement of an enterprise security policy can be
>> challenging and requires regular auditing. New automated software is
>> beginning to emerge which can facilitate efficient enforcement of
>> enterprise security. These programs allow the input of policy in human
>> terms, translation to machine code, and then monitoring at the packet
>> level of all data transactions within, and outbound from, the
>> network. Such software can detect and stop inappropriate use of networks
>> and cyber-based resources.

Programs can help with the enforcement. The establishment of the policy is
still a skilled task. We need help in training people skilled in that task.

>> c. Institutions of Higher Education (IHEs)

>> Awareness plays an especially important role in increasing the
>> cybersecurity of IHEs. As recent experience has shown, organized attackers
>> have collectively exploited many insecure computer systems traceable to
>> the campus networks of higher education as a platform from which to launch
>> denial-of-service attacks and other threats to unrelated systems on the
>> Internet.
>> Such attacks harm not only the targeted systems, but also the owners of
>> those systems and those who desire to use their services. IHEs are
>> subject to exploitation for two reasons: (1) they possess vast amounts of
>> computing power; and (2) they allow relatively open access to those
>> resources. The computing power owned by IHEs is extensive, covering over
>> 3,000 schools, many with research and significant central computing
>> facilities.

Good. DHS gonna spring for some money to help with the administration of
security on college systems, or do the colleges have to take resources away
from the task of educating students (perhaps in the art of security?)?

>> The higher education community, collectively, has been actively engaged in
>> efforts to organize its members and coordinate action to raise awareness
>> and enhance cybersecurity on America's campuses. Most notably, through
>> EDUCAUSE, the community has raised the issue of the Strategy's development
>> with top leaders of higher education, including the American Council on
>> Education and the Higher Education IT Alliance. Significantly, through
>> this effort, top university presidents have adopted a 5-point Framework
>> for Action that commits them to giving IT security high priority and to
>> adopting the policies and measures necessary to realize greater system
>> security:

Sounds interesting.

>> (1) Make IT security a priority in higher education;

We've heard this before, from a variety of institutions.

>> (2) Revise institutional security policy and improve the use of existing
>> security tools;

Uh huh ...

>> (3) Improve security for future research and education networks;

uh huh ...

>> (4) Improve collaboration between higher education, industry, and
>> government; and

uh huh ...

>> (5) Integrate work in higher education with the national effort to
>> strengthen critical infrastructure.

Didn't you just say that?
>> Colleges and universities are encouraged to secure their cyber systems by
>> establishing some or all of the following as appropriate: (1) one or more
>> ISACs to deal with cyber attacks and vulnerabilities; (2) model guidelines
>> empowering Chief Information Officers (CIOs) to address cybersecurity; (3)
>> one or more sets of best practices for IT security; and, (4) model user
>> awareness programs and materials. (A/R 3-5)

We have heard this before. While I would agree that IHEs may be closer to
the informed resources who can form such plans, I haven't seen that they
are any closer to using them.

>> d. Private Sectors

>> DHS will work with private sectors on general awareness as well as on
>> specific issues impacting particular sectors. Private sectors own and
>> operate the vast majority of the Nation's cyberspace. As long time
>> partners in the effort to secure cyberspace, many sectors have developed
>> plans in parallel with the National Strategy to Secure Cyberspace to help
>> secure their critical infrastructures. The sectors can serve a vital role
>> in the reduction of vulnerabilities by creating sector-wide awareness of
>> issues that affect multiple members. Members can develop and share best
>> practices and work together toward common security solutions. For example,
>> SCADA systems are a widespread security issue in the energy
>> sector. Solutions are being coordinated with the Department of Energy and
>> across the sector. The sectors also play a role in the identification of
>> research needs. DHS will closely coordinate with private sectors on plans
>> and initiatives to secure cyberspace.

As anyone who has been involved with security in the long term can attest,
"vertical markets" can maintain some remarkably large blind spots. Forcing
the sectors to have *outsiders* review their systems could be very
beneficial.
>> A public-private partnership should continue work in helping to secure the
>> Nation's cyber infrastructure through participation in, as appropriate and
>> feasible, a technology and R&D gap analysis to provide input into the
>> federal cybersecurity research agenda, coordination on the conduct of
>> associated research, and the development and dissemination of best
>> practices for cybersecurity. (A/R 3-6)

This does not really appear to say much.

>> e. State and Local Governments

>> DHS will implement plans to focus key decision makers in state and local
>> governments---such as governors, state legislatures, mayors, city
>> managers, and county commissioners/boards of supervisors---to support
>> investment in information systems security measures and adopt enforceable
>> management policies and practices.

Focus or force?

>> B. TRAINING

>> In addition to raising general awareness, the Nation must focus resources
>> on training a talented and innovative pool of citizens that can specialize
>> in securing the infrastructure. While the need for this pool has grown
>> quickly with the expansion of the Internet and the pervasiveness of
>> computers, networks, and other cyber devices, the investment in training
>> has not kept pace. Universities are turning out fewer engineering
>> graduates, and much of their resources are dedicated to other subjects,
>> such as biology and life sciences. This trend must be reversed if the
>> United States is to lead the world with its cyber economy.

I suspect that this comment relates only to training about info tech in
general. The level of training in infosec, we all know, is far less.

>> 1. Foster Adequate Training and Education Programs to Support the Nation's
>> Cybersecurity Needs

>> Improvements in cybersecurity training will be accomplished primarily
>> through the work of private training organizations, institutions of
>> learning, and the Nation's school systems.
>> DHS will also encourage private efforts to ensure that adequate
>> opportunities exist for continuing education and advanced training in the
>> workplace to maintain high skills standards and the capacity to innovate.

Did we not foresee this? "It's your responsibility, not ours." Some
strategy.

>> The federal government can play a direct role in several ways. First, DHS
>> will implement and encourage the establishment of programs to advance the
>> training of cybersecurity professionals in the United States, including
>> coordination with NSF, OPM, and NSA, to identify ways to leverage the
>> existing Cyber Corps Scholarship for Service program as well as the
>> various graduate, postdoctoral, senior researcher, and faculty development
>> fellowship and traineeship programs created by the Cyber Security Research
>> and Development Act, to address these important training and education
>> workforce issues. (A/R 3-7)

Sounds interesting. Needs development. Show your work. C-

>> 2. Increase the Efficiency of Existing Federal Cybersecurity Training
>> Programs

>> Second, DHS will explore the benefits of a center for the development of
>> cybersecurity training practices that would draw together expertise and be
>> consistent with the federal ``build once, use many'' approach. DHS, in
>> coordination with other agencies with cybersecurity training expertise,
>> will develop a coordination mechanism linking federal cybersecurity and
>> computer forensics training programs. (A/R 3-8)

Linking? How about funding?

>> C. CERTIFICATION

>> 1. Promote Private Sector Support for Well-coordinated Widely Recognized
>> Professional Cybersecurity Certifications

>> Related to education and training is the need for certification of
>> qualified persons. Certification can provide employers and consumers with
>> greater information about the capabilities of potential employees or
>> security consultants.
>> Currently, some certifications for cybersecurity workers exist; however,
>> they vary greatly in the requirements they impose. For example, some
>> programs emphasize broad knowledge verified by an extensive
>> multiple-choice exam, while others verify in-depth practical knowledge on
>> a particular cyber component. No one certification offers a level of
>> assurance about a person's practical and academic qualifications, similar
>> to those offered by the medical and legal professions.

I note that the emphasis on academic qualifications, while weakened from
the initial draft, still exists. I would agree that many security "experts"
would benefit from the rigour of more formal study. However, many academics
would also benefit from practical experience. I suspect that the needs of
security certification do not always require a degree. I rather suspect
that a security "profession," along the lines of the medical and legal, is
not going to happen.

>> To address this issue, a number of industry stakeholders including
>> representatives of both consumers and providers of IT security
>> certifications are beginning to explore approaches to developing
>> nationally recognized certifications and guidelines for certification.
>> Aspects that warrant consideration by these organizations include levels
>> of education and experience, peer recognition, continuing education
>> requirements, testing guidance, as applicable for various levels of
>> certification that may be established, and models for administering a
>> certification for IT security professionals similar to those successfully
>> employed in other professions. DHS and other federal agencies, as
>> downstream consumers (prospective employers of certified personnel), can
>> aid these efforts by effectively articulating the needs of the federal IT
>> security community.
>> DHS will encourage efforts that are needed to build foundations for the
>> development of security certification programs that will be broadly
>> accepted by the public and private sectors. DHS and other federal
>> agencies can aid these efforts by effectively articulating the needs of
>> the federal IT security community. (A/R 3-9)

OK, the government doesn't want to help or fund certification, but wants to
dictate what the certification is for.

Most of the following "action items" have already been addressed in the
foregoing:

>> Priority III: A National Cyberspace Security Awareness and Training Program

>> A/R 3-1: DHS, working in coordination with appropriate federal, state, and
>> local entities and private sector organizations, will facilitate a
>> comprehensive awareness campaign including audience-specific awareness
>> materials, expansion of the StaySafeOnline campaign, and development of
>> awards programs for those in industry making significant contributions to
>> security.

>> A/R 3-2: DHS, in coordination with the Department of Education, will
>> encourage and support, where appropriate subject to budget considerations,
>> state, local, and private organizations in the development of programs and
>> guidelines for primary and secondary school students in cybersecurity.

>> A/R 3-3: Home users and small businesses can help the Nation secure
>> cyberspace by securing their own connections to it. Installing firewall
>> software and updating it regularly, maintaining current antivirus
>> software, and regularly updating operating systems and major applications
>> with security enhancements are actions that individuals and enterprise
>> operators can take to help secure cyberspace.
To facilitate such actions, >> DHS will create a public-private task force of private companies, >> organizations, and consumer users groups to identify ways that providers >> of information technology products and services, and other organizations >> can make it easier for home users and small businesses to secure their >> systems. I imagine AV and firewall vendors will be delighted that the government will be advertising for them. >> A/R 3-4: Large enterprises are encouraged to evaluate the security of >> their networks that impact the security of the Nation's critical infra­ >> structures. Such evaluations might include: (1) conducting audits to >> ensure effectiveness and use of best practices; (2) developing continuity >> plans which consider offsite staff and equipment; and, (3) participating >> in industrywide information sharing and best practices dissemination. >> A/R 3-5: Colleges and universities are encouraged to secure their cyber >> systems by establishing some or all of the following as appropriate: (1) >> one or more ISACs to deal with cyber attacks and vulnerabilities; (2) >> model guidelines empowering Chief Information Officers (CIOs) to address >> cybersecurity; (3) one or more sets of best practices for IT security; >> and, (4) model user awareness programs and materials. >> A/R 3-6: A public-private partnership should continue work in helping to >> secure the Nation's cyber infrastructure through participation in, as >> appropriate and feasible, a technology and R&D gap analysis to provide >> input into the federal cybersecurity research agenda, coordination on the >> conduct of associated research, and the development and dissemination of >> best practices for cybersecurity. 
>> A/R 3-7: DHS will implement and encourage the establishment of programs to >> advance the training of cybersecurity professionals in the United States, >> including coordination with NSF, OPM, and NSA, to identify ways to >> leverage the existing Cyber Corps Scholarship for Service program as well >> as the various graduate, postdoctoral, senior researcher, and faculty >> development fellowship and traineeship programs created by the Cyber >> Security Research and Development Act, to address these important training >> and education workforce issues. >> A/R 3-8: DHS, in coordination with other agencies with cybersecurity >> training expertise, will develop a coordination mechanism linking federal >> cybersecurity and computer forensics training programs. >> A/R 3-9: DHS will encourage efforts that are needed to build foundations >> for the development of security certification programs that will be >> broadly accepted by the public and private sectors. DHS and other federal >> agencies can aid these efforts by effectively articulating the needs of >> the Federal IT security community. 
rslade@vcn.bc.ca  rslade@sprint.ca  slade@victoria.tc.ca  p1@canada.com
http://victoria.tc.ca/techrev  or  http://sun.soci.niu.edu/~rslade

------------------------------

Date: Tue, 11 Mar 2003 08:42:28 -0500
From: Lee Badger
Subject: IEEE Symposium on Security and Privacy

Lee Badger, Program Manager, Information Processing Technology Office
DARPA  voice: 571.218.4327  fax: 703.248.1879

2003 IEEE Symposium on Security and Privacy, PRELIMINARY PROGRAM
May 11-14, 2003, The Claremont Resort, Oakland, California, USA
sponsored by IEEE Computer Society Technical Committee on Security and Privacy
in cooperation with The International Association for Cryptologic Research (IACR)
For more information, see www.ieee-security.org/TC/SP-Index.html

Monday MORNING

Anonymity:
  Mixminion: Design of a Type III Anonymous Remailer Protocol
    George Danezis (Cambridge Univ.), Roger Dingledine, Nick Mathewson
    (Free Haven Project)
  Probabilistic Treatment of MIXes to Hamper Traffic Analysis
    Dakshi Agrawal (IBM Watson), Dogan Kesdogan, Stefan Penz (Aachen Univ. Tech.)
  Defending Anonymous Communication Against Passive Logging Attacks
    Matt Wright, Micah Adler, Brian Neil Levine, Clay Shields (U. Mass.)

Intrusion Detection:
  Active Mapping: Resisting NIDS Evasion Without Altering Traffic
    Umesh Shankar (UC Berkeley), Vern Paxson (ICSI)
  Anomaly Detection Using Call Stack Information
    Henry Hanping Feng (U. Mass.), Oleg M. Kolesnikov, Prahlad Fogla,
    Wenke Lee (Georgia Tech.), Weibo Gong (U. Mass.)

Monday AFTERNOON

Invited talk

Operating Systems:
  Defending Against Denial-of-Service Attacks with Puzzle Auctions
    XiaoFeng Wang, Mike Reiter (CMU)
  Pi: A Path Identification Mechanism to Defend against DDoS Attacks
    Abraham Yaar, Adrian Perrig, Dawn Song (CMU)

5-minute talks

Tuesday MORNING

Formal Methods:
  A Unified Scheme for Resource Protection in Automated Trust Negotiation
    Ting Yu, Marianne Winslett (U. Illinois, Urbana-Champaign)
  Beyond Proof-of-compliance: Safety and Availability Analysis in Trust Management
    Ninghui Li (Stanford), William H. Winsborough (NAI Labs), John C. Mitchell (Stanford)
  Intransitive Non-Interference for Cryptographic Purposes
    Michael Backes, Birgit Pfitzmann (IBM Zurich)

Hardware:
  Specifying and Verifying Hardware for Tamper-Resistant Software
    David Lie, John Mitchell (Stanford), Chandramohan Thekkath (Microsoft Research),
    Mark Horowitz (Stanford)
  Using Memory Errors to Attack a Virtual Machine
    Sudhakar Govindavajhala, Andrew W. Appel (Princeton)

Tuesday AFTERNOON

Invited talk

Hardware & Crypto:
  Secret Handshakes from Pairing-Based Key Agreements
    D. Balfanz, G. Durfee (PARC), N. Shankar (U. Maryland), D.K. Smetters,
    J. Staddon, H.C. Wong (PARC)
  Random Key Predistribution Schemes for Sensor Networks
    Haowen Chan, Adrian Perrig, Dawn Song (CMU)

Wednesday MORNING

Distributed Systems:
  Hardening Functions for Large Scale Distributed Computations
    Douglas Szajda, Barry Lawson, Jason Owen (U. Richmond)
  A Practical Revocation Scheme for Broadcast Encryption Using Smart Cards
    Noam Kogan, Yuval Shavitt, Avishai Wool (Tel Aviv Univ.)
  Using Replication and Partitioning to Build Secure Distributed Systems
    Lantian Zheng, Stephen Chong, Andrew C. Myers (Cornell), Steve Zdancewic
    (U. Pennsylvania)
  Vulnerabilities in Synchronous IPC Designs
    Jonathan S. Shapiro (Johns Hopkins)
  Garbage Collector Memory Accounting in Language-Based Systems
    David W. Price, Algis Rudys, Dan S. Wallach (Rice)

------------------------------

End of RISKS-FORUM Digest 22.63
************************