Creating the New Cybersecurity Pro
Interview with Cornell Computer Science Professor Fred Schneider
Schneider, in an interview with GovInfoSecurity.com (transcript below), contends that to produce not only the teachers, but the practitioners themselves, American universities need to create innovative graduate-level programs that provide training that encompasses not just an understanding of IT security technologies, but an understanding of why the technology is needed as well.
The solution to our nation's cybersecurity challenges is not entirely technical, Schneider says. "Simply educating a group of people about how to fix the top 20 vulnerabilities in web-facing applications is just a short-term fix," he said. "In the longer term, when you make cybersecurity technology decisions, you want to make them within the context of things like knowing their effect on privacy, knowing whether the economics of the situation support the kinds of changes you are making, and understanding business models."
In the interview, Schneider also discusses the impact of government-backed academic and scientific research on developing new approaches to cybersecurity.
Schneider spoke with Eric Chabrow, GovInfosecurity.com managing editor.
ERIC CHABROW: Before a House committee in June, you and other experts testified to a shortage of qualified expert educators to teach undergraduate- and graduate-level cybersecurity. How serious is this shortage, and what does that mean for the training of future cybersecurity professionals to work in government and the private sector?
FRED SCHNEIDER: The shortage is significant. I estimate that in order to do a good job of teaching a college graduate there are probably two or three courses you would like to cover for sure, and that means two or more cybersecurity experts on a faculty. Today there is probably at most one at all but, say, 20 universities. That means that many graduates aren't getting exposure to material they need, and there aren't people there to teach them.
CHABROW: Are you aware of any kind of studies that quantify this shortage or is this just from your own observations?
SCHNEIDER: I know of no studies. The National Academy issued a report about a year ago that gives some data. The basis of my data is information about how many people are being funded for research in cybersecurity by the federal government. Most of the money comes from the National Science Foundation and some of it comes from the Department of Defense, and the program managers are generally willing to tell how many different PIs (principal investigators) they are funding, and I am basing my calculations on that.
CHABROW: You have discussed the idea of a cybersecurity professional degree that would involve more than training students in the technology of information security. Please explain the curricula for such a program and why non-technical courses must be incorporated into it.
SCHNEIDER: Technical content is an important ingredient, but I have come to appreciate that the solution to our nation's cybersecurity problems is not entirely technological. If you build technology without understanding the policy context in which it is going to be deployed, there is a significant risk that you worry about the wrong problems, or do something in a way that is unlikely to be adopted. I think you have only to look at the kinds of laws that are getting passed to appreciate that policy makers who try to make law ignorant of technology are likely to get it wrong.
Both sides of the house need expertise in the other's area. That suggests to me that simply educating a group of people about how to fix the top 20 vulnerabilities in web-facing applications is just a short-term fix. In the longer term, when you make cybersecurity technology decisions, you want to make them within the context of things like knowing their effect on privacy, knowing whether the economics of the situation support the kinds of changes you are making, and understanding business models, whether this is consistent with the business model or not.
I have come to appreciate that in order to be a professional in cybersecurity (and there is a whole cadre of people who have titles that sound that way: chief information officer, chief information security officer, chief privacy officer) you need to have a fairly broad appreciation. The analogy: if you want to be a professional, you should look at what the other professionals in our society are. There are doctors, lawyers, accountants and MBAs, and they all have taken a broad set of courses that educate them about the landscape, a far broader landscape than they might be working in at any given time. I was hoping that we should start a professional education for cybersecurity folks, and as far as I am concerned, that should be broad-based in the technology and in the non-technological aspects.
The technology, for sure, is going to cover things that you would find in a computer security course, but you also need to understand a little bit about algorithms, about networks, about operating systems, distributed systems, and compilers and programming languages, because a lot of the newer defense mechanisms are based on these languages, and something about formal methods, because a whole collection of very cool tools are coming on the market that allow you to analyze code for vulnerabilities based on formal methods.
Then, on the non-technical side of the house, you need to understand something about economics, and it would be helpful to take a course in ethics; one only has to read the newspaper to realize the absence of ethics in the education of the people who are making decisions. And you need to understand enough law so that you can appreciate those issues, and that's not only privacy law but also intellectual property protection, copyright and law about contracts, because one engages in business relationships as part of security applications. It probably wouldn't be a bad idea to take a course in organizational behavior, because management and organizations are a big part of our lives.
SCHNEIDER: It would be great if there could be a practicum at the end, and to expect somebody to perform some form of internship, the way a medical doctor does, working with somebody in the field who understands what is going on.
CHABROW: This would be a graduate-level program, a master's degree program?
SCHNEIDER: Yes. I would see this as a post-bachelor's program.
CHABROW: Let's switch over to some discussion about research and development. Before Congress, you testified that a cybersecurity mentality exists around defending against known attacks, that IT security is reactive and it should become more proactive. How can cyber defenders become more proactive in their thinking and in the ways they design IT security?
SCHNEIDER: We tend to react to attacks, and the result is we are always at the losing end of that proposition. Somebody has to suffer before we have a way to deploy a defense. It seems like a bad way to go about making trustworthy systems.
The only way to do it is to anticipate attacks, and there are two ways to anticipate attacks. Either you can have great intelligence about your attacker, and to some extent the federal government is changing its view and trying to exploit that. That is, information they do learn about pending attacks they are going to be more willing to disseminate amongst people who might be able to profit from that information.
And the other approach you could use is to anticipate attacks by building systems that are secure by construction, secure from first principles rather than secure because we've patched the vulnerabilities that we heard about, that the attackers know about.
The trouble with taking this proactive approach is it only works if you understand the basis from which security follows, and we don't understand that. There is no real scientific basis for security. There are some results but the field by and large has concentrated on trying to identify vulnerabilities and trying to develop defenses for those vulnerabilities. It has been reactive and it is a sensible approach given our needs.
I advocated that we start making investments in the science base, and it is going to be a long process, but it is the only hope that we have of getting ahead of things. I think there is an analogy with the way medical science works.
In medical science, nobody imagines that we are ever going to be done, right? There is always going to be medical research and it is because in their area there are always new diseases appearing and old methods stop working. Our latest antibiotics become ineffective against new strains of diseases. Also, in medical research, there is a belief that you need to have a strong science base in order to understand the underlying mechanisms by which disease works. The whole war against cancer has been effective to the extent it has because people understand the underlying mechanism.
We don't have that knowledge of the underlying mechanism, and until we have it, we are not going to be effective at deploying defenses.
CHABROW: You testified about a disconnect between research being funded and what is needed. Please explain that disconnect.
SCHNEIDER: The disconnect with research funding is simply that research funding agencies have a tendency to respond to what the community says is interesting and the community has been focused on reacting to the latest set of vulnerabilities, or building point defenses for those vulnerabilities.
The research funding agencies haven't taken the leadership and said we are going to allocate a big chunk of money for people to think about the science base, and the community hasn't been active in asserting this. You need to understand that the context of research funding in security is a bit of a hit-and-miss history. In the '60s, there was a considerable amount of funding available because the Defense Department was worried about the problem. In the '70s, the Defense Department lost interest in funding public universities to investigate security issues. And only recently has the federal government come to appreciate that we are incredibly vulnerable because of these security problems.
The vulnerability is not only in military systems, it is also in private-sector and civilian systems, because we depend on things like the power grid and the phone systems and so on. Also, the dynamic has changed, so that the military increasingly buys the same systems that you and I use on our desktops. It is a lot cheaper to buy an existing system than to try to develop your own desktop system. So, the federal government has a lot more reasons to invest in security now than it did, say, 10 years ago.
On the other hand, the lack of continuity of funding has meant that the community hasn't built up, and it is only now that it is starting to achieve some kind of a critical mass, and as a critical mass, it will take a broader view of the problems faced.
CHABROW: In your testimony you pointed out competing interests in R&D investment, the needs of the overall government versus those of individual agencies. Is that a problem, and how can that be resolved?
SCHNEIDER: There is this difficulty with the ecology of funding agencies. One of the nice things about the United States method of funding research is that different agencies all fund research. In other countries, there is a single agency responsible for funding all research.
When you have different agencies, you create a kind of market effect, and the different agencies are able to have different value systems and different cultures, and as a result they fund different styles of work. So on the one hand you have an agency like DARPA (Defense Advanced Research Projects Agency), which tends to fund things where it accelerates an idea into something that almost reaches a product, say in a 10-year cycle, so they are aggressively focused on taking specific ideas and reducing them to practice, where practice means it could be deployed.
And on the other end, you have something like the National Science Foundation, which is concerned with curiosity-driven work. If somebody has a cool idea, the NSF is willing to fund it even without evidence that it will ever be practical, because what becomes practical and what becomes important often surprises us.
When we have a diverse ecology of these funding agencies, then different kinds of work can be done concurrently and one is often surprised at what turns out to be the most useful. Over the last decade or so, the way funding has gone, it has become concentrated in one agency and that is because other agencies have dropped out, being more concerned about their short-term needs, and the research community has suffered. This is a problem in security, but it is a problem in computer science more generally. I advocated that this kind of diversity be restored.
CHABROW: If the diversity is restored, should there be some kind of collaborative system developed so the researchers know what each other is doing?
SCHNEIDER: Yes, there absolutely has to be some basis by which these different agencies can talk with each other and make sure they are not duplicating efforts. You have to be careful about what duplicating effort means in this context, though. They might all think they are funding the same thing and by virtue of their diversity they would end up funding things that to you and me look very different.
There is an organization in the federal government called NITRD (Networking and Information Technology Research and Development), which is an over-arching coordination agency for research in networking and information technology, and that forum exists. It has a sub-forum, where representatives from many more agencies than actually fund real research attend regularly, and periodically they issue a list of what they think the hard problems are. So, organizations do exist in the federal government for this coordination and they are coordinating; it is just that they don't have the mandate or the funding outside of, say, the National Science Foundation. In the case of DARPA, they have the funding; they just have different priorities now than to be funding work in computer security.
CHABROW: Do you see a change in the way research and development will be conducted that will benefit cybersecurity?
SCHNEIDER: I don't see a big change in the community of researchers, except to say that it is being funded and getting larger, and that is going to be helpful. I do see a change in the way people in Washington respond to the problem. It is being taken very seriously, and for years it wasn't. We see the White House weighing in and making a speech on the topic. I suspect that there are going to be budget decisions that support this. It is possible that there will be some activist presence on the White House staff, and that has got to help the situation. I expected five years ago or so, when we became very concerned with critical infrastructure protection and there was a White House presidential decision directive issued, that that would be the beginning of a government appreciation of the problem, but it turned out to be fairly narrow. It was mostly focused on classified content, and although the problems were articulated, nobody had articulated good solutions.
We still don't have solutions. There are a lot of interesting dynamics associated with getting the private sector to cooperate with itself, because various players are competing and yet it would be good for them to share vulnerability information, and it would be good for them sometimes to limit their offerings, which is inconsistent with competition. It is difficult for the private sector to allow government intrusion, yet the government may understand some things about the threat or some things about an attack that an individual player in the private sector won't.
So we still have a very complicated social problem before us, namely how we can manage public/private partnerships, but Washington is taking quite an interest in this, and now that they are interested, I think the chances that something gets done are greater. That is going to result, I believe, in additional research, because part of the problem is we don't know how to solve pieces of it.