With America on high alert for possible terrorist activity at the outset of war with Iraq, schools are being asked to do their part to help secure the nation’s critical computer infrastructure from cyber attacks that could cripple the country’s central nervous system.

Schools should perform security audits of their computer networks and should implement programs that teach students about the importance of cyber security, the federal government said. In addition, colleges and universities should establish information centers to deal with cyber attacks and vulnerabilities, as well as on-call points of contact to internet service providers (ISPs) and law enforcement officials in case their technology systems are used as launching points for attacks.

These recommendations are part of the Bush administration’s “National Strategy to Secure Cyberspace,” the final draft of which was released last month. The document provides a blueprint for responding to cyber attacks against America’s computer systems; reducing the nation’s vulnerability to such attacks; increasing awareness and training to prevent them from occurring; securing the government’s computer networks; and enlisting the cooperation of the international community.

Although the goals themselves appear to be logical ingredients for a more secure digital society, the path to achieving them depends on the ability of federal, state, and local governments to work in concert with private-sector businesses and public institutions—including K-12 schools, colleges, and universities—to address awareness, provide proper training, make technical improvements, protect infrastructures, and develop stronger recovery operations, according to the strategy.

“The cornerstone of America’s cyberspace security strategy is and will remain a public-private partnership,” said President Bush in a letter introducing the document. “The federal government invites the creation of, and participation in, public-private partnerships to implement this strategy. Only by working together can we build a more secure future in cyberspace.”

On the federal side, the majority of this responsibility will be shouldered by the newly created Department of Homeland Security (DHS) and its secretary, former Pennsylvania Gov. Tom Ridge.

Under the president’s strategy, DHS is charged with developing a comprehensive national plan for securing key United States infrastructures by managing the response to attacks on critical information systems; supplying technical assistance with respect to infrastructure failures and contingency plans; and coordinating with other federal agencies to provide more specific warnings about possible cyber attacks, including what protective measures should be applied to lessen their effects.

The department also will fund and oversee research that the Bush administration hopes will provide new scientific understanding and technologies in support of better cyber security, the report said.

Schools also have a role

But the federal government alone doesn’t have the ability to police computer systems nationwide, notes Mark Luker, vice president of EDUCAUSE, a nonprofit organization seeking reforms in higher education through the integration of technology.

“The government does not control most of the computer networks in the country,” Luker said, adding that the largest and most easily accessible computer networks are found on college campuses and in other such public institutions—which is why it’s critical for colleges and K-12 school districts to secure their own networks to keep them from being used to launch or spread an attack.

On March 7, for example, the Associated Press (AP) reported that more than 55,200 people had their Social Security numbers and other personal information stolen or compromised following a two-day computer breach at the University of Texas (UT) in February that left network technicians there searching for ways to safeguard student and faculty data more effectively.

According to the AP report, the attack also exposed eMail addresses, job titles, and telephone numbers of students, staff members, and several alumni. However, no academic information or health records were compromised, university officials said.

Authorities filed charges March 14 against 20-year-old Christopher Andrew Phillips, a computer science major at UT, in connection with the attack. The incident bore no relation to terrorism, but it underscores the vulnerability of many school networks to attacks.

On Feb. 28—the same day the UT cyber attacks reportedly ceased—Dave Ward, president of the American Council on Education, wrote a letter to college presidents nationwide calling on them to take a more proactive role in developing plans for increased cyber security on college campuses.

“Although maintaining cyber security is a complex problem, only a small part of the solution comes from hardware and software,” Ward wrote. “As with any major institutional initiative, success depends on education, resources, people, management, policies, and above all, leadership.”

The letter outlined several steps schools should take to ensure their networks are resistant to potential attacks. These include increasing awareness and accountability; designating a high-level administrator to take the lead on enacting and overseeing network security initiatives; completing periodic risk evaluations of existing infrastructures; and constantly updating cyber security plans in response to the evolution of new technologies, vulnerabilities, threats, and risks.

Ward’s letter echoes many of the same points in the president’s national strategy. Specifically, this strategy recommends that colleges in particular take these and other steps toward improved cyber security:

  • Develop Information Sharing and Analysis Centers (ISACs) to monitor for cyber attacks directed against their infrastructures. These centers will exist on college campuses to provide a means for universities and other institutions to share information about attack trends, vulnerabilities, and best practices, the report said.
  • Establish an on-call contact with the school’s ISP and law enforcement officials, who can be notified the moment a cyber attack does occur or is launched using a school’s network infrastructure.
  • Make cyber security a prime responsibility of the school’s chief information officer (CIO) or technology official.
  • Establish one or more sets of best practices related to network security and employ these tactics where possible.
  • Model user awareness programs for student, faculty, and other potential computer users where possible.

But higher-learning institutions aren’t the only schools that bear a responsibility in the cyber security effort.

“Every [K-12] school and school district has an inherent responsibility to protect its networks both from the inside and the outside,” said Charlie Reisinger, director of technology for the Penn Manor School District in Pennsylvania. “It’s very easy for schools to push network security out of the way.”

Reisinger said he supports the idea of commissioning government agencies and other public and private institutions—including schools and universities—to share information regarding network security.

The idea, he said, is a boon for smaller K-12 schools, because it opens new channels of communication between local schools and neighboring universities. “Any time schools can take advantage of information sharing on other networks, they should do it,” he said, adding that the exchange of best practices related to network security would be particularly helpful.

A K-12 school system isn’t going to traffic highly classified government documents across its networks, but it still is responsible for ensuring that the personal information of its students is secure and that its networks are running without interruption, Reisinger said. Even low-end attacks to school eMail servers potentially could wreak serious havoc with other systems nationwide, he added.

Other aspects of the plan

Luker said Bush’s plan does right to stress a need for American citizens to remain vigilant on issues of cyber security. For instance, he said, it’s important to make sure computer systems and networks are constantly updated with the latest security patches and virus protection measures.

In keeping with the spirit of public-private partnerships, the strategy also recommends that schools and businesses work in tandem to ensure that proper network protection updates occur. One recommendation: the creation of a “patch clearinghouse” where agencies—public and private—could turn to install the latest updates and safeguards.

The federal government said it would take the lead on this effort by employing the U.S. General Services Administration (GSA) and DHS to create a similar clearinghouse for use by federal agencies. Although it isn’t likely that non-government institutions would have access to the tool, the federal clearinghouse could serve as a blueprint for private-sector firms and schools to work from.

The president’s plan also makes it a priority for more colleges to train students for future positions in network security and protection agencies, and it gives more resources to institutions of higher education for increased research efforts related to securing the nation’s cyber networks.

According to the document, DHS will work closely with the U.S. Department of Education (ED) to support state, local, and private organizations in the development of cyber security programs and guidelines for primary and secondary school students. This includes additional contributions to such awareness initiatives as the national StaySafeOnline program to protect home, school, and business computers against future attacks.

Luker anchored his support of Bush’s strategy on what he referred to as a “gradual shift” in national culture—the result of what he said was a general decline in public trust. “It’s like back in the day when no one used to lock their car doors,” he said. “You simply can’t do that anymore.”

Still, the national strategy is not a piece of legislation. Although it recommends the creation and implementation of certain safeguards, the inclusion of such measures into law requires an act of Congress, the report said. Without support from lawmakers, the recommendations—although insightful—will be implemented only in those rare instances where room is left to maneuver under local, state, and federal budget caps, the strategy warned.

So far, a few bills already have been proposed to fortify America’s network infrastructures against cyber criminals. The Cyber Security Enhancement Act of 2002 (H.R. 3482), originally introduced during the 107th Congress in December 2001 by Rep. Lamar Smith, R-Texas, conveyed a vision not unlike the president’s strategy.

That bill, which eSchool News reported on in April 2002 (see “New computer-crimes bill could boost school security,” http://www.eschoolnews.com/news/showStory.cfm?ArticleID=3599), would shield ISPs from potential lawsuits if they shared information exchanged across their servers pertaining to possible life-threatening situations with school officials or government authorities. The bill also would impose more stringent penalties for cyber hackers.

But the bill, which jumped from the House to the Senate in July 2002, has yet to emerge from review by the Senate Judiciary Committee, where it has remained tied up since the 108th Congress convened in January.

The national strategy won’t force schools and other institutions into action, but the least its many recommendations might do is raise awareness of the issue, Luker said: “At least now, everyone is moving in the same direction. This is the right approach.”

Links:

National Strategy to Secure Cyberspace
http://www.whitehouse.gov/pcipb/cyberspace_strategy.pdf

Department of Homeland Security
http://www.dhs.gov/dhspublic/index.jsp

EDUCAUSE
http://www.educause.edu

American Council on Education
http://www.acenet.edu

Letter to College Presidents Regarding Cybersecurity
http://www.acenet.edu/washington/letters/2003/03march/cyber.cfm

Penn Manor School District
http://www.pennmanor.net