Government Technology

Guarding Information


Apr 28, 2005, By Shane Peterson

The United States loses billions of dollars every year to cyber-crimes, such as identity theft. Yet when it comes to developing a cadre of highly educated and trained cyber-security experts to combat this growing crime wave, we look the other way. Professor Eugene Spafford, executive director of the Center for Education and Research in Information Assurance and Security at Purdue University, points out that each year, fewer than 100 people graduate with a Ph.D. in cyber-security in the United States. Purdue, which has one of the largest graduate programs for information security in the country, issues only about 15 doctoral degrees in the field every year.

Spafford, who also serves on the President's Information Technology Advisory Committee (PITAC) and acts as security adviser to more than a dozen federal agencies and major corporations, believes strong cyber-security policies not only benefit information assurance and trust in cyber-space, but can also act as a bulwark against terrorist actions.

But Spafford -- who chairs the U.S. Public Policy Committee of the Association for Computing Machinery, an agency that advises legislators and regulators about the impact of policy on computing technology and vice versa -- is worried about the ongoing lack of support for fighting this growing problem. He took time to speak with Government Technology's Public CIO about his concerns, the nature of cyber-security, protecting information systems against intrusion and training security professionals.


Cyber-security seems to get sufficient attention, but are there one or two less obvious threats to cyber-security that people aren't talking enough about?

I can't say I have a firm handle on what all government CIOs are doing, but the kinds of things I've seen most often overlooked generally are a result of people looking outward for threats. They're worried about viruses getting in. They're worried about firewalls being breached. They're worried about intrusions coming in.

But the insider threat -- putting appropriate controls in place against insider abuse often suffers as a result, and in particular, partitioning internal networks to contain failures and limit access on a need basis. Those are well understood in some government agencies, but I'm not sure how well they're understood in all government agencies.

A second thing that comes from that same mindset is a failure to appropriately manage the physical security aspects of the enterprise. This includes not only appropriate inventory and control over computer system equipment, but also things having to do with printouts, CD-ROMs, USB disks -- other kinds of media and auxiliary devices -- to make sure they're accounted for or protected appropriately. In cases where you have control over how either programs come in or information goes out, things like USB disks and the like are being used to circumvent those controls.

That's all in the operational and physical security arena.

There is a third thing. Too often, systems that are provided for use -- because managers are sometimes overly insistent on using mass-market, COTS [commercial off-the-shelf] products at the cheapest price -- are deployed with lots of software and options enabled that aren't needed, and are actually pathways for abuse over a network or in person.

The attempt to make it easier by using a large cookie cutter leaves systems more vulnerable than they should be. Patching doesn't necessarily catch that because patches only fix flaws in what's installed; it doesn't limit the installations.


You've spoken about an overemphasis on standards and how standards can breed cyber-attacks because what you call a monoculture is created. One position that often appears in media coverage of cyber-security is the argument that Linux and other types of operating systems are needed to avoid that monoculture.

The problem is a little more complex than that. It's not that I'm opposed to standards,

