10 Future Perspectives
THOMAS A. JOHNSON
In preparing this text on Forensic Computer Crime Investigation, the authors outlined the challenges our law enforcement and legal community confronted in developing the skills and knowledge required to address the growing problem of computer crime within our nation. The procedures required to process an electronic crime scene, as well as the staffing of a computer crime unit, were also analyzed. Training strategies and the use of forensic utilities were explored, as were challenges to digital forensic evidence. The emergence of Internet Crimes Against Children (ICAC) units and child exploitation issues were discussed against the background of criminal investigative analysis and the behavioral characteristics of computer criminals. The international aspects of cybercrime and the issues involved in cyber intelligence and cyber terrorism were also described in terms of contemporary challenges facing not only our nation but societies throughout the world. In short, the global nature of computer crime and the digital environment, which has eclipsed the ability of any one department, state, or nation to individually manage this new paradigm change in crime, now requires more skilled and educated personnel.
The provision of these new skilled and educated employees, not only for our forensic computer investigation units but also for a range of subdisciplines within the emerging body of knowledge — sometimes referred to as computer forensics, information assurance, computer security, and software security — will have to come from our nation’s universities.
Candidly, our nation has been ineffective in producing the scholars, creating the academic discipline, and developing the research necessary to provide us with the security requisite to our dependence on these computer systems, which are the engines that permit our critical infrastructure and society to function so effectively.
Thus, one of our nation’s most important challenges for the future is to create and to support the emergence of an academic discipline that will produce the next generation of faculty, university researchers, industry professionals, and national security experts. These are the professionals who will all work to ensure the integrity of our computer and information systems. This effort will require an immediate investment, because so many of the academicians who are capable in this area are now in an age cohort close to retirement, with few standing ready to replace them.
Despite this paradox, our nation continues to rely on our computer systems to operate our financial institutions, our electric and power grid systems, our water, our food production systems, and almost all of our critical infrastructures that have made our nation one of the richest in the history of the world. Yet, the computer systems and networks connecting our interdependent economy are so vulnerable to attack.
I. Network Infrastructure: Security Concerns
Government, industry, and all institutions that have created computer networks to operate within their respective spheres of operation have confronted the problem of securing their computer information systems. Access control through the use of passwords, tokens, biometrics, or public-key encryption is designed to authenticate the user of the computer system. Creating a firewall system of both hardware and software to establish a safe boundary for the operation of the information resources is an additional and necessary responsibility for securing our resources. Unfortunately, these efforts in and of themselves are not enough; we must also apply intrusion detection systems to identify and send an alert if someone is attempting to gain unauthorized access to the computer system. Intrusion detection systems must be designed to protect against an ever-growing range of attacks. The virus scanners, which are designed to capture malicious code and to detect and isolate worms, Trojans, and viruses, require constant monitoring and updating to further protect our information resources. Finally, in some cases, it is even necessary to rely on encryption algorithms to protect data packets in transit so as to assure the security of the information being processed by our computer systems.
The requirement for securing our computer systems adds an immense cost to our production systems, because we must not only acquire this hardware and software but also educate and train our personnel to design and use the systems.
II. The Role of Education and Training
Bill Spernow has articulated the differences between education and training with his compelling chart, which clearly delineates the continuum in functional responsibilities between knowledge and skills; abstraction and application; developing tools and using tools; establishing procedures and applying procedures; developing theory and implementing a practice based on this theory (Spernow 2004).
Table 10.1 The Education Training Matrix
Functional Responsibilities Differentiating Each Area
| Education | Training |
|---|---|
| Knowledge | Skills |
| Abstraction | Application |
| Developing Tools | Using Tools |
| Establishing Procedures | Applying Procedures |
| Theory | Practice |
This Education Training Matrix (see Table 10.1) reveals the symbiotic relationship that exists between education and training. Clearly, the roles and functional responsibilities of trainers depend on the knowledge and information derived from theoretical constructs developed within the educational environment. On the other hand, pure theory and the application of abstract concepts are improved by the need for training and by trainers’ abilities to implement theory into meaningful professional practice, in which concepts are applied to the best practices and standards of the professional practitioner.
We expect our universities to produce graduates with the requisite knowledge to visualize the need for new and secure software and to advance both theory and knowledge, resulting in an enlightened individual capable of improving society’s access to effective and secure computer and information systems. More specifically, in the field of computer forensics, we expect our graduates to assume critical roles in teaching, research, and guiding our nation in securing our critical infrastructure by producing the next generation of practitioners and professionals who will assume important roles within our homeland security enterprise. Furthermore, we believe our graduates must understand and appreciate our legal systems, fully embracing our Fourth Amendment rules of criminal procedure, laws of evidence, and search and seizure. At the same time, we expect our graduates to possess a rich understanding of computer science and to have attained competencies in the following areas:
- Knowledge of computer operating systems, such as Windows, UNIX, and Linux
- Knowledge of disk structure and file systems
- Use of forensic utilities, such as image acquisition tools
- Knowledge of network hardware and software topology
- Knowledge of network security concepts, intrusion detection systems, and firewall boundary methodologies
- Knowledge of network packet sniffers and the ability to capture and analyze data packet traffic to detect network anomalies
- Knowledge of static and dynamic routing tables and TCP/IP (transmission control protocol/Internet protocol)
- Knowledge of the configuration and management of domain name servers, e-mail servers, and Web servers
- Capability of writing Windows and Perl scripts for analyzing audit logs for various exploits
- Knowledge of routing protocols as they relate to traffic flow on the Internet over access provided by common carriers
- Knowledge and capability of identifying and acquiring evidence from production servers without disrupting the ongoing business process
- Knowledge of computer viruses and malicious code, and the ability to create a new virus in a controlled laboratory experiment to appreciate how to defend against it and implement intrusion detection software
- Knowledge of secure enterprise computing and, in a laboratory setting, the construction, deployment, and testing of a firewall against common Internet-based attack methods
- Knowledge of audit-based computer forensics and techniques for tracking attackers across the Internet and capturing forensic information from computer systems
- Knowledge of cryptographic and steganographic systems, the major types of cryptosystems and cryptanalytic techniques, and how they operate (Spernow 2004)
In addition to knowledge of and proficiency in both our legal system and computer systems, we expect our graduates to fully understand our forensic investigation process and not only to be capable of implementing it but also to contribute to its advancement in both science and technology.
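Section I describes an intrusion detection system as something that identifies and alerts when someone attempts to gain unauthorized access, and the competency list above asks for scripts that analyze audit logs for exploit attempts. The following is an added example written for this chapter, not code from the author or from the cited sources; it is in Python rather than the Perl the list names, and the sshd-style log lines, addresses, threshold, and time window are all constructed for illustration. It flags a source address that fails authentication repeatedly inside a short window and separately notes a successful login that follows such a burst, which is the event an analyst would want to examine first.

```python
"""Added example: a small audit-log analyzer of the kind the competency list
calls for (Python here rather than Perl). It flags a source address that
fails authentication repeatedly inside a short window, and separately notes a
success that follows such a burst. Log lines and thresholds are constructed
for illustration, not taken from any real system."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in an sshd-style syslog format (not real data).
SAMPLE_LOG = """\
Mar  5 10:00:01 host sshd[101]: Failed password for invalid user admin from 203.0.113.7 port 5100 ssh2
Mar  5 10:00:03 host sshd[102]: Failed password for root from 203.0.113.7 port 5101 ssh2
Mar  5 10:00:04 host sshd[103]: Failed password for root from 203.0.113.7 port 5102 ssh2
Mar  5 10:00:06 host sshd[104]: Failed password for root from 203.0.113.7 port 5103 ssh2
Mar  5 10:00:07 host sshd[105]: Failed password for root from 203.0.113.7 port 5104 ssh2
Mar  5 10:00:09 host sshd[106]: Accepted password for root from 203.0.113.7 port 5105 ssh2
Mar  5 10:02:00 host sshd[107]: Failed password for alice from 198.51.100.2 port 6000 ssh2
Mar  5 10:02:30 host sshd[108]: Accepted password for alice from 198.51.100.2 port 6001 ssh2
"""

# Matches the two authentication outcomes we model; other lines are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_line(line, year=2024):
    """Return (timestamp, result, user, src) or None for lines we don't model.

    Syslog lines carry no year, so one is supplied (assumed 2024 here).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window count of failed logins per source address.

    Emits a ('burst', src, count) alert once `threshold` failures from one
    source fall inside `window`, and a ('success_after_burst', src, user)
    alert when that source later authenticates successfully. Alerts are
    returned in log order so they can be correlated with the raw lines.
    """
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    flagged = set()                 # sources already reported as a burst
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, src = parsed
        if result == "Failed":
            q = failures[src]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()         # drop failures that fell out of the window
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("burst", src, len(q)))
        elif result == "Accepted" and src in flagged:
            alerts.append(("success_after_burst", src, user))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The window and threshold are deliberately parameters: a realistic deployment tunes them per service and pairs the script with the surrounding controls the section names (access control and the firewall boundary), since a log analyzer only observes what those controls have already let through to the host.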
III. The Emergence of a New Academic Discipline
Academia’s role in providing our nation with graduates capable of producing secure software and secure information systems has never been more important than at present. Educational support grants and research funding at universities in this area have been inadequate to sustain both full-time faculty and the production of new graduates. Compared to areas such as computer graphics, analysis of algorithms, and distributed computing paradigms, the budgets related to computer security and software security are, and have always been, minuscule. Computer science departments have focused on so many subdisciplines within their area of study that little to no emphasis has been placed on information assurance and computer security. In fact, with few academic courses and little research in this area, the production of scholars who might be inclined to pursue computer security as a career path is severely constrained. Furthermore, the design and emergence of a new academic discipline in this important area is even less feasible without academicians who dedicate their academic careers to this subject matter. It should hardly be a surprise, then, to learn that little progress has been made in this area and that academia has not sustained information protection as a discipline.
Although our recommendations provide some ways in which limited short-term improvements can be made through education, the quick-fix approach to information protection has been shown time and again to lead to the very situation we are in today. This is to suggest that paying billions of dollars per year for patching software and operating systems that remain insecure even after they are patched is not a viable long-term solution. The increased use of less-skilled and less-trusted people to build increasingly critical systems with higher consequences for their failure is also an unacceptable option, despite the financial attractions of outsourcing strategies to nations where computing costs are less than in the United States. Similarly, if a training approach is used to mitigate immediate challenges, the result will be no different from the situation as it stands today. Although training is certainly a necessary component of a national strategy, it will fail to accomplish the objective of increased software security unless an educational effort is undertaken to combine the advancement of knowledge with the creation of expertise. We cannot rely on training strategies to relieve a problem we have historically ignored within our educational institutions, and the time for action is critical.
If educational institutions are to be successfully engaged in meeting the national needs, the way they operate must be understood. Unlike training academies, industry, and government, which all have a more or less hierarchical structure, institutions of higher education are run by the faculty. The faculty in higher education is responsible for the lion’s share of the decision making: They create and implement the curriculum; they lead the research efforts; they propose the grants; and they lead the educational efforts. Academic accreditation of academic institutions is done by faculty from other comparable institutions, which send their faculty to observe the programs and assure that they meet the standards set forth by national groups of faculty.
Advanced degrees involve personal interactions between experienced faculty and advanced students in a mentoring relationship over periods of years. Although a master’s degree in some institutions can be earned in as little as a year of full-time effort, most master’s students take 2 years or more to achieve their degree, and in-service students often take 3 or 4 years. A doctorate typically takes several years of full-time effort after a master’s degree is completed. Even the smartest people take years of concerted effort to reach a level where they even qualify for an entry-level position as an assistant professor. Although it can be argued that the number of people required to possess the knowledge levels associated with advanced degrees for implementing secure software is limited, creating a curriculum, teaching it in universities, producing research results that will advance the state of the art, writing textbooks, and similar activities cannot be done effectively by people with less expertise.
The tenure process that assures academic freedom for faculty to pursue their areas of research normally comes only after approval by existing tenured faculty. This process typically requires a long-term commitment to academic excellence, publishing work in refereed professional journals, teaching classes at suitable levels within the curriculum, and obtaining research funding and performing that funded research. After the 4 years of undergraduate education, 2 years of master’s study, 3 to 5 years of doctoral-level study, and the 7-year tenure process, faculty members typically begin to pursue the most advanced work of their career. If they are exceptional, they gain stature over time and are granted full professorships. These professors are then considered the most influential of the faculty members and leaders within their departments, are recognized around the world for their excellence, become members of accreditation boards, and are considered in the prime of their academic careers. This is the career path for the best in academia, and these are the people that the nation requires in order to bring about the changes required in information protection.
In order to engage university faculty in an area such as information assurance and computer security, there must be a discipline and a career path that will last them throughout their career. There is a very large body of knowledge that has to be understood in order to achieve excellence. It requires in-depth understanding of many different subfields of computer science and computer engineering, as well as substantial knowledge of a wide range of other fields, such as forensic investigation and law.
Although a doctoral-level mathematician with expertise in number theory can do some limited work in theoretical cryptography and protocol analysis, and a person with a doctorate in computer engineering with a specialization in computer architecture can design new structures to support operating system enhancements, these and many other subspecialties are required for the systems-level understanding required to meet requirements for high-security systems. To be successful, a collaborative effort among many experts is required. No single person can be expected to have all of the necessary expertise to do all of these things well. Thus, there is a need for a national community of professors with the combined understanding of these issues and a collaborative structure to produce the next generation of practitioners and scholars who will be responsible for building the high-security systems required for the future security of the United States (Cohen 2004b).
IV. Our Nation’s Investment in Cyber Security Research
The costs associated with computer software security lapses are estimated to be in the tens of billions of dollars per year. The GAO estimates the U.S. losses to be about $38 billion, and Microsoft’s tracking of virus incidents alone runs in the range of $80 billion per year worldwide. Another way to look at this issue is to compare the funding levels for research in information protection to funding levels in other areas. The NSF budget, for example, has about $18 million in information protection research funding. This funds about 15 projects per year as well as a small number of graduate students. Of this work, software security research is covered in only two or three of these projects. So the nation has a $38 billion problem, and we are spending $3 million to research ways to solve it, or about 1/10 of one cent per dollar of loss. Human-computer interaction and information management gets funded at $44 million. Almost $25 million goes to software design, but none of that involves high-security software research. Almost $35 million goes to software for improving education, but none of it is related to information protection. Advanced computational infrastructure gets more than $71 million, but none of it is associated with making that infrastructure meet security requirements. Roughly $50 million goes to intelligent systems — intelligent perhaps, but not secure (Cohen 2004a).
There can be little doubt that without a very substantial amount of long-term funding to support academic research in information protection, the situation will continue to deteriorate. The only real question is when it will deteriorate to the point of total collapse.
V. Recommendations
The main problem we face is generating the capacity necessary to do the appropriate research and education to move this field forward. The capacity to do this does not exist today, and it will never exist without the necessary backing of government and industry. Without people with state-of-the-art knowledge, research support, and educational commitment, we will not create secured computing systems and secured software systems and infrastructures that meet the national security requirements of the United States (Cohen 2003). The following are some recommendations for how to support research and development of secured computing and software systems:
- Fund long-term fellowships in universities to support their research and educational efforts. These positions should be at the full professor level and should be provided to qualified individuals with substantial industry expertise, adequate publications, and academic credentials to meet the challenges of research and education in information protection. The funding and qualifications should be designed to assure that high-quality mid-career and late-career individuals can spend the rest of their careers working on these issues and to assure that they have adequate funding to support both a rigorous ongoing research program and a strong teaching and graduate education component.
- Create a computer security education/training summer session to educate instructors in intensive sessions. This recommendation will support summer education of instructors from junior colleges, community colleges, and other undergraduate institutions so that these educators will have the knowledge necessary to infuse information protection into their courses and to teach specialty courses in these areas to their students. Over time, this will produce a national momentum and change the undergraduate curriculum to bring information protection into line with other elements taught in our computer science departments. During these programs, these professors will participate in research, attend graduate programs with other faculty, and gain access to teaching materials and the knowledge required to use them effectively.
- Develop educational material and capabilities that can be used across the nation to educate new students and assist properly trained educators in teaching the most critical material in this area. These materials will include a range of items such as texts, collections of classic articles in the field, standards, technical examples, worked examples of problem sets, and online simulations.
- Faculty should engage in research that demonstrates a process to monitor outcomes, validate results, and refine methodologies for changing the content over time. This includes a strict requirement for experimental validation of results in keeping with the scientific method and the development of repeatable tests with metrics to measure the efficacy of results.
Progress will be measured in the number of fellowships developed, in curriculum development, in institutional accreditations, in the production of graduates at each level; and, finally, in research results.
VI. Conclusion
The need for academic institutions to refocus their limited resources and develop curricula and research agendas that will substantially improve the production of scholars and graduates interested in and focused on computer security and information protection is of invaluable importance to our nation. As we focus more effort on developing interdisciplinary academic programs that embrace and include computer science, engineering, law, forensic investigation, and national security, we will be in a position to meet the challenges of the next decade.
In essence, we as a nation need to develop academic programs that will permit research and education across major academic disciplines and that will enhance the protection of our information assets and the security of our nation’s computing resources and systems. Our nation requires additional capacity in designing and building defensible information system security architecture, and this will require not only multidisciplinary academic programs but also the emergence of new academic disciplines. Our university community will, and properly should, assume the leadership role in addressing this imperative need of our nation. The commitment of our academic community will be a major step forward in enhancing our national capability for improved research, education, training, and analysis that will provide strategic benefits for many years to come. With a renewed focus on computer security and information protection and assurance, a multidisciplinary structure that provides a fusion of critical academic core disciplines will enlighten and enhance those who have the responsibility for protecting our nation’s critical infrastructure and computing resources.
References
Cohen, Fred. 2004a. Cyber Security Task Force Education Subgroup, February, 13, 2004.
Cohen, Fred. 2004b. Personal conversation discussing the challenges confronting higher education in computer security, February 10, 2004.
Cohen, Fred. 2003. Discussions regarding improvements in computer security education, November 2003.
Spernow, Bill. 2004. Cyber Cop Training, Southeast Cyber Crime Summit, Data Forensics Track, March 2–5, 2004.