Purdue's Spafford on Educating Executives
Overcoming Misperceptions About Key Security Issues
The ethical issues involved in IT have been brought to the forefront by former National Security Agency contractor Edward Snowden's leaks of classified details on a number of top-secret government surveillance programs.
"This is an area that's still being developed by those of us in the [IT] profession," says Purdue University's Eugene Spafford, a computer science professor and recent inductee into the National Cybersecurity Hall of Fame.
"If we're really going to develop as a profession, we have to have behavior that's generally agreed upon that allows society at large to place a certain kind of trust in us," he says in an interview with Information Security Media Group [transcript below].
IT practitioners have guidelines for modes of behavior from organizations such (ISC)², the Association for Computing Machinery and the IEEE Computer Society, Spafford says.
The need for trust is essential, because IT practitioners often run critical equipment, manage large amounts of personal data and protect intellectual property, he says.
And the fundamental attitudes of IT and IT security professionals surrounding ethics has remained largely unchanged over the decades, Spafford says.
But he says the situations that they confront and their awareness of various issues has changed. "They're aware of different uses of computing than what we saw two decades ago," he says. "That does create different discussions, but the underlying values have remained relatively consistent."
At Purdue, course work and materials addresses the concept of ethics. "Even within our interdisciplinary program, there's a required course on technology and ethics for students to have to take to be able to graduate," he says. "We do stress it because security is the study of how to increase trust, and trust at its basis comes from people," Spafford says. "People's behaviors are very important for that."
In the interview, Spafford also:
- Identifies three major contributions he has made to the IT security field;
- Discusses the changes in IT security during his three-decade career; and
- Addresses the evolution of ethics among IT security practitioners.
Spafford was inducted into the National Cybersecurity Hall of Fame on Oct 9. He was recognized, in part, for his co-development of the first free intrusion detection system distributed on the Internet and for originating the term "firewall." The hall of fame "was created, and is being supported, by companies and organizations committed to recognizing the individuals that played a key role in the creation of the cybersecurity industry," according to the group's website.
Spafford is known for his writing, research and speaking on issues of security and ethics. He has brought that expertise to Washington, as a witness testifying before Congress and as a former member of the President's Information Technology Advisory Committee. He also serves as executive director of Purdue's Center for Education and Research in Information Assurance and Security.
Contributions to IT Security
ERIC CHABROW: There's much more to your contribution to IT security than cited by the Hall of Fame. What within the field has given you the most satisfaction?
EUGENE SPAFFORD: There are three general areas where I believe I made contributions, and all have provided satisfaction. One where I'm very well-known is cybersecurity education. I've long been a proponent of an interdisciplinary approach to that, increased resources and greater professionalism in what's taught. That's one area that continues to bring me a great deal of satisfaction as I work with students and I see some of my graduates do well.
The second area is public policy. As you noted, I spend quite a bit of time in Washington and I work with various agencies and officials, [and] testified before Congress, trying to raise their awareness of what's involved in cybersecurity and what some of the limitations are in computing. [It] has been an area where I believe I've had some impact, and that makes me feel good about it.
The third area is, certainly, over the years I've been working in research on a number of different concepts, and intrusion detection basically helped get digital forensics as a field started. I've done work in network defenses, malware and a number of other kinds of things, and seeing some of those ideas take root in both industry and other research has also been very gratifying.
Approaching Security: Then and Now
CHABROW: Your active involvement as a leader in IT security dates back to the 1980s, a time when the Internet was unknown to most people and used by a select few in the government, military and academia. What's similar to the approach to IT security back then that continues today?
SPAFFORD: In the 1980s, the majority of the population was known and were largely trusted on systems. Controls weren't exercised as well in all but select environments. In those select environments, there was significant concern about who had access in keeping the systems up-to-date. Some of that now has become more widespread. That's a change where awareness of what's running on systems is important, as is authentication. Most things about security back then - the risks, threats, assets that were under guard and the types of systems - have all changed so dramatically that, other than basic underlying fundamental principles, there's not a lot left that's really the same.
CHABROW: Taking that obviously into account, can you discuss your evolution in thinking about IT security? Were there certain theories when you got your graduate degree back in the '80s? And as you look at things now, how have you changed in your approach to IT security?
SPAFFORD: When I was getting my Ph.D., one of the big concerns I had was about the correctness of software and how flaws in developing software could lead to either accidental or malicious shutdowns and alterations. That has been an underlying concept of my thinking in all the years since because it's still the case that systems that aren't built and designed with care are susceptible to faults and to attacks. The industry as a whole and much of the research has pulled back from that and is more focused on guarding the perimeter or regulating who has access. Some of my research certainly has gone to methods in those stand-back defenses, but I continue to return to the problem of how we make sure that the system as written is as strong as we can make it.
Lack of Focus on Fundamentals
CHABROW: Why do you suspect many people in the IT security field don't go back to the kinds of fundamentals that you just described?
SPAFFORD: There are intrinsically hard problems for protecting systems from the very beginning, designing with security in mind. There appears to be some low-hanging fruit from addressing certain kinds of current threats and building some stand-off defenses. Particularly, the reason that's attractive is because they would cost less and they would require less disruption of the current user environment than going back and designing basically from the hardware up to make systems more resistant.
CHABROW: This low-hanging fruit you speak of, how much of that has to do with the change of the threat landscape?
SPAFFORD: It has some relationship to the threat landscape and also a little bit to the asset landscape. When there were only a half dozen large computers in an enterprise, it was very easy to see that protecting those systems by building them to be strong was important. As we've gone to more and more distributed systems - at first desktops, then laptops and now tablets and smart phones - there are so many endpoints to protect that it's much more difficult to administer the security when those are largely being run by people with no background and the goal is to produce as many of them as possible at lowest cost. It's a combination both of the threats being much more organized and trying to do many systems at once, tag many systems at once, but also the underlying architecture of what it is we're protecting.
CHABROW: One of the areas that you have expertise in is in ethics and the ethical standards of IT, and IT security practitioners have been brought to the forefront by the leaks of classified details of a number of top-secret government mass surveillance programs essentially leaked by NSA contractor Edward Snowden. What's the state of the ethics within the IT and IT security fields?
SPAFFORD: This is an area that's still being developed by those of us in the profession. There are a number of things that are generally recognized as appropriate modes of behavior that the public has pressed upon us. These are embodied in organizational tenants of ethics. (ISC)² has some that people with those certifications are required to adhere to. Organizations like the ACM and the IEEE Computer Society have modes of conduct. Those are recognized by many, although perhaps not really held out as a good example to younger people joining the field.
But if we're really going to develop as a profession, we have to have behavior that's generally agreed upon that allows society at large to place a certain kind of trust in us because we're running critical equipment, managing critical data for them, respecting privacy, doing what we can to protect the security and longevity of the information, protecting intellectual property and providing systems that react fairly. Those are all things that we should hold in high regard.
CHABROW: The students that you teach go from several decades ago to those of today. Do they discuss these types of ethics?
SPAFFORD: We include it in our course work and our material around the program in general. We talk as well about issues of research ethics and respecting people's differences and their autonomy. Even within our interdisciplinary program, there's a required course on technology and ethics for students to have to take to be able to graduate. There's a required test that all our graduate students have to go through after working through some online modules on issues of ethics. We do stress it because security is the study of how to increase trust, and trust at its basis comes from people. People's behaviors are very important for that.
CHABROW: Are the attitudes of students today any different from those of two or three decades ago?
SPAFFORD: Fundamentally, what I've seen is that the general attitudes of students are very similar to what they were several decades ago, but the situations that they confront and their awareness of various issues has changed. They're aware of different uses of computing than what we saw two decades ago and a different impact on people's lives. That does create different discussions, but the underlying values have remained relatively consistent.
State of IT Security
CHABROW: Finally, what gives you hope and what perhaps torments you about the current state of IT security?
SPAFFORD: I continue to have hope by the increasing numbers of concerned, intelligent individuals who are getting involved in the area who want to actually do the right thing in a fundamental way, even if they don't know what it is yet. Our concern with trying to make our systems and our computing environment better, something that has been a bright light in motivating me to continue on in this area, is because of all those wonderful people that I continue to work with and meet. What sometimes discourages me, however, is the attitude by so many in business and government that this has to be done as cheaply as possible, the solutions should somehow just be an add-on to whatever currently exists, and that we can somehow work magic with software on top of fundamentally unsound platforms. There's a learning curve there to get over that. Also, [there's] the mistake in concept [that] privacy has to be sacrificed for better security. It's those kinds of misapprehensions and continually trying to educate the public and particularly policymakers about that that's discouraging. It can be done, but it's discouraging and we need more people working at it.