Dartmouth’s Institute for Information Infrastructure Protection, in collaboration with members of the United States Senate, is in the process of creating a cyber-security research and development summary report for the next presidential administration, according to Martha Austin, the program’s executive director. The institute organized three technology forums in Washington, D.C., earlier this term for a group of business executives, government officials and academics in order to conduct research for the report. Sen. Joseph Lieberman, I-Conn., and Sen. Susan Collins, R-Maine, the Chairman and Ranking Member of the Senate Homeland Security Committee, respectively, served as honorary co-chairs for the I3P forums.
In coordinating with I3P, Lieberman and Collins have asked the organization to write a culminating report with recommendations and policy proposals in accordance with the forums’ findings. The report will go to the U.S. Senate Committee on Homeland Security and Governmental Affairs for review and implementation, according to Eric Johnson, a professor at Tuck School of Business and moderator of the forum focusing on economic issues in security.
Anything from regulation laws to economic incentives to research funding could possibly come from the government’s use of this report, Charles Palmer, research director and chair of the I3P, said. He added that he hopes the report will generate discussion in Washington and add a new perspective to major security issues.
“The I3P brought the stakeholders, the real industrial people, to the table and listened to them in coloring our recommendations with what they perceive to be the biggest problems troubling their industries,” Palmer said.
Representatives of the government, economic and academic sectors also attended the meetings and contributed their views. Participants included representatives from the Department of Homeland Security, Government Accountability Office, General Motors Corporation, Providence Health and Services, and The Dow Chemical Company. In addition to Dartmouth staff, professors from University of Maryland and University of Virginia also participated in the I3P forums.
The first forum, held on Sept. 29, focused on what Palmer called the “human infrastructure” of cyber security. The forum concentrated on insider threats and identification management, Austin said. The second forum, held Oct. 6, addressed physical infrastructure and security issues with pipelines and electric grids.
The third forum, held Oct. 15, aimed to understand the impact of cyber-security problems on individual companies and the U.S. economy as a whole, according to Johnson, who moderated the forum. Several manufacturers were present, although most attendees were representatives of businesses that depend on technology, like Staples and H&R Block, Johnson said.
“What they really were getting at was the cost of security to mainstream U.S. companies,” Johnson said. “Many companies are worried about regulation and what the government may do to regulate them.”
Large retailers who experience security breaches in which costumers’ personal information, like credit card or social security numbers, are leaked are required by state laws to report the breaches.
These governmental regulations are problematic for national companies because they lack consistency from state to state, Johnson said.
“As most states have different regulation laws, for U.S. companies, it is a daunting task to comply,” Johnson said. “We therefore must work on formulating one clear standard to enforce on a national level.”
The forum also addressed companies’ concerns about potential security liabilities from employees who use social networking sites like Facebook, according to Johnson.
“We must better understand how technology impacts security and how social networking will impact the workplace,” Johnson said.
Small firms, which make up a larger portion of the economy, are less technologically sophisticated, Johnson said, and therefore experience a number of security breaches, although they are not as publicized as larger businesses.
According to Austin, there were several common themes prevalent throughout the series.
“There were many concerns about cyber security education in that there are not enough educational programs or types of curricula needed to address the implications,” Austin said.
The generational gap in understanding computer security creates a separate layer of issues that were discussed at the forums, according to Austin. College students, for example, are more confident in the security of the web and many “don’t think twice about putting information on MySpace,” whereas older generations are more skeptical, Austin said.
“There is a very broad spectrum of beliefs about what constitutes security,” she added.
Cyber security is a multi-disciplinary field and thus sociology and psychology must be considered, Palmer said.
“People are key to any security system, and they are the ones that will make the decisions whether or not to make systems secure,” Palmer said. “If they are making decisions without sufficient information, they might not use it properly or do it at all.”
I3P is a federally-funded organization at Dartmouth that researches cyber-security issues, Austin said. I3P recently completed a draft of the first chapter of its cyber security research and development report, and they expect to publish the full report in January, Austin said.
I3P organized the forums under a grant from the National Institute of Standards and Technology.