EGHAM, England: As the Internet becomes more and more essential to our lives, securing the data traveling through digital networks, and even defending the networks themselves, has become an increasing concern. But the awareness that threats exist doesn’t mean that easy, effective protection is at hand, and an international figure in the information security field warns that in terms of solutions, information security is on the whole still quite reactive.
“That’s slightly unfair, but there are so many things happening that you have to react to regarding information security, that there isn’t that much time to be proactive,” commented Professor Fred Piper, director of External Relations, Information Security Group, Royal Holloway, University of London. Piper has lectured worldwide on information security and has published more than 100 papers.
“While it might take half an hour for an attack to materialize, it could take two years to change the infrastructure needed to protect against that attack,” he explained. “Take smart cards — if it turns out that there is an inherent flaw in a smart card that’s being used, then there’s no short-term answer. It’s out there and people are using it and to re-issue so many cards would take one or two years.”
Piper advised that currently, there is a massive conflict between security and openness. If consumers are using the Internet for no other purpose than information collection, many of them don’t understand why they need to be concerned about information security. These Internet surfers feel that it’s not their problem because they have no personal data at risk. But if a computer is accessing the Internet without effective security engaged, then that machine has the ability to affect the security of others. The unprotected computer could be taken over and become part of a botnet, a zombie army that spews spam and carries out criminal activities.
“Looking at the situation in regards to compelling people to use information security solutions, I often turn to the analogy of road safety,” Piper said. “The object of the road system is not, number one, to be safe. It is to enable transport. But you want the roads to be safe so that transport proceeds smoothly. So there are international codes, laws and technology, and people are very accepting of them. Sadly, we haven’t got the same cultural belief that information security is as important as road safety. That’s why the term ‘human factor’ has come right up the information security agenda and the goal now is to make information security a cultural issue.”
In fact, the aim is to make information security a global cultural issue, one that transcends national borders. Until now it has been largely the developed world that has been working to create and implement information security resources. As the Internet spreads to every hamlet in the developing world, that strategy is clearly in need of revision. Piper pointed out the importance of international efforts such as IMPACT (www.impact-alliance.org), a private/public cooperation with the International Telecommunication Union (ITU), headquartered in Cyberjaya, Malaysia. He is also pleased with the spread of information security courses to universities in the Middle East, Africa and Asia. He cautioned, however, that there is no international standard for what should be included in degree programs in information security.
“There are some very good courses that have begun recently, but there are some courses that are so bad that they are bad under every definition of the word,” Piper remarked. “You see programs where you know that the people designing the course have no security experience whatsoever. It took me five years to set up the program at Royal Holloway (www.rhul.ac.uk) and although this was in part because ours was first, it was also due to the need to ensure the quality of the program on offer. Students choosing an information security program need to look beyond the course titles and examine the details of the syllabus and the experience of the instructors.”