Computer Security, Government and Civics in K-12 Education
3/12/04
Mark Lachniet, Analysts International



Introductions

• Mark Lachniet, Technical Director of Analyst International’s Security Services Group

• Technical lead for developing services, methodology, quality control, and technical presales

• Certified Information Systems Auditor (CISA) from ISACA

• Certified Information Systems Security Professional (CISSP) ISC^2

• Linux LPIC-1, Novell Master CNE, Microsoft MCSE, Checkpoint CCSE, TruSecure ICSA, etc.

• Former I.T. director of Holt Public Schools

• Frequent speaker for local organizations


Agenda

• My approach to the topic

• Issues with computer security

• Classroom exercises

• The economics of computer security

• About government regulation

• Current computer security regulations

• Curriculum alignment

• Discussion


My Interest

• As a student (and secondary education student) I am fascinated by how humanity deals with technological issues

• I am also a geek by nature, and a computer security engineer by profession

• In this capacity, I have had occasion to do security audits on a number of organizations, including financial institutions such as insurance companies, credit unions, and publicly traded companies

• During this work, I have noticed a distinct and dramatic increase in the role of governmental involvement in the regulation of technology

• I see this presentation as a way to share my observations with people who can make good use of the information


My Approach Today

• Since I am not a classroom teacher, I will not pretend to understand all of the issues of teaching this information

• However, I am a SME and can present my observations in an organized fashion

• I can also make an attempt to align these topics to K-12 curriculum

• In particular, I have attempted to map topics in this presentation to the Michigan Curriculum Framework, especially the Social Studies topic areas of Government and Economics

• I’m not a curriculum guru, so please help me out! Let’s have a dialog, not a lecture


About Computer Security

• The first topic to address is computer security in general – what is it, and why is it important?

• There is a lot of “hype” surrounding computer security, especially in the media

• If it’s on CNN, it must be a “real” problem

• This is good in the sense that it draws attention to a real need

• It is bad in the sense that it sometimes distorts risks and the reality of the situation

• Most of us have had personal experiences with worms, viruses, identity theft, etc.

• We also know that there is a cost, both personal and to our organizations, for computer security issues


How Did We Get Here??

• Clearly, the “bad guys” are winning when it comes to computer security

• There aren’t enough resources for most organizations to have an adequate security posture – it takes a high-end skill set, and time

• Meanwhile, there is a global pool of potential attackers out there, many of them our students

• IMO, it is like the “wild west” out there – the bad guys are winning (in general) and the sheriffs are focusing on the worst offenders

• For this reason, enforcement is not effective, which leaves us with prevention as a means of dealing with the problem


Classroom Exercise - Discussion

• What is computer hacking?

• What is a hacker? Do you know one? What kind of hacking did they do?

• What motivates a hacker?

• What is the “profile” of a hacker?

• Is hacking ethical? Why or why not?

• Have your parents ever talked to you about computer security or hacking?

• Do they understand the issues?


Parents

• Parents might not have a clue…


Classroom Exercise – Talking Points

• Students are likely to know someone who is a “hacker”, but the definition of what a hacker is might be a moving target

• Students are likely to take the perspective that most hacking is a victimless crime (some of it is)

• Students are likely to think of hacking as something glamorous, for “props” (respect)

• May bring up some interesting side issues, such as hacking school systems, intellectual property issues (such as trading MP3’s and movies) and cyber ethics


Types of Hackers

• Hackers are generally regarded as being motivated by one of four primary reasons:

– Economic gain (espionage, embezzlement)

– Egocentric (to prove they can do it, play god, get recognition from other crackers)

– Ideological (to prove a political point – attacking the World Trade Organization or NATO web sites for example)

– Psychotic (they are just sick in the head and probably destructive)

• IMO, most students will probably relate to Egocentric – young people are in general not empowered and in control of their world – hacking may give them power and control


Hacking and Economics

• Although there are some direct ethical issues that pertain to hacking (such as deleting another student’s work or copying music) the real issue of hacking is economic

• IMO, the correlation between crime and economics is not one that is well understood by young people because they haven’t been out in the business world

• Computer hacking can have immense economic impacts!

• Let’s look at some statistics


The CSI Computer Crime Survey

• The CSI survey, released 4/7/2002, has some very interesting pieces of information:

• 90% of respondents detected a security breach within the last 12 months. Have you? If not, it is probably happening without your knowledge!

• 44% of respondents were able to quantify their losses due to a security breach. The result was $455,848,000 over 223 respondents, for an average loss of $2,044,161 each

• The 2003 CSI/FBI Computer Crime & Security Survey reports overall losses from 530 survey respondents totaled more than $201 million, with only 47% of respondents quantifying their losses.

• Extrapolate this out from a sampling of 530 people…


Governmental Response

• Our government is designed to help us be a safe, stable and economically viable nation

• As such, the role of government includes taking action (through the rule of law) to minimize risk to its populace

• This is true of computer security, just as it is of violent crime, and fraud

• Thus, it has fallen to government to help protect our interests by creating laws and regulations

• This includes criminal laws (laws against hacking)

• Also includes industry regulations (to minimize fraud and risk, and to make the economy more predictable and stable)


The History of Governmental Regulation

• The government has been passing regulations to protect us since its inception

• Good examples of this include:

– Workplace safety (OSHA)

– Food and drugs (FDA)

– Monopolies (“robber barons”, Microsoft)

– Privacy (medical records, criminal history)

– The media (FCC, frequencies, outlet ownership)

– Munitions (real and encryption!)

– Trade (interstate, international)

– Environmental (EPA)


Classroom Exercise

• Why does the government create regulations?

• Are the regulations effective?

• What would happen without regulation?

• Group activity – take one area of regulation and analyze it.

– What would be the cost of not regulating?

– What would be an alternative to regulation?

– What were arguments for/against a specific piece of regulation before it was passed? Debate?

• What are the costs of regulation (cost of government, and to those who are regulated)?


Classroom Exercise – Talking Points

• One alternative to governmental regulation is self-regulation – does it work?

• What is the tension between political factions in America in regards to regulation?

– Libertarian?

– Republican?

– Democrat?

• What is “big government” and how does it get that way?

• Are all regulations necessary? Can we do without some? Do regulations need to change? When do you add or discard?


Self-Regulation

• One (viable) alternative to governmental regulation is self-regulation

• For example, professional standards and practices by work groups / bodies

• This may be advantageous:

– Cheaper

– More sensible (created by SME’s)

– Easier to change

– Less burdensome to enforce

• There may also be problems:

– Reduced threat of punishment (disbarred?)

– May not have “teeth” due to conflicts of self-interest


Financial Scandals

• One example of where self-regulation went wrong can be clearly seen in the Enron / WorldCom fiascos

• In these modern examples, a form of self-regulation was in place, in the form of external financial auditors

• These external auditors had a set of standards that were used to define appropriate practices

• The basis is the Generally Accepted Accounting Practices (GAAP)

• Any accountant who flagrantly went against GAAP was out of line and liable


Financial Scandals

• There were, however, some problems with the “big 5” accounting firms (now the “big 4” since Arthur Andersen is now broken up)

• For one, the accounting firms had a significant financial interest in keeping their business with big companies

• Thus, they were under economic pressure to work with the companies to be as competitive as possible

• As such, they may have been “creative” in the interpretation of regulation of GAAP, assisting companies in skirting the law

• Once a creative precedent was established, it was difficult to leave it behind due to inertia (and fear of openly calling past behavior inappropriate?)


Classroom Exercise

• What happened with Enron and WorldCom?

• What is the harm of financial scandals such as Enron / WorldCom?

• How do scandals such as this affect the Stock Market?

• How do changes in the stock market affect economic stability and prosperity in America?

• What effect do these changes have on the global economy? Are other countries dependent upon American financial stability?

• What is the effect on individual employees and their families?


Classroom Exercise – Talking Points

• The fact of the matter is that these types of incidents do have an impact on our financial well being

• If we cannot have faith in what companies are reporting in terms of financial health, how can we make informed investment decisions?

• If we cannot make good investment decisions, why should we trust the stock market?

• If we don’t trust the stock market, it will not be a viable form of commerce

• Currently, the stock market is critical to the economic well being of America

• The rest of the world depends upon it also! When the American stock market has problems, global markets may as well

• The butterfly effect – could one corrupt auditor create a global economic depression??


Governmental Response

• In response to these scandals, the government passed some laws to:

– Restore faith in the stock market

– Make criminal any intentional misrepresentation of financial statements

– Make auditors and corporate officers more accountable

• The most obvious of these is the Sarbanes-Oxley Act of 2002

• See http://www.sec.gov/about/sox2002 for a description, as well as a list of past regulations from the SEC


The Sarbanes-Oxley Act (SOX)

• Requires that the CFO and CEO of publicly traded corporations personally certify their financial statement

• Auditors must also certify that they believe the statements are correct

• This was done to make the top executives of the corporation personally accountable (at risk of going to jail) for misdeeds

• To eliminate a potential loophole, the act (section 404) also requires that executives certify that their internal controls are adequate enough to provide accurate data

• Thus, the boss can’t blame “bad software” or “bad processes” to get out of trouble


The Sarbanes-Oxley Act (SOX)

• One of the main components of section 404 is that they must certify their computer systems

• Thus, all publicly traded corporations must now go through a significant effort to:

– Identify weaknesses in their internal controls (including computers)

– Make disclosures as to their internal controls

– Perform ongoing analysis of internal controls

• As interpreted, this means that computer security is in scope, and therefore must be evaluated and strictly controlled

• Thus, the government is (indirectly?) protecting the economic well being of the American people through regulation of computer security


HIPAA

• In order to protect Americans’ privacy, the government established the Health Insurance Portability and Accountability Act (HIPAA)

• See the U.S. Department of Health and Human Services (http://www.hhs.gov)

• Part of this act requires medical organizations to establish privacy policies and protect the privacy of confidential information (already in place)

• A second part of the act requires computer security sufficient to ensure that this privacy is protected


Gramm-Leach-Bliley Act (GLBA)

• This law is specifically designed to make sure that financial institutions protect personal and private financial information

• See http://www.ftc.gov/privacy/glbact/

• Section 314.3 requires that subject organizations “develop, implement, and maintain a comprehensive written information security program that contains administrative, technical, and physical safeguards”

• Thus, adequate computer security is mandated, and failure to do so could lead to action being taken


California Bill 1386

• Put in place due to many compromises of personal identification going unreported for fear of bad publicity or lawsuits

• See http://www.sb-1386.com/

• Requires those who maintain licenses or computerized ‘personal information’ to disclose security breaches

• May have been intended, in part, to protect people from identity theft and fraud

• Touches on issues such as maintaining an incident response plan, what constitutes a compromise, how people must be informed, and how to work with the media

• Also affects all companies that do business in California, not just those based there

• Interestingly, European countries seem much more sensitive to these issues of information disclosure


CAN-SPAM Law of 2003

• Believe it or not, SPAM e-mail is a drag on our economy

• 45% of all e-mail may be spam, average 13.3 / person / day (I get 15 per hour)

• Economic estimates vary, but include:

– $874 / person / year

– $10, $20 or $87 billion per year

• For details on the law see: http://www.spamlaws.com/federal/108s877.html

• Intended to put some “teeth” behind attempts to stop spammers

• In the last week, a consortium of big ISPs has brought suit against a number of the most egregious spammers.

• Not much criminal action yet to my knowledge


Putting it Together

• These laws are all fairly new, and are in response to society’s current needs

• IMO, there are bound to be more and more regulations as people get “burned” from identity theft, credit card fraud, and economic impact from hacking

• May be a particularly ripe career area – a lawyer with good technical and business skills could make a very good living

• These are also topics that are likely to be extremely topical when our current students leave the K-12 system


Curriculum Alignment

• There are many areas of the Michigan Curriculum Framework that align with these issues

• Working from http://www.michigan.gov/documents/MichiganCurriculumFramework_8172_7.pdf

• Primarily the Social Studies Content Strands, starting on page 35.

• Will attempt to identify relevant areas, and how they relate to the issues we have just covered

• Page numbers are from PDF (strange disconnect of page numbers???)


Strand I – Historical Perspective (pg.35)

• “Students use knowledge of the past to construct meaningful understanding of our diverse cultural heritage and to inform their civic judgments.”

• Relevant - how has technology changed society?

• How has our government adapted to a changing society (and technology) over time?

• What are some historical examples of regulation?

– Illegal drugs (cocaine was once legal)

– Environmental (once there weren’t laws)

– Conservation (the start of national parks)


Strand III – Civic Perspective (pg.38)

• “Students will use knowledge of American government and politics to make informed decisions about governing their communities.”

• Standard III.3 Democracy in Action

• “All students will describe the political and legal processes created to make decisions, seek consensus, and resolve conflicts in a free society.”

• Q: What is the conflict that regulation of computer security resolves?


Strand III – Civic Perspective (pg.50)

• Content Standard 1: Later Elementary

– 3. Give reasons for limiting the power of government

• Content Standard 1: Middle School

– 3. Explain how the rule of law protects individual rights and serves the common good

– 4. Explain the importance of limited government to protect political and economic freedom

• Content Standard 3: High School

– 1. Using actual cases, evaluate the effectiveness of civil and criminal courts in the United States


Strand IV – Economic Perspective (pg.40)

• “Students will use knowledge of the production, distribution, and consumption of goods and services to make personal and societal decisions about the use of scarce resources.”

• Standard IV.3 Role of Government

• “All students will describe how government decisions on taxation, spending, public goods, and regulation impact what is produced, how it is produced, and who receives the benefits of production.”


Strand IV – Economic Perspective

• Standard IV.4 Economic systems

• “All students will explain how a free market economic system works, as well as other economic systems, to coordinate and facilitate the exchange, production, distribution, and consumption of goods and services.”



Strand IV – Economic Perspective

• Content Standard 1: Middle School

– 3. Analyze the reliability of information when making economic decisions

• Content Standard 1: High School

– 3. Analyze ways individuals can select suppliers of goods and services and protect themselves from deception in the marketplace

• Content Standard 2: Middle School

– 3. Describe the effects of a current public policy on businesses

• Content Standard 2: High School

– 2. Evaluate ways to resolve conflicts resulting from differences between business interests and community values


Strand IV – Economic Perspective

• Content Standard 3: Middle School

– 3. Use case studies to assess the role of government in the economy

• Content Standard 4: Middle / High

– 2. Describe the roles of the various economic institutions which comprise the American economic system such as Governments, business firms, labor unions, banks and households

• Content Standard 5: Middle School

– 2. Examine the role of the United States Government in regulating commerce as stated in the United States Constitution


Strand VI - Public Discourse

• “Students will analyze public issues and construct and express thoughtful positions on these issues.”

• Standard VI.1 Identifying and Analyzing Issues

• “All students will state an issue clearly as a question of public policy, trace the origins of the issue, analyze various perspectives people bring to the issue, and evaluate possible ways to resolve the issue.”


Strand VI - Public Discourse

– Virtually all content standards apply

– Primarily deal with discourse


Strand VII – Citizen Involvement

• Strand VII. Citizen Involvement

• “Students will act constructively to further the public good.”

• Standard VII.1 Responsible Personal Conduct

• “All students will consider the effects of an individual’s actions on other people, how one acts in accordance with the rule of law, and how one acts in a virtuous and ethically responsible way as a member of society.”

• Q: Relation to self-regulation and personal responsibility (i.e., auditors?)


Discussion

• This presentation to be available at: http://lachniet.com/powerpoint

Mark Lachniet
CISSP, CISA, MCSE, MCNE, CCSE, LPIC-1, TICSA
Technical Director, Security Group
Analysts International
(517) 336-1004 (voice)
(517) 336-1100 (fax)
mailto: [email protected]