Posts in Policies & Law

Failures in the Supply Chain

Saturday, November 15, 2008 by spaf in Kudos, Opinions and Rants, Policies & Law, Secure IT Practices,

[This is dervied from a posting of mine to Dave Farber's Interesting People list.]

There is an article in the October Businessweek that describes the problem of counterfeit electronic components being purchased and used in critical Defense-related products.

This is not a new threat. But first let's reflect on the past.

Historically, the military set a number of standards (MIL-SPEC) to ensure that materials they obtained were of an appropriate level of quality, as well as interoperable with other items. The standards helped ensure a consistency for everything from food to boots to tanks to software, as well as ensuring performance standards (quality).

The standards process was not without problems, however. Among issues often mentioned were:

Standards were sometimes not revised often enough to reflect changes in technology. The result was that the military often had to acquire and use items that were generations behind the commercial marketplace (esp. in software/computers);
Knowing and complying with so many standards often caused companies considerable extra time and effort in supplying items, thus raising their cost well above comparable commercial equivalents;
Incompatible standards across military agencies and services, especially when compared with commercial items used by civilian agencies, led to waste and increased cost, and lack of flexibility in implementation;
Imposition of rigid standards cut down on innovation and rapid development/acquisition/deployment cycles;
The rigidity and complexity of the standards effectively shut out new vendors, especially small vendors because they could not match the standards-compliance efforts of large, entrenched defense vendors.

Thus, in June of 1994, William Perry, the then Secretary of Defense, issued a set of orders that effectively provide a pathway to move away from the standards and adopt commercial standards and performance goals in their place. (cf. the Wikipedia article on MIL-SPEC). One of the rationales expressed then, especially as regarded computing software and hardware, was that the competition of the marketplace would lead to better quality products. (Ironically, the lack of vendor-neutral standards then led to a situation where we have large monocultures of software/hardware platforms throughout government, and the resultant lack of meaningful competition has almost certainly not served the goals of better quality and security.)

In some cases, the elimination of standards has indeed helped keep down costs and improve innovation. I have been told, anecdotally, that stealth technology might not have been fielded had those aircraft been forced within the old MIL-SPEC regime.

As a matter of cost and speed many MIL-SPEC standards seem to have been abandoned to choose COTS whenever possible without proper risk analysis. Only recently have policy-makers begun to realize some of the far-reaching problems that have resulted from the rush to abandon those standards.

As the Businessweek article details, counterfeit items and items with falsified (or poorly conducted) quality control have been finding their way into critical systems, including avionics and weapons control. The current nature of development means that many of those systems are assembled from components and subsystems supplied by other contractors, so a fully-reputable supplier may end up supplying a faulty system because of a component supplied by a vendor with which they have no direct relationship. One notable example of this was the "Cisco Raider" effort from a couple of years ago where counterfeit Cisco router boards were being sold in the US.

As noted in several press articles (such as the ones linked in, above) there is considerable price motive to supply less capable, "grey market" goods in large bids. The middlemen either do not know or care where the parts come from or where they are being used -- the simply know they are making money. The problem is certainly not limited to Defense-related parts, of course. Fake "Rolex" watches that don't keep time, fake designer shoes that fall apart in the rain, and fake drugs that either do nothing or actually cause harm are also part of the "gray market." Adulteration of items or use of prohibited materials is yet another aspect of the problem: think "lead paint" and "melamine" for examples. Of course, this isn't a US-only problem; people around the world are victimized by gray-market, adulterated and counterfeit goods.

These incidents actually illustrate some of the unanticipated future effects of abandoning strong standards. One of the principal values of MIL-SPEC standards was that it established a strict chain of accountability for products. I suspect that little thought has been given by policy-makers to the fact that there is considerable flow of items across borders from countries where manufacturing expertise and enforcement of both IP laws and consumer-protection statutes may not be very stringent. Buying goods from countries where IP violations are rampant (If there is little fear over copying DVDs, then there is little fear over stamping locally-produced items as "Cisco"), and where bribes are commonplace, is not a good strategy for uniform quality.

Of course, there are even more problems than simply quality. Not every country and group has the same political and social goals as we do in the US (or any other country -- this is a general argument). As such, if they are in a position to produce and provide items that may be integrated into our defense systems or critical infrastructure, it may be in their interests to produce faulty goods -- or carefully doctored goods. Software with hidden 'features" or control components with hidden states could result in catastrophe. That isn't fear-mongering -- we know of cases where this was done, such as to the Soviets in the 1980s. Even if the host country isn't subtly altering the components, it may not have the resources to protect the items being produced from alteration by third parties. After all, if the labor is cheaper in country X, then it will also be cheaper to bribe the technicians and workers to make changes to what they are producing.

The solution is to go back to setting high standards, require authentication of supply chain, and better evaluation of random samples. Unfortunately, this is expensive, and we're not in a state nationally where extra expense (except to line the pockets of Big Oil and Banking) is well tolerated by government. Furthermore, this alters the model where many small vendors acting as middlemen are able to get a "piece of the action." Their complaints to elected representatives who may not understand the technical complexities adds even further pressure against change.

In some cases, the risk posed in acquisition of items may warrant subsidizing the re-establishment of some manufacturing domestically (e.g., chip fabs). This doesn't need to be across the board, but it does required judicious risk-analysis to determine where critical points are -- or will be in the future. We must realize that the rapid changes in technology may introduce new patterns of production and acquisition that we should plan for now. For instance, once elements of nanotechnology become security-critical, we need to ensure that we have sufficient sources of controlled, quality production and testing.

I'm not going to hold my breath over change, however. Some of us have been complaining about issues such as this for decades. The usual response is that we are making a big deal out of "rare events" or are displaying xenophobia. The sheer expense frightens off many from even giving it more than a cursory thought. I know I have been dismissed as an "over-imaginative academic" more times than I can count when I point out the weaknesses.

One of the factors that allegedly led to the decline of the Roman empire was the use of lead in pipes, and lead salts to make cheap wine more palatable for the masses. The Romans knew there was a health problem associated with lead, but the vendors saw more profit from using it.

Once we have sufficiently poisoned our own infrastructure to save money and make the masses happier, how long do we last?

[If you are interested in being notified of new entries by spaf on cyber and national security policy issues, you can either subscribe to the RSS feed for this site, or subscribe to the notification list.]

Presidential Politics

Sunday, October 19, 2008 by spaf in General, Kudos, Opinions and Rants, Policies & Law,

If you are in the United States, it has been nigh-on impossible to watch TV, read a newspaper, follow a blog, or (in some states) get your paper mail without something about the upcoming election being present. Some of this has been educational, but a huge amount of it has been negative, vague, and often misleading. That's U.S. politics, unfortunately -- the majority of voters don't really bother to educate themselves about the issues and the media does an uneven job of reporting the truth. For many voters, it comes down to only one or two issues they care passionately about, and they vote for a candidate (or against one) on those simple issues. For instance, there are many voters who will base their votes solely on a candidate's perceived position on gun control, access to legal abortions, tax policy, or other single issues without thinking about all the position issues. (And, as I note below, most of these single issues aren't really under the control of the President no matter who is elected.)

Of course, the US political system tends to reinforce this binary choice procedure, as we have long had only two really major parties. Parliamentary systems seem to encourage more parties, although even then there appears to be only two major ones, often oriented around the same approximate social/political poles: a conservative party, and a liberal (labor) party.

So, in the U.S. we have candidates from both major parties (and many minor ones) campaigning -- explaining their positions, offering their plans for when they are in office, and trying to instill voter confidence and trust. (And too often, offering innuendo, misquotes and outright untruths about their opponents.)

What none of them say, and the media doesn't either, is that very few of the promises can really be certain of being kept. And in large part, that is also a nature of government.

The President has a limited set of powers under the Constitution. He (or she) is responsible for the execution of the laws of the United States. The President is the Commander-in-Chief of all the armed forces and is responsible for commanding them in defense of the country and upholding the law (including treaties). The President is the chief executive agent of all the various Cabinet agencies, and of a number of offices and commissions. The President appoints a large number of officials (including judges and ambassadors), but doesn't have the power to remove many of them.

Most importantly, the President does not make new laws. Laws are passed by Congress, usually with the assent of the President, although a 2/3 majority of both houses of Congress may pass laws to which the President objects. The President is then responsible for ensuring that those laws are carried out, with recourse to the Courts if there are questions. If the President fails to enforce the laws, Congress may take some punitive actions, or even impeach the President...if they have the political will.

So, back to the candidates. If you listen to their speeches, they offer to change tax law, spend more on energy issues, change health care, and a number of other important domestic issues. What they don't point out, however, is that they will have no authority as President to do most of those things! Instead, Congress will need to pass authorizing legislation that is signed by the President. The President can certainly propose that Congress enact those changes, but Congress needs to craft and pass legislation that enables the President to act, and that allocate necessary funds, and that also create/remove administrative structures that may be involved. This legislation can include whatever other items that Congress adds in to the bill, including items that may be completely unrelated to the main topic. The President then must decide whether to sign the bill and act to implement its provisions.

So, the most a new President can do is to propose legislation to embody his/her campaign promises, and to work for its passage. What usually happens is that the size of the win in the election serves as a political measure of how much the population is aligned with the new President's positions, and this can help get a particular agenda passed...or not. Of critical importance is also the issue of whether one or both houses of Congress are controlled by the same party as the new President, and by what margin.

Thus, there should probably be more attention paid to the candidates running for Congress and their particular positions on important issues. In many venues, however, the majority of the attention is focused on the Presidential contest. Some other states are also dealing with contentious state initiatives, tight governor races, and other local issues that help further obscure the Congressional races.

Now, how does this apply to cybersecurity, the ostensible topic of this blog? Or education? Or privacy? Or other topics we focus on here?

Well, as I will address in my next posting, the two main Presidential candidates have made some comments on cyber security, but I have not been able to find any coverage of any current candidate for Congress who has mentioned it. It is basically invisible. So is privacy. Education has gotten a little mention, but not much. And given the more overt, pressing issues of the economy, the deficit, health care, energy dependence, and war in the Middle East, it seems unlikely that any Congressional candidate has bothered to think much about these cyber issues, or that they have received much further thought from the Presidential candidates. (Too bad cyber security can't be part of the mud slinging -- it might raise its profile!)

Of course, with the economy in such sad shape, and some of the other severe problems being faced by the U.S., one might ask whether cyber should be a priority for the new President. I would answer yes, because the problems are already here and severe (although not as obvious as some of the other problems), and it will take years of major effort simply to keep even with the current sad status. The problems in cyber cannot be fixed in a crash effort devoted at any future time, and until they are addressed they will be a drain on the economy (in 2006, the FBI estimated the loss to computer crime in the US to be $67 billion -- almost 10% of the recent economic bailout), and a threat to national security. Thus, deferring action on these issues will only make the situation worse; we need to initiate a sustained, significant program to make some important changes.

There are some things that the new President can do, especially as they relate to the military, law enforcement, and some other agencies in the Executive Branch. This is potentially cause for some glimmer of hope. I intend to blog some on that too, with a list of things that should be considered in the new administration.

Barack Obama, National Security and Me, Take II

Thursday, October 09, 2008 by spaf in General, Kudos, Opinions and Rants, Policies & Law,

Over the last month or so, many people who read my first post on Senator Obama's "security summit" at Purdue have asked me about followup, I've been asked "Did you ever hear back from the Senator?", "Has the McCain campaign contacted you?", and "What do you think about the candidates?" I've also been asked by a couple of my colleagues (really!) "Why would they bother to contact you?"

So, let me respond to these, with the last one first.

Why would someone talk with you about policy?

So, I haven't been elected or served in a cabinet-level position in DC. I haven't won a Nobel prize (there isn't one in IT), I'm not in the National Academies (and unlikely to be -- few non-crypto security people are), and I don't have a faculty appointment in a policy program (Purdue doesn't have one). I also don't write a lot of policy papers -- or any other papers, anymore: I have a persistent RSI problem that has limited my written output for years. However, those aren't the only indicators that someone has something of value to say.

As I've noted in an earlier post, I've had some involvement in cyber security policy issues at the Federal level. There's more than my involvement with the origins of the SfS and Cyber Trust, certainly. I've been in an advising role (technology and policy) for nearly 20 years with a wide range of agencies, including the FBI, Air Force, GAO, NSA, NSF, DOE, OSTP, ODNI and more. I've served on the PITAC. I've testified before Congressional committees a half-dozen times, and met with staff (officially and unofficially) of the Senate and House many times more than that. Most people seem to think I have some good insight into Federal policy in cyber, but additionally, in more general issues of science and technology, and in defense and intelligence.

From another angle, I've also been deeply involved in policy. I served on the CRA Board of Directors for 9 years, and have been involved with its government affairs committee for a decade. I've been chair or co-chair of the ACM's US Public Policy committee for a dozen years. From these vantage points I have gained additional insights into technology policy and challenges in a broad array of issues related to cyber, education, and technology.

And I continue to read a lot about these topics and more, including material in a number of the other sciences. And I've been involved in the practice and study of cyber security for over 30 years.

I can, without stretching things, say that I probably know more about policy in these areas than about 99.995% of the US population, with some people claiming that I'm in the top 10 or so with respect to broad issues of cyber security policy. That may be why I keep being asked to serve in advisory positions. A lot of people tend to ask me things, and seem to value the advice.

One would hope that at least some of the candidates would be interested in such advice, even if not all of my colleagues (or my family :-) are interested in what I have to say.

Have any of the other candidates contacted you?

Simply put -- no. I have gotten a lot of mailings from the Republican (and Democratic) campaigns asking me to donate money, but that's it.

I'm registered as an independent, so that may or may not have played a role. For instance, I can't volunteer to serve as a poll worker in Indiana because I'm not registered in one of the two main parties! I don't show up in most of the databases (and that may be a blessing of sorts).

To digress a moment.... I don't believe either party has a lock on the best ideas -- or the worst. I'm not one of those people who votes a straight-ticket no matter what happens. I have friends who would vote for anyone so long as the candidate got the endorsement of "their" party. It reminds me of the drunken football fans with their shirts off in -20F weather cheering insanely for "their" team and willing to fight with a stranger who is wearing the wrong color. Sad. Having read the Constitution and taken the oath to defend it, I don't recall any mention of political parties or red vs. blue....

That said, I would be happy to talk with any serious candidate (or elected official) about the issues around cyber, security, education, and the IT industry. They are important, and impact the future of our country...and of much of the world.

So, has anyone with the Obama campaign contacted you since his appearance at Purdue?

Well, the answer to this is "yes and no."

I was told, twice, by a campaign worker that "Someone will call you -- we definitely want more advice." I never got that phone call. No message or explanation why. Nothing.

A few weeks after the second call I did get a strange email message. It was from someone associated with the campaign, welcoming me to some mailing list (that I had not asked to join) and including several Microsoft Word format documents. As my correspondents know, I view sending email with Word documents to be a bad thing. I also view being added to mailing lists without my permission to be a hostile act. I responded to the maintainer of the list and his reply was (paraphrased) "I don't know why you were added. Someone must have had a reason. I'll check and get back to you." Well, I have received no more email from the list, and I never got any followup from that person.

So, in summary, I never got any follow-up from the campaign. I don't think it is an issue with the Senator (who wouldn't have been the one to contact me anyhow) but a decision by his staff.

So, depending your level of cynicism, the mentions of my name, of CERIAS, and of follow-up was either (a) a blown opportunity caused by an oversight, or (b) a cynical political ploy to curry local favor.

(My daughter suggested that they are waiting until after the election to appoint me to a lofty position in government. Uh, yeah. That probably explains why I haven't gotten that MacArthur "genius grant" yet and why Adriana Lima hasn't called asking me to run away with her -- the timing just isn't right yet. :-)

What are your opinions on the Presidential candidates?

I'm not allowed to be partisan in official Purdue outlets. So, in some further posts here over the next week or two I will provide some analysis of both major candidates (NB. Yes, I know there are over 300 candidates for President on the ballots across the country. However, I don't think there is much chance of Baldwin, Barr, McKinney, Nader, Paul or the rest getting into office. So, I'll limit my comments to the two main candidates.

If you really want to know who I'm probably voting for, you can see my Facebook page or send me email.

[Update 10/16: After this was published I sent a link to this entry to several people associated with the Obama campaign. Only one responded, and it was clear from his email that there had been a mixup in getting back to me -- but no interest in rectifying it.]

Centers of Academic .... Adequacy

Thursday, September 18, 2008 by spaf in Infosec Education, Kudos, Opinions and Rants, Policies & Law,

History

Back in 1997, the year before CERIAS was formally established, I testified before Congress on the state of cyber security in academia. In my testimony, I pointed out that there were only four established research groups, and their combined, yearly PhD production was around 3 per year, not counting cryptography.

Also in that testimony, I outlined that support was needed for new centers of expertise, and better support of existing centers.

As a result of that testimony, I was asked to participate in some discussions with staff from OSTP, from some Congressional committees (notably, the House Science Committee), and Richard Clarke's staff in the Executive Office of the President. I was also invited to some conversations with leadership at the NSA, including the deputy director for information security systems (IAD) (Mike Jacobs). Those discussions were about how to increase the profile of the area, and get more people educated in information security.

Among the ideas I discussed were ones expanded from my testimony. They eventually morphed into the Scholarship for Service program, the NSF CyberTrust program, and the NSA Centers of Academic Excellence (CAE). [NB. I am not going to claim sole or primary credit for these programs. I know I came up with the ideas, briefed people about them, discussed pros & cons, and then those groups took them and turned them into what we got. None of them are quite what I proposed, but that is how things happen in DC.]

The CAE program was established by the NSA in late 1998. The CAE certification was built around courses meeting CNSS requirements. Purdue was one of the first seven universities certified as CAEs, in May of 1999. We remained in the CAE program until earlier this year (2008). In 2003, DHS became a co-sponsor of the program.

Why Purdue is No Longer a CAE

In 2007, we were informed that unless we renewed our CNSS certifications by the end of August, we would not be eligible for CAE renewal in 2008. This prompted discussion and reflection by faculty and staff at CERIAS. As noted above, the mapping of CNSS requirements to our classes is non-trivial. The CAE application was also non-trivial. None of our personnel were willing to devote the hours of effort required to do the processing. Admittedly, we could have "faked" some of the mapping (as we know some schools have done in the past), but that was never an option for us. We had other objections, too (see what follows).As a result, we did not renew the certifications, and we dropped out of the CAE program when our certification expired earlier this year.

Our decision was not made lightly -- we nearly dropped out in 2004 when we last renewed (and were not grandfathered into the new 5 year renewal cycle, much to our annoyance), and there was continuing thought given to this over intervening years. We identified a number of issues with the program, and the overhead of the mapping and application process was not the only (or principal) issue.

First, and foremost, we do not believe it is possible to have 94 (most recent count) Centers of Excellence in this field. After the coming year, we would not be surprised if the number grew to over 100, and that is beyond silly. There may be at most a dozen centers of real excellence, and pretending that the ability to offer some courses and stock a small library collection means "excellence" isn't candid.

The program at this size is actually a Centers of Adequacy program. That isn't intended to be pejorative -- it is simply a statement about the size of the program and the nature of the requirements.

Some observers and colleagues outside the field have looked at the list of schools and made the observation that there is a huge disparity among the capabilities, student quality, resources and faculties of some of those schools. Thus, they have concluded, if those schools are all equivalent as "excellent" in cyber security, then that means that the good ones can't be very good ("excellent" means defining the best, after all). So, we have actually had pundits conclude that cyber security & privacy studies can't be much of a discipline. That is a disservice to the field as a whole.

Instead of actually designating excellence, the CAE program has become an ersatz certification program. The qualifications to be met are for minimums, not for excellence. In a field with so few real experts and so little money for advanced efforts, this is understandable given one of the primary goals of the CAE program -- to encourage schools to offer IA/IS programs. Thus, the program sets a relatively low bar and many schools have put in efforts and resources to meet those requirements. This is a good thing, because it has helped raise the awareness of the field. However, it currently doesn't set a high enough bar to improve the field, nor does it offer the resources to do so.

Setting a low bar also means that academic program requirements are being heavily influenced by a government agency rather than the academic community itself. This is not good for the field because it means the requirements are being set based on particular application need (of the government) rather than the academic community's understanding of foundations, history, guiding principles, and interaction with other fields. (E.g., Would your mathematics department base its courses on what is required to produce IRS auditors? We think not!) In practice, the CAE program has probably helped suppress what otherwise would be a trend by our community to discuss a formal, common curriculum standard. In this sense, participation in the CAE program may now be holding us back.

Second, and related, the CNSS standards are really training standards, and not educational standards. Some of them might be met by a multi-day class taught by a commercial service such as SANS or CSI -- what does that say about university-level classes we map to them? The original CNSS intent was to provide guidance for the production of trained system operators -- rather than the designers, researchers, thinkers, managers, investigators and more that some of our programs (and Purdue's, in particular) are producing.

We have found the CNSS standards to be time-consuming to map to courses, and in many cases inappropriate, and therefore inappropriate for our students. Tellingly, in 9 years we have never had a single one of our grads ask us for proof that they met the CNSS standards because an employer cared! We don't currently intend to offer courses structured around any of the CNSS standards, and it is past the point where we are interested in supporting the fiction that they are central to a real curriculum.

Third, we have been told repeatedly over the years that there might be resources made available for CAE schools if only we participated. It has never happened. The Scholarship for Service program is open to non-CAE schools (read the NSF program solicitation carefully), so don't think of that as an example. With 100 schools, what resources could reasonably be expected? If the NSA or DHS got an extra $5 million, and they spread it evenly, each would get $50,000. Take out institutional overhead charges, and that might be enough for 1 student scholarship...if that. If there were 10 schools, then $500,000 each is an amount that might begin to make a difference. But over a span of nearly 10 years the amount provided has been zero, and any way you divide that, it doesn't really help any of us. Thus, we have been investing time and energy in a program that has not brought us resources to improve. Some investment of our energy & time to bolster community was warranted, but that time is past.

Fourth, the renewal process is a burden because of the nature of university staffing and the time required. With no return on getting the designation, we could not find anyone willing to invest the time for the renewal effort.

Closing Comments

In conclusion, we see the CAE effort as valuable for smaller schools, or those starting programs. By having the accreditation (which is what this is, although it doesn't meet ISO standards for such), those programs can show some minimal capabilities, and perhaps obtain local resources to enhance them. However, for major programs with broader thrusts and a higher profile, the CAE has no real value, and may even have negative connotations. (And no, the new CAE-R program does not solve this as it is currently structured.)

The CAE program is based on training standards (CNSS) that do not have strong pedagogical foundations, and this is also not appropriate for a leading educational program. As the field continues to evolve over the next few years, faculty at CERIAS at Purdue expect to continue to play a leading role in shaping a real academic curriculum. That cannot be done by embracing the CAE.

We are confident that people who understand the field are not going to ignore the good schools simply because they don't have the designation, any more than people have ignored major CS programs because they do not have CSAB accreditation. We've been recognized for our excellence in research, we continue to attract and graduate excellent students, and we continue to serve the community. We are certain that people will recognize that and respond accordingly.

More importantly, this goes to the heart of what it means to be "trustworthy." Security and privacy issues are based on a concept of trust and that also implies honesty. It simply is not honest to continue to participate in (and thereby support) a designation that is misleading. There are not 94 centers of excellence in information and cyber security in the US. You might ask the personnel at some of the schools that are so designated as to why they feel the need to participate and shore up that unfortunate canard.

The above was originally written in 2008. A few years later, the CAE requirements were changed to add a CAE-R designation (R for research), and several of our students did the mapping so we were redesignated. Most of the criticisms remain accurate even in 2012.

Barack Obama, National Security, and Me

Thursday, July 17, 2008 by spaf in General, Kudos, Opinions and Rants, Policies & Law,

[Update 7/17: Video of the Senator's opening remarks and the panel session (2 parts) are now online at this site. I have also added a few links.]

This story (somewhat long) is about Senator Barack Obama's summit session at Purdue University today (Wednesday, July 16). on security challenges for the 21st century. I managed to attend, took notes, and even got my name mentioned. Here's the full story.

Prelude

Monday night, I received email from a colleague here at Purdue asking if I could get her a ticket to see Senator Obama on campus. I was more than a little puzzled -- I knew of no visit from the Senator, and I especially didn't know why she thought I might have a ticket (although there are people around here who frequently ask me for unusual things).

Another exchange of email resulted in the discovery that the Senator was coming to Purdue today (the 16th of July) with a panel to hold a summit meeting on security issues for the 21st century. Cyber security was going to be one of the topics. The press was told that Purdue was chosen because of the leading role our researchers have in various areas of public safety and national security -- including the leading program in cyber security -- although some ascribed political motives as the primary reason for the location.

I found it rather ironic that security would be given as the reason for being at Purdue, and yet those of us most involved with those security centers had not been told about the summit or given invitations. It appears that the organizers gave a small number of tickets to the university, and those were distributed to administrators rather than faculty and students working in the topic areas.

I found this all very ironic and interesting, and expressed as much in email to several friends and colleagues -- including several who I knew had some (indirect) link to the Senator's campaign. I had faint hope of getting a ticket, but was more interested in simply getting the word back that there was a misfire in the organization of the event.

Late last night (I was in the office until 6:30) I got a call from someone associated with the Obama campaign. He apologized for the lack of an invitation, and informed me that a ticket was awaiting me at the desk the next day.

The Event

I went over to the Purdue Union at 11:30; the official event was to start at 12. I encountered a number of Purdue administrators in the crowd. Security was apparent for the event, including metal detectors at the door run by uniformed officers, some of whom I believe were with the Secret Service uniformed division. The officers everywhere were polite and cheerful, but watchful. I found a seat in the back of the North Ballroom with about 500 other guests...and nearly as many members of the press, entourage, ushers, protection detail, and so on.

I won't try to summarize everything said by the Senator and panel -- you can find the full video here (in two parts). I will provide some impressions of specific things that were said.

The event started almost on time (noon) with Senator Evan Bayh introducing Senator Barack Obama. Sen. Obama then read from a prepared set of remarks. His comments really resonated with the crowd (I encourage you to follow the link to read them). His comment about how we have been "fighting the last war" is particularly appropriate.

He made some very nice comments about Senator Richard Lugar, the other Senator from Indiana. Senator Lugar is a national asset in foreign policy, and both Senators Obama and Bayh (and former Senator Nunn) had nothing but good things to say about him -- and all have worked with him on disarmament and peace legislation. One of the lighter moments was when Senator Obama said that Senator Lugar was a great man in every way except that he was a Republican!

Early in his statement, he deviated from his script as reproduced in the paper, and dropped my name as he was talking about cyber security. I was very surprised. He referred to me as one of the nation's leading experts in cyber security when he mentioned Purdue being in the lead in this area. Wow! I guess someone I sent my email to pushed the right button (although my colleagues and our students deserve the recognition, as much or more than I do).

His further comments on officially designating the cyber infrastructure as a strategic asset is important for policy & legal reasons, and his comments on education and research also seemed right on. It was a strong opening, and there was obviously a lot in his comments for a number of different audiences, including the press.

Panel Part I

The first 1/3 of the panel discussion was on nuclear weapons issues. The experts present to talk on the issue were (former) Senator Sam Nunn (who joked that in Indiana everyone thought his last name was actually Nunn-Lugar), Senator Bayh, and Dr. Graham Allison, the director of the Belfer Center at Harvard. There was considerable discussion about the proliferation of nuclear materials, the need for cooperation with other countries rather than ignoring them (viz. North Korea and Iran), and the control of fissionable material.

There were some statements that I found to be a bit of hyperbole: For instance, the statement that a single bomb could be made by terrorists to destroy a whole city. Not to minimize the potential damage, but without sophisticated nation-state assistance and machining, a crude fission weapon is about all that a terrorist group could manage, and it wouldn't be that large or that easy to build. A few tens of kilotons of fission explosion could definitely ruin your day, but a detonation at ground level wouldn't destroy a whole city of any size. (Lafayette, IN would be mostly destroyed by one, but that isn't a major city.) Plutonium is too dangerous to handle, so over 100 pounds of U-235 (or U-233) would be needed, and machined appropriately, for such a weapon. Without accelerators and specially shaped charges & containers, getting fission fast enough and long enough is difficult and....well, there is a very serious threat, and the nuances may be lost on the average crowd, but the focus on terrorists building a significant bomb seemed wrong to me.

There were some excellent remarks made about opportunity cost. For instance, the one figure that stood out was that we could fully fund the Nunn-Lugar initiative and some other plans to secure loose nuclear materials by spending the equivalent of 1 month of what we now spend in Iraq over the next 4 years around the world; the war in Iraq is breeding terrorists and making US enemies, while securing loose nukes would help protect generations to come around the world. As both a taxpayer and a parent (as well as someone immersed in defense issues), I know where I would prefer to see the money spent!

One other number given is that currently less than 1/4 of 1% of the defense budget is spent on containing nuclear materials, despite it being a declared priority of President Bush. Professor Allison said that despite grade inflation at Harvard, the President still gets an "F" in this area.

Another interesting factoid stated was that about 10% of the lights in the US are powered by electricity generated from reprocessed fissile material taken from Russian nukes rendered safe under the Nunn-Lugar initiative. That sounds high to me given the amount of nuclear power generated in the US, but even if off by a factor of 10, darned impressive.

Panel Part II

The second part of the panel was on bio weapons. The panelists were Dr. Tara O'Toole of the Center for Biosecurity at Pitt, and Dr. David Relman of Stanford. Their discussion was largely what I expected, about how bio-weapons can be produced by rogue actors as well as rogue states. They made the usual references to plague (with a funny interchange about prairie dogs being carriers, and keeping the Senator's campaign away from them), anthrax and Ebola.

Again, there was a bit of exaggeration coupled with the dialog. It was pointed out that there has still been no apprehension of the perpetrator of the 2001 anthrax attacks. It was then stated that the anthrax in the envelope sent to Senator Daschle was enough to kill a billion people. No mention was made about how impossible it would be to meter and deliver such dosages in the most appropriate manner to achieve that. In fact, no discussion was made about the difficulty in weaponizing most biological agents, limiting their use as a targeted weapon over a large area. And furthermore, no mention at all was made of chemical weapons.

The conclusion here was that investment in better research and international cooperation was key. The statement was made that better integration of electronic health records would be important, too, although some studies I recall indicate that their utility is probably not so great as some would hope. It was also concluded that benefits in faster medical response and better vaccine production would help in non-crisis times as well. I don't think we can argue too much with that, although the whole issue of how we pay for medicine and health issues looms large.

Panel Part III

The last panel featured Alan Wade, former CIO of the CIA, and Paul Kurtz of Good Harbor Consulting, speaking on the cyber threat. I've known Paul for years, and he is a great person to talk on these issues.

The fact that cyber technology is universal and ubiquitous was highlighted. So was the asymmetry inherent in the area. Some mention was made about how nothing has been done by the current administration until very recently. Sadly, that is clearly the case. The National Strategy in 2002, the PITAC report in 2005, and the CSTB report in 2007 (to name 3 examples) all generated no response. As a member of the PITAC that helped write the 2005 report, I was shocked at the lack of Federal investment and the inaction we documented (I knew it was bad, but didn't realize until then how bad it was); the reaction from the White House was to dissolve the committee rather than address the real problems highlighted in the report. As one of today's panelists put it -- the current administration's response has been "...late, fragmented, and inadequate." Amen.

I was disappointed that so much was said about terrorism and denial of service. Paul did join in near the end and point out that alteration of critical data was a big concern, but there was no mention of alteration of critical services, about theft of intellectual property, about threats to privacy, or other more prominent threats. Terrorism online is not the biggest threat we face, and we have a major crisis in progress that doesn't involve denial of service. We need to ensure that our policymakers understand the scope of the threat.

On the plus side, Senator Obama reiterated how he sees cyber as a national resource and critical infrastructure. He wants to appoint a national coordinator to help move protection forward. (If he is elected I hope he doesn't put the position in DHS!)

Paul pointed out the need for more funds for education and research. He also made a very kind remark, mentioning me by name, and saying how we were a world-class resource built with almost no funding. That's not quite true, but sadly not far off. I have chafed for years at how much more we could do with even modest on-going support that wasn't tied to specific research projects....

Conclusions

I was really quite impressed with the scope of the discussion, given the time and format, and the expertise of the panelists. Senator Obama was engaged, attentive, and several of his comments and questions displayed more than a superficial knowledge of the material in each area. Given our current President referring to "the Internets" and Senator McCain cheerfully admitting he doesn't know how to use a computer, it was refreshing and hopeful that Senator Obama knows what terms such as "fission" and "phishing" mean. And he can correctly pronounce "nuclear"! :-) His comments didn't appear to be rehearsed -- I think he really does "get it."

(Before someone picks on me too much.... I believe Senator McCain is an honorable man, a dedicated public servant, and a genuine American hero. I am grateful to have people like him intent on serving the public. However, based on his comments to the press and online, I think he is a generation out of date on current technology and important related issues. That isn't a comment related to his age, per se, but to his attitude. I'd welcome evidence that I am mistaken.)

Senator Obama is a great orator. I also noticed how his speed of presentation picks up for the press (his opening remarks) but became more conversational during the panel.

Senator Obama kept bringing the panel back to suggestions about what could be done to protect the nation. I appreciated that focus on the goal. He also kept returning to the idea that problems are better solved early, and that investments without imminent threat are a form of insurance -- paying for clean-up is far greater than some prudent investment early on. He also repeatedly mentioned the need to be competitive in science and technology, and how important support for education is -- and will be.

After the session was over, I didn't get a chance to meet any of the campaign staff, or say hello to Paul. I did get about 90 seconds with Senator Bayh and invited him to visit. After my name had been mentioned about 3 times by panelists and Senator Obama, he sort of recognized it when I introduced myself. We'll see if he follows up. I've visited his office and Senator Lugar's, repeatedly, and neither have ever bothered to follow up to see what we're doing or whether they could help.

Several people in the audience commented on my name being mentioned. I'm more than a little embarrassed that they didn't refer to CERIAS and my colleagues, and in fact I was the only Purdue person mentioned by name during the entire 2 hours, and then it happened multiple times. I'm not sure if that's good or not -- we'll see. However, as P.T. Barnum said, there's no such thing as bad publicity ... so long as they spell my name correctly. %-P None of the local or national press seem to have picked it up, however, so even spelling isn't an issue.

The press, in fact, hasn't seemed to focus on the substance of the summit at all. I've read about 15 accounts so far, and all have focused on his choice of VP or the status of the campaign. It is so discouraging! These are topics of great importance that are not well understood by the public, and the press simply ignores them. Good thing Angelina Jolie gave birth earlier in the week or the summit wouldn't have even made the press. :-S

I wish more of the population would take the time to listen to prolonged discussion like this. 15-second sound bites serve too often as the sole input for most voters. And even then, too many are insufficiently educated (or motivated) to understand even the most basic concepts. I wonder if more than 5 people will even bother to read this long a post -- most people want blogs a single page in length.

As for my own political opinions and voting choices, well, I'm not going to use an official Purdue system to proselytize about items other than cyber security, education, research and Purdue. You can certainly ask me if you see me. Now, if only I had confidence in the electronic voting equipment that so many of us are going to be forced to use in November (hint: I'm chair of the USACM).

Last Tongue-in-Cheek Word

And no, I'm not particularly interested in the VP position.

Posts in Policies & Law

Failures in the Supply Chain

Recent Blogs

Blog Archive

Posts in Policies & Law

Page Content

Failures in the Supply Chain

Recent Blogs

Blog Archive