Overview and Purpose
Vermont has long been committed to its telecommunications infrastructure and using it to promote "clean" industry and good-paying jobs in the state. The Vermont Telecommunications Agreement (VTA) was merely a harbinger of the high-speed communications revolution to come including, but not limited to, the Internet. The creation of the Vermont Telecommunications Application Center (VTAC) and, more recently, the Vermont Information Technology Center (VITC) are all indicators of the continuing belief that telecommunications and information technology (IT) are key to the economic expansion and health of the state.
And, indeed, the infrastructure in Vermont has grown and matured. The Internet, in particular, has affected every industry in Vermont and most Vermont businesses and organizations. But there are many well-known vulnerabilities of computers and networks that expose users' data and systems to theft, alteration, and destruction. As more and more entities in Vermont depend upon the Internet and other data communications networks, the security aspects of those networks and systems become critical to the very survival of the users' networks, the organization owning the data, and even the very infrastructure itself.
The Internet has already entered the mindset of just about everybody. And in recent months, "security" is now entering the collective consciousness of the user community. Even before attackers hit Yahoo!, Amazon.com, E-Bay, and CNN earlier this year, mainstream magazines such as Time and Newsweek were already talking about security. And the problems are about to become much worse. Now that homes and home offices are getting their own direct, full-time connections to the Internet via such technologies as Digital Subscriber Line (DSL) and cable modems, small office/home office (SOHO) computers will become new, largely unprotected, targets for attackers.
This proposal calls for the creation of a Vermont Information Security Coordination Center (VISCC). The overriding purpose of the VISCC is to fill the security needs of various constituencies/stakeholders in Vermont. The space is large and the needs enormous.
VISCC Mission
It is proposed that the VISCC operate, at least initially, as a component of the Vermont Information Technology Center. Just as VITC is chartered to promote and provide information about various aspects of IT, the VISCC will direct efforts specifically at securing the IT resources of Vermont. Vermont currently has no central resource center from where to obtain information about computer and network security; in fact, there are very few resources in Vermont about this subject area at all.
Information technology is vital to the future of Vermont's economy and most companies today increasingly depend upon their computer systems, many just to stay in business. Some companies in Vermont could not even exist in Vermont if it were not for the Internet. Protecting the data associated with these companies, then, becomes imperative to fostering the use of IT, protecting the underlying infrastructure, and maintaining economic growth. The creation of the VISCC will also be a proactive step that sends a strong signal to the business community that Vermont cares about this infrastructure.
The mission of the VISCC is consistent with the mission of its parent organization, VITC. Strong information security is essential to achieve a "nurturing environment for information technology," one of the fundamental components of the VITC's mission. The VISCC's main function is to increase awareness about information security issues and solutions in three ways:
Goals and Objectives
There are a large number of potential roles that a state-wide information security center can fill in addition to the generic IT goals of the VITC, including:
Disseminate security-related information relevant to Vermont organizations in a timely manner via a Web page and/or e-mail.
Provide information security awareness training for business individuals and organizations, via regularly scheduled public seminars, periodic courses, and/or ad hoc training sessions.
Act as a response center for acute security incidents.
Be a clearinghouse for security incidents in Vermont. Ideally, it would be a repository for organizations, ISPs, and individuals with the aim of spotting trends and helping to devise tools for protection.
Be an information resource to State government agencies and the Governor, both for policy issues as well as security practices for State-run data networks (e.g., K12net, GovNET, and other State government networks).
Form a Vermont security incident response team to act as a response center for acute security incidents and to assist organizations in developing their own security incident response teams.
Be a resource for law enforcement agencies in Vermont, from providing courses at the Police Academy to acting as an information resource for forensics and investigations. (Law enforcement professionals in computer-based criminal investigation in Vermont have already stated that such a center would be invaluable to both local and State police agencies.)
In conjunction with Champlain College's computer, network, and telecommunications curricula, teach courses about the vulnerabilities of the protocols and operating systems, as well as hacking and cracking. Not only will this "profession" be invaluable in the future, but it also provides an opportunity to train "white hat" attackers. In the last few months, President Clinton and others in his administration have suggested that such curricula are necessary.
Build a product test center capability and provide a test lab for use by "member" organizations.
Build a database of network security professionals practicing in the state.
Form a state-wide information security advisory council, possibly in conjunction with the Vermont Business Roundtable's Technology Committee, VTAC, or VITC.
Work with Vermont Internet Service Providers (ISPs) to encourage their use of best industry practices in protecting their customers, a particular concern for small businesses and SOHO customers.
Provide security services to "member" organizations, ranging from policy review and creation to recommendation of security tools and procedures. Security tools, in this context, include administrative security tools, firewalls, intrusion detection, log analysis and reporting, vulnerability testing, virtual private networks (VPNs), cryptography, secure e-mail, etc. (The intent of this goal is not to compete with private industry but to offer a service that a client might not otherwise be able to afford, to keep the VISCC staff active in the field, and to provide training for interns.)
Administrative Actions
As suggested above, the information security space is enormous and the needs in Vermont immense. At this time, however, VITC is able to provide only modest funding for security projects and no other organization has yet stepped forward to provide personnel or financial resources.
The information security roundtable discussion held in September 2000 was one of two mechanisms to determine the need and direction for a VISCC-like center. The meeting definitely showed that there is an active information security community in Vermont, providing many necessary services. The second mechanism was a survey of users to determine the need for such a center; the survey results will be posted on the Web site soon.
Both the meeting and survey show that there are many infosec needs going unaddressed. It seems, then, that the best course of action for VISCC at this time is to determine precisely what needs are most critical, which could be uniquely provided by such a center and how those activities would be funded. The immediate course of action should be to:
Form an advisory committee to provide direction to the VISCC.
Continue to offer and participate in statewide meetings addressing infosec, both from an awareness perspective as well as helping to provide solutions.
Develop short- and long-term business plans for the VISCC.
Develop revenue sources to support the business plan.
The VISCC will not be able to successfully achieve its mission and goals without close collaboration with a broad range of partners from the public and private sectors. Information technology is, by its very nature, a collaborative industry; information security is even more so. Funding for the VISCC, therefore, must come from several representative sources, including federal and state agencies as well as private individuals and organizations.
At this time, the appropriate funding sources have yet to be specifically identified; a better definition of the VISCC's specific actions is needed to determine candidate funding programs and that will be one of the important initial tasks. Possible revenue/funding sources include:
Federal grants: National Science Foundation (NSF, particularly in conjunction with Internet2 and other education efforts), Department of Justice (DOJ, particularly in conjunction with law enforcement agencies), Department of Defense (DoD, particularly for infrastructure protection and research). Champlain College's Development Office and Senator Leahy's office have already helped identify some possible federal grants that we should consider.
State
Private partnerships and sponsors
User fees: Some nominal user fees will probably be necessary to demonstrate that any projects we undertake have value to the recipients. This will be particularly important during the startup phase; creating a database of security vulnerability information, for example, has the highest incremental cost at the startup. Even seminars ought to have some fee associated with them to at least cover costs.
There are a number of possible operational models for the VISCC. Operating under the auspices of an existing organization such as VITC obviates the need to duplicate administrative management. The technical direction and staffing should come from infosec professionals.
It is a goal of the VISCC to be economically self-sufficient, funding its activities through research and project grants and/or by charging fees for any services rendered to area businesses, including eventual consulting, training, technical assistance, or creating test bed solutions in a "neutral" laboratory.
Comments on this proposal are welcome and solicited! Please forward any comments to the author and/or Dave Binch, Director, VITC (802-865-6439, binch@champlain.edu).
About the Author
Gary C. Kessler, the author of this proposal, is currently the Program Coordinator for the Computer Network & PC Support major at Champlain College in Burlington, Vermont, and an independent consultant and writer. He has been in the computer/networking field since the early 1970s and involved one way or the other in computer and network security for over 20 years. His primary areas of interest are the Internet and TCP/IP applications and technologies, computer and network security, e-commerce, virtual private networks (VPNs), ISDN, and fast packet switching technologies. Gary was instrumental in the introduction (1977) and eventual passage (1999) of Vermont's Computer Crime Law. He is a frequent speaker at industry conferences on security-related matters, has written two books and over 50 articles for industry publications, and is an adjunct faculty member at Champlain College and St. Michael's College Prevel School of Business. Gary holds a B.A. in mathematics and an M.S. in Computer Science.
Champlain College, 163 S. Willard Street, Burlington, VT 05401. Phone: 802-865-6460. Fax: 802-865-6447. kesslerg@champlain.edu, http://poodle.champlain.edu
50 Creek Glen, Colchester, VT 05446. Phone: 802-879-3375. Fax: 630-604-5529. kumquat@sover.net, http://www.garykessler.net