News From Terre Haute, Indiana

July 19, 2008

At least one guy at Purdue security summit was paying attention

By Stephanie Salter

TERRE HAUTE — Purdue computer science professor Eugene Spafford had the best line about media coverage of Barack Obama’s extensive national security seminar in West Lafayette last week:

“Good thing Angelina Jolie gave birth earlier in the week or the summit wouldn’t have even made the press.”

“Spaf,” as he is known by his students, colleagues, associates and fellow experts in international cyber security, is always good for a humorous, big-picture observation that lasers in on the truth.

As director of Purdue’s CERIAS program — the Center for Education and Research in Information Assurance and Security — he has served on numerous national research teams, testified before Congress and advised presidents. His name is synonymous around the world with cyber security.

Who better to summon to the invitation-only Obama security summit at Purdue. Ah, but no one thought to invite Spaf until the night before.

“The press was told that Purdue was chosen because of the leading role our researchers have in various areas of public safety and national security — including the leading program in cyber security …” Spaf wrote on his long blog entry about the summit (http://snipurl.com/obpugs). “I found it rather ironic that security would be given as the reason … and yet those of us most involved with those security centers had not been told about the summit or given invitations.”

A few e-mails about this irony apparently woke up the proper people. Tuesday night Spaf was invited to join about 500 other folks the next day in the Purdue Memorial Union to listen to panel discussions on three big security threats — nuclear weapons, bioterrorism and cyber manipulation.

His richly informed reactions to the first two panels are useful reading. For example, a financial element mentioned during the nuclear panel particularly caught Spaf’s attention:

“[T]he one figure that stood out was that we could fully fund the [Sam] Nunn-[Richard] Lugar initiative and some other plans to secure loose nuclear materials by spending the equivalent of 1 month of what we now spend in Iraq over the next 4 years around the world … One other number given is that currently less than 1/4 of 1% of the defense budget is spent on containing nuclear materials, despite it being a declared priority of President Bush …”

Because newspaper space is uber-finite, I must cherry pick Spaf’s impressions. I’ll concentrate on those of the cyber panel and of the news media’s obsession with the summit presence of two possible Obama running mates, Sen. Evan Bayh and former Sen. Nunn.

“The press, in fact, hasn’t seemed to focus on the substance of the summit at all,” Spaf wrote. “I’ve read about 15 accounts so far, and all have focused on his [Obama’s] choice of VP or the status of the campaign. It is so discouraging! These are topics of great importance that are not well understood by the public, and the press simply ignores them.”

The cyber threat panel featured Alan Wade, former CIO of the CIA, and Paul Kurtz of Good Harbor Consulting, an expert Spaf has known and admired for many years. Part of what we missed:

“Some mention was made about how nothing has been done by the current administration until very recently. Sadly, that is clearly the case,” Spaf wrote.

Referring to several reports, including one by the President’s Information Technology Advisory Committee and another by the National Academy of Science’s Computer Science and Telecommunications Board, Spaf noted:

“The National Strategy in 2002, the PITAC report in 2005, and the CSTB report in 2007 (to name 3 examples) all generated no response. As a member of the PITAC that helped write the 2005 report, I was shocked at the lack of Federal investment and the inaction we documented (I knew it was bad, but didn’t realize until then how bad it was); the reaction from the White House was to dissolve the committee rather than address the real problems highlighted in the report. As one of today’s panelists put it — the current administration’s response has been ‘… late, fragmented, and inadequate.’ Amen.”

True to his club of genuine cyber security experts, Spaf was “disappointed that so much was said about terrorism and denial of service” during the summit.

Despite what we see in movies or hear from virus protection software salesmen and some politicians, the people who actually study global information technology know that the major threats to our stable way of life do not come from an apartment full of al Qaida operatives with laptops plotting to blow up an airliner.

“Paul did join in near the end and point out that alteration of critical data was a big concern,” Spaf wrote, “but there was no mention of alteration of critical services, about theft of intellectual property, about threats to privacy, or other more prominent threats. Terrorism online is not the biggest threat we face, and we have a major crisis in progress that doesn’t involve denial of service. We need to ensure that our policymakers understand the scope of the threat.”

Spaf told his blog readers that Obama “reiterated how he sees cyber as a national resource and critical infrastructure” and plans “to appoint a national coordinator to help move protection forward.” Referring to the unwieldy Department of Homeland Security, Spaf added, parenthetically, “(If he is elected I hope he doesn’t put the position in DHS!).”

Regardless of the last-minute invitation, some statistics he found to be “a bit of hyperbole,” and all the focus on cyber terrorism, Spaf’s general review of the summit was positive.

“I was really quite impressed with the scope of the discussion, given the time and format, and the expertise of the panelists,” he wrote. “Senator Obama was engaged, attentive, and several of his comments and questions displayed more than a superficial knowledge of the material in each area.

“Given our current President referring to ‘the Internets’ and Senator McCain cheerfully admitting he doesn’t know how to use a computer, it was refreshing and hopeful that Senator Obama knows what terms such as ‘fission’ and ‘phishing’ mean. And he can correctly pronounce ‘nuclear’! His comments didn’t appear to be rehearsed — I think he really does ‘get it.’”

Stephanie Salter can be reached at (812) 231-4229 or stephanie.salter@tribstar.com.