
Possible changes to Federal Grant Language & Computer Security Bob Mahoney- MIT Network Security bobmah@mit.edu Common Solutions Group, January 2002


Page 1

Possible changes to Federal Grant Language & Computer Security

Bob Mahoney - MIT Network Security, bobmah@mit.edu

Common Solutions Group, January 2002

Page 2

January 10, 2002 Grant Language Changes?

Background

• Possible changes to federal grant language to address concerns about the security of campus systems.

• February 2000 - large-scale DoS attacks on eBay, Yahoo, Amazon, etc. put university networks on the radar in a security context.

• Perception in some quarters that higher education sites are an evil swamp of “hacker bad guys”.

Page 3


More Background

• Reports of university IT organizations complaining they cannot control security behavior of independent researchers.

• Characterized by the authors as an “attempt to adjust the balance of power” in IT-researcher relationships.

Page 4


“Safe Computing Environment”

• ‘straw man’ proposal (initiated by SANS Institute’s Alan Paller) to unisog and SANS newsbites lists in October 2001.

• Proposed as amendment to Circular A-110, based on the ‘drug-free workplace’ requirements.

• Initial proposal was fairly insane, at least in terms of specific actions required (specific patch application deadlines, etc.).

• Most recent draft shows improvement

Page 5


Some high points:

• Grantees are required to certify that they will provide a “safe computing environment”.

• SCE refers to both initial config and ongoing maintenance of covered systems.

• Changes to SC environment must be reported.

• Requires statements of appropriate use to be given to all employees.

• Requires prompt notifications of “significant events”.

• Specifies actions to be taken for security events.

Page 6


Quick Questions

• Is this real?

• Who is behind this?

• Where’s this going?

• Is legislation coming?

Page 7


If you hear MIT referenced…

Some proponents have referred to MIT as displaying “best practices” in controlling security problems. This apparently refers to our response to discovered vulnerable/compromised hosts:

• Vulnerable hosts are warned/advised on next steps, then given a response deadline. (EXCEPT for Windows/IIS, which are treated as compromised.)

• Compromised hosts are disabled immediately; then advised on recovery steps.
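The two handling rules above, expressed as a triage routine. This is an added illustration, not MIT's tooling; the seven-day response window, the escalation of an overdue vulnerable host to "disable", and the sample hostnames are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Assumed response window; the slide says a deadline is given but not its length.
RESPONSE_WINDOW = timedelta(days=7)

@dataclass
class Finding:
    host: str
    platform: str      # e.g. "linux", "windows/iis"
    state: str         # "vulnerable" or "compromised"
    detected: date

@dataclass
class Action:
    host: str
    action: str        # "warn" or "disable"
    deadline: Optional[date]
    reason: str

def triage(f: Finding, today: date) -> Action:
    """Apply the handling rules from slide 7 to one finding."""
    state = f.state
    # Vulnerable Windows/IIS hosts are treated as already compromised.
    if state == "vulnerable" and f.platform.lower() == "windows/iis":
        state = "compromised"
    if state == "compromised":
        return Action(f.host, "disable", None, "compromised: disable now, then advise on recovery")
    if state == "vulnerable":
        deadline = f.detected + RESPONSE_WINDOW
        # Assumption: a host still vulnerable after its deadline is disabled.
        if today > deadline:
            return Action(f.host, "disable", deadline, "response deadline passed")
        return Action(f.host, "warn", deadline, "vulnerable: warn/advise, deadline set")
    raise ValueError(f"unknown state {f.state!r}")

def triage_all(findings: List[Finding], today: date) -> List[Action]:
    return [triage(f, today) for f in findings]

# Constructed sample findings (hostnames are placeholders, not real systems).
SAMPLE = [
    Finding("lab-01.example.edu", "linux", "vulnerable", date(2002, 1, 3)),
    Finding("web-02.example.edu", "windows/iis", "vulnerable", date(2002, 1, 9)),
    Finding("node-03.example.edu", "solaris", "compromised", date(2002, 1, 9)),
    Finding("old-04.example.edu", "linux", "vulnerable", date(2001, 12, 20)),
]

if __name__ == "__main__":
    for a in triage_all(SAMPLE, date(2002, 1, 10)):
        print(a)
```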

Page 8


Concerns

• More grant oversight imposes costs.

• Specific requirements troublesome given wide variety of systems and environments.

• General FUD

Page 9


Response?

• Do we believe campus networks are a significant problem? (do we need help?)

• If so, are there less-burdensome approaches to increasing security?

• Community standards?

• Educating legislators/regulators?