Spafford was part of a panel of educational and industrial leaders asked to address the U.S. House of Representatives Science Committee.
"We cannot hope to protect our information infrastructure without a sustained commitment to research and the development of new experts," Spafford said. "The incredible growth of our society's deployment of computing has too often been conducted with concerns for speed or lowest cost rather than with concern for issues of safety, security and reliability. Security cannot be easily or adequately added on after-the-fact, and this greatly complicates our overall mission."
Spafford told committee members the number of incidents of malicious software, system attacks and cybercrime are more than doubling each year, and current estimates of losses are in the tens of billions of dollars per year.
"The software and hardware being deployed today is often designed by individuals with little or no security training and is poorly tested," he said. "This is being added to the fault-ridden infrastructure already in place and operated by personnel with insufficient awareness of the risks. Therefore, none of us should be surprised if we continue to see a rise in break-ins, defacements and viruses in the years to come."
Spafford, professor of computer sciences and director of Purdue's Center for Education and Research in Information Assurance and Security, spoke on behalf of the Association for Computing Machinery's Committee on U.S. Public Policy. ACM is an educational and scientific computing society made up of computer professionals and educators. Spafford serves as co-chair of the organization's Committee on U.S. Public Policy, which seeks to assist policy-makers on legislative and regulatory matters of concern to the computing community.
He outlined five areas of greatest concern to those conducting research and education in information security: support for research, development of infrastructure, access to real-world data, personnel shortages and legal impediments.
He noted that funding from industrial and government sources often focuses on short-term results or narrowly defined initiatives. Few, if any, of these funding sources provide the kind of long-term, ongoing support needed to address the problems of information security, he said.
"Of more concern, in recent years cost-cutting measures have driven funding agencies to focus more on short-term research than on basic research," Spafford said. "Instead of finding ways to design new systems resistant to attack, we thus find most of the research being directed to how to apply newer patches to the same old buggy code. This does not serve to fix the long-term problems, nor does it serve to help build the capacity of educational institutions to do further research."
To perform relevant research and education, universities and other research institutions need up-to-date hardware and software and adequate space to house equipment and personnel. "However, because of the nature of the field and the speed of its evolution, few institutions have the resources necessary to continuously support and evolve the infrastructure needed for current research in this area," he said.
Researchers also need more access to real-world data for analysis and validation, he said.
"Companies and government agencies are unwilling or unable to provide access because they consider the data sensitive or proprietary. It is not possible to construct valid models or solutions unless we can properly analyze the actual problems."
Securing the nation's information infrastructure also means addressing legal impediments that limit or curtail research efforts.
"Content owners have stridently lobbied for greater and greater protections for their on-line property," he said. "Unfortunately, the evolution of the law has led to unintended consequences for those of us working in security. In several instances, research into novel forms of information security has been curtailed because patent holders have threatened researchers. University faculty members do not have the resources to fight such threats."
More recently, provisions of the Digital Millennium Copyright Act have led to faculty being threatened with lawsuits for publishing their security research, he said.
"Some faculty, myself included, have had to curtail or stop our research in security forensics because of the potential of our being arrested or sued," he said.
Legislation scheduled to be introduced into the Senate may further restrict what research is conducted in information security, Spafford said.
Spafford said industry shouldn't be depended upon to find solutions to solve the security problems. "Industry is concerned with getting products to market as quickly as possible, at the lowest cost," he said. "The result is often software with extraneous, poorly designed and poorly tested features. In addition, many software companies have disclaimed all liability in their licenses, and sought to insulate themselves from adverse reactions and scrutiny of their software through laws enacted at the state and federal levels."
Writer: Susan Gaidos
Purdue University
News Service
1132 Engineering Administration Building
West Lafayette, IN 47907-1132
Voice: 765-494-2096
FAX: 765-494-0401
NOTE TO JOURNALISTS: Eugene Spafford is in Washington, D.C., this week. To make arrangements for interviews, contact Susan Gaidos, (765) 494-2081, home: (765) 463-0596; sgaidos@purdue.edu. Also, a publication-quality photograph of Eugene Spafford is available at http://news.uns.purdue.edu or at ftp://ftp.purdue.edu/pub/uns/. It is called Spafford.jpeg.