Who's Watching the Store?


Every sector is becoming increasingly dependent on information technology, especially the Internet, to conduct business and to stay competitive. That dependence has been accompanied by a growing threat from those who seek to disrupt Internet activities for personal gain or mischief.

Look at some recent stories:

  • High-visibility Web sites at Yahoo and CNN were blasted off the Internet through "denial of service" attacks.
  • Fourteen computers at the Agriculture Department were put out of service for several weeks because of an intrusion.
  • The State Department Web site that supports political operations around the world was compromised, its information altered and backdoors installed twice in less than eight months.
  • The federally sponsored Internet2 Site at the University of Minnesota was brought down for nearly two days by 232 infected computers at other sites being used to attack it. At four other commercial and academic sites, more than 1,400 computers were infected. The FBI issued a warning that potential attacks from infected computers put the Internet at risk.
  • Navy and NASA computers have been infected in the same way.

Computer security breaches no longer are someone else's problem. Protecting valuable computer and telecommunications resources requires trained professionals who understand the latest techniques for protecting against, detecting and recovering from intrusions.

Agency managers who allow their systems to be compromised can expect to find themselves squarely in the sights of congressional watchdogs and others who believe that private information should be kept private or that federal systems should not be compromised. More importantly, these managers risk undermining public confidence in government and the Internet. And, even worse, they may be closed down. That's what happened to the Environmental Protection Agency's Web site recently, as a result of congressional pressure that suggested the risk of compromise was so high that all public access should be denied.

Finding Trained Professionals

Technology managers have no way to determine whether people claiming to be computer security professionals know what they are doing. But the challenge of finding trained professionals does have analogs.

When we engage in high-risk or high-stakes activities such as flying in airplanes, obtaining medical services or assuring the financial integrity of our operations, well-understood and widely accepted credentialing processes give us confidence that we are relying on competent professionals. Those processes have five elements in common:

1. Individuals must have completed a formal training program accredited by an independent professional organization.

2. They must have demonstrated their ability to apply the concepts they learned through managed apprenticeship programs. Medical doctors have to complete internships and pilots have to fly airplanes.

3. They must pass a rigorous examination that includes both theory and practice administered by an independent professional organization.

4. To retain their professional credentials they must meet continuing education requirements.

5. Practitioners must subscribe to a professional code of ethics.

Potential employers and/or consumers then can have reasonable assurance that the professional with whom they are dealing is properly trained. For some fields, such as accounting, successful completion of an accredited training program may be sufficient. But for most jobs, all five components are required before an individual is entrusted with a critical task.

Casting Credentials

The information technology profession has long struggled with the concept of professional certification, dating back to the certified data processor (CDP) created by the Data Processing Management Association. Many educational organizations have created certification programs in sub-specialties, such as project management, but none has all the components of a professional certification outlined above. And most seek, as their primary objective, to promote a particular training curriculum.

Software and hardware vendors have established certification programs to ensure clients know how to use their products, but these programs have been damaged by promises of certification without much work. Today, few employers are even aware of certification programs and even fewer make them a requirement when hiring a job candidate or a consultant.

Since 1978, the Information Systems Audit and Control Association (ISACA) (www.isaca.org) has issued the certified information system auditor (CISA) credential to those who pass its exam, have the requisite experience, subscribe to its code of professional ethics and meet continuing education requirements. The International Information System Security Certification Consortium (ISC2) (www.isc2.org) developed a certification for professionals with at least three years of experience who pass its exam and subscribe to its code of professional ethics. Recertification every three years is based on a continuing education requirement. The Information Systems Security Association (ISSA) Web site (www.issa-intl.org/certification.htm) lists other professional certificate programs. Even the federal government, under the leadership of the National Security Agency, has developed standards for measuring mastery of various security skills.

Programs like those sponsored by ISACA and ISC2 are valuable for auditors and security managers. Unfortunately, they do not measure whether people can handle the technical tasks required to keep systems secure: intrusion detection, firewall tuning, incident handling, and Cisco, NT and Unix security, for example. For that, a new level of education and certification is required.

What Is Missing

Like flying airplanes, practicing medicine or handling large financial assets, running computer systems is inherently a high-risk activity requiring trained professionals. Passing a rigorous exam and having substantial experience, at least on paper, are important but not sufficient. There is no substitute for completing a thorough, independently accredited education program and demonstrating skills in simulated and actual conditions.

Requiring completion of an accredited training program reduces the risk that unqualified individuals will obtain the credential and enhances the credibility of the professional certification. These programs also help employers determine which job candidates are prepared for junior or entry-level positions.

It is time for the IT security profession to develop a scheme for accrediting training programs both at colleges and universities and at training institutes. Professional associations, such as ISC2 and ISSA, and groups of system and network administrators, the ultimate beneficiaries of the education, must be involved.

Until accredited programs and skills-based certifications are in place, the only path available to agency managers is to hire outside reviewers to test their systems for security vulnerabilities. But that is often expensive and incomplete. A recent General Accounting Office-sponsored test of NASA's information security by the National Security Agency audited only a tiny fraction of the computers managed by NASA.

On Jan. 7, the President announced an initiative to fund security education. Some of us are old enough to remember the questionable programs that sprang up in the 1940s and 1950s under the GI Bill, offering training in everything from electronics to flying airplanes. Do we really want the products of similar programs securing our computers?

Alan Paller is director of research for the SANS Institute, an organization of technical security professionals.

Franklin S. Reeder teaches, writes, and consults on public management and information technology issues. He headed OMB's information policy staff.
