Cybercenter fills security niche

George Mason University National Center for Technology and Law

Officials from George Mason and James Madison universities announced May 14 that they will create a federally funded center to provide resources and research for government and industry organizations that protect the nation's critical infrastructure.

The Critical Infrastructure Protection (CIP) Project, funded by a $6.5 million federal grant, will be led by a partnership between James Madison University and the George Mason University School of Law's National Center for Technology and Law.

The institutions applied together for the grant from the National Institute of Standards and Technology to provide solutions that combine the technical, policy and legal issues involved in CIP and information security.

"This will give us a strength that does not exist anywhere else in the country," said Linwood Rose, president of James Madison University.

The Virginia-based project will serve as a center of expertise and knowledge on cybersecurity. It will sponsor research within the two universities and at other academic institutions and will develop a Web portal for information on CIP issues and research, said John McCarthy, executive director of the project. "There is clearly a need to centralize and organize all research findings," he added.

In 1998, President Clinton issued Presidential Decision Directive 63, which requires that both the public and private sectors protect information systems that support the nation's critical infrastructure, such as communications, transportation and finances.

Many agencies and organizations still have not identified what CIP includes, but the issue has gained momentum since the Sept. 11 terrorist attacks. Richard Clarke, President Bush's cyberspace security adviser, directs the new CIP Board, which is the federal government's lead organization on such issues.

"The work [the two schools] have done is very important. The work they will be doing is very, very important," said Rep. Frank Wolf (R-Va.), chairman of the House Appropriations Committee's Subcommittee on Commerce, Justice, State and the Judiciary. "We are behind the curve, and hopefully what will be done here...will get us even, or get us ahead."

Wolf encouraged the universities to apply for the NIST grant last year, and he will be working with the CIP Project and NIST to ensure future funding, McCarthy said.

The CIP Project is working closely with the government's CIP Board and other groups to determine research needs that the project can fill, McCarthy said. That model of outreach and communication with CIP organizations is how the project will ensure that its research is being put to good use. "My goal is for the CIP Project to be seen as a useful resource," he said.

The CIP Project is working with the National Association of State Chief Information Officers to help form an information sharing and analysis center for each state, McCarthy said. State and local governments are just beginning to identify information sharing needs. The centers will share information and warnings about security vulnerability among members, with companies in their states and with the federal government.

Many industry sectors have formed their own centers under PDD 63, and to advance those efforts, the CIP Project plans to start a program that focuses on their issues and needs.

James Madison University's CIP Project Research and Support Center is working on three research initiatives, the results of which will be made available to both the public and private sectors. They include designing a network security risk assessment model and developing a portable analysis tool to collect information that will feed into a risk assessment system.

Project leaders also will work with industry officials to identify what research or assistance the project can provide for the private sector, said Brad Brown, chairman of George Mason University's National Center for Technology and Law.

***

Focus areas

The Critical Infrastructure Protection Project's four focus areas are:

Outreach and education — Conduct seminars, workshops, and professional education and training for specific groups, including the auditing and business communities. The project will also hold periodic discussions with representatives of government, industry and academia.

Repository of expertise — Provide information to promote better understanding of information security issues. This could include everything from developing model legislation to supporting panels or working groups.

Research sponsorship — Identify and sponsor research into information security matters in technology, law and policy.

Development of special programs — Focus on specific areas of need and interest, such as information sharing and analysis centers, the link between homeland security and information security, and the issue of cybersecurity liability coverage and insurance.