Bush to U.S. Colleges: Send in the CIOs

Security plan calls for designees to aid feds in collecting, sharing data.

The Bush administration is expected to call on U.S. colleges and universities to put people and processes in place to further help the government collect and share data.

The plan, which is part of a draft of the National Strategy to Secure Cyberspace and was crafted by the President's Critical Infrastructure Protection Board, also suggests lawmakers consider tying state and federal funding to each school's compliance with the new rules.

According to a draft of the plan obtained by eWeek, the board recommends each college and university designate a CIO with well-defined enforcement powers. The plan is due to be released Sept. 18.

Bastions of free-flowing information and cutting-edge research and testing, institutions of higher education are a natural target for the federal government's cyber-security efforts. The National Strategy to Secure Cyberspace names higher education as one of five critical sectors in need of improved security measures. According to sources at several Big 10 universities, the strategy's proposals stem largely from suggestions offered by the Task Force on Computer and Network Security, a higher-education initiative formed two years ago. However, the education community does not support the suggestion that government grants be linked to compliance.

While most schools have information officers in place, their powers vary considerably, and in many cases they do not have the authority to enforce campuswide standards. To spur more-enforceable policies, the education community should establish model guidelines empowering CIOs, according to the draft.

"CIO responsibilities differ widely by college," said Kim Milford, information security manager at the University of Wisconsin, in Madison. "For example, Indiana University has a good model, and they're thinking of moving it up to the chancellor level. But there are other places where security is still at the administrative level."

Whether it is the CIO or another officer, a single point of contact at every university and college should be available at all times to ISPs and law enforcement agents, the strategy recommends. While many institutions have such a designee, the individual is not always readily identifiable in a crisis.

"A lot of times, this person is buried within the administration," said Mark Bruhn, chief IT security and policy officer at Indiana University, in Bloomington. "They might be too low in the organization to wield authority."

The draft also recommends that colleges and universities set up a formal ISAC (Information Sharing and Analysis Center) of their own.

In general, network security managers in education applaud expanded efforts at collaboration. Some are concerned, however, that establishing a higher-education ISAC could divert resources and duplicate efforts.

"My guess is that the first reaction to this idea will be: Great idea, but who's going to pay for it?" said Brian Remer, IT management consultant at the University of Wisconsin. "If it comes with dollars, that's another thing."

Eager to improve security, education IT administrators are nonetheless universally wary of government proposals that will mandate the way they allocate scarce resources. While the administration does not formally recommend that government grants be tied to compliance with cyber-security benchmarks, the draft strategy suggests the issue be raised for discussion and resolution in a future iteration.

Most university IT specialists already know where they stand. "The loss of flexibility would be a problem," Bruhn said. "We would rather decide for our community what the community needs to do, rather than have the federal government impose a mandate on us. If we do things right, it should not be necessary for the imposition of rules."