Q&A: Eugene Spafford on Cybercrime, Security Research

By Dennis Fisher
Threatpost
December 14, 2009

Threatpost editor Dennis Fisher talks with Eugene Spafford of Purdue's 
CERIAS center about cybercrime, funding for long-term security research 
projects and whether the federal cybersecurity coordinator position 

Fisher: Do you see any indications that there will be more funding 
coming from the federal government for longer term research projects in 
the near future?

Spafford: Not really. There are provisions for more research money in 
some draft legislation that's in Congress right now, but they are 
authorizations, not appropriations. And that's a big distinction. There 
are a lot of other priorities right now, obviously. We have two wars 
going on. I don't have high hopes of there being an influx of new money.

Fisher: You wrote a blog post a couple of months ago about the lack of 
leadership on cybersecurity in the federal government. At some point 
Obama will appoint the cyber coordinator. But will that even matter?

Spafford: I don't see how. It's a position that's going to report up to 
the economic council and the security council. It won't have any 
statutory authority. It won't have any budgetary authority. That does 
not give it much authority of any kind. The problem is that there are 
organizations in the government that have some part of the problem 
space, like DHS, Defense, the NSA. They have good people on it and 
they're making headway. But the structure of the government response 
misses portions of the problem. It isn't a coordinated effort and 
there's no awareness of the magnitude of the problem. There's certainly 
a recognition in the military that there needs to be a better response, 
and that's what we're seeing in the establishment of the cyber 
sub-command. That could be good. But a lot of it will depend on the 
managing authority. But it does show progress. The downside is that the 
military views the protection of military assets as their job and the 
protection of other assets is someone else's job. They're not going to 
protect the banks and the utilities and the telcos and the power grid 
and everything else. So whose job is it? Where's the coordination and 
overall picture of how this works? So when I hear that there are 
supposedly people who have been interviewed for this cyber coordinator 
job and didn't take it, I'm not surprised. It's not a winning position. 
I'm not at all surprised by the fact that it's empty. That position is a 
blame-taking position.

