Autumn '06-07
Course Information
  Description As the U.S. and the world become increasingly reliant on digital systems and the public Internet, the security and reliability of these complex systems is more critical than ever. Meeting the nation's escalating demands of digital infrastructure requires both the right technology and the right public policy. This interdisciplinary seminar will draw on speakers and research from the fields of engineering, public policy, law and economics to investigate whether today's Internet is an appropriate platform on which to operate critical infrastructure services that affect U.S. national security.

There are no technical or policy prerequisites; curiosity and interest are the only requirements.
Faculty sponsor William J. Perry
  Course leaders Martin Casado and Keith Coleman
  Contact Email with questions or comments.
  Date & time Thursdays, 4:30 - 6:30 PM
  Location Wallenberg Hall - Bldg 160 Room 325   (Note: the room has changed from Terman 152 to Wallenberg 160-325)
  Course number Management Science & Engineering 91si
  Grading and units 2 Units, P/NC
Additional materials For access to more cybersecurity readings and resources, please visit our online library
Tentative Schedule  (Schedule and readings from Autumn 04-05, Spring 03-04 )
  September 28 Introduction: the cybersecurity challenge

Lecture slides ( pdf | ppt )

Course info handout ( pdf | doc )

  October 5 Technology and policy 101

Technology 101 - Lecture slides ( pdf )

Policy 101 - Lecture slides ( pdf | ppt )

Required readings

How Does the Internet Work? : An introductory yet in-depth description of how major components of the Internet infrastructure operate.

CNET: Bush unveils final cybersecurity plan : Overview of the National Strategy to Secure Cyberspace, and includes optional links to critiques of the plan.

2005 GAO Congressional Report: Department of Homeland Security Faces Challenges in Fulfilling Cybersecurity Responsibilities : A review of the Homeland Security department's progress to date on cybsercurity, including an interesting back-and-forth with DHS. Only the "Results in Brief" section (pp. 6 - 8 in the PDF) is required.

  October 12 An industry perspective on cybersecurity
    Guest speaker: Stephen Hansen, former security officer at Google and Stanford

Lecture slides ( pdf )

Required readings

How to spend a security dollar : One view of how a company should spend its budget for IT security. While reading, make a note of areas you think need either more or less money than the author suggests.

The Enemy Within : Discusses internal threats that companies face.

Companies adapt to a zero day world : Article describing the challenge faced by corporations by the potential for a "zero-day exploit", one which is release before a patch is available. 

  October 19 Information security reality in the enterprise
    Guest speaker: Tim Mather, VP of Technology Strategy, Symantec
      Lecture slides ( pdf )
  October 26 Cybersecurity and law
    Guest speaker: Jennifer Granick, Stanford Law School

Lecture slides ( pdf )

Required Readings

18 U.S.C. 1030 - The Computer Fraud and Abuse Act : US federal law outlining illegal behavior on computer systems, serving as an introduction to the concept of unauthorized access.

eBay, Inc v. Bidder's Edge : A 2000 court case in which eBay claims that the use of automated querying of their auction database by auction-aggregation site Bidder's Edge constituted unauthorized access.  Pay particular attention to the case background (Section I) and the portion of the case dealing directly with trespass (Section II.B.1).

Breach case could curtail web flaw finders : An article about a security consultant who was prosecuted after uncovering flaws in USC's online application software. A complement to Jennifer Granick's Wired News column on the topic.

  November 2 Market incentives and security metrics
    Guest speaker: Kevin SooHoo, PacketMotion

Lecture slides ( pdf )

Required Readings

The Role of Economic Incentives in Securing Cyberspace: Draft paper authored in part by our guest speaker that examines the economic incentives of critical infrastructure protection and makes an argument for a change in direction for national cybersecurity policy. 

A Guide to Security Metrics: Introduction to the important field of security metrics, from the SANS Institute. 

Optional Reading

Why Information Security is Hard - An Economic Perspective: An often cited paper by Ross Anderson on the impact of economic incentives in information security. 

Rootkits: The growing threat : A McAfee white paper on rootkits.

SAGE Report: Report on open source and threats..

  November 9 Cybersecurity threats
    Guest speaker: Lieutenant Commander Chris Eagle, U.S. Naval Postgraduate School

Lecture slides ( not yet available )

Required Readings

Organization for Internet Safety: Guidelines for security vulnerability reporting and response

Full Disclosure Policy (RFPolicy) v2.0

Is finding security holes a good idea? : Well-known RTFM paper by Eric Riscola.

The 3 Dirty Little Secrets of Disclosure No One Wants to Talk About : A Securosis op-ed on full disclosure.

Mac Wi-FI: Gruber Needs to Let It Go (and Maynor and Ellch Should Ignore the Challenge) : A Securosis op-ed on the Mac Wi-Fi hack debate.

Thread on D.J. Bernstein's hacking course project : Please your way through thread using "next in thread").

eEye Upcoming Advisories : eEye site that tracks vendor responses to security vulnerabilities.

The Invasion of the Chinese Cyberspies (And the Man Who Tried to Stop Them)
: A Time Magazine article about the TITAN RAIN attack on U.S. military computer systems.

  November 16 A future critical information infrastructure
    Guest speaker: David Alderson, California Institute of Technology

Lecture slides ( pdf )

Required Readings

FIND (Future Internet Network Design) is a major new long-term initiative of the NSF NETS research program to provide funding for “clean slate” redesign of a next-generation Internet. The kickoff meeting was held December 5, 2005. Have a look at the following:

Robustness and the Internet: Design and Evolution: A paper looking at complexity and robustness issues within the Internet infrastructure and how we can change the architecture to meet future design requirements.

GovNet, What is it good for? : Wired article looking at another approach. GovNet is a proposal for the creation of a separate and highly secure network infrastructure for government use.

  November 30 Liability, negligence and cyberinsurance
    Guest speaker: Erin Kenneally, San Diego Supercomputing Center
    Lecture slides ( not yet available )

Required Readings

Stepping on the Digital Scale: Duty and Liability for Negligent Internet Security : Overview of liability law, and analysis of the potential effects on liability on cybersecurity stakeholders. 

  December 7 Cybersecurity debate
    Final Assignment: Legislative Policy Analysis (due in class December 7)

Corporate Information Security Accountability Act of 2003 (CISAA): Text of Legislation, Congressman Adam Putnam. U.S. House of Representatives. 2003.

"Cybersecurity legislation may go to Congress," Grant Gross. Computer World. September 2003.