Autumn '04-05
Course Information
  Description As the U.S. and the world become increasingly reliant on digital systems and the public Internet, the security and reliability of these complex systems become increasingly critical. Ensuring that our digital infrastructure can meet these escalating demands necessitates development of both the right technology and the right public policy. This interdisciplinary course will draw on speakers and research from the fields of engineering, public policy, law and economics in an effort to investigate and determine whether today’s Internet is an appropriate platform on which to operate critical infrastructure services that affect U.S. national security.

There are no technical or policy prerequisites; curiosity and interest are the only requirements. The course is particularly relevant for students interested in independent research or honors thesis work in the area of cybersecurity.
Faculty Sponsor William J. Perry
  Course Leaders Martin Casado, Keith Coleman, Dan Wendlandt
  Contact Email with questions or comments.
  Date & Time Thursdays, 4:15 - 6:30 PM

Lane Hall - Bldg 200, rm 105

  Course Number Management Science & Engineering 91SI
  Grading and Units 2 Units, P/NC
Main Course Text
Critical Information Infrastructure Protection and the Law: An Overview of Key Issues (view online or purchase)
Stewart D. Personick and Cynthia A. Patterson, Editors, Committee on Critical Information Infrastructure Protection and the Law, National Research Council
Additional Cybersecurity Materials For access to more cybersecurity readings and resources, please visit our Stanford Cybersecurity Library (NEW)
Tentative Schedule  (last year's schedule and readings)
  September 30 Introduction: The Cybersecurity Challenge
    Lecture Slides
Click here to download lecture slides.

Course Info Handout

October 5 (Tuesday) Tech Breakout I: Internet Basics

Lecture Slides
Click here to download lecture slides.

Suggested Readings

How Internet Infrastructure Works :  A description from “How Stuff Works” providing a high-level overview of the Internet architecture. 

How Does the Internet Work? :  An introductory yet in-depth description of how major components of the Internet infrastructure operate. 


October 7 How To Think About Cybersecurity

Required Readings

How to Hack a Bank : An older article describing vulnerabilities and losses within the banking industry due to Internet attacks. Only the first 14 numbered sections are required reading.

UCITA - A Security Threat : Outlines a controversial piece of proposed legislation that allows software-makers to legally install backdoors in commercial software.

What You Need to Know About Phishing : An overview of the phishing problem from Microsoft. Take note of how the article outlines the many different actors that come into play when attempting to fix this vulnerability.

Gambling Sites, This is a Holdup : Describes the current threat posed to online businesses by Denial-of-Service extortion threats.

Monopoly Considered Harmful
Monocultures are Hard to Find in Practice
Point, counter-point articles by leading experts discussing the threat of monoculture within cybersecurity.

License PC Users? It's a Thought
Article discussing the oft-mentioned proposal to require a license to use the Internet, in hopes of curbing security issues caused by unknowledgeable users.

New Hope for a Security Lock-down
Takes a look at the role government can play in defining security standards and using its significant buying power to influence the security of commercial products.


October 12 (Tuesday) Tech Breakout II: Viruses, Worms, Firewalls and Crypto

Lecture Slides
Click here to download lecture slides.

Suggested Readings

SANS Top 20 Vulnerability List
An evolving list citing the top 10 vulnerabilities in both Windows and Linux systems.  Scan this article and pay particular attention to the description of the vulnerability and the details of what must be done to mitigate the vulnerability. 


  October 14 An Operational Perspective of Cybersecurity
Video Lecture : Arthur Pyster, Federal Aviation Administration (FAA) Deputy Chief Information Officer

Required Readings

How to Spend a Security Dollar
This article provides one view of how a company should spend its budget for IT security.  While reading, make a note of areas you think need either more or less money than the author suggests.

Suggested Readings

Companies Adapt to a Zero Day World
Article describing the challenge posed to corporations by the potential for a "zero-day exploit", one which is released before a patch is available.


  October 21 Cybersecurity Policy

Lecture Slides
Click here to download lecture slides.

Required Readings

Critical Information Infrastructure Protection and the Law (pages 8-24) : Covers a brief introduction to critical information infrastructure protection and explores the key issue of information sharing within a public-private cybersecurity partnership. 

The National Strategy to Secure Cyberspace : The guiding document for the US government’s cybersecurity efforts.  Outlines the threat and the government’s initiatives focusing on a public-private partnership and information sharing.  The 10 page Executive Summary is required, but the remainder of the document will be extremely helpful in being able to critically analyze the ideas presented in the plan. 

Suggested Readings

US Cybersecurity Chief Resigns : Article covering the resignation of Amit Yoran as the head of DHS cybersecurity efforts, citing frustrations concerning the importance of cybersecurity within DHS. 

DHS moves ahead with cybersecurity R&D efforts : Article outlining major DHS R&D initiatives within cybersecurity. 

Progress and Challenges in Securing the Nation’s Cyberspace : A July 2004 report by the Office of the Inspector General analyzing the progress DHS has made toward improving national cybersecurity.


  October 28 Cybersecurity and Law:  The End-to-End Principle and Unauthorized Access
Guest Speaker: Jennifer Granick, Stanford Law School

Required Readings

18 U.S.C. 1030 - The Computer Fraud and Abuse Act : US federal law outlining illegal behavior on computer systems, serving as an introduction to the concept of unauthorized access.

eBay, Inc v. Bidder's Edge : A 2000 court case in which eBay claims that the use of automated querying of their auction database by auction-aggregation site Bidder's Edge constituted unauthorized access.  Pay particular attention to the case background (Section I) and the portion of the case dealing directly with trespass (Section II.B.1).

Intel v. Hamidi Considers Trespass in Cyberspace : Article covering a case dispute between Intel and a former employee using Intel's email system to contact former employees. The text is very readable and provides an interesting comparison to the notion of unauthorized access presented in eBay, Inc v. Bidder's Edge.

Suggested Readings

Intel v. Hamidi : Full text of the California Supreme Court 2003 decision on the Intel v. Hamidi appeal.


  November 4 Market Incentives and Security Metrics
Guest Speaker: Kevin Soo Hoo, Sygate

Lecture Slides
Click here to download lecture slides.

Required Readings

The Role of Economic Incentives in Securing Cyberspace: Draft paper authored in part by our guest speaker that examines the economic incentives of critical infrastructure protection and makes an argument for a change in direction for national cybersecurity policy. 

A Guide to Security Metrics: Introduction to the important field of security metrics, from the SANS Institute. 

Suggested Readings

Why Information Security is Hard - An Economic Perspective: An often cited paper by Ross Anderson on the impact of economic incentives in information security. 

Sarbanes-Oxley Explained: A whitepaper explaining the responsibility of a company's IT personnel resulting from SOX legislation.  


  November 11 Assessing the Threat
Guest Speaker: Peter Neumann, SRI

Required Readings

Is There a Cybersecurity Threat to National Security : A compilation and analysis of some of the risks faced by the United States as a result of its dependence on the Internet. The paper is authored by Sean Gorman, a graduate student whose thesis of mapping physical telecommunication lines was classified in a highly publicized incident. The text contains many interesting references, but the overall analysis is best read critically.

Nations use Net to spy, plot attacks: ex-Bush aide : Brief article citing former cybersecurity chief Richard Clarke speaking about concerns over current malicious use of the Internet by nation-states.

Suggested Readings

How Real is the Cybersecurity Threat? : Video of a 2002 panel including members from the Office of Cyberspace Security, Microsoft, backbone provider Genuity, Verisign, and a financial services company.  Based on their personal background and experience, each offers a different perspective of the current threat and who is responsible for improving the security of the Internet. 

Frontline Cyberware!  : A well-known and quite dramatic video created by PBS looking at the threat faced by the United States in cyberspace.  This fun presentation of the cyberthreat is best viewed critically but does offer worthwhile insights.  The site also contains many worthwhile interviews with experts from fields related to national security, critical infrastructure protection and Internet security.

Computer-Related Risks and the National Infrastructure : Congressional testimony by our guest speaker Peter Neumann.  While the testimony is from 1997, much of the high level content remains very pertinent today.    

  November 18 What Do We Want in a Future Information Infrastructure?
Guest Speaker: David Alderson, CalTech

Lecture Slides
Click here to download lecture slides.

Required Readings

Critical Information Infrastructure Protection and the Law (Chapter 4)  : The text's brief final chapter entitled "Looking Forward" considers a host of concerns and questions as we consider how the Internet will evolve in the future, both for users and operators.  Pay particular attention to the discussions of economics/insurance, the importance of trust, and the relationship between security and privacy.

GovNet, What is it good for? : Wired article looking at another approach: GovNet is a proposal for the creation of a separate and highly secure network infrastructure for government use. Consider what problems such a strategy both raises and solves.

Suggested Readings

Robustness and the Internet: Design and Evolution:  A paper looking at complexity and robustness issues within the Internet infrastructure and how we can change the architecture to meet future design requirements.

Cyber Security Research & Development Agenda: The Institute for Information Infrastructure identifies what it considers to be the major challenges facing researchers in disciplines relating to cybersecurity. This is a large document, but is worth scanning for sections of interest.


  November 22 Liability, Negligence and Cyber-Insurance
Guest Speaker: Erin Kenneally, San Diego Supercomputing Center

Lecture Slides
Click here to download lecture slides.

Required Readings

Stepping on the Digital Scale: Duty and Liability for Negligent Internet Security : Internet security and legal expert Erin Kenneally provides a strong background in liability law and then analyzes how major cybersecurity stakeholders may be impacted by liability in the future. 

Suggested Readings

Critical Information Infrastructure Protection and the Law (Chapter 3)  : The text's third chapter entitled "Liability for Unsecured Systems and Networks" looks at the three high-level means for securing network assets:  criminal law, civil law, and regulation.  A particularly valuable portion looks at how best practices would impact the use of tort law to drive others to secure their networks.


  December 2 Legislative Debate

Final Assignment: Legislative Policy Analysis (due in class Dec. 2nd)

Case Study 1: Corporate Information Security Accountability Act of 2003 (CISAA)
Text of Legislation Congressman Adam Putnam. U.S. House of Representatives. 2003.

"Cybersecurity legislation may go to Congress," Grant Gross. Computer World. September 2003.

Case Study 2: Internet Service Provider Security and Accountability Act of 2004 (ISPSAA)
Overview of Legislation The Honorable Senator Daniel Keith Martin. U.S. Senate in Exile. 2004.