From Fear-Monger To Consensus-BuilderFrom Fear-Monger To Consensus-Builder

Fear-monger. Chicken Little. That's the kind of criticism Michael Vatis took when, as founding director of the National Infrastructure Protection Center, he warned of potential hacking attacks with the arrival of the new millennium. After 2000 dawned without a single significant millennium cyberattack, he fell under attack himself, in the media. But Vatis, now director of the Institute for Security Technology Studies at Dartmouth College, isn't complaining. Because addressing national IT infrastructure security problems is a critical mission that's become only more important since Sept. 11.

Finding ways to secure IT infrastructure is the toughest shared challenge facing private business and government. There are problems in the design and programming of software, as well as in the ways various applications interact on a network. There are issues of how to convince business and government to share sensitive, closely held security information-and to spend on security initiatives without the promise of a direct return on investment. There's also the question of how laws will be enforced in a cyberworld that knows no geographical boundaries.

Arguably, no one in the country knows those problems more intimately than Vatis. After directing the NIPC for three years, Vatis, 38, decided earlier this year that he could address the information-security issue to greater effect as a cybersecurity evangelist and as head of security research at Dartmouth. The research under way at the Institute for Security Technology Studies includes the development of a system-security-evaluation simulator to help organizations understand the interplay of cybersecurity applications in complex networks, a monitoring system that would report the real-time health status of the Internet, and a warning mechanism to detect the early stages of cyberattacks.

The threats to business and critical infrastructure are profound: Telecommunications, energy, financial systems, and air-traffic control are all vulnerable to attack. That's why Vatis is establishing the Institute for Information Infrastructure Protection (I3P). Its mission: to develop a national R&D agenda for information-infrastructure protection that will identify and prioritize the top security needs. With a total of $6 million that Congress has appropriated for fiscal years 2001 and 2002, Vatis is approaching other academic research centers and leaders in business and government to participate.

As Vatis envisions the group's growth, the IT-security agenda would be reassessed annually to help researchers decide where to focus most of their efforts. "It could also be used as an assessment and measuring tool by government agencies that provide funding for cybersecurity research," he says. "Private companies also could use the agenda to develop ideas for their research."

It's his background of building a consensus around the importance of information security that positions Vatis to bring his vision for I3P to fruition. And it's the high stakes that make achieving the goal a must, says Michael Erbschloe, author of Information Warfare: How To Survive Cyber Attacks (McGraw Hill Professional Publishing, 2001). "It's a formidable task, but one that must be done," Erbschloe says. "You couldn't have picked a more prepared, dedicated person than Vatis to get this job done."