Social Advances


Although advances in technology might assist the incident response team, this is often a two-edged sword. The rapid pace of technology and the increase in networking also make the attacker's job easier. The same is true of changes in nontechnical areas. Changes in legal statutes and precedents might make it easier to prosecute or to improve international or interjurisdictional cooperation. Changes might also introduce new risks (as in the case of some of the privacy regulations).

Legal Issues

One of the major challenges in incident response has been the coordination of legal efforts across jurisdictions. Major steps have been taken to alleviate this, but the problems remain. The Council of Europe treaty discussed in Chapter 7, "Legal Issues," is a good example of this.

There are still major jurisdictions in the world, however, where laws against hacking are either nonexistent or poorly enforced. Agencies might not have the technical skills or the infrastructure to investigate these crimes. Cliff Stoll, in his classic book The Cuckoo's Egg, gives excellent examples of the difficulties in coordinating an investigation across international borders. He also illustrates the problems in doing a phone trace in a country where the switches are still manual.

It would be nice to state that the situation has improved, and it has in many locations. However, there are still other areas where the state of affairs is much the same. For example, following the outbreak of the Love Bug worm in early 2000, investigators detained people in the Philippines. At the time, there was no law on the books that prohibited the writing or release of a computer virus in that country.

Consumer protection and privacy laws will also continue to impact incident response. Financial and healthcare organizations are now required to protect personal information. The European Union has extensive privacy regulations that, among other things, prohibit the transfer of personal data to any country that does not explicitly comply with the EU regulation.

Cooperative Response

One of the major problems with large-scale incident response is securing the cooperation of all the parties involved, especially where multiple legal and political jurisdictions are concerned. Incident response tends to be insular, limited to the specific organization involved (and perhaps local law enforcement agencies).

Large-scale, cooperative efforts could be the single most effective step in improving incident response. Unfortunately, these do not appear likely in the short term. Politics at all levels (including corporate, national, international, and within organizations) makes it difficult to formalize a cooperative process. Lack of resources (both in terms of money and trained personnel) might impede these efforts as well, and it is likely that attackers will continue to choose venues that cannot or will not cooperate as the source of their attacks.

There might also be issues with the disposition, ownership, and release of information gathered during incidents. Technical information about the networks or the attack could be dangerous if released. Private information about individuals or organizational proprietary data might be protected in some jurisdictions and not in others.

Education

In recent years, the growth of the computer security field has prompted a similar growth in formal education programs. It is now possible to study information security as a discipline at the graduate level. James Madison University in Virginia offers a program that leads to a Master of Science in Computer Science (MSCS) with a concentration in computer security. [2] The program consists of a number of seven-week Internet-based classes. Students have up to six years to complete the program. Other educational institutions appear to be following suit.

[2] More information is available on the JMU web site at www.infosec.jmu.edu/program/html/program.htm.

JMU also sponsors the Center for Research in Information Systems Security Education (CRISSE, www.crisse.org), which facilitates information security education through all levels of education including K-12, undergraduate, graduate, and doctoral. Part of the activities of the center includes the sponsorship of an annual conference called the National Colloquium for Information Systems Security Education in conjunction with other educational institutions and government agencies. The 2001 colloquium was held at George Mason University and counted the Critical Information Assurance Office, Ernst & Young, George Mason University, Idaho State University, ISC2, James Madison University, Microsoft Corporation, the National Security Agency, and Virginia Center for Innovative Technology among its sponsors.

Conferences are also presenting courses in incident response. Systems Administration, Networking, and Security (SANS, www.sans.org), for example, now offers specific tracks in incident response at most of its conferences. The MIS Training Institute (MISTI, www.misti.com) covers incident response in both its conferences and its executive symposiums.



Incident Response. A Strategic Guide to Handling System and Network Security Breaches
ISBN: 1578702569
EAN: 2147483647
Year: 2002
Pages: 103
