[Full-disclosure] Fred B. Schneider testimony on Cybersecurity Credentials
shawnmer at gmail.com
Sat Feb 5 21:33:27 GMT 2011
Testimony of Fred B. Schneider
Samuel B. Eckert Professor of Computer Science
Cornell University, Ithaca, New York
February 19, 2010
A Cybersecurity Credential.
Most professions expect their practitioners to have a credential
before they are allowed to practice. But I believe that credentials
by themselves are not the solution. At best, they are a symptom of a
solution. For example, you might hope that a credentialed individual
would engage in best practices. But hope is
all you can do. Possession of a credential does not by itself compel
the use of best practices, and it is easy to imagine credentialed
system builders cutting corners by choice (such as out of laziness)
or by mandate (such as from management trying to cut costs).
Also, the value of a credential depends on the institutions that
define what content must be mastered to obtain the label. To whom
should society be willing to vest that responsibility? How do we
ensure that the content and standards enshrined by the credential
have been selected based entirely on society’s best interests rather
than financial gain or commercial advantage?
In a fast moving field, content will change rapidly. The credentialing
process must keep up, as must credential holders. Otherwise,
credentials impede the spread of innovation because people who employ
practices learned for a credential are soon engaging in outdated
methods. So a credentialing scheme must take this into account.
We are not the first group of professionals to face these problems.
Credentialing schemes that the legal and medical professions use, for
example, seem to serve society well. Therefore, it would be wise to
understand the particulars of those credentialing processes before
endeavoring to create one for producers of trustworthy systems. I
see three elements as being crucial to the success of these extant
• Obtaining a credential requires far more than passing an
examination. To earn a credential, a candidate undertakes years of
post-bachelors education, in which the curriculum has been set by the
most respected thinkers and practitioners in the field.
• Credential holders are required to stay current with the latest
developments in the field by continuing their education through
courses sanctioned by the institution that issues credentials.
• The threat of legal action to individuals (including malpractice
litigation) incentivizes professionals to engage in best practices.
In sum, using exams to create labels for our workforce might sound
like a way to get more trustworthy systems, but it’s not. To have the
desired effect, a credential must bestow obligations and
responsibilities on practitioners. Moreover, curriculum and
educational programs—not an exam—are central to the enterprise.