Managing the Impact of Academic Research on Industry/Government: Conflict or Partnership?
by Kenny Paterson and Fred Piper - Information Security Group, Royal Holloway, University of London - Tuesday, 21 February 2006.
Given our uncertainty about the true impact of our research, we felt that headline grabbing would have been easy but irresponsible. Our solution was to contact staff at the UK’s National Infrastructure Security Co-ordination Centre (NISCC) and invite them to Royal Holloway for a demonstration of our attacks and a discussion about the best way forward. That meeting took place in mid-April 2005. We immediately began work with NISCC's vulnerability team to write a vulnerability announcement; this was released by NISCC to the vendor and user communities in late April and generated enquiries from around a dozen companies, large and small. We worked with NISCC to assess the impact of our research for each of these companies on an individual basis.

Then, on May 9th 2005, NISCC made a High Severity Vulnerability Announcement about our IPSec work. This announcement was relayed by US-CERT, Aus-CERT, and other agencies, and picked up by the likes of zdnet, eweek, The Register, and cnet news. It then went on to generate plenty of speculation and conspiracy theory on slashdot and other on-line discussion sites. Also on May 9th, a research paper describing our attacks was circulated to selected researchers and submitted to a major international conference. A revised version of the research paper was later posted on the web; this improved version incorporated significant feedback from vendors, standards writers and the academic community.

From our perspective, working through NISCC gave us an improved understanding of the impact of our research. It also acted as a valuable relationship building exercise for us, both with NISCC and the Information Security industry. For vendors and users, our choice to work with NISCC ensured they had prior knowledge of the IPSec vulnerabilities before any public announcement was made, and gave them a head start in assessing the impact on their IPSec products and deployments.

This partnership approach required a bit more time and effort on our part. But with national and commercial security interests potentially at stake, applying a precautionary principle seemed to us to be the right way forward. Ultimately, the approach we took had the unexpected benefit of generating feedback that improved the quality our research. And we are now, literally and metaphorically, on the Christmas card lists of a few more important commercial and governmental organizations.

Spotlight

Almost 1 in 10 Android apps are now malware

Posted on 28 July 2014.  |  Cheetah Mobile Threat Research Labs analyzed trends in mobile viruses for Q1 and Q2 of 2014. Pulling 24.4 million sample files they found that 2.2 million files had viruses. This is a 153% increase from the number of infected files in 2013.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Mon, Jul 28th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //