If you believe a public library is a majestic bastion of encyclopedic tomes, then you have not been inside one for a very long time.
The overwhelming majority of libraries in the U.S. provide the general public with free, unrestricted internet access – which presents a serious challenge to information security.
The library serves the public as an internet conduit, but the public is not generally security aware. Most users are naive and unenlightened, prey to scams and social engineering ploys, and easily deceived, misdirected and misled. Most are not committed to keeping up with the latest security patches, updates, service packs, virus definitions or best practice. The "success" of Blaster, Korgo and the proliferation of mass-mailing malware demonstrates the havoc that unpatched, unprotected home machines can wreak on the online environment.
Any security officer will agree that it does not require a hacker to bring down a server, a remote site, an office LAN or a corporate WAN. One dumb user can do the job. Hence, users must be protected from themselves. The effective CIO can enforce this for their subordinates, but who will do it for the people?
Libraries should be the guardians and gatekeepers of secure public internet access. Part of their public-service mandate should be to encourage safe computing practices in their respective communities both by education and by example. Support for the "three R's" (reading, writing and arithmetic) should be updated to include the "three I's" (information security, information literacy and information awareness).
This mandate is slowly but inexorably permeating the online community. The public is being informed. That being said, who trains the trainers?
Librarians are information professionals, not security professionals. Few, if any, have ever taken a SANS course or set up an anti-virus server. Quarantines are for measles and Honey Pots are for Pooh Bears. There is justifiable pride in community service and well-intentioned information access, but this is not enough, especially now that the telecoms industry openly markets broadband with pervasive ads and commercial messages. Even TV sitcoms exploit the use and abuse of the online world.
There is a regrettable paucity of training in the rudiments of security protocols or practices at the library. This is well illustrated by a true story:
A patron walks into a library. He tells the librarians that he has "contracted" MyDoom. What should he do? The first librarian tells him to contact the vendor. Librarian number two rushes to Google.com. Librarian three simply shrugs her shoulders.
Any seasoned security professional knows that all three responses are ineffective. The hardware vendor who sold the patron his PC generally does not support solutions to consumer virus problems. A Google search produces more than a million hits, with no way for the patron to tell a vendor write-up from a scam page. Shrugged shoulders accomplish nothing.
An experienced security professional selects an authoritative anti-virus web site (www.symantec.com, www.mcafee.com, www.cert.org, www.ciac.org and so on), searches for the malware by name, reads the write-up to confirm the affected platforms match the patron's machine, and then downloads the removal tool from that same site rather than from an arbitrary search result. Total time used for such a process? Around 20 seconds. The problem is easily solved (and one more virus or worm infection averted) but, for lack of focused training, the problem continues.
So what is the public to do? This is a very real issue for the IT security professional, because the propagation of malware throughout the public sector makes control a ceaseless challenge. The conclusion is self-evident: the library should be a first line of defense for information security.
Library managers will insist that they just do not have the budgets for all this, but there is an efficient and effective solution – big business could subsidise the cost of security training for the library and educational community.
The public wants more, and faster, terminals, not the invisible costs of security training. Corporate support and sponsorship makes good sense in dollars and good sense in community public relations.
A CIO might well see their network infected by a nasty worm that a member of staff picked up through the public conduit and carried into the office. They might even be held liable for its propagation. CIOs should take the enlightened, progressive approach: security training is not a cost. It is an investment in the network and the community.
Many IT security folk will dismiss such support as insignificant. The naysayers (and perhaps mercenary consultants) exhort: "Leave it to the security professionals!"
Given the scope of internet use by the general public, this is no longer a relevant or cogent argument. This attitude is comparable to a recalcitrant physician who views an emergency medical technician or paramedic as an underling, rather than as an ally.
Promoting the mandate of information security is imperative, not only for corporate managers, but also for information professionals who serve the public interest. Public libraries can be and will be powerful leaders for security awareness in their local communities. We will all be better and safer for it. Libraries should be at the forefront of information security.
Dr Lee Ratzan is a systems analyst at a major healthcare agency in New Jersey and teaches information systems courses at the School of Communication, Information and Library Studies, Rutgers University