Slashdot Mirror


PITAC Cybersecurity Town Hall Meeting

Nils Janson writes "The President's Information Technology Advisory Committee's Cybersecurity Subcommittee will be holding a town hall meeting on cybersecurity at the GovSec conference at the Washington Convention Center in Washington, DC from 8:00AM to 10:00AM on July 29 (this Thursday). The meeting is open to the public and people interested in cybersecurity are encouraged to attend. It should be a pretty interesting time -- the subcommittee members are actually trying to solicit opinions from people who're interested in and passionate about this sort of stuff."

16 comments

  1. Sounds good, but: by Giant Ape Skeleton · · Score: 1
    Will there be snacks?

    --
    The difference between stupidity and genius is that genius has its limits.
    1. Re:Sounds good, but: by krital · · Score: 2, Informative

      Yes, there will -- light refreshments will be served beginning at 7:30 :)

      --
      -- K
  2. PITAC by bobv-pillars-net · · Score: 2, Funny

    How many people besides me initially parsed the acronym as "Pain In The Ass Committee" ??

    --
    The Web is like Usenet, but
    the elephants are untrained.
    1. Re:PITAC by e9th · · Score: 1

      I did, and it has the potential to become one. But the PITAC Members actually look fairly impressive.

    2. Re:PITAC by Alsee · · Score: 1

      Ahhh! COMMITTEE! Thanx!
      I was wondering what the hell that "C" was doing there.

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    3. Re:PITAC by bill_mcgonigle · · Score: 1

      Yup. I took it as self-deprecating, since PITA is what Security is so often. Somebody has a good sense of humor.

      Since we recently learned that Security guys like to listen to The Dead, you can imagine how the conversation went when they were picking a committee name. Lots of pizza was involved, no doubt.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  3. Focuses by Dachannien · · Score: 1

    Hopefully this committee will take up issues of spy/mal/adware and identity theft, and will reach the conclusion that outlawing software that doesn't make its purpose and installation known to even the stupidest user is the only way to go.

    On the other hand, it's unfortunate that there's not a similar committee to focus on issues of copyright/fair use.

    1. Re:Focuses by Alsee · · Score: 2, Interesting

      On the other hand, it's unfortunate that there's not a similar committee to focus on issues of copyright/fair use.

      Oh, but they *are* addressing copyright and fair use implicitly.

      When they talk about "Trustworthiness" and "cyber security" and "securing the national information infrastructure" they are referring to Trusted Computing.

      Trusted Computing exterminates fair use, and it is an attempt to abandon copyright protection and replace it with DRM enforcement.

      At an earlier Washington DC Global Tech Summit, Richard Clarke, Special Advisor to the President for Cyberspace Security, called on hardware manufacturers to embed Trusted Computing in all devices and for ISPs to make plans to deny internet access to anyone not using a Trusted Computing compliant system. Read his speech from the last two paragraphs on page 11 through page 14. Trusted hardware is already hitting the shelves, and I figure about 4 years for the routine replacement of substantially all existing machines to make it possible to enforce Trusted Computing compliance as part of internet access terms of service.

      The PITAC Cyber Security is all about Trusted Computing. Many (all?) of the PITAC members are involved in Trusted Computing. In particular Spafford jumps out at me; he is the author of the PDFs defending TCPA (the original Trust chip).

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    2. Re:Focuses by Anonymous Coward · · Score: 0

      These things are scams on the public.
      Nothing is ever accomplished, except to placate the public with the myth that the government is listening to them.
      No policy changes of any kind will result from these "meetings".

      Oh, and this is true regardless of which party is conducting them.

  4. C'mon, be serious by nusratt · · Score: 1

    I have absolutely no interest in saying anything which anyone appointed by Dubya would be interested in hearing.

    1. Re:C'mon, be serious by krital · · Score: 2, Insightful

      That's quite possibly the most inane sentiment I've ever heard. If you'd taken two seconds to research this, you would've realized two things:

      1. The PITAC was actually created by President Clinton. The council appointed while Clinton was in office stayed there until 2002, which, I might note, is minimally a year after Bush took office.

      2. The PITAC is composed of real, interesting, professional people who collectively have a huge breadth of experience in the industry. Having been appointed to the PITAC while Bush was in office does absolutely nothing to diminish their credentials.

      Realize that I'm not sticking up for Bush, but I'm sticking up for the PITAC and pointing out that your blanket comment was completely off the mark and ridiculous. It's that sort of knee-jerk idiocy that helps Bush's supporters write off all of his opponents as worthless. Stop, take a second, and think; when you come back with a halfway intelligible response I'll be ready to listen.

      --
      -- K
    2. Re:C'mon, be serious by nusratt · · Score: 1

      You're (mostly) right,

      -- in that I hadn't even "taken two seconds".
      But I'm not even sure that I feel apologetic about that. In the atmosphere of the last three years, now I see anything associated with Bush and/or his ilk and then just automatically assume that it's going to be bad news and raise my bp.

      The man's a cynical condescending clown, but what's worse is that he and his gang are dangerous -- not just for peace & IR, not just for reason and science and medicine, not just for domestic security or social unity;
      worst is that they're dangerous for our freedom & liberties, for separation of powers, and for open, honest uncynical governance.

      They've done so much damage since 9/11, that I sincerely fear that even a Demo prez will be unable to undo enough of the damage for me to change my mind about emigrating.

      In all my life, I've never been in such fear and despair for my country.

      -- in that I made a blanket comment. My post, in summary, *intended* to convey nothing about those "real, interesting, professional people" or their credentials.
      I'm just completely devoid of hope for the END RESULT of anything which will eventually be touched by the Gang Of Bush.

      -- in that my reaction WAS "knee-jerk", as explained above, and "helps Bush's supporters write off all of his opponents as worthless" -- but that doesn't make it "idiocy", in the circumstances.
      As for how I'm perceived by the Gang's supporters, it's irrelevant: I ORIGINALLY WELCOMED HIS ARRIVAL, thinking (for the most regrettable superficial reasons) that he'd be another Reagan, mostly innocuous.
      A LOT of people who welcomed his ascendance, including some staunch conservatives, are aghast at what the Gang has done to the 1st, 4th, 5th & 6th Amendments to the Constitution. The people who are still his supporters at this point, are unlikely even to be exposed to -- let alone affected by -- anything *I* do.

      Finally, as for "a halfway intelligible response", I think you meant "intelliGENT". It's pretty apparent that you didn't find my post unintelligible, nor should you have.

    3. Re:C'mon, be serious by krital · · Score: 1

      I agree with you wholeheartedly. Even with my misuse of "intelligible". The one thing I take issue with is being devoid of hope for _anything_ that will be touched by Bush & Co. -- there are still some good things happening out there, even with the PATRIOT Act, the (now-defunct, IIRC) Total Information Awareness program and other things of that ilk. Not that I feel up to naming the good things right now; it's always much easier to concentrate on (and remember) the bad.

      --
      -- K
    4. Re:C'mon, be serious by Alsee · · Score: 1

      (now-defunct, IIRC) Total Information Awareness program

      Defunct in name only. Pretty much all of the projects under the TIA heading were spun off into various government departments.

      PITAC is also pushing Trusted Computing, and Trusted Computing is using similar tactics - they are both publicly unpopular and attacked under the main name, so they use guerrilla tactics and sneak in under a slew of different names while concealing the fact that they are related to the main objectionable issue. Trusted Computing is now PITAC's "Cyber Security" and HP's "ProtectTools" and Cisco's SelfDefendingNetwork Working to Block Viruses at the Router, and on and on. And all of them concealing their connection to Trusted Computing. All of the TIA projects are trying to hide their connection to TIA.

      The public can't get angry about and attack and kill a million little anonymous projects with no obvious connection to the offending issue. Guerrilla tactics.

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
  5. re "PITAC?" by nusratt · · Score: 1

    "How many people besides me initially parsed the acronym as "Pain In The Ass Committee" ??"

    Actually, at first I thought it had something to do with Near Eastern finger-food.

  6. My .02 by mbstone · · Score: 2, Interesting

    4. What are the biggest obstacles in developing pervasive trustworthiness in the Federal and private sector cyber infrastructure?

    Stop placing non-technical people (e.g. political appointees who do not personally use computers or perceive them as having value) as managers overseeing Federal government IT operations and budgets.

    5. What are the most essential, the most challenging, and the most promising technical research problems that need to be solved in order to substantially improve the security of the nation's cyber infrastructure?

    I would start by establishing a national-level forensic disassembly lab, one that could analyze hard drives from a random statistical sample of servers and workstations and that would provide definitive answers as to how many machines are infected with malware and of what kind.

    8. What are the advantages and disadvantages of the open source software model in supporting improved cyber security?

    Theoretically OSS would be an advantage. But you have to learn to crawl before you can learn to walk.

    9. How well do the operational practices within organizations manage the risk from cyber security threats?

    Enumerating risks is easy. It's also a pointless exercise unless there is management buy-in as far as mitigating known risks.

    11. Is the pool of knowledgeable researchers, developers, and managers in cyber security adequate to protect the nation's cyber infrastructure? If not, how does the pool need to be strengthened?

    No. As just one example, there are thousands of job vacancies in the government cyber security field that require pre-existing security clearances, but very few sponsorship opportunities. One solution would be to allow individuals to apply for their own clearances.

    Also, the government should provide its cyber security personnel with the same job security and dignity as its other employees, by hiring us as Federal employees. Hiring us through contractors wastes money and deprives us of important workplace protections.

    12. What are the major legal issues that need to be addressed that would promote the development and deployment of cyber security technologies? What can be done to enhance the capabilities of law enforcement to prevent and prosecute cyber space attacks?

    As it stands now, it's too much hassle for many government IT shops to report incidents or initiate prosecutions -- the response protocols can involve "freezing" production systems and other procedures that are inherently disruptive to business operations. IT shops need to have backup hard drives/machines for those incidents that truly require "frozen" machines -- and less disruptive protocols for less serious incidents to encourage incident reporting and to allow prosecution of more bad guys.

    13. Where and how should the Federal government invest its cyber security R&D funds? Is the Federal government investing enough in cyber security R&D? Is the allocation for research vs. development optimal?

    In my experience lots of money gets spent on hardware, usually at the end of the fiscal year. But there is none available for training personnel to use the new gizmos.