PITAC Cybersecurity Town Hall Meeting
Nils Janson writes "The President's Information Technology Advisory Committee's Cybersecurity Subcommittee will be holding a town hall meeting on cybersecurity at the GovSec conference at the Washington Convention Center in Washington, DC from 8:00AM to 10:00AM on July 29 (this Thursday). The meeting is open to the public and people interested in cybersecurity are encouraged to attend. It should be a pretty interesting time -- the subcommittee members are actually trying to solicit opinions from people who're interested in and passionate about this sort of stuff."
Yes, there will -- light refreshments will be served beginning at 7:30 :)
-- K
How many people besides me initially parsed the acronym as "Pain In The Ass Committee"?
-- The Web is like Usenet, but the elephants are untrained.
4. What are the biggest obstacles in developing pervasive trustworthiness in the Federal and private sector cyber infrastructure?
Stop placing non-technical people (e.g. political appointees who do not personally use computers or perceive them as having value) as managers overseeing Federal government IT operations and budgets.
5. What are the most essential, the most challenging, and the most promising technical research problems that need to be solved in order to substantially improve the security of the nation's cyber infrastructure?
I would start by establishing a national-level forensic disassembly lab, one that could analyze hard drives from a random statistical sample of servers and workstations and that would provide definitive answers as to how many machines are infected with malware and of what kind.
8. What are the advantages and disadvantages of the open source software model in supporting improved cyber security?
Theoretically OSS would be an advantage. But you have to learn to crawl before you can learn to walk.
9. How well do the operational practices within organizations manage the risk from cyber security threats?
Enumerating risks is easy. It's also a pointless exercise unless there is management buy-in as far as mitigating known risks.
11. Is the pool of knowledgeable researchers, developers, and managers in cyber security adequate to protect the nation's cyber infrastructure? If not, how does the pool need to be strengthened?
No. As just one example, there are thousands of job vacancies in the government cyber security field that require pre-existing security clearances, but very few sponsorship opportunities. One solution would be to allow individuals to apply for their own clearances.
Also, the government should provide its cyber security personnel with the same job security and dignity as its other employees, by hiring us as Federal employees. Hiring us through contractors wastes money and deprives us of important workplace protections.
12. What are the major legal issues that need to be addressed that would promote the development and deployment of cyber security technologies? What can be done to enhance the capabilities of law enforcement to prevent and prosecute cyber space attacks?
As it stands now, it's too much hassle for many government IT shops to report incidents or initiate prosecutions -- the response protocols can involve "freezing" production systems and other procedures that are inherently disruptive to business operations. IT shops need to have backup hard drives/machines for those incidents that truly require "frozen" machines -- and less disruptive protocols for less serious incidents to encourage incident reporting and to allow prosecution of more bad guys.
13. Where and how should the Federal government invest its cyber security R&D funds? Is the Federal government investing enough in cyber security R&D? Is the allocation for research vs. development optimal?
In my experience lots of money gets spent on hardware, usually at the end of the fiscal year. But there is none available for training personnel to use the new gizmos.
That's quite possibly the most inane sentiment I've ever heard. If you'd taken two seconds to research this, you would've realized two things:
1. The PITAC was actually created by President Clinton. The council appointed while Clinton was in office stayed there until 2002, which, I might note, is minimally a year after Bush took office.
2. The PITAC is composed of real, interesting, professional people who collectively have a huge breadth of experience in the industry. Having been appointed to the PITAC while Bush was in office does absolutely nothing to diminish their credentials.
Realize that I'm not sticking up for Bush, but I'm sticking up for the PITAC and pointing out that your blanket comment was completely off the mark and ridiculous. It's that sort of knee-jerk idiocy that helps Bush's supporters write off all of his opponents as worthless. Stop, take a second, and think; when you come back with a halfway intelligible response I'll be ready to listen.
-- K
On the other hand, it's unfortunate that there's not a similar committee to focus on issues of copyright/fair use.
Oh, but they *are* addressing copyright and fair use implicitly.
When they talk about "Trustworthiness" and "cyber security" and "securing the national information infrastructure" they are referring to Trusted Computing.
Trusted Computing exterminates fair use, and it is an attempt to abandon copyright protection and replace it with DRM enforcement.
At an earlier Washington DC Global Tech Summit, Richard Clarke, Special Advisor to the President for Cyberspace Security, called on hardware manufacturers to embed Trusted Computing in all devices and for ISPs to make plans to deny internet access to anyone not using a Trusted Computing compliant system. Read his speech from the last two paragraphs on page 11 through page 14. Trusted hardware is already hitting the shelves, and I figure about 4 years for the routine replacement of substantially all existing machines to make it possible to enforce Trusted Computing compliance as part of internet access terms of service.
The PITAC Cyber Security is all about Trusted Computing. Many (all?) of the PITAC members are involved in Trusted Computing. In particular Spafford jumps out at me; he is the author of the PDFs defending TCPA (the original Trust chip).
-- You can't take something off the Internet! That's like trying to take pee out of a swimming pool.