Slashdot Mirror
Cybersecurity Chief Resigns
Doc Ruby writes "AP is reporting that 'The government's cybersecurity chief has abruptly resigned after one year with the Department of Homeland Security, confiding to industry colleagues his frustration over what he considers a lack of attention paid to computer security issues within the agency. Amit Yoran, a former software executive from Symantec Corp., informed the White House about his plans to quit as director of the National Cyber Security Division and made his resignation effective at the end of Thursday, effectively giving a single's day notice of his intentions to leave.' Yoran is the third cybersecurity chief in a row, after Richard Clarke and Howard Schmidt, to quit the Bush administration citing organizational inability to do his job. Maybe the job can't be done." In a possibly related story, individuals take cybersecurity lightly: Ant writes "This story says that consumers have a casual approach toward cybersecurity and fail to grasp the pervasiveness of online threats, according to a study released Thursday. More than a third of the 493 PC users surveyed by the nonprofit National Cyber Security Alliance (NCSA) said they had a greater chance of winning the lottery or being struck by lightning than of being hit by malicious code."
Yoran has privately confided to industry colleagues his frustrations in recent months over what he considers the department's lack of attention paid to computer security issues, according to lobbyists and others who recounted these conversations on condition they not be identified because the talks were personal.
Of course they aren't paying any attention. People just aren't knowledgeable enough about the threat of cybersecurity to give a shit. These people think that there is a real threat that their house may be singled out in a dirty-bomb attack because the Bush administration is happy to have them think that. As long as the Bush administration can keep people's minds on a single track of terrorism there's no need to bring to light other avenues of attack. Why should they diversify right now? They might bore the public with their "crying wolf" on dirty-bombs and airplane searches and would need another shiny object to get everyone to pay attention to.
About 90 percent of computer users interviewed remembered the name of the performer from the last Super Bowl halftime show, while only 60 percent knew when they last updated their computer security program.
No fucking way, people remember the name of a performer from the Super Bowl after it was banged into their heads on every media outlet for two months straight? OMFG, I cannot believe it. You mean that these same people who are so concerned with the atrocities being fed to them on TV aren't concerned or knowledgeable about their computer? I can't believe it!
Face it, people don't give two flying fucks about being educated in computer know-how. They want to flip the switch and have it work. If it doesn't work they want to call up their ISP and have them fix it. Their computer is a dumb terminal for their ISP's webpage and http://www.thehun.com. As far as people guessing their chances at being hit by malicious code... They probably seriously believe that malicious code means that they bring home a disk and put it in their drive and run a program that will be an old-sk00l virus. They have no idea that there are programs out there "spying" on them every minute of their surfing experience. They just don't care enough to know. Plus these same people probably do think that their chances of hitting the lottery are good as they are dumb enough to ignore real news for their own realm of importance (Reality TV).
He was also heard to say "linux is teh l33t and m$ feerz their mad penguin sk1llz".
Get your own free personal location tracker
Without a Digital Pearl Harbor attack hitting us, it is unlikely that anyone will take him seriously, and since Digital Pearl Harbors was just Richard Clark FUD in the first place, his resignation was inevitable.
We now return you to your regularly scheduled thread.
More than a third of the 493 PC users surveyed by the nonprofit National Cyber Security Alliance (NCSA) said they had a greater chance of winning the lottery or being struck by lightning than of being hit by malicious code."
The problem is that many PC users are doing the cybersecurity equivalent of what some idiot did near my home about fifteen years ago.
He was in his boat out on a lake when a thunderstorm moved in. When others on the boat suggested that they should go to shore for fear of lightning he scoffed, stood up on the bow of the boat, stretched his arms upward and shouted "Take me now, God!".
God complied.
Connecting an unpatched PC to a broadband connection is pretty much the same thing.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
I think we all know it's a ridiculously HUGE mistake to underestimate the importance of cypersecurity. Whoever is responsible for "not paying enough attention" to it needs to be outright fired... We're talking about every classified document in existence being at risk. Frankly i don't blame him a bit for quitting. I think it's ridiculous to blame the problem on the bush administration because i think we all know that's not the case, but obviously someone needs to get their act together....
As I said at a meeting one day as people were pulling their hair out over the latest MS worms, and the failures of all of the "automatic patch deployment"-type tools out there, "Maybe the large numbers of Microsoft workstations present an intractable problem". Stunned silence. I half expected to be stoned to death as a heretic. When Corporate America stops sucking on the Microsoft Tit, we'll finally see real improvements in security. As long as paper-engineers and golf-club-wielding PHBs are entrusted with decision making, I see no chance for improvement.
I want to delete my account but Slashdot doesn't allow it.
Given frequent updates, ZoneAlarm, a firewall/router, precautions about not opening things I don't know about, VPNs, and other things, I probably AM more likely to be struck by lighting than hit by malicious code. But I'm a /. reader... :)
All politics is about power, the obtaining of it and the maintaining and expanding it. The focus when running for office is to say and promise whatever it takes to get you into office. Once there, the focus becomes hanging on to power at all costs. The way to do that is to play on voter's fears, desires, insecurities, in such a way as to get them to think you will solve their problems better than the next guy. Thereby saving your job.
This is true no matter the topic, and no matter the importance of the topic. Right now, Topic A is security, and boy is that a vital topic. So vital, you'd think politicians would put their usual partisan techniques and actually get something done. But no, even here with lives at stake, it's politics as usual. Is computer security a hot-button issue for the average voter? Not enough to throw someone out of office over. So does this get priority? Nope.
Look at the vulnerability of chemical plants to attacks. There were proposals to beef up security, the chemical industry squawked at the costs, the plan got scaled back. Why? Isn't security important? Sure, just ask Union Carbide about Bhopal. More importantly, ask thousands of Indians about Union Carbide in Bhopal. It is important, but it's not attacting votes, so it gets shunted aside. That's all that matters, folks. It's about maintaining power. So no matter how many security czars they get, unless that becomes a hot-button issue for the voters, it'll never be a hot-button issue for the Bush White House (or any other president that comes along).
Defending your country includes domestic and foreign defense both off and online. The fact that the military and various government agencies use the Internet is justification for including cyber security as part of defense. Cyber security should be part of the DoD's job.
In a possibly related story, individuals take cybersecurity lightly
To be honest, maybe it's hard to take seriously because we're busy trying to distort its meaning and importance with silly buzzwords like "cybersecurity." Why does everything have to be "cyber"-this and "cyber"-that? In my mind this doesn't sound any different than putting e- in front of everything and trying to market it during the dot-bomb bubble, and I imagine that it has a similar effect on the public. We've been conditioned since 1998 to ignore anything with e- or cyber- as a prefix. Why are we surpised that people don't take "cybersecurity" seriously, when we show by our vocabulary that we don't, either?
Instead of "cybersecurity," how about "computer security," or "personal computer security"? See, it's possible to communicate what you mean in a simple, effective way without fancy buzzwords, and people might even pay more attention. ("You mean my computer might be in danger?")
Secession is the right of all sentient beings.
Just getting people to pay attention in a corporate environment is hard enough, even with HIPAA and now Sarbanes-Oxley. Hell, if it weren't for Sarbanes-Oxley my company wouldn't even give a damn about security. That's sad, and frightening.
I can only imagine the nightmare it must be trying to be in charge of security in a beauracracy like the federal government. If you've never dealt with the feds as an employee or contractor, you have no idea how many layers thick it goes. You can't even fart without pushing paperwork and dealing with red tape.
Remember the Alamo, and God Bless Texas...
More than a third of the 493 PC users surveyed by the nonprofit National Cyber Security Alliance (NCSA) said they had a greater chance of winning the lottery or being struck by lightning than of being hit by malicious code.
Time to go buy a ticket...
Sounds like he feels he was being setup to fail. That or they have the department wrapped so tightly with red tape that it makes the department ineffective. As most effective CIO/information directors will tell you, they're not interested in maintaining anything. They want to innovate and if you make that impossible or do not require innovation, they will leave.
-Randy
More than a third of the 493 PC users surveyed...said they had a greater chance of winning the lottery or being struck by lightning than of being hit by malicious code.
It should be noted that these people are probably thinking of being "hit" in the physical sense of the word...
I'll turn into a supernova and burn up everything. Well I'll turn into a black little hole and you'll turn into string.
If there is one marketing term I despise more than any other, it's "cyber". Well that and putting the letter "e" or "i" in front of terms.
:)
You might like to spare some loathing for http://www.eCyber.com/ and http://www.iCyber.com/ then
It can be very frustrating to someone who just wants to accomplish something when politics prevent it from happening.
Hopefully the hydra will not spring forth another head to take its place. The question we need to ask ourselves here is: should the government even be involving itself in "regulating the Internet" to "improve security"? Considering the free market has a better track record at accomplishing nearly everything (compare the DMV to 7-11) why the hell do we need a useless figurehead like this in the first place? He's ex-Microsoft for God's sake.
If the government actually wanted to promote cyber security, the best way to do it would be to put a bounty system on the evildoers and let the market compete to catch them. Microsoft but a bounty on some virus authors and look how fast they were caught! Imagine if we had a bounty on web defacers, worm authors, and other such vermin. System administrators worldwide have the legal right to read their customers mail but until no profit motive, so they don't do it. All that would change. You think 802.11 wardrivers can't be caught? What if information leading to their arrest was worth $50,000 - how many Slashdot readers would be patrolling their neighborhood for wardrivers? It's not too hard to spot the goon with the notebook and the high power 802.11 antenna connecting to every network in his path.
Personally I'd love to put "Internet Bounty Hunter" on my resume. I'd probably start with the goon at 66.35.250.150 who keeps proxy scanning me.
If guns kill people, then CmdrTaco's keyboard misspells words.
...than winning the lottery: well, you're about 250 times more likely to be involved in a car accident than to win the lottery. And about 10 times more likely to be murdered.
(That's over a whole year, assuming you buy a ticket every week).
Virtually everything is more likely than winning the lottery. Their poll just shows that people don't really understand probability... (hmm. You're also more likely to be hit by lightning than to win the lottery.)
They should outsource this National Cyber Security job to India.
God spoke to me:
www.geocities.com/James_Sager_PA
God spoke to me.
Bruce Schneier should have this job. As a matter of fact he should be Secretary of Homeland Security.
Imagine someone walks up to you and starts talking to you about your car insurance:
"Well, here's the thing. Your car needs to be safe, and since 1997, with more highways available, more ISEC 45 systems can't accomodate Goodyear telecons. Car insurances? In your glove box, you can find your insurance info several tachometers. Make sure to astagate the TFGG Nationwide proteases for the next fifteen days, and then every fifteen days -- dirkonite 1997 malfunctions could lead to superfinite hexagon and then your gas mileage Liberty Mutual goes down. But the car is fine, it's a good car. It's going to explode and your dog will die. Just call the state RT-678 system box accelerator engine spark plug twice, after frubbing the seats and air conditioner. So, yes, Ford and Honda are a risk, but you have filters, GM just needs shafts -- in Japan."
That's basically what the average person hears when you start talking about computer security. They seem to understand some terms, but for the most part their eyes glaze over. Then they say "OK" and go back to looking on eBay for that autographed baseball. Even running Ad-Aware is a pain for most people. There's about 20 different options and if they click the wrong one they don't know what just happenned.
Small potatoes make the steak look bigger.
*political rant* An administration that has lied so many times it doesn't even know the truth, doesn't need security. Seriously though most of the leading edge work on cyber security and detection is being done by the gov't or under gov't supervision.
Really, same old - does ANYONE (I exclude the obvious hardcore security concious techies out there from this, obviously) take cybersecurity seriously? Companies dont. Home users dont. Hell, there are even Sys Admins out there that think security is just disabling the FTP server!
What I find odd though, is the differences in the way the media shows cybersecurity. Although it's been quite common in the media lately - movies (too numerous to bother counting - you know them anyway), news releases on viruses, phishing, etc. all have had (at least in Australia) an increase of media exposure in recent times. There's a lot of very serious attention out there to this issue, but it's not working!
People see a movie that examines cybersecurity, which may be discussing a real issue in the same way every other mainstream movie does (ie. somewhat realistic... Willing suspension of disbelief and all that). What I don't understand though is that movies about other topics make people stop and look at the bigger issue being discussed. People watch a war movie and go "oh hay, war is bad/good/hell". People watch a horror flic and go "oh hay, i'm going to buy me an axe and board my doors up to keep those psychos out". People watch a "cybersecurity" movie (or even news) and go "hah, it'll never happen to me - I know everything about my computer!".
Until we fix this problem, and get across to the public (and hence Governments) that this IS a major issue (and that it isn't going away), the problem is just going to get worse.
I guess part of the problem is the fact that the topics are usually quite abstract. Often, you can't explain how or even WHY these things happen without getting into some fairly abstract details. What do you mean people can talk to my computer? But it's listening to multiple things at once? And some might be good? But why would they want to use my computer to talk to websites?
AAAaaarrrrghhh....
Regardless, something needs to be done, as this is an all to common event.
[root@GRIFFIN root]# rpm -e coffee-1.22.3-1a.i386.rpm
error: removing these packages would break dependencies:
Granted, its not like I'm in a highly-influential government job, but I do work in Computer Security. As a low-level grunt with delusions of grandure, I can certainly understand the feelings of frustration, particularly when people don't do the right thing (i.e. what I tell them to). Maybe those of us in the trenches just have the clarity to realize that the job is hard, there are no quick fixes, and trying to convince people who bought their computer the same way they bought their toaster is a really, REALLY hard job.
On the other hand, I've been doing this for 8 years, 7 years at my present company. Maybe the Baby Bush should hire me, since I'm not such a candy-ass :-)
The "Director of Terrorist pwnage" just quit today, citing impossible attitudes towards his job...
If my answers frighten you, stop asking scary questions.
If a story were to come out that Amit say wanted to implement more DMCA-like restrictions on the Internet and was frustrated because the administration wouldn't let him we'd all have a different attitude. But since this guy quit the BUSH administration, he obviously was suffering in his job trying to do right by all Americans and was being squashed by the man. The fact that he gave effectively 1 day's notice points to a character problem. What's the over and under he starts popping up on talk shows and campaign stops with "a revealing look into the Bush administration" soon?
The average Joe does want to learn. They're just under no obligation to think that the things you want them to learn are worth learning. My mom gets on my case left and right about how culturally ignorant I am--I've only heard Monteverdi's Vespers of the Virgin Mary once, and how is it that I can hate The Marriage of Figaro when I've only heard half of it? But I'm not oblivious because I don't like opera. I've prioritized. I've made sacrifices.
The average person isn't apathetic or stupid.
Instead, the average person is not you and probably doesn't want to be you.
The average person cares a lot about things which affect their lives. Ask a farmer what he/she thinks about the latest pesticides, or if terracing has conserved as much soil as environmental proponents say. You'll get an easy hour of discussion out of a farmer that way. It'll bore you to freaking tears, but you'll get an easy hour of discussion out of a farmer that way.
Ask a teacher what he/she thinks about No Child Left Behind. Ask an automotive engineer what he/she thinks about the disappearance of shade-tree mechanics.
Kid, you are an elitist geek. The world's a much bigger and more interesting place than you give it credit for.
Open your eyes. Open your eyes and enjoy the world as much as you can while you're young. Don't do what I did and spend the first 25 years as a pessimist before realizing how empty and useless pessimism is.
I'm a cynic. A cynic is someone who's seen enough of humanity's beauty to be thoroughly convinced that it exists--and enough of humanity's ugliness to be thoroughly appalled at how rarely humanity's true beauty shows through.
But take my word for it. The beauty exists, if you're willing to open your eyes. And the beauty will take your breath away.
Have a nice life. Really. I mean that.
These are the people whose computers are being used to send spam while they sleep.
This story says that consumers have a casual approach toward cybersecurity and fail to grasp the pervasiveness of online threats, according to a study released Thursday
For all the money they probably pump into cybersecurity, can't they start a nationwide campaign to educate users?
The purpose of Homeland Security is to centralize all information about YOU and ME and then use it... for something they never tell us.
... the truth is that even a patriot can see that the GWB White House is a criminal organization that has brought the USA to it's worst since the Vietnam Conflict, and this tim enext year you'll WISH it was only as bad as 1967. And we all know how well that turned out for those who opposed that war too. Of course, back then you only had to worry about the FBI, the CIA, the NSA, the cops... man, you'd think the USA was a nation of criminals.
Homeland Security cannot function without the Patriot Act to give it it's power. All of this is just like the purpose, and genesis, of the Gestapo. Back in 1933 it made sense to create new State Police only if you wanted to oppress disent.
And as we know, Homeland Security is really only famous for arresting artists, academics, hackers, musicians, and Tommmy Chong! wtf!
So of course people like Richard Clarke are "resigning"
Damn straight skippy! I've been dreaming of this for years
Sure, maybe. Or perhaps they have no idea what "malicious code" is in the first place. BTW: They shouldn't have to care about malicious code! It's like asking Joe-on-the-street what the US strategic and tactical strategies should be in the Middle East. What kind of background/training does Joe have? Why in the world would I give a crap about his answers on any polls.
Ahhh yes, IT snobiness strikes again. The average person shouldn't have to "give two flying fucks" . The PC industry should get its act togeather and deliver "dumb" terminals that do exactly what people expect them to do. Chances are, you don't know anything about natural gas fittings, but you still use a stove. I don't know anything about generating and containing microwaves, but I still eat frozen burritos. Why the hell should we burden Joe-average with patches, virus updates, malicious code, .dll's, conflicting IRQs, etc...? Especially when all they want to do is read e-mail, download pr0n, and play games. It's not like the average PC user is trying to develop a new OS kernel.
This one gang kept wanting me to join cause I'm pretty good with a bo staff.
>Face it, people don't give two flying fucks about being educated in computer know-how.
I dont care how my fridge and toaster work, at least on the level of maintaining them properly and repairing them. Along with my car. You're being too geek-centric here and blaming the victim.
Why aren't Mac users having the massive security problems Windows and Unix users have? The problem is the product and the vendor. We are at a point where you can make a safe OS you dont have to babysit. The market has delivered it in the form of OSX, for the most part. Linux is no magic bullet either as it runs so many services, is very user unfriendly, etc. Come on, face facts here before I get modded down for diverging from the "party line."
What people need is a better product, not four CS classes on network security. What people need is to do their work and shut the thing off and not worry about it. What people need and what they are getting from Dell et al are two very different things. If we're going to blame the Bush administration, lets blame them for letting MS go when they could have broken them up into two or three different companies.
For every field there's someone like you who blames the user. Be it the mechanic who is pissed that "stupid drivers" can't figure out how to change a fuse or their own tire. Or plumbers sick of doing midnight calls because landlords put off maintenance and something breaks in the middle of the night. Or local telco/power companies sick and tired of triming your trees for you when your tree breaks a power line.
IT should work for people. People shouldnt be working for their computers. Blaming the user is the wrong way to go about it. Blame the designers for not making a user-centric design. Blame the designers for shipping code riddled with security holes.
If my experience with the TSA and the DHS is any indication, then I'd have to say that this problem is not at all surprising.
The people who are in those positions seem more interested in keeping things from changing and keeping their jobs. They want a government paycheck but they aren't interested in actually doing their jobs. The problem with that attitude is that since the DHS is so new, there is no "keeping things the same." It's about growth and forming an organization. It's amazingly ridiculous how things operate (or fail to operate) within the places I've been exposed to.
Anyone that refuses to see the problem that MS is and continues to embrace MS software products in spite of more secure alternatives is stupid, corrupt, owns too much MS stock, or all of the above.
You are being MICROattacked, from various angles, in a SOFT manner.
Amit tried to do this right - he had some very good people and had a solid vision for what needed to be done to secure primarily the government networks. He is a very sharp person and his executive experience was a plus - he was not an empty suit or political appointee.
Two key political issues:
1) This office was expected to shift to the new intelligence chief that reports to the president as the recommendation from the 9/11 committee- new boss + new plan = waste of his first year
as everything would start over...
2) No clear authority in his position. As mentioned in the articles, he was too low in HS to get anything done in DC. Cybersecurity could recommend solutions, but could not force ANY of the government departments to coordinate systems / procedures / etc. and adopt best practice solutions. At this level of government, each fiefdom will do their own thing and the whole point of having a security chief is eliminated.
I have four different programs protecting my computer at the moment (admittedly, I'm using Windows 2k, due to software considerations), and I STILL have daily... nay, almost HOURLY notices that I've been breached at some point or another. At one point, I had to resort to almost 24 hours of purging to rid my system of unwanted, illicit, and interferring spyware in my system. Call it unwise surfing, but by my mind, the net should be as free as Yahoo or Google... but ever notice that Spybot blocks TONS of spyware on MSNBC? Hmmmmm.... Not seen any comments about THAT on here... Bill? You listening?
When the going gets weird, the weird turn pro. ~~ Hunter S. Thompson
I guess the answers their scoring system didn't like were
What is the robbing of a bank, compared to the founding of a bank? -- Bertolt Brecht
No, you're probably a bit spoiled by being a Mac user - but you're not wrong at all!
As just one (of countless!) examples I run across in my line of work (on-site PC service), I was trying to help a guy out this afternoon who had spyware/virus problems crippling his Windows XP machine.
He's no dummy either. He has a PhD in Physics, and works from home as an editor for college textbooks.
This is about the 5th. time in 6 months or so that I've had to help him fix these types of issues. Originally, he was running Windows ME on his Gateway Pentium 4 system, and viruses pretty much made the computer unusable. I spent the better part of an afternoon removing the viruses and all the spyware I could find - but a lone remaining virus was a "downloader trojan horse" and apparently re-downloaded and installed numerous virii after I left.
After a second round of cleanup, I seemed to have it all fixed - but about a month later, it seems a few things got past his Symantec Personal Firewall and started causing tons of pop-up ads and other issues, so I was called out yet again!
Finally, he just asked us to wipe the drive and start fresh. We did, and made sure to do every possible Windows update, install the latest ZoneAlarm firewall, etc. etc.
So then, he decides to take the plunge and upgrade to Windows XP (since ME was a regularly crashing/blue-screening piece 'o junk anyway). We did that for him, and applied Service Pack 1 and everything else available at the time.
Well, after a couple weeks, voila - more rampant spyware/virii problems! He already tried both SpyBot and Ad-Aware SE 1.05, the very latest AVG Anti-Virus updates, and more, yet he couldn't eliminate the problems - and it was hindering him from doing his work.
I tried everything I could think of, including hours of manually deleting things. (XP likes to keep temporary files inside hidden sub-folders under the "Documents and Settings" directory, and I've found many viruses hide out in there, for example.) I got everything clean that I could find, and all the scanners report it clean, yet each time you launch Internet Explorer - it redirects you to some spyware/ad-ware web site and starts trying to install a bunch of garbage via Active-X!
Nobody should have to go through all of this B.S. just to get some work done from home! This is a disgrace. This guy isn't even "surfing porn sites" or any of the stuff people like to point fingers and accuse people of if their PC gets infected....
I've already suggested maybe he should make his next computer a Mac.... Several of his co-workers made the switch recently, already, and seem to be pleased. He's just concerned with the fact he owns so many PC only software packages and doesn't want to buy the same things over again to get a Mac native version....