Slashdot Mirror

← Back to Stories (view on slashdot.org)

Cybersecurity Chief Resigns

Posted by michael on from the told-he-had-to-install-all-patches-personally dept.

Doc Ruby writes "AP is reporting that 'The government's cybersecurity chief has abruptly resigned after one year with the Department of Homeland Security, confiding to industry colleagues his frustration over what he considers a lack of attention paid to computer security issues within the agency. Amit Yoran, a former software executive from Symantec Corp., informed the White House about his plans to quit as director of the National Cyber Security Division and made his resignation effective at the end of Thursday, effectively giving a single's day notice of his intentions to leave.' Yoran is the third cybersecurity chief in a row, after Richard Clarke and Howard Schmidt, to quit the Bush administration citing organizational inability to do his job. Maybe the job can't be done." In a possibly related story, individuals take cybersecurity lightly: Ant writes "This story says that consumers have a casual approach toward cybersecurity and fail to grasp the pervasiveness of online threats, according to a study released Thursday. More than a third of the 493 PC users surveyed by the nonprofit National Cyber Security Alliance (NCSA) said they had a greater chance of winning the lottery or being struck by lightning than of being hit by malicious code."

13 of 367 comments (clear)

  1. I just don't believe it! by garcia · · Score: 5, Insightful

    Yoran has privately confided to industry colleagues his frustrations in recent months over what he considers the department's lack of attention paid to computer security issues, according to lobbyists and others who recounted these conversations on condition they not be identified because the talks were personal.

    Of course they aren't paying any attention. People just aren't knowledgeable enough about the threat of cybersecurity to give a shit. These people think that there is a real threat that their house may be singled out in a dirty-bomb attack because the Bush administration is happy to have them think that. As long as the Bush administration can keep people's minds on a single track of terrorism there's no need to bring to light other avenues of attack. Why should they diversify right now? They might bore the public with their "crying wolf" on dirty-bombs and airplane searches and would need another shiny object to get everyone to pay attention to.

    About 90 percent of computer users interviewed remembered the name of the performer from the last Super Bowl halftime show, while only 60 percent knew when they last updated their computer security program.

    No fucking way, people remember the name of a performer from the Super Bowl after it was banged into their heads on every media outlet for two months straight? OMFG, I cannot believe it. You mean that these same people who are so concerned with the atrocities being fed to them on TV aren't concerned or knowledgeable about their computer? I can't believe it!

    Face it, people don't give two flying fucks about being educated in computer know-how. They want to flip the switch and have it work. If it doesn't work they want to call up their ISP and have them fix it. Their computer is a dumb terminal for their ISP's webpage and http://www.thehun.com. As far as people guessing their chances at being hit by malicious code... They probably seriously believe that malicious code means that they bring home a disk and put it in their drive and run a program that will be an old-sk00l virus. They have no idea that there are programs out there "spying" on them every minute of their surfing experience. They just don't care enough to know. Plus these same people probably do think that their chances of hitting the lottery are good as they are dumb enough to ignore real news for their own realm of importance (Reality TV).

    1. Re:I just don't believe it! by museumpeace · · Score: 5, Insightful

      People just aren't knowledgeable enough about the threat of cybersecurity to give a shit. These people think that there is a real threat that their house may be singled out in a dirty-bomb attack because the Bush administration is happy to have them think that. As long as the Bush administration can keep people's minds on a single track of terrorism there's no need to bring to light other avenues of attack.

      What you say is true enough about the the Joe and Jane Consoomer types that are referred to in latter part of the article but the "people" we are talking about here are the govmint folks whose job and is and whose claim on our loyalty and obedience is their duty TO PROTECT US. If those people don't know Internet Protocol from Intellectual Property we should fire their asses rather than let them drive every competant person they can away from the job.
      Any body with a cable modem who took a minute to look at their firewall log could tell you how many times per hour their house WAS singled out for molestation by bots and hackers. Watching some pimple working from behind a Korean ISP try to telnet a home computer in Massachusettes IS a little creepy and the kind of thing that would alarm the average homeowner who would be all over 911 if he saw a person physically prowling about in his back yard...if only they were looking!

      --
      SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
    2. Re:I just don't believe it! by Anonymous Coward · · Score: 5, Insightful
      ...The worst that could happen is that their credit card numbers are stolen. A real monetary loss, but it'd be a stretch to compare it to a bomb of any kind...

      So when those "terrorists" start sucking money from those compromised credit cards to fund their continuing activities, thats ok because Joe Sixpack thinks "it doesn't affect me, I don't care". Joe Sixpack is in essence the biggest security threat to the US.

  2. What else he said. by caluml · · Score: 5, Funny
    'The government's cybersecurity chief has abruptly resigned after one year with the Department of Homeland Security, confiding to industry colleagues his frustration over what he considers a lack of attention paid to computer security issues within the agency.

    He was also heard to say "linux is teh l33t and m$ feerz their mad penguin sk1llz".

    --
    Get your own free personal location tracker
  3. no Digital Pearl Harbors by Igloodude · · Score: 5, Insightful

    Without a Digital Pearl Harbor attack hitting us, it is unlikely that anyone will take him seriously, and since Digital Pearl Harbors was just Richard Clark FUD in the first place, his resignation was inevitable.

    --
    We now return you to your regularly scheduled thread.
    1. Re:no Digital Pearl Harbors by LanMan04 · · Score: 5, Insightful

      A digital Pearl harbor is not FUD. One day our increasing reliance on automated and interconnected systems to run or critical infrastructure is going to bite us in the ass, and HARD.

      It doesn't have to be terrorist related, it could be incompetence or not rebooting your aging Windows system once a month, a-la the recent air traffic control blackout. And we're in serious shit if a tech-savvy threat manages to penetrate power distribution, emergency call, or air-traffic control systems, or who knows maybe all three, and shut it all down right before a devestating physical attack. It's a huge force-multiplier, but in addition it can be a force unto itself. Imagine the whole country going without grid power for a month or two. Not a pretty picture.

      As usual, no one will do anything serious until there is a major incident (involving loss of life), after which "computer security" will be beat into our skulls every minute of every day, even if it's draconian and won't actually make people much safer, just like transportation security is today.

      --
      With the first link, the chain is forged.
  4. Lightning is like a virus by swillden · · Score: 5, Insightful

    More than a third of the 493 PC users surveyed by the nonprofit National Cyber Security Alliance (NCSA) said they had a greater chance of winning the lottery or being struck by lightning than of being hit by malicious code."

    The problem is that many PC users are doing the cybersecurity equivalent of what some idiot did near my home about fifteen years ago.

    He was in his boat out on a lake when a thunderstorm moved in. When others on the boat suggested that they should go to shore for fear of lightning he scoffed, stood up on the bow of the boat, stretched his arms upward and shouted "Take me now, God!".

    God complied.

    Connecting an unpatched PC to a broadband connection is pretty much the same thing.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  5. Taking it lightly by jdavidb · · Score: 5, Insightful

    In a possibly related story, individuals take cybersecurity lightly

    To be honest, maybe it's hard to take seriously because we're busy trying to distort its meaning and importance with silly buzzwords like "cybersecurity." Why does everything have to be "cyber"-this and "cyber"-that? In my mind this doesn't sound any different than putting e- in front of everything and trying to market it during the dot-bomb bubble, and I imagine that it has a similar effect on the public. We've been conditioned since 1998 to ignore anything with e- or cyber- as a prefix. Why are we surpised that people don't take "cybersecurity" seriously, when we show by our vocabulary that we don't, either?

    Instead of "cybersecurity," how about "computer security," or "personal computer security"? See, it's possible to communicate what you mean in a simple, effective way without fancy buzzwords, and people might even pay more attention. ("You mean my computer might be in danger?")

    --
    Secession is the right of all sentient beings.
  6. Security is a hard job by GodBlessTexas · · Score: 5, Insightful

    Just getting people to pay attention in a corporate environment is hard enough, even with HIPAA and now Sarbanes-Oxley. Hell, if it weren't for Sarbanes-Oxley my company wouldn't even give a damn about security. That's sad, and frightening.

    I can only imagine the nightmare it must be trying to be in charge of security in a beauracracy like the federal government. If you've never dealt with the feds as an employee or contractor, you have no idea how many layers thick it goes. You can't even fart without pushing paperwork and dealing with red tape.

    --
    Remember the Alamo, and God Bless Texas...
  7. Good. by Exmet+Paff+Daxx · · Score: 5, Insightful

    Hopefully the hydra will not spring forth another head to take its place. The question we need to ask ourselves here is: should the government even be involving itself in "regulating the Internet" to "improve security"? Considering the free market has a better track record at accomplishing nearly everything (compare the DMV to 7-11) why the hell do we need a useless figurehead like this in the first place? He's ex-Microsoft for God's sake.

    If the government actually wanted to promote cyber security, the best way to do it would be to put a bounty system on the evildoers and let the market compete to catch them. Microsoft but a bounty on some virus authors and look how fast they were caught! Imagine if we had a bounty on web defacers, worm authors, and other such vermin. System administrators worldwide have the legal right to read their customers mail but until no profit motive, so they don't do it. All that would change. You think 802.11 wardrivers can't be caught? What if information leading to their arrest was worth $50,000 - how many Slashdot readers would be patrolling their neighborhood for wardrivers? It's not too hard to spot the goon with the notebook and the high power 802.11 antenna connecting to every network in his path.

    Personally I'd love to put "Internet Bounty Hunter" on my resume. I'd probably start with the goon at 66.35.250.150 who keeps proxy scanning me.

    --
    If guns kill people, then CmdrTaco's keyboard misspells words.
  8. A simple way to think about security by The-Bus · · Score: 5, Insightful

    Imagine someone walks up to you and starts talking to you about your car insurance:

    "Well, here's the thing. Your car needs to be safe, and since 1997, with more highways available, more ISEC 45 systems can't accomodate Goodyear telecons. Car insurances? In your glove box, you can find your insurance info several tachometers. Make sure to astagate the TFGG Nationwide proteases for the next fifteen days, and then every fifteen days -- dirkonite 1997 malfunctions could lead to superfinite hexagon and then your gas mileage Liberty Mutual goes down. But the car is fine, it's a good car. It's going to explode and your dog will die. Just call the state RT-678 system box accelerator engine spark plug twice, after frubbing the seats and air conditioner. So, yes, Ford and Honda are a risk, but you have filters, GM just needs shafts -- in Japan."

    That's basically what the average person hears when you start talking about computer security. They seem to understand some terms, but for the most part their eyes glaze over. Then they say "OK" and go back to looking on eBay for that autographed baseball. Even running Ad-Aware is a pain for most people. There's about 20 different options and if they click the wrong one they don't know what just happenned.

    --

    Small potatoes make the steak look bigger.

  9. Re:I AM more likely to be struck by lightning by Waffle+Iron · · Score: 5, Informative
    I probably AM more likely to be struck by lighting than hit by malicious code.

    I wouldn't be so sure about that. This report says that the US has lightning injuries+fatalities of around 500 per year. That means the average person gets hit by lightning about once every 600,000 years.

    The odds that somebody is going to develop a blockbuster zero-day exploit are much higher than that. For example, what if some person or organization discovers something like new flaws in both Cisco routers and the standard JPEG rendering .DLL or .so? And instead of posting it to security mailing lists, they write effective exploits to hijack the routers to serve up infected JPEGs?

    Most of the computers on the Internet could be compromised within minutes just by ordinary browsing. No amount of patching, firewalls or care on the part of the user would prevent the attack. That is just one scenario; it's not hard to think up countless variations. It may be unlikely that this will happen in any given year, but I doubt that it would be as rare as once every 600K years.

  10. He did try for a year... by Anonymous Coward · · Score: 5, Informative

    Amit tried to do this right - he had some very good people and had a solid vision for what needed to be done to secure primarily the government networks. He is a very sharp person and his executive experience was a plus - he was not an empty suit or political appointee.

    Two key political issues:
    1) This office was expected to shift to the new intelligence chief that reports to the president as the recommendation from the 9/11 committee- new boss + new plan = waste of his first year
    as everything would start over...

    2) No clear authority in his position. As mentioned in the articles, he was too low in HS to get anything done in DC. Cybersecurity could recommend solutions, but could not force ANY of the government departments to coordinate systems / procedures / etc. and adopt best practice solutions. At this level of government, each fiefdom will do their own thing and the whole point of having a security chief is eliminated.