U.S. Cybersecurity Report Available
Kaelem writes "Kevin Rose put up a copy of the report Cybersecurity for the Homeland (pdf), due to be released tomorrow. It talks about some interesting things, like expanding the US-CERT website as well as funding for colleges to develop cybersecurity curriculum."
References to computer network infrastructure as "cyber" sound very amateur to me. 1995 already happened. Could we please get an adult vocabulary and start talking about serious subjects with maturity? Thank you.
Speak truth to power.
Kind of a broad term. Don't most colleges already have courses similar to this? I know my college had something that could fit into that term. Anyone else seen "cyber security classes" at their college?
Unfortunately, their probable solution will be to mandate hardware changes that prevent 'unauthorized' software from running. (And some large IT company such as MS will be in charge of deciding what's authorized, of course). So MS will lock out its competition, and lock everyone in to running vulnerable crap that is in itself the source of most of the zombie armies.
Actually, come to think of it, perhaps incompetence in a secret po^H^H^H^H^H^H^H^H^Hhomeland security department is not such a bad thing.
_O_
.|< The named which can be named is not the true named
Why do I see more bureaucracy and less action?
More like from the U.S. Department Of We're Not Going To Tell You Anything You Didn't Already Know About Security
No one cares about security until they get burned. Once burned the battle cry goes for a while and fizzles as most don't give a rat's ass about security beyond looking politically correct. It is why so many sites and users get hacked.
And here is a hint, most get hacked from the inside out, that is - some twit loads a spyware or malicious program and claims ignorance when it happens. More like carelessness but management often overlooks it.
Safe computing is like safe sex, use some precaution and don't be a slut and download everything you can click on.
Really? As someone who just finished studying and reading the CERT guide for System Administration and Accreditation (yes, it was torture), I find that most system administrators do not know the principles within, or recklessly choose to disregard some of the most helpful ones. Many system administrators are seat-of-the-pants, self-taught individuals who learn along the way as issues come up, and sometimes miss some of the fine points of securing a system. A lot of admins push large upgrades on production systems, or use test systems still connected to the main network (the recent 60,000 computer fiasco reported in /. is a good example), don't practice isolation, choose their products on budget or because of a last minute need (although sometimes this is unavoidable), do not configure firewalls correctly, do not lock down their systems tightly, etc. Sometimes they do everything they should, but out of order. A lot of people don't realize the importance of order in bringing systems online. Many times, these are on critical systems or systems which contain confidential information. Customer information is put at risk, simply because the administrators do not know any better.
A lot of companies hire admins who are actually unqualified, but who can do a "good enough" job because they don't understand what to look for in an admin.
Not all admins are this way, but a surprising number of them are.
If admins out there honestly knew everything there was to know about security, and administer their system to the CERT guide specs, then I would be impressed. Because my experience in observing everything from large university systems, health care systems, tag agency (all-you-need-for-identity-theft-agencies, more appropriately) systems, corporate systems (credit card information and personal information), is that this simply isn't so.
A lot of penetration testing reveals vulnerabilities in areas that are clearly stated in that CERT guide.
*-*-*-*-*-*-*-*
"We are Linux. Resistance is measured in Ohms."
Does it mention why every cybersecurity "czar", starting with Richard Clarke, through this Fall, has quit in disgust? I didn't think so.
--
make install -not war
Combustible rubbish ready to the torch of any one ambitious to illuminate his name.
In Dr. Johnson's famous dictionary patriotism is defined as the last resort of a scoundrel. With all due respect to an enlightened but inferior lexicographer I beg to submit that it is the first. (from The Devil's Dictionary)
"Evil thrives when good men do nothing"
That is the problem. Prior to 9/11, there had been no comparable act of terrorism. While right now, things have been mostly peachy in the realm of cyber security (and when it's not, the public is not likely to hear about it), there is a general feeling in the cyber security community that our day will come. This time, however, they are actually attempting to prepare for it; how can that be a bad thing? Even if ineffective, there is effort being applied.
You would be surprised at who sits behind those computer screens and what their intention is. If the United States has an entity for electronic and cyber warfare, it seems that our enemies would have something similar. Now, back to the teenager thing... it is a sad truth that many compromises of confidential systems have been made by a teenager that is "just curious," but also some of these teens have developed an angsty hatred of the U.S. government and consider it a game to take it down.
You might not see it as terrorism... until the 911 systems go down. Until the IRS systems are compromised and your entire identity is stolen and abused. Until major systems undergo a DDoS when you suddenly need them. That is why these preventative measures need to be in place, and why our youngest and brightest are being trained to take on this endeavor.
However, I don't think that 12 year old terrorists were the focus here. It is the damage that can be caused by even a 12 year old in context with what can be achieved by a highly trained individual who applies it for malicious purposes.
*-*-*-*-*-*-*-*
"We are Linux. Resistance is measured in Ohms."
"When the going gets weird, the weird turn pro" -- HST
It's more like, no one cares about security until they lose their privacy.
KARMA POLICE ARREST THIS MAN HE TALKS IN MATHS- radiohead
Just in case the reader forgot this fact while reading the rest of the exec summary, the next chapter, the Introduction, starts with "On a fateful day in September 2001, our lives changed forever as a handful of terrorists proved they had the means to destroy on a level equal to their hatred.".
Having grabbed the reader's attention, the rest of the report goes on to do the following:
a. Narrate an administrative history of the establishment of DHS and the cybersecurity divisions within it
b. Provide Volkswagen loads of justification for the existence of said departments - based on various criteria, all liberally illustrated with suitably scary numbers
c. Lay the groundwork for greater control and monitoring by the departments, of all computing and telecommunication resources in the country, regardless of who owns/operates them.
d. Attempts a definition of cybersecurity - which is a good thing.
e. Provides more Volkswagens full of information designed to prove that legislative and administrative machinery are acting diligently and responsibly along the road to better security. This also absolves the departments themselves from any potential blame in the event of a screw-up - "all our bases are covered"
f. Throws in some pseudo-wise statements about educating mom-n-pop about how to protect their store computers and generously mentions that it will fund education in related matters. Remains to be seen if they will just restructure existing funding, reallocate under a new head and claim a job well done there.
Not at all the level of analysis, detail or accountability information you'd expect. Of course, John Q. Public is told that his representatives are in the loop, so don't worry, sleep tight. It's almost as if the report was specifically designed to NOT reveal any information. We'd rather not tell you any more, thank you, cuz you and your neighbors might all be security risks.
See that long UID - that's what you get for lurking too long
For a country that loves democracy so much, America doesn't seem to give a flying shit when their politicians lie. Unless it's about a blowjob, in which case it's TREASON, I tells ya! TREASON!
Sort it out, America. It's time for torches and pitchforks, and a nice stroll down to Washington DC... Unless you do that, the rest of the world will simply look on and laugh at the mess you've got yourself in ;)