U.S. Cybersecurity Report Available

Kaelem writes "Kevin Rose put up a copy of the report Cybersecurity for the Homeland (pdf), due to be released tomorrow. It talks about some interesting things, like expanding the US-CERT website as well as funding for colleges to develop cybersecurity curriculum."

Which department?

[wcitechnologies]

More like from the U.S. Depeartment Of We're Not Going To Tell You Anything You Didn't Already Know About Security

Re:Which department?

[canuck57]

More like from the U.S. Depeartment Of We're Not Going To Tell You Anything You Didn't Already Know About Security

No one cares about security until they get burned. Once burned the battle cry goes for awhile and fizzles as most don't give a rats ass about security beyond looking politically correct. It is why so many sites and users get hacked.

And here is a hint, most get hacked from the inside out, that is - some twit loads a spyware or malicious program and claims ignorance when it happens. More like carelessness but management often overlooks it.

Safe computing is like safe sex, use some precaution and don't be a slut and download everything you can click on.

Wide range of topics ...

[ProfaneBaby]

They're definitely focusing on a wide range ... something I didn't expect to see in the report was the DDoS / zombie bot armies:

Just as 1920s gangsters evolved into organized crime syndicates, a sophisticated command and control network is emerging within the Internet with agreed-upon boundaries of control and "gangs" working for a "boss." These modern criminals and terrorists often don't know or meet the crews who carry out the actual cyber attacks, making it even more difficult to track and prosecute them.

Definitely something worth investigating, just wondering what a few billion in research dollars is going to reveal - hopefully more than "it's a problem that's difficult to fix" report.

Re:Wide range of topics ...

[ProfaneBaby]

They've also identified that much of the problem comes from outside of their jurisdiction, so I'm actually optimistic that their solution won't be that stupid...

I could see something along the lines of mandated filters on international links, though. Time for MCI and Level3 to break out the lobbying money, else their international business may get much more expensive (can you imagine the peering complications if you have to enforce content filtering at the ISP level?)

Re:Wide range of topics ...

[Saeger]

I'm afraid you're right.

In order for the control-freaks of the world to keep their socio-economic power, it's in their best interest to turn the open internet into a "Secure Internet" dystopia where only "Trusted Computing" devices are permitted to communicate.

As usual, they'll spin total-accountability as a good thing necessary for combatting the evil cyber-terrahists, economic pirates, and pedophiles. But I, for one, will NEVER bow to DRM mandated by government and/or pushed by monopoly interests.

Cyber? give it a rest

[spoonyfork]

References to computer network infrastructure as "cyber" sound very amateur to me. 1995 already happened. Could we please get an adult vocabulary and start talking about serious subjects with maturity? Thank you.

Cyber security curriculum.

[eeg3]

Kind of a broad term. Don't most colleges already have courses similar to this? I know my college had something that could fit into that term. Anyone else seen "cyber security classes" at their college?

...due to be released tomorrow

[R.Caley]

Security advice from people who can't manage a simple press release process. I'm sure you all feel safer already.

Actually, come to think of it, perhaps incompitence in a secret po^H^H^H^H^H^H^H^H^Hhomeland security department is not such a bad thing.

Yes, there are programs

[dexterpexter]

The National Science Foundation (NSF) and the Department of Defense (DoD) already sponsor Scholarship For Service (SFS) programs like the Cyber Corps to train students in aspects of cyber security with the intention of placing them in government information assurance positions.

And many colleges are developing Centers for Information Security (CIS), and among those, that is where you see the government encouraging these programs.

The tag line, I believe, is "Defending America's Cyberspace."

More information on the SFS program can be found here:
http://www.sfs.opm.gov/ScholarshipMain.asp

Roadmap for the future

[amigoro]

1. Assitant Secretary for Cyber security
2. Budget and Program
3. Private Sector Outreach and Information Sharing
4. Risk Assement and Remediation
5. NCSD/NCS
6. R&D and Education

Why do I see more bureaucracy and less action?

Moderate this comment
Negative: Offtopic Flamebait Troll Redundant
Positive: Insightful Interesting Informative Funny

Computer Science programs.

[dexterpexter]

That is very true. Many colleges simply have a few security courses, and that is it.

But there are some colleges with offer the five major security certifications and offer network security, ecommerce security, network programming, penetration testing, operational security, forensics, enterprise security managment, and more courses which basically make up a secondary Computer Science program. Those students still have to learn all of the fundamentals, but also push themselves to learn the security aspects. These courses are also often taught by ex-government workers, ex-hackers, and such. I know of at least one that is also broadening their program to include electrical engineering and hardware aspects as well, so things like biometric sensors are covered in addition to programming databases.

I was suprised at how many programs there are in the nation which gear into this stuff; unfortunately, it is probably not enough. Most CS or IS programs focus on the theory and some practical implications, but stop at the security implications.

I doubt that.

[dexterpexter]

Really? As someone who just finished studying and reading the CERT guide for System Administration and Accreditation (yes, it was torture), I find that most system administrators do not know the principles within, or recklessly choose to disregard some of the most helpful ones. Many system administrators are seat-of-the-pants, self-taught individuals who learn along the way as issues come up, and sometimes miss some of the fine points of securing a system. A lot of admins push large upgrades on production systems, or use test systems still connected to the main network (the recent 60,000 computer fiasco reported in /. is a good example), don't practice isolation, choose their products on budget or because of a last minute need (although sometimes this is unavoidable), do not configure firewalls correctly, do not lock down their systems tightly, etc. Sometimes they do everything they should, but out of order. A lot of people don't realize the importance of order in bringing systems online. Many times, these are on critical systems or systems which contain confidential information. Customer information is put at risk, simply because the administrators do not know any better.
A lot of companies hire admins who are actually unqualified, but who can do a "good enough" job because they don't understand what to look for in an admin.
Not all admins are this way, but a suprising number of them are.

If admins out there honestly knew everything there was to know about security, and administer their system to the CERT guide specs, then I would be impressed. Because my experience in observing everything from large university systems, health care systems, tag agency (all-you-need-for-identity-theft-agencies, more appropriately) systems, corporate systems (credit card information and personal information), is that this simply isn't so.
A lot of penetration testing reveals vulnerabilities in areas that are clearly stated in that CERT guide.

Re:I doubt that.

[dexterpexter]

Perhaps not, unless customer contact information was involved, specifically credit card information, addresses, names, etc.

But in my examples:

-large university systems
-health care systems
-tag agencies

and such and such. Yes, the protection of that information is extremely important.
Just think about the information that someone would have on you by compromising just your local tag agency.
When companies collect and store information about their customers, they owe it to their customers to protect that information.

But you are absolutely correct in stating that, in most cases, budget is the deciding factor. But its amazing what good administration can do to counter budget issues. A lot of times, but not always, it is poor administration (again, putting things online out-of-order) and such and such that causes these compromises.

If a company doesn't want to take extra steps to protect information, they they should consider not storing that information on a system accessible to the outside.

cyberia

[Doc+Ruby]

Does it mention why every cybersecurity "czar", starting with Richard Clarke, through this Fall, has quit in disgust? I didn't think so.

Yes and no

[dexterpexter]

That is the problem. Prior to 9/11, there had been no comparable act of terrorism. While right now, things have been mostly peachy in the realm of cyber security (and when it's not, the public is not likely to hear about it), there is a general feeling in the cyber security community that our day will come. This time, however, they are actually attempting to prepare for it; how can that be a bad thing? Even if ineffective, there is effort being applied.

You would be suprised at who sits behind those computer screens and what their intention is. If the United States has an entity for electronic and cyber warfare, it seems that our enemies would have something similar. Now, back to the teenager thing... it is a sad truth that many compromises of confidential systems have been made by a teenager that is "just curious," but also some of these teens have developed an angsty hatred of the U.S. government and consider it a game to take it down.

You might not see it as terrorism... until the 911 systems go down. Until the IRS systems are compromised and your entire identity is stolen and abused. Until major systems are undergo a DDoS when you suddenly need them. That is why these preventative measures need to be in place, and why our youngest and brightest are being trained to take on this endeavor.

However, I don't think that 12 year old terrorists was the focus here. It is the damage that can be caused by even a 12 year old in context with what can be achieved by a highly trained individual who applies it for malicious purposes.

Re:Yes and no

[dave420]

You DO realise you're playing directly into their hands, right?

If you think Al Qaida could wreak more havoc cracking some government system and stealing some personal info, than by blowing something big up, you're grossly mistaken.

Fuck. You're seeing what the US is doing, and then going "Oh, well, if they're doing that, then there must be an enemy doing the same" - no. No, no, no, no, NO. That's how governments coerce the people. If the Army erected a massive cannon and pointed it at a hill, you'd assume that hill was dangerous. That's exactly what they're doing here. They're conjouring up threats to make their policies seem essential. If the Bush/Cheney administration doesn't hype up the enemy's potential, then they're out of a job. They fought the entire election over defense. It's their only perceived strength.

Where is the evidence that any terrorist organisation around the world is targetting the US en masse? Exactly.

Please, please, PLEASE don't buy into this. Look for some third-party information from someone not selling anything, who wants nothing in return. These guys have a vested interest in hyping danger, as more danger = more budget.

I'm sorry if I sound like a dick about this one, but from Europe, it's so blatantly obvious what your government is trying to evoke from you that it tears me up inside to see so many Americans swallowing it hook, line and sinker. I guess WWI && WW2 didn't feature too heavily in history classes over there. Or, if they did, they obviously missed out a bunch!

Are our lives really changed?

[joeljones]

Am I the only person who is tired of the rhetoric "Since September 11th, each and every American's life has changed"? For those outside of the goverment, and particularly the military, has it really? Certainly we have mangled the Bill of Rights beyond recognition, but am I the only one whose reaction to the 2nd attack on the WTC was "well, it finally happened?" And the notion that using commercial airliners as weapons was unthought of? Given that Tom Clancy is a best selling author, the odds that no one in our security infrastructure read about that scenario is close to zero.

Re:Are our lives really changed?

[dave420]

Seeing as the pentagon was having drills for what to do should airliners be used as weapons against them, and the previous G8 meeting earlier in the year when anti-aircraft armaments were deployed, to defend against rogue aircraft, their claim they didn't know about airplanes==weapons is just pathetic lying.

For a country that loves democracy so much, America doesn't seem to give a flying shit when their politicians lie. Unless it's about a blowjob, in which case it's TREASON, I tells ya! TREASON!

Sort it out, America. It's time for torches and pitchforks, and a nice stoll down to Washington DC... Unless you do that, the rest of the world will simply look on and laugh at the mess you've got yourself in ;)

RTFA - information density is very low in this...

[syrinje]

Very Helpfully(tm), the executive summary says "September 11, 2001, changed the life of each and every American..." as the first sentence in the report. As if we needed to be reminded yet again.

Just in case the reader forgot this fact while reading the rest of the exec summary, the next chapter, the Introduction, starts with "On a fateful day in September 2001, our lives changed forever as a handful of terrorists proved they had the means to destroy on a level equal to their hatred.".

Having grabbed the readers attention, the rest of the report goes on to do the following
a. Narrate an administrative history of the establishment of DHS and the cybersecurity divisions within it
b. Provide volkswagen loads of justification for the existence of said departments - based on various criteria, all liberally illustrated with suitably scary numbers
c. Lay the groundwork for greater control and monitoring by the departments, of all computing and telecommunication resources in the country, regardless of who owns/operates them.
d. Attempts a definition of cybersecurity - which is a good thing.
e. Provides more volksvagens full of information designed to prove that legislative and administrative machinery are acting diligently and responsibly along the road to better security. This also absolves the departments themselves from any potential blame in the event of a screw-up - "all our bases are covered"
f. Throws in some pseudo-wise statements about educating mom-n-pop about how to protect their store computers and generously mentions that it will fund education in related matters. Remains to be seen if they will just restructure existing funding, reallocate under a new head and claim a job well done there.

Not at all the level of analysis, detail or accountability information you'd expect. Of course, John Q.Public is told that his representatives are in the loop, so don't worry, sleep tight. Its almost as if the report was specifically designed to NOT reveal any information. We'd rather not tell you any more, thank you, cuz you and your neighbors might all be security risks.