US Cybersecurity Chief Beckstrom Resigns
nodialtone writes with a Reuters report that Rod Beckstrom, director of the National Cybersecurity Center (NCSC), has tendered his resignation, citing clashes between the NCSC and the NSA with regard to who handles the nation's online security efforts. In his resignation letter (PDF), he made the point that "The intelligence culture is very different than a network operations or security culture," and said he wasn't willing to "subjugate the NCSC underneath the NSA." He also complained of budget roadblocks which kept the NCSC from receiving more than five weeks of funding in the past year. Wired has a related story from late February which discusses comments from Admiral Dennis Blair, director of National Intelligence, who thinks cyber security should be the NSA's job to begin with.
good
Security is like virginity...once compromised it is lost forever.
From Mr Beckstrom's resignation letter: "In addition, the threats to our democratic processes are significant if all top level government network security and monitoring are handled by any one organization (either directly or indirectly)."
Amen, brother.
If the NSA is "put in charge" (I fail to see how this occurs) then many, who presumably already do this, will just have their own secure networks. I'm sure the military branches use their own methods, which are even resistant to NSA spying. Individuals who are concerned can currently use their own encryption or other methods to best secure their networks (it isn't illegal). If the NSA is in charge, one can rest assured that they copy and archive everything they can. How big "everything they can" is depends on some technical limitations and possibly some sort of legal oversight, but I don't really know.
"I'm sure the military branches use their own methods, which are even resistant to NSA spying"
The entire point of the NSA is to secure government (and thus military) communications. DES, hello? That was developed so that the government could send shit privately, not for you and me.
The NSA takes charge of development of all the various devices used, and probably gives recommended policy and procedure too. For example, secure communications between embassies? That gear was designed by the NSA, as were the protocols for programming them. Same goes for the encrypted comms on military planes and whatnot. The military uses these fancy boxes to "load" encryption keys into radios and such- and assure their security, chain of custody, blah blah. NSA developed.
If you think the NSA has secret access and is running counter-ops or some bullshit like that, you've been watching too many bad movies and reading too many bad (Tom Clancy) novels.
Please help metamoderate.
The current government cyber security system is broken by design. There is no way that one super organization can make every government network in the country secure. Each department and division in the government will have different needs. The only reasonable method to do this would be to have those departments and divisions implement their own security systems while the government as a whole creates a technology/advisory branch and a regulatory branch. Sort of like the DOE/NRC to nuclear reactor safety. The regulatory branch would audit the security (and potentially fine) the highest risk government agencies while the technology/advisory branch would be a big IT desk at which each department or branch could shop.
Perpetrate and facilitate are not high on an actual security agenda.
The cost of that cleanup, of course, will be borne by taxpayers, not industry.
Who here actually thought that these new posts by the new administration are more than puppets? Reinventing the wheel is stupid enough, and it has relatively few features. Reinventing security? WTF already.
The fact that the NSA has been working on this for some time and the results we've seen only highlight that the previous system was broken, no matter that it did produce some good results. Change is needed, but you can't make it happen by decree, it only looks like you did something when that happens and now you can blame who you want for the failure. This resignation may have been planned?
To think the NSA is not part of obscure security operations is fucking naive at best, dangerous at worst. When the people of the US have transparent oversight of all branches of government it might be okay to say such a thing. Till then such assumptions are dangerous.
Support NYCountryLawyer RIAA vs People
"...director of National Intelligence, who thinks cyber security should be the NSA's job to begin with."
Geezus, that would be like putting the thieves in charge of the banks! Uhhh, wait...
Behold, this dreamer cometh. Come now, and let us slay him... and we shall see what will become of his dreams.
The US security system(s) always amaze me. OkOk so the military gets infantry, navy and special ops divisions. But in the US you guys have like at least 10 other organizations. And all of their objectives are vague. Why not just close/merge a bunch of them. CIA FBI NSA NCSC US SS DoH DIA NRA really I could just start picking random letters (and I'm sure there are more than I've listed). They each get like 10 billion a year. You see the same things happening with science. Cept the total for science is like 30b instead of 100. It's kind of amazingly wasteful. Even assuming they worked together well with no overlap. It is hard for a government to properly overview that many pointless departments if you don't even know what they are supposed to be doing.
There should be a focus and funding on implementing BGPSEC and DNSSEC since this is where many of the major vulnerabilities lie, and developing new and improved encryption systems and so on. The goal being to assure the internet is a platform of freedom of expression where some cannot oppress the viewpoints of others.
Sounds like a good position to eliminate completely. Take the whole DHS with you on the way out the door. And possibly a good chunk of NSA too.
When blueprints and stuff for Marine 1 show up in Iran because some contractor wanted to download Britney Spears mp3s, yeah. I'd throw my hands up and walk away too. Things are only handled as intelligently as the dumbest person involved, and the leading cause of aneurism these days is having to deal with dumb people.
Friend: "The NIC is misconfigured..." Me: "No prob, I'll just telnet in and fix it." *Silence*
and am probably not the only one who is.
First we have, "The NCSC is your only national body created to fulfill your responsibility to protect networks across the civilian, military, and intelligence communities."
Next, "In addition, the threats to our democratic processes are significant if all top level government network security and monitoring are handled by any one organization (either directly or indirectly)."
But, the point of having DHS focus primarily on civilian government networks and NSA and the intelligence community as a whole focus on military networks and their networks respectively, seems to make sense. This setup would probably require a very close working relationship between interested parties.
Also, there was a ton of news about the DHS getting $355 million in cyber security funding last week.
You know, I could have joined the NSA, but they found out my parents were married.
~Philly
than you military oldtimers can ever comprehend. cyberspace also doesn't go well with the military mindset. military mindset requires control over the venues that need securing. cyberspace, internet, is a venue that refuses control. because it is against its nature. even if you try and succeed in getting an iron stranglehold over internet in your country, the rest of the world will keep a free internet. which will mean that your security issues will continue. because, internet IS people. it's not an empty network with consoles attached. it's no different than your own society with its people.
you should leave cybersecurity to people who understand online world and its people. you can't accomplish shit with military mindset. even more, heavy handed or controlling approaches lead to social online backlashes and spontaneous actions. portray yourselves as anti freedom fascists trying to control internet in a 1950s manner for any reason, and you may gain the attention of a varying multitude of people from hacking crowd, each of which could undermine whatever budget you can throw at security. portray yourselves as a friend of the people, and they harass your enemies. (a la pirate bay case).
remember - internet is an infinite chaotic space in which individuals can outdo thousands. best security approach is to be 'friend of the people'. and no military knows shit about that.
so, NSA, leave it to people who know internet.
Read radical news here
The object of cybersecurity is to prevent people from interfering with our computers. The NSA's JOB is to interfere with our computers. They can hardly do both at the same time.
I piss off bigots.
Carpenter's Hall is air conditioned now. Thankfully.
Giving your money supply completely over to money lenders. Doh!
Did it mean "detainee"??
For the record, the NSA concerns itself with ALL intel, not simply military. In fact, the majority of its intel covers both corporate, commercial as well as civilian....
Okay, so I'm not a member of the security community. What is a detailee again? (ff doesn't think it's a word)
No, cyber insecurity is the NSA's job, that is, getting hold of your secret communications.. Remember when they tapped into the main fibre link in that telco, here also. Another way of getting their hands on your data is to set up fake cyber security research consultancies who will come in and 'secure' your installation :) shoosh ... No Such Agency ...
davecb5620@gmail.com
"One of the key reasons that there are so many agencies is that there is a clear dividing line in US law between the military and civilian agencies. "
It has a lot more to do with historical accident than separation of powers. The agencies each formed from different power bases, with slightly different but overlapping missions, and have grown into institutions.
DHS is a *great* recent example. DoD, NSA, CIA, FBI, NRO, NCSC... what, we didn't have *enough* agencies that were already supposed to be protecting us for threats? But there was a crisis, so the existing power base creates a new organization to solve all the problems, rather than trying to fix the existing organizations.
And frankly, the whole "military" vs "civilian" thing is fairly specious. If we're worried about abuse of government power, the fact that the NSA is a nominally "civilian" agency doesn't really matter. They can still abuse their power just as well. What difference does it make that their CO is a "Director" rather than a "General"?
I should state that I'm not an anti-government nut. I just think there's too much overlap in all this. The NSA, CIA, NRO, and Army/Navy/AF intelligence should all be one damn organization. When it comes to computer security, there should be one agency with authority and one set of rules and documentation. As it is now, we've got NSA, NCSC, DISA, DSS, CIA DCI, NIST, and each service's SAPCO each with their own way of doing things! It's insane! Should I be writing my security plan to NISPOM standards, or JAFAN, DCI 6/3, or NSA SNAC, or DISA STIG, or ...? And $DEITY help you if you want to use one information system for multiple government programs under different authorities!
Hell, there shouldn't be separate field command structures for Army vs Navy vs AF vs USMC. Do away with this Joint Command bullshit and put one damn power structure in place. But holy Internet gods, you suggest merging the service branch departments, and you get treated like you just suggested burning the Constitution and making the leader of the US Communist party dictator for life in place of the President.
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
"There should be a focus and funding on implementing BGPSEC and DNSSEC since this is where many of the major vulnerabilities lie,"
Huh?
DNS and BGP are generally run by people who know what they are doing. While there are protocol vulnerabilities, they've historically been pretty resistant to attack. Compromises have been local and stayed local, like they should.
Compare that to the massive data breaches that major financial, health care, and government organizations have reported. Compare that to the hundreds of thousands -- if not millions -- of compromised home computers serving as spam cannons and botnet members.
DNS and BGP are not nearly as big a concern as that.
"so, NSA, leave it to people who know internet"
Um, yah. Do you have any real idea what you're talking about?
The NSA is full of very smart people. They employ more mathematicians and computer scientists than any other organization in the world. Their IA division is very good. They publish a lot of very good, public computer security guidance. The computer world would be a more secure place if most organizations tried to adopt some of their recommendations.
Check out http://www.nsa.gov/ia/guidance/security_configuration_guides/ some time. Chances are, the computers you're using to post your mindless spiel could benefit from following the instructions there.
"The object of cybersecurity is to prevent people from interfering with our computers. The NSA's JOB is to interfere with our computers."
Actually, the NSA is charged with the security of the nation's communications, including the private sector. "National Signals Agency" would be a better expansion ("signals" including communications and computers in the GOVSEC world). Sure, they spy on everybody. How much spying they should do is a quagmire of a political debate I'm not about to involve myself in here. But they also work to make sure the nation's signals infrastructure is secure.
As I pointed out in another post, the NSA publishes a lot of security guidance. It's very well written, very real-world oriented, and public. The private sector would do well to take lessons from it.
http://www.nsa.gov/ia/guidance/security_configuration_guides/
They've largely given up on controlling crypto. Of course, that just leads one to wonder -- is that because they've recognized it as a lost cause, or because they don't need to control it to crack it anymore?
"Disobeying a corrupt director won't get you hanged."
In fairness, disobeying a corrupt order will generally not lead to hanging. It likely will lead to a Court Martial, but if the order truly was corrupt, you'll be let off. Note that "I don't agree" does not make an order corrupt.
Still, I think you do make a fair point, so touche. Generals do command large forces with large weapons. The DCI commands a rather smaller force, most of whom don't have weapons, and most of those who do have much smaller weapons.
Of course, the CIA used to operate its own air force (the U-2 and SR-71 were originally CIA programs). Whether they still do, of course, is a matter of public speculation. :) But even then, the U-2 and SR-71 were never fitted with weapons systems. Well, not that the public knows about, anyway. Publicly, the SR-71 was intended to have the option of weapons capability; the option was simply never exercised. The neat thing about black ops is that there's always the possibility that they did something and just never told us.
"How common is it for a coup d'état to come from a minister of interior security?"
Well, since the "minister of interior security" in many authoritarian governments actually wields quite a lot of power, it's actually not uncommon. Look at the 1991 coup attempt in the USSR: That came from the KGB (Committee for State Security). The NKVD (KGB's predecessor under Stalin) likewise was the organization that administered the deaths or "disappearance" of millions of people.
But let's just look at the US (which, despite all its faults, is far from authoritarian). None of the organizations I named, aside from maybe the FBI, is concerned solely with interior security. Some of them are chartered explicitly to not be concerned with interior security.
But that itself is another fallacy: A great many security threats (I'm tempted to say the majority of them) know no border. So it's not practical to draw a line and say "this agency will only concern itself with interior threats". Sure, it would be nice to say the FBI should only concern itself with domestic cases, but the problem is that you generally don't know the full extent of the case until the case is solved.
You have a security hole.
You are being MICROattacked, from various angles, in a SOFT manner.
They had a few years, what have they done? Did they even fund any of the researchers making progress in this area? If they did, then why can't another group that is given the same responsibility but less prone to Cyber hype? Just plain outright fraud has been renamed to Cyber Terrorism by clowns like these - I'm not buying it unless there really is a robot with a bomb.
The NSA should be thought of as two houses. One side of the house is the signals intelligence gathering operation that everyone is suspicious of. The other side of the house is the research and development side. The NSA was one of the first to publish security guides for operating systems: http://www.nsa.gov/ia/guidance/security_configuration_guides/operating_systems.shtml . The NSA funded the SE-Linux research, along with I am sure giving input to the TrustedBSD work: http://www.trustedbsd.org/sebsd.html .
The NSA does a lot of good. Let's give credit where credit is due.
"developing new and improved encryption systems"
Really? What I hear people say at various security conferences is that you don't go through the crypto, but around it. You scan the guy's disk for things that look like a password, then you try all of them. Or you do a timing attack. Or you...
None of it breaks the mathematical properties of the encryption function. Why do we need new mathematics?
... for your replies.
Now we can see you.
Stand in the middle of the room. Stand back to back. Put your hands behind your heads. Do not touch each other...
I wish journalists would do a little research. NSA has had the lead role in cybersecurity since before the term was invented, back to the National Computer Security Center when Bob Morris the Elder was Chief Scientist. Mid-80's, in other words. Communications security since Truman.
What this guy is complaining about is that he wasn't able to wrest control of cybersecurity away from NSA.
"Wait, NIST? You mean the guys who sit around and define the meter and mile and kilogram? ;)"
The National Institute of Standards and Technology, yes. Check out the NIST Computer Security Resource Center: http://csrc.nist.gov/ It's actually good stuff, but again, redundant with the eleventeen other US Federal agencies publishing guidance. Confusion over authority helps nothing, least of all security.
Oh, and BTW: It's actually the BIPM that defines the SI units like meter and kilogram. (BIPM = Le Bureau international des poids et mesures, the International Bureau of Weights and Measures, headquartered in France.)
Er, yes, I should have written, "The NSA has given up on controlling crypto through legislation". Sorry for the unclarity.
I'd dispute your claim that hierarchy is at a disadvantage for defense. Loose groups are good for offense because you can't just counter-attack the command and control structures. But for building a foundation for attack, you want something strong and solid.
I say "your claim" because while I haven't read that RAND report in completeness, a cursory examination suggests that they don't particularly favor an unstructured defense.
Yeah, they have realized it was pointless to try to restrict encryption methods by calling them arms. Too difficult to control and nothing stopped people from developing equivalent stuff outside of the US.
That's a great example of a bad sentence. Did they receive five weeks of funding, or less than 47 weeks?
Uh-oh, have to read TFA to find out...
I would like to point out that what he was objecting to was the chain of command. You could use the analogy of a large company building. Like where I work.
I am in IT and we take security seriously but I don't answer to the building security personnel or their supervisors. This was the old mindset. I have seen old org charts where security, IT, and janitors are all lumped under facilities.
I administer the servers that control the badging and access cards. I work closely with them on many projects involving those systems. They make the call on what goes into the system and I make it work. That is only about 10% of what I do. I wouldn't dream of asking them anything about securing our network or the print/file servers. Nor would I expect them to know anything about how.
From NSA's point of view security is everything as well it should be. However, the vast majority of work I do, although it's secure, is not "security" related. I also work closely with HR, the Engineers and other special crews that use server data in their work.
Most companies in the private sector have realized Information Technology is no longer a part of any other department; it is its own department. With its own specific needs.
"The stupid neither forgive nor forget; the naive forgive and forget; the wise forgive but do not forget." -Thomas Szasz
Pu Pu, Pu Pu, run away, run away.
We are still waiting for HSD to issue Atomic Red Light Red, for Death Alert.
The TSA has a great black market going on, thanks to George Walker Bush. They can, "Glad Hand" items out of checked luggage, and at the "Star Gate" can demand $$$$ in Cold Cash for "passage."
What a Rip!
Now there's a money making enterprise, "the old fashion way."