Schneier Says We Don't Need a Cybersecurity Czar
Trailrunner7 writes "Threatpost.com reports that security guru Bruce Schneier says not only should the NSA not run cybersecurity for the federal government, no one should. 'Really what I think is it shouldn't be anybody. We do better without a top-down hierarchy. Our economic and political systems work best when there isn't a dictator in charge, when there isn't one organization in charge. My feeling is there shouldn't be one organization in charge. Not only shouldn't it be the NSA, it shouldn't be anybody,' Schneier said."
Our economic and political systems work best when there isn't a dictator in charge
Next in News: Bruce Schneier asked to be member of a Cybersecurity Tribunal.
The internets are decentralized (mostly), so why shouldn't the security model be?
Linux, you magnificent bastard, I read the fucking manual!
I, for one, would be happy without an overlord.
He won't make any friends with the government research grant people with that attitude, though. Seriously, if you only occasionally read what Schneier has to say, and follow his advice and guidelines, you'll be more "secure" than 99% of everyone else. That's because 99% of the people (and companies) don't follow his advice, which is often simple and just requires a little effort and awareness. It's the "effort and awareness" thing that most people find challenging.
Is that he would love to do it if they asked him, but they HAVEN'T.
Amen
I couldn't agree more. I wrote this blog post a few months ago arguing the exact same thing. There will always be crisis situations where government intervention and coordination may be necessary, but the first line of governance and management should be at the personal, community, and company level.
DHS is a hodgepodge of federal agencies that performs like the Keystone Cops in Gestapo uniforms. Not only is the NSA more qualified to take over federal infosec in a time of crisis, but it is statutorily safer for the general public because, as a member of the intelligence community, it is not legally a part of the law enforcement apparatus. In order for information to flow to law enforcement, the NSA would not only have to be willing to cooperate, but would have to jump a large number of hoops and hurdles to hand off the information. There are a lot of restrictions on the intelligence community with respect to information about Americans that simply don't exist for law enforcement like DHS.
The real reason why we don't need a Cybersecurity Czar is that 99 times out of 100, the systems that are getting hacked are not sensitive systems. Who cares if the Department of Labor or Interior gets hacked here and there since the intelligence community and military are generally competent at securing their classified networks?
I could see someone who will do testing and be the point person for the money. We need someone to do penetration testing with a white hat on.
Any volunteers?
So, let me see if I understand correctly. If a person opposes expensive, gargantuan, highly centralised, omnipotent government programs then you would consider that person to be a "right wing nut". Then, with no qualification you tack on the 'possibility' that he might be a racist. Is that because he isn't a socialist?
It is 'possible' that you spend your evenings participating in 'donkey shows' and turning tricks as a transgendered hooker, but I will not imply that it is likely without any evidence to back it up.
Better question is why the USA needs Czars of anything?
Weren't they leaders of imperialist Russia?
Why would that label seem appropriate?
Top down works -- for managing the efficient, repeated performance of a task with well defined and stable success criteria, and where performance can be improved incrementally by local adjustments. Top down has a place in the world. When consistency is at a premium, top down is the way to go.
Bottom up works too -- for tasks that involve things that are too complex and fluid for a single person or chain of command to comprehend and react to. Where creativity is at a premium, bottom up is the way to go.
No structure works too -- for tasks where there is a body of people who understand every part of that task. Think a Shaker barn raising. When you have a body of people who've mastered every aspect of a task and everyone can see what task needs more hands, then no structure is the way to go.
It seems to me that something like cybersecurity needs a bit of each approach. It's organizationally difficult, if not impossible, to approach such a problem perfectly. However, I think the rough appearance of a structure to handle this would be top down, with expertise pushed out to the various groups in the organization and discretion allowed.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
that I can see why you want another one.
All regulatory agencies, oversight committees, etc. are taken over by the regulatees.
This is a law of human social system-level nature as inexorable as the law of gravity.
History is full of layers and layers of oversight, none of which substitute for the self-interest of the operational group doing their job 'right'.
That doesn't happen very often even in large corporations, and is rare in government: precisely what you expect from the relative levels of self-interest of employees in these orgs.
I have worked in organizations from startups through state and federal governments. I am currently in a 30-person small network products company. As a generalization, I find that startups generally work, small organizations do quite often, but the larger the organization and the less connected the employees with management, the worse they execute.
There is already a set of standards and an agency with responsibility for setting and updating them, namely the Computer Security Division of the National Institute of Standards and Technology. We don't need another czar; we're running out of Fabergé eggs and gaudy uniforms.
What they need is a solid system of IT auditing to make sure the standards are followed. To the extent they are done now, IT audits are done within each agency and rarely receive attention at the department secretary level. Each department has an inspector general with oversight responsibilities, but they don't seem to put IT audits at the top of their agendas. GAO does not do much with this, either. Why not?
A White House directive for IT audits and request for reports of results would really be sufficient. Let them know the president is taking the issue seriously and they would do so as well.
She said it many times. Loudly. With seashells on the sides of her head.
"We shall grapple with the ineffable, and see if we may not eff it after all." - Douglas Adams
In capitalist America, Czar disappoints BRUCE!!
First, it's not a dictator.
Second, government works best when it's open and has a top down functionality.
Third, do you propose that some account be in charge of handling his own security? That every agency works in a bubble?
Do we need a Cybersecurity position? Maybe not, but we do need a person security guidelines and procedures come from. This way they can be vetted, and you don't have to train your entire staff in computer security.
The Dunning-Kruger explains most posts on
*sigh*
Multiplayer Gaming (defined): Sitting around, discussing single-player games with my friends, at the bar.
It must have been something you assimilated. . . .
The second they use the term "Czar", to describe a person in administrative capacity over a regulatory body, they betray the authoritarian and anti-democratic ideology with which they conspire against representative government and individual rights and liberties.
Czar is the Slavic rendering of Caesar. Why anybody sees this as an expediency worthy of trade-off for democratic involvement and oversight is a question I leave to you, the dear reader, to resolve.
"Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
Schneier seems to instinctively grasp what so many people don't: the hierarchical nature of virtually all human organizations - and derived from that vestigial alpha-male instinct - is prone to corruption, subversion, and ultimately ethical failure. Or to quote the old cliche: the Peter Principle applies here, with a twist: it's often the least ethical scum that rises to the top, not the least capable. Even the supposedly democratic United States government is organized in such a fashion, and the successful treasonous behavior of the Bush administration is a useful demonstration of how it can go wrong very quickly.
What Schneier is very reasonably suggesting is that we lessen that hierarchy, not add to it.
Bruce Schneier's secure handshake is so strong, you won't be able to exchange keys with anyone else for days.
http://geekz.co.uk/schneierfacts/
He's good at security, but government policy is not something in his league. Besides, private interests are beholden to foreign countries that do not share our interests (China, India) and cannot be trusted for such qualities.
Take your "bash government" speech elsewhere.
Twitter supports and protects racists - by smearing their critics with the "Hate Speech" label.
Really? You have video?
On second thought, I'll just take your word for it, and you keep the videos.
He mentioned last year about the last security czar who had no security experience, but didn't do his rant right then. And his rant should be good. `8r)
Gonzo Granzeau
"Nothing the god of biomechanics wouldn't let you into heaven for.." -Roy Batty
Top down works -- for managing the efficient, repeated performance of a task with well defined and stable success criteria, and where performance can be improved incrementally by local adjustments. Top down has a place in the world. When consistency is at a premium, top down is the way to go.
And not one aspect of that sounds anything like systems security, where attacks are fluid and the definitions of success are countless.
We do not need to fund federally a position that is far better met by people closer to the domain they are protecting.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
It could easily be the same security framework or standard (ISO27000?); applied to different realities, it gives you a different strategy, of course.
Actually no it cannot. If you are "applying a standard to different realities", you have divergence and two real de-facto standards.
Furthermore, the data you are trying to protect varies wildly by domain. CC are protected differently from SSN, which are protected differently from medical records, for they all have different data paths.
The variances are great enough we do not need to pay for a federal position that writes up proclamations that people ignore or apply in ways they see fit. We already have industry groups that give us security standards aplenty (like OWASP) that are the devil to apply already, so what good is someone at the federal level going to do beyond that? It's just a total waste of money when we have none to spare.
I, for one, would be happy with an oversight committee that does its job.
So would be all, but the very nature of an oversight committee (heck, a committee in general) is to make no-one happy and basically consume funds as it grows.
Thanks for wanting me to pay for that, but no thanks.
Which is worse? I dunno.
---- Booth was a patriot ----
More was done to secure the US govt by OMB fiats than by any other recent action.
Why? Because someone at OMB said:
Harden every desktop installation of Windows XP & Vista. One leader at the NSA, for the entire federal government, could greatly assist in doing the same for every piece of IT we operate. This is a start on the massive IT security problem the federal govt has. After that, a govt wide approach for software security would be nice.
So that means that CTU guys can't access FBI databases? Chloe can... she has helped Jack a LOT with that.
Thanks to an old man of the stack I read S773, but I didn't need to, nor do you, to KNOW it's unconstitutional. Take a look at Amendments 9 & 14 of the US Constitution (something something any powers not specifically set aside for the federal gov. are under the exclusive domain of the States or local govs something). They can't create a federal authority for cyberspace out of thin air... they'll need to amend the Constitution to do it. Well, they can, but they'll be destroyed in the courts. If they DO amend the Constitution, making such an appointment legal, then we can go over S773 with a fine-toothed 4th Amendment comb... and again find it unconstitutional.
The Admin and the Engineer
He voted for John McCain or Ron Paul. I always find it funny when people go on like that, because with that thinking we should do away with CEOs and have everyone in a company do whatever they want. LMAO
The Czar thing didn't work in Russia. They aren't good at rescuing things in the time of crisis.
Besides, why not appoint some more authentic American character? How about Security Superman?
And change the 'S' on the shield to 'SS'?
The problem with the NSA is that it IS part of the intelligence structure. If you insert them as a defensive player, more often than not, they will take absolutely NO action in order to protect their spying capabilities.
At present, nobody knows exactly what the reach is of the NSA. Nobody knows what they can and can't hear. If you task them with defending assets, each probe or attack reveals new information about what the NSA has at their disposal, depending on what the response is. I really don't think the NSA is willing to compromise the secrecy of its capabilities in order to thwart hackers.
Seth
$5 / month hosted VPS on linux = awesome!
One Czar to Rule them all and in the Darkness bind them?
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
"You don't need a cybersecurity czar... This isn't the issue you're looking for... They can go about their business... Move along."
I dunno, this whole thing smells like bantha poodoo to me.
Find environmentally and socially responsible products on http://buy-right.net
If the NSA (No Such Agency) is in charge, it'll be the same as having no security oversight at all. They naturally keep everything secret, so if they want to tell you to do something, you won't have the security clearance to read the order or any of its details.
Yes, they can write secret orders, not show them to you, and then prosecute you for not obeying them. But this has been true for around a decade now, so it won't be anything new.
Anyway, the main area where security is important is in the corporate world's handling of its comprehensive information about all of us. And in the modern US, agencies of the government don't give orders to corporations; the corporations give orders to the government. So corporate databases will continue to be as insecure as always, which doesn't really matter because the information is always for sale to the highest bidder, secure or not. Security really means that the information can't be read by anyone who hasn't paid for it, y'know.
If there are any changes, the most likely are that the NSA will be forced to adopt corporate-style "security" measures such as 4-digit PINs or password rules so complex that you have to write your passwords down and carry them in your wallet. And they'll routinely leave entire databases in laptops inside parked cars. This will be by policy, not accident. It'll result in more funny news stories; we'll mostly laugh and go about our lives.
I'd add a ;-), but I'm not sure that this actually qualifies as humor ...
(I'm sure that Jon Stewart and Steven Colbert will explain it much better than I can.)
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
Opposing large government generally makes one 'right wing'.
Using bombastic, hyperbolic terms such as 'gargantuan' and 'omnipotent' is what makes one a nut.
Well... Duh!
"Somebody has to do something. It's just incredibly pathetic it has to be us."
--- Jerry Garcia
If this happens we will only end up having a cyber Hitler and his cyberNazis. Then they will purge the internet of all the porn by burning it.
Uhm... you don't need a law degree to know that the federal government can certainly create an organization to oversee cybersecurity for the federal government. I guess you were modded "Insightful" because "paranoid" isn't a mod option.
If you mod me down, I shall become more powerful than you could possibly imagine.
http://www.yes-minister.com/polterms.htm
The title of the former rulers of Russia was "Tsar".
You would not expect the so called czar to direct a response to an attack by himself. That's not feasible. However the czar could oversee the aspects of the problem that are repeatable, for example ensuring training programs exist for system administrators; making sure groups working with critical systems have contingency plans; ensuring that vulnerability testing is done; investigating open installations which haven't installed recommended security patches. That sort of thing.
All done today by private industry, and various IT departments across government groups. You do not need to hold many other places to the same level of security as military IT, you have totally different data security requirements and needs from one group to the other.
A central overseer just adds bulk that gets in the way.
When an attack on a large scale occurs, then there needs to be a team in place to coordinate the response.
I question that need altogether. It may be helpful to know someone else is being attacked, but you don't have to have a team to coordinate anything across groups - you fix what is yours. Central control only leads to delay.
Step inside, ion.simIAn.c, prove what you claimed
"I'm a programmer." - by ion.simon.c (1183967) on Saturday May 02, @11:17PM (#27803057)
Really? Ok, same question you asked ME to prove & I did via the lists below you no longer question (along w/ other proofs I gave you but when YOU are asked for the same proofs? YOU RAN!)
SO, that "all said & aside"?
Prove to us you are a professional programmer, ion.simIAn.c, won't you?
After all, you CLAIMED that you are above, & demanded others do so as well, here:
"You claim that you're a professional. Prove it" - by ion.simon.c (1183967) on Sunday May 03, @08:52PM (#27811101)
OK - See the lists below (contact the magazines, publishing houses, or software companies involved @ your discretion, if you wish)... because it truly IS a pleasure watching you stick your foot in your mouth, each time you falsely accuse myself & others here.
So - professional technically means getting PAID to do a job, right? That's there below in the "My Name is Ozymandias, king of kings: Look upon my works, ye mighty, and despair" list below in fact, 1st entry...
AND
I've answered ALL of your questions (the ones that matter, & I did so, w/ out writing out a book to do so), here -> http://tech.slashdot.org/comments.pl?sid=1219095&cid=27806379 & here also -> http://slashdot.org/comments.pl?sid=1219095&cid=27853857
Funniest part is? When I and others (MEK_LoveBug) asked YOU to prove YOU ARE A PROFESSIONAL PROGRAMMER, as you claimed you were? You RAN, lmao!
----
"Google failed to find any official mention of your work with Russinovich" - by ion.simon.c (1183967) on Monday May 04, @10:57PM (#27825779)
GOOGLE didn't fail, YOU DID (as usual, per this reply AND the list of your screwups here I enumerate below in this exchange)...
See this -> http://www.pcmech.com/article/defragging-the-windows-page-file/ (& the comment by "SuperFluid" there)
YOU can't even GOOGLE something right, lol...
You're only showing yourself as what you really are: Nothing more than a "I can't do anything w/out GOOGLE" type online...
SO, AGAIN - YOU say you're a programmer? PROVE IT!
(So, how do you like it? After all, that's the kind of crap you've been saying to me & I provide proof below... and, you do not, & YOU have NOTHING LIKE THE LISTS I PROVIDE BELOW, to your credit)
----
"I've emailed Mr. Russinovich to figure out what work that you've done with him" - by ion.simon.c (1183967) on Monday May 04, @10:57PM (#27825779)
For Sunbelt Software (I'll save you the time there) to whom we contracted out wares we had written, thru LC Tech!
(& also MANY years later, in 2003, when I fixed up his pagedefrag program, instructing him where it was hardcoded and how/why it could adversely affect the operations of his application if people moved their pagefile.sys location AND eventlogs (which is doable on both accounts, & he STILL has a hardcode to the latter) to another disk (he had them hardcoded to C: drive only, & it made his program fail). In the end? Well - he emailed me back thanking me in fact.
----
"Your thread's not stickied on xtremepccentral, btw" - by ion.simon.c (1183967) on Monday May 04, @02:18AM (#27812855)
I don't believe they do that, & I can't get that EVERY place I imagine though I'd like to!
(However, my guide IS rated "5/5 stars" there, AND is in the top 2 most viewed of all time @ that website within the forums section it is featured on)...
This administration can find an early grave given their increasing wanting of power.
The photos of torture will out.
What the world suspects, will be confirmed.
The Bush administration, Monsters one all, will be confirmed as Monsters, and they turned the institutions of the United States of America, the Executive, Justice, Defense, Congress and the Supreme Court and All, into Monsters, and every employee, into a Monster. Even the US Military Troops on station, are now acknowledged as the Monsters, the prime Evil lurking in the world.
Way to go, George, Dick and Barack.
What a mess you All have made.
What a mockery you All are.
Treason, is a word too kind for the likes of you.
Comcast Cable Communications, Inc. ATT-COMCAST (NET-71-192-0-0-1)
71.192.0.0 - 71.207.255.255
Comcast Cable Communications, Inc. HUNTSVILLE-8 (NET-71-207-192-0-1)
71.207.192.0 - 71.207.255.255
ion.simon.c = 71.207.228.227
And you need an ISSO or some other security expert/chief/scary person to strike fear into them and into having that mindset. I think a Czar sounds scary, don't you? ;-)
May God give you double that which you wish for me
So they can pretend to do something.
A position with the title of Czar is one that has absolutely no power to do anything.