Slashdot Mirror
Schneier Says We Don't Need a Cybersecurity Czar
Trailrunner7 writes "Threatpost.com reports that security guru Bruce Schneier says not only should the NSA not run cybersecurity for the federal government, no one should. 'Really what I think is it shouldn't be anybody. We do better without a top-down hierarchy. Our economic and political systems work best when there isn't a dictator in charge, when there isn't one organization in charge. My feeling is there shouldn't be one organization in charge. Not only shouldn't it be the NSA, it shouldn't be anybody,' Schneier said."
Our economic and political systems work best when there isn't a dictator in charge
Next in News: Bruce Schneier asked to be member of a Cybersecurity Tribunal.
The internets are decentralized (mostly), so why shouldn't the security model be?
Linux, you magnificent bastard, I read the fucking manual!
I, for one, would be happy without an overlord.
He won't make any friends with the government research grant people with that attitude, though. Seriously, if you only occasionally read what Schneier has to say, and follow his advice and guidelines, you'll be more "secure" than 99% of everyone else. That's because 99% of the people (and companies) don't follow his advice, which is often simple and just requires a little effort and awareness. It's the "effort and awareness" thing that most people find challenging.
I couldn't agree more. I wrote this blog post a few months ago arguing the exact same thing. There will always be crisis situations where government intervention and coordination may be necessary, but the first line of governance and management should be at the personal, community, and company level.
DHS is a hodge podge of federal agencies that performs like the Keystone Cops in Gestapo uniforms. Not only is the NSA more qualified to take over federal infosec in a time of crisis, but it is statutorally safer for the general public because as a member of the intelligence community, it is not legally a part of the law enforcement apparatus. In order for information to flow to law enforcement, the NSA would not only have to be willing to cooperate, but have to jump a large number of hoops and hurdles to hand off the information. There are a lot of restrictions on the intelligence community with respect to information about Americans that simply don't exist for law enforcement like DHS.
The real reason why we don't need a Cybersecurity Czar is that 99 times out of 100, the systems that are getting hacked are not sensitive systems. Who cares if the Department of Labor or Interior gets hacked here and there since the intelligence community and military are generally competent at securing their classified networks?
I could see someone who will do testing and be the point person for the money. We need someone to do penetration testing with a white hat on.
Any volunteers?
Better question is why the USA needs Czars of anything?
Weren't they leaders of imperialist Russia?
Why would that label seem appropriate?
Top down works -- for managing the efficient, repeated performance of a task with well defined and stable success criteria, and where performance can be improved incrementally by local adjustments. Top down has a place in the world. When consistent is at a premium, top down is the way to go.
Bottom up works too -- for tasks that involve things that are too complex and fluid for a single person or chain of command to comprehend and react to. Where creativity is at a premium, bottom up is the way to go.
No structure works too -- for tasks where there is a body of people who understand every part of that task. Think a Shaker barn raising. When you have a body of people who've mastered every aspect of a task and everyone can see what task needs more hands, then no structure is the way to go.
It seems to me that something like cybersecurity needs a bit of each approach. It's organizationally difficult, if not impossible to approach such a problem perfectly. However, I think the rough appearance of a structure to handle this would be top down with expertise pushed out to the various groups in the organization and discretion allowed.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
that I can see why you want another one.
All regulatory agencies, oversight committees, etc. are taken over by the regulatees.
This is a law of human social system-level nature as inexorable as the law of gravity.
History is full of layers and layers of oversight, none of which substitute for the self-interest of the operational group doing their job 'right'.
That doesn't happen very often even in large corporations, is rare in government : precisely what you expect from the relative levels of self-interest of employees in these orgs.
I have worked in organizations from startups through state and federal governments. I am currently in a 30-person small network products company. As a generalization, I find that startups generally work, small organizations do quite often, but the larger the organization and the less connected the employees with management, the worse they execute,
There is already a set of standards and an agency with responsibility for setting and updating them, namely the Computer Security Division of the National Institute of Standards and Technology. We don't need another czar; we're running out of Fabergé eggs and gaudy uniforms.
What they need is a solid system of IT auditing to make sure the standards are followed. To the extent they are done now, IT audits are done within each agency and rarely receive attention at the department secretary level. Each department has an inspector general with oversight responsibilities, but they don't seem to put IT audits at the top of their agendas. GAO does not do much with this, either. Why not?
A White House directive for IT audits and request for reports of results would really be sufficient. Let them know the president is taking the issue seriously and they would do so as well.
She said it many times. Loudly. With seashells on the sides of her head.
"We shall grapple with the ineffable, and see if we may not eff it after all." - Douglas Adams
First, it's not a dictator.
Second, Government works best when it's open and has a top down functionality.
Third, Do you propose that some account be in charge of handling his own security? that every agency works in a bubble?
Do we need a Cybersecurity position? maybe not, but we do need a person security guideline and procedure come from. This way they can be vetted, and you don't ahve to train your entire staff in computer security.
The Kruger Dunning explains most post on
It must have been something you assimilated. . . .
The second they use the term "Czar", to describe a person in administrative capacity over a regulatory body, they betray the authoritarian and anti-democratic ideology with which they conspire against representative government and individual rights and liberties.
Czar is the Slavic rendering of Caesar. Why anybody sees this as an expediency worthy of trade-off for democratic involvement and oversight is a question I leave you, the dear reader to resolve.
"Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
Schneier seems to instinctively grasp what so many people don't: the hierarchical nature of virtually all human organizations - and derived from that vestigial alpha-male instinct - is prone to corruption, subversion, and ultimately ethical failure. Or to quote the old cliche: the Peter Principle applies here, with a twist: it's often the least ethical scum that rises to the top, not the least capable. Even the supposedly democratic United States government is organized in such a fashion, and the successful treasonous behavior of the Bush administration is a useful demonstration of how it can go wrong very quickly.
What Schneier is very reasonably suggesting is that we lessen that hierarchy, not add to it.
Bruce Schneier's secure handshake is so strong, you won't be able to exchange keys with anyone else for days.
http://geekz.co.uk/schneierfacts/
He's good at security, but government policy is not something in his league. Besides, private interests are beholden to foreign countries that do not share our interests(China, India) and cannot be trusted for such qualities.
Take your "bash government" speech elsewhere.
Twitter supports and protects racists - by smearing their critics with the "Hate Speech" label.
Really? You have video?
On second thought, I'll just take your word for it, and you keep the videos.
He mentioned last year about the last security czar who had no security experience, but didn't do his rant right then. And his rant should be good. `8r)
Gonzo Granzeau
"Nothing the god of biomechanics wouldn't let you into heaven for.." -Roy Batty
Top down works -- for managing the efficient, repeated performance of a task with well defined and stable success criteria, and where performance can be improved incrementally by local adjustments. Top down has a place in the world. When consistent is at a premium, top down is the way to go.
And not one aspect of that sounds anything like systems security, where attacks are fluid and the definitions of success are countless.
We do not need to fund federally a position that is far better met by people closer to the domain they are protecting.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
It could easily be the same security framework or standard (ISO27000?), applied to different realities gives you a different strategy of course.
Actually no it cannot. If you are "applying a standard to different realities", you have divergence and two real de-facto standards.
Furthermore the data you are trying to protect varies wildly by domain. CC are protected differently from SSN are protected differently from medical records, for they all have different data paths.
The variances are great enough we do not need to pay for a federal position that writes up proclamations that people ignore or apply in ways they see fit. We already have industry groups that give us security standards aplenty (like OWASP) that are the devil to apply already, so what good is someone at the federal level going to do beyond that? It's just a total waste of money when we have none to spare.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
I, for one, would be happy with an oversight committee that does its job.
So would be all, but the very nature of an oversight committee (heck, a committee in general) is to make no-one happy and basically consume funds as it grows.
Thanks for wanting me to pay for that, but no thanks.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Which is worse? i donno.
---- Booth was a patriot ----
More was done to secure the US govt by OMB fiats, than any other recent actions.
Why? Because someone at OMB said:
Harden every desktop installation of Windows XP & Vista. One leader at the NSA, for the entire federal government, could greatly assist in doing the same for every piece of IT we operate. This is a start on the massive IT security problem the federal govt has. After that, a govt wide approach for software security would be nice.
Thanks to an old man of the stack I read S773, but I didn't need to, nor do you, to KNOW its unconstitutional. Take a look at Amendments 9 & 14 of the US Constitution (something something any powers not specifically set aside for the federal gov. is under the exclusive domain of the States or local gov.s something). They can't create a federal authority for cyberspace out of thin air... they'll need to amend the Constitution to do it. Well, they can, but they'll be destroyed in the courts. If they DO amend the Constitution, making such an appointment legal, then we can go over S773 with a fine toothed 4th Amendment comb... and again find it unconstitutional.
The Admin and the Engineer
God forbid somebody says something sensible...*sigh* indeed.
The Czar thing didn't work in Russia. They aren't good at rescueing things in the time of crisis.
Besides, why not appoint some more authentic American character? How about Security Superman?
And change the 'S' on the shield to 'SS'?
The problem with the NSA is that it IS part of the intelligence structure. If you insert them as a defensive player, more often than not, they will take absolutely NO action in order to protect their spying capabilities.
At present, nobody knows exactly what the reach is of the NSA. Nobody knows what they can and can't hear. If you task them with defending assets, each probe or attack reveals new information about what the NSA has at their disposal, depending on what the response is. I really don't think the NSA is willing to compromise the secrecy of its capabilities in order to thwart hackers.
Seth
$5 / month hosted VPS on linux = awesome!
One Czar to Rule them all and in the Darkness bind them?
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
"You don't need a cybersecurity czar... This isn't the issue you're looking for... They can go about their business... Move along."
I dunno, this whole thing smells like bantha poodoo to me.
Find environmentally and socially responsible products on http://buy-right.net
If the NSA (No Such Agency) is in charge, it'll be the same as having no security oversight at all. They naturally keep everything secret, so if they want to tell you to do something, you won't have the security clearance to read the order or any of its details.
Yes, they can write secret orders, not show them to you, and then prosecute you for not obeying them. But this has been true for around a decade now, so it won't be anything new.
Anyway, the main area where security is important is in the corporate world's handling of its comprehensive information about all of us. And in the modern US, agencies of the government don't give orders to corporations; the corporations give orders to the government. So corporate databases will continue to be as insecure as always, which doesn't really matter because the information is always for sale to the highest bidder, secure or not. Security really means that the information can't be read by anyone who hasn't paid for it, y'know.
If there are any changes, the most likely are that the NSA will be forced to adopt corporate-style "security" measures such as 4-digit PINs or password rules so complex that you have to write your passwords down and carry them in your wallet. And they'll routinely leave entire databases in laptops inside parked cars. This will be by policy, not accident. It'll result in more funny news stories; we'll mostly laugh and go about our lives.
I'd add a ;-), but I'm not sure that this actually qualifies as humor ...
(I'm sure that Jon Stewart and Steven Colbert will explain it much better than I can.)
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
Opposing large government generally makes one 'right wing'.
Using bombastic, hyperbolic terms such as 'gargantuan' and 'omnipotent' is what makes one a nut.
Well... Duh!
"Somebody has to do something. It's just incredibly pathetic it has to be us."
--- Jerry Garcia
If this happens we will only end up having a cyber Hitler and his cyberNazi's. Then they will purge the internet of all the porn by burning it.
Uhm... you don't need a law degree to know that the federal government can certainly create an organization to oversee cybersecurity for the federal government. I guess you were modded "Insightful" because "paranoid" isn't a mod option.
If you mod me down, I shall become more powerful than you could possibly imagine.
http://www.yes-minister.com/polterms.htm
The title of the former rulers of Russia was "Tsar".
You would not expect the so called czar to direct a response to an attack by himself. That's not feasible. However the czar could oversee the aspects of the problem that are repeatable, for example ensuring training programs exist for system administrators; making sure groups working with critical systems have contingency plans; ensuring that vulnerability testing is done; investigating open installations which haven't installed recommended security patches. That sort of thing.
All done today by private industry, and various IT departments across government groups. You do not need to hold many other places to the same level of security as military IT, you have totally different data security requirements and needs from one group to the other.
A central overseer just adds bulk that gets in the way.
When an attack on a large scale occurs, then there needs to be a team in place to coordinate the response.
I question that need altogether. It may be helpful to know someone else is being attacked, but you don't have to have a team to coordinate anything across groups - you fix what is yours. Central control only leads to delay.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
And you need an ISSO or some other security expert/chief/scary person to strike fear into them and into having that mindset. I think a Czar sounds scary, don't you? ;-)
Que Deus te de em dobro o que me desejas
[May God give you double that which you wish for me]
So they can pretend to do something.
A position with the title of Czar is one that has absolutely no power to do anything.