Slashdot Mirror


Schneier Says We Don't Need a Cybersecurity Czar

Trailrunner7 writes "Threatpost.com reports that security guru Bruce Schneier says not only should the NSA not run cybersecurity for the federal government, no one should. 'Really what I think is it shouldn't be anybody. We do better without a top-down hierarchy. Our economic and political systems work best when there isn't a dictator in charge, when there isn't one organization in charge. My feeling is there shouldn't be one organization in charge. Not only shouldn't it be the NSA, it shouldn't be anybody,' Schneier said."

39 of 173 comments

  1. Our economic and political systems by Culture20 · · Score: 4, Interesting

    Our economic and political systems work best when there isn't a dictator in charge

    Next in News: Bruce Schneier asked to be member of a Cybersecurity Tribunal.

    1. Re:Our economic and political systems by Cornwallis · · Score: 4, Insightful

      Hah! Since he dares question the powers-that-be: Next in News: Bruce Schneier to be tried by Cybersecurity Tribunal.

  2. Makes sense by Captain+Splendid · · Score: 4, Interesting

    The internets are decentralized (mostly), so why shouldn't the security model be?

    --
    Linux, you magnificent bastard, I read the fucking manual!
    1. Re:Makes sense by hedwards · · Score: 2, Insightful

      Because we don't want varying standards for security. The cybersecurity czar would more likely than not be mostly responsible for making sure efforts are coordinated and testing. In the past the various departments have done a piss poor job of verifying that systems are in fact hardened.

    2. Re:Makes sense by Shakrai · · Score: 5, Informative

      The cybersecurity czar would more likely than not be mostly responsible for making sure that the public perceives that the feds are actually doing something while actually accomplishing very little other than to direct a few contracts to vendors who donated the right amount of money and/or were buddies of his while he was in school.

      Fixed that for you. Given the track record of the other "czars" appointed by the Federal Government, you'll forgive me for my skepticism.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    3. Re:Makes sense by flyingsquid · · Score: 5, Funny

      The problem isn't the basic idea of having a 'czar', which is a good idea. The issue is that we have too many czars appointed, so it has become difficult to keep track of them all and coordinate their efforts. What we need is a single individual given the executive power to oversee all of these czars, and appoint them, discipline them, and fire them at will, so as to centralize control of the czars. That person will be the Czar Czar.

    4. Re:Makes sense by Anonymous Coward · · Score: 2, Insightful

      And given the track record of this administration, will either have cheated on taxes or be so inept at cyber security that every computer he owns is a member of multiple botnets.

      Along with a recent investigation into his former employees that indicate they were running the botnets installed on his computers, with clues that he may or may not have been aware of this.

      The quality of appointees from this administration has so far been a bit on the disappointing side, to say the least.

    5. Re:Makes sense by Tanktalus · · Score: 3, Insightful

      Also known as The President?

      Mind you, maybe that's part of the problem ... and the Czar Czar should be the Speaker of the House...

    6. Re:Makes sense by snspdaarf · · Score: 4, Funny

      ....Gabor?

      --
      Why, without your clothes, you're naked, Miss Dudley!
    7. Re:Makes sense by cayenne8 · · Score: 2, Insightful

      "The Democrats aren't much better, but at least they're trying to spend money on people in THIS HEMISPHERE, let alone in this country."

      While I'm very concerned about the amount of money they are currently spending.

      Why in the HELL should/would they be spending our money (that we don't have) on any people that aren't citizens of the United States??

      I don't mind helping out when you have excess.....but, right now, we do not, and one thing to do, would be to cut out foreign aid.

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
  3. No overlord necessary. by Bentov · · Score: 4, Funny

    I, for one, would be happy without an overlord.

    1. Re:No overlord necessary. by Ethanol-fueled · · Score: 5, Insightful

      I, for one, would be happy with an oversight committee that does its job.

    2. Re:No overlord necessary. by Farmer+Tim · · Score: 3, Interesting

      I, for one, would be happy with an oversight committee that does its job.

      oversight: (n) an unintentional failure to notice or do something.

      Job descriptions don't come more accurate than that...

      --
      Blank until /. makes another boneheaded UI decision.
  4. I love Schneier by PingXao · · Score: 5, Insightful

    He won't make any friends with the government research grant people with that attitude, though. Seriously, if you only occasionally read what Schneier has to say, and follow his advice and guidelines, you'll be more "secure" than 99% of everyone else. That's because 99% of the people (and companies) don't follow his advice, which is often simple and just requires a little effort and awareness. It's the "effort and awareness" thing that most people find challenging.

    1. Re:I love Schneier by moderatorrater · · Score: 4, Insightful

      I completely agree. The biggest point people need to take from Schneier is that security is more of a mindset than anything else. If you care about security and you're willing to take a little effort to achieve it, you can (at least until you get humans involved, then there will be a willing idiot almost every time). Encryption is a solved problem, XSS attacks are easily dealt with if you know what you're doing and head the problem off early in development, etc. The biggest thing that would be accomplished is just to get people thinking about it and dealing with it proactively.

  5. Cyber Security is OUR problem by Anonymous Coward · · Score: 4, Insightful

    I couldn't agree more. I wrote this blog post a few months ago arguing the exact same thing. There will always be crisis situations where government intervention and coordination may be necessary, but the first line of governance and management should be at the personal, community, and company level.

  6. The NSA is more qualified than DHS by MikeRT · · Score: 4, Insightful

    DHS is a hodgepodge of federal agencies that performs like the Keystone Cops in Gestapo uniforms. Not only is the NSA more qualified to take over federal infosec in a time of crisis, but it is statutorily safer for the general public because as a member of the intelligence community, it is not legally a part of the law enforcement apparatus. In order for information to flow to law enforcement, the NSA would not only have to be willing to cooperate, but have to jump a large number of hoops and hurdles to hand off the information. There are a lot of restrictions on the intelligence community with respect to information about Americans that simply don't exist for law enforcement like DHS.

    The real reason why we don't need a Cybersecurity Czar is that 99 times out of 100, the systems that are getting hacked are not sensitive systems. Who cares if the Department of Labor or Interior gets hacked here and there since the intelligence community and military are generally competent at securing their classified networks?

    1. Re:The NSA is more qualified than DHS by Beryllium+Sphere(tm) · · Score: 5, Informative

      At the Department of the Interior, "Alan Balaran, a court-appointed special master, soon confirmed that a team of hackers could break into the trust accounting system with relative ease and then write checks on the trust funds". Those trust funds were held for the benefit of Native American nations, who filed a multi-billion dollar lawsuit over the security problems.

      There are sensitive systems all over.

  7. Czar? by DarthVain · · Score: 4, Insightful

    Better question is why the USA needs Czars of anything?

    Weren't they leaders of imperialist Russia?

    Why would that label seem appropriate?

  8. The business generalization is too crude by hey! · · Score: 4, Interesting

    Top down works -- for managing the efficient, repeated performance of a task with well defined and stable success criteria, and where performance can be improved incrementally by local adjustments. Top down has a place in the world. When consistency is at a premium, top down is the way to go.

    Bottom up works too -- for tasks that involve things that are too complex and fluid for a single person or chain of command to comprehend and react to. Where creativity is at a premium, bottom up is the way to go.

    No structure works too -- for tasks where there is a body of people who understand every part of that task. Think a Shaker barn raising. When you have a body of people who've mastered every aspect of a task and everyone can see what task needs more hands, then no structure is the way to go.

    It seems to me that something like cybersecurity needs a bit of each approach. It's organizationally difficult, if not impossible to approach such a problem perfectly. However, I think the rough appearance of a structure to handle this would be top down with expertise pushed out to the various groups in the organization and discretion allowed.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    1. Re:The business generalization is too crude by Crispy+Critters · · Score: 2, Insightful

      All good points. I would add that top down is valuable when budgeting is most important and bottom up works better when transparency is needed. I think I want the people who are deciding what hash functions are secure to be different from the people worrying about whether it will annoy their vendors to ask for a patch and how much it will cost to push the patch to all vulnerable systems. There doesn't seem to be enough overlap between, say, testing encryption, securing the root DNS servers, and locking down desktops running Windows to put all these under one person.

    2. Re:The business generalization is too crude by Attila+Dimedici · · Score: 2, Informative

      No structure works too -- for tasks where there is a body of people who understand every part of that task. Think a Shaker barn raising. When you have a body of people who've mastered every aspect of a task and everyone can see what task needs more hands, then no structure is the way to go.

      I am not sure about Shaker barn raising, but I am pretty sure you actually meant Amish barn raising. I know something about Amish barn raising (I have relatives among the Amish).
      Amish barn raising is not "no structure". There is no formal structure, but there is a fairly strict informal structure. As a general rule everybody at an Amish barn raising has known everybody else there as long as they can remember and almost all of them are related to one degree or another.
      The structure used for Amish barn raising is the best structure for any task involving a group of people that is small enough that everyone knows and trusts everyone else.

      --
      The truth is that all men having power ought to be mistrusted. James Madison
  9. Examples of oversight committees working, please by Anonymous Coward · · Score: 3, Interesting

    All regulatory agencies, oversight committees, etc. are taken over by the regulatees.

    This is a law of human social system-level nature as inexorable as the law of gravity.

    History is full of layers and layers of oversight, none of which substitute for the self-interest of the operational group doing their job 'right'.

    That doesn't happen very often even in large corporations, is rare in government: precisely what you expect from the relative levels of self-interest of employees in these orgs.

    I have worked in organizations from startups through state and federal governments. I am currently in a 30-person small network products company. As a generalization, I find that startups generally work, small organizations do quite often, but the larger the organization and the less connected the employees with management, the worse they execute,

  10. Just refine the idea a little by Punk+CPA · · Score: 2, Interesting

    There is already a set of standards and an agency with responsibility for setting and updating them, namely the Computer Security Division of the National Institute of Standards and Technology. We don't need another czar; we're running out of Fabergé eggs and gaudy uniforms.

    What they need is a solid system of IT auditing to make sure the standards are followed. To the extent they are done now, IT audits are done within each agency and rarely receive attention at the department secretary level. Each department has an inspector general with oversight responsibilities, but they don't seem to put IT audits at the top of their agendas. GAO does not do much with this, either. Why not?

    A White House directive for IT audits and request for reports of results would really be sufficient. Let them know the president is taking the issue seriously and they would do so as well.

  11. Why an ANYTHING Czar? by Philip+K+Dickhead · · Score: 5, Insightful

    The second they use the term "Czar", to describe a person in administrative capacity over a regulatory body, they betray the authoritarian and anti-democratic ideology with which they conspire against representative government and individual rights and liberties.

    Czar is the Slavic rendering of Caesar. Why anybody sees this as an expediency worthy of trade-off for democratic involvement and oversight is a question I leave you, the dear reader, to resolve.

    --
    "Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
    1. Re:Why an ANYTHING Czar? by cathars1s · · Score: 2, Informative

      ... and Czars were also authoritarian monarchs in Russia, Serbia, and Bulgaria. Or was that too obvious?

  12. The "tyranny of the hierarchy" by macraig · · Score: 4, Interesting

    Schneier seems to instinctively grasp what so many people don't: the hierarchical nature of virtually all human organizations - and derived from that vestigial alpha-male instinct - is prone to corruption, subversion, and ultimately ethical failure. Or to quote the old cliche: the Peter Principle applies here, with a twist: it's often the least ethical scum that rises to the top, not the least capable. Even the supposedly democratic United States government is organized in such a fashion, and the successful treasonous behavior of the Bush administration is a useful demonstration of how it can go wrong very quickly.

    What Schneier is very reasonably suggesting is that we lessen that hierarchy, not add to it.

    1. Re:The "tyranny of the hierarchy" by mmaniaci · · Score: 2, Insightful

      ...and the successful treasonous behavior of every administration after Kennedy is a useful demonstration of how it can go wrong very quickly.

      (And yes, this includes Obama!) I do agree with you in principle. What can be corrupt, will be corrupt, and we need less legislation that has the potential to become corrupt. Due to this, no Czar is a good thing, and I don't think I need to explain the connection with absolute power and corruption.

      P.S. "Czar" is the dumbest buzzword that the interwebs has given birth to in a long time and I for one am sick of hearing it. But I guess it's not really birth... it's more like stealing someone's kid, calling it your own, then beating the shit out of him until he's a she.

  13. Bruce Schneier Facts by brunes69 · · Score: 3, Funny

    Bruce Schneier's secure handshake is so strong, you won't be able to exchange keys with anyone else for days.

    http://geekz.co.uk/schneierfacts/

  14. Schneier's blog by GoNINzo · · Score: 2, Interesting

    I'm looking forward to his opinion directly from his blog as well. I have a feeling that he has a lot to say on this topic, if only someone would listen.

    He mentioned last year about the last security czar who had no security experience, but didn't do his rant right then. And his rant should be good. `8r)

    --
    Gonzo Granzeau
    "Nothing the god of biomechanics wouldn't let you into heaven for.." -Roy Batty
  15. Different realities = divergence by SuperKendall · · Score: 2, Insightful

    It could easily be the same security framework or standard (ISO27000?), applied to different realities gives you a different strategy of course.

    Actually no it cannot. If you are "applying a standard to different realities", you have divergence and two real de-facto standards.

    Furthermore the data you are trying to protect varies wildly by domain. CC are protected differently from SSN are protected differently from medical records, for they all have different data paths.

    The variances are great enough we do not need to pay for a federal position that writes up proclamations that people ignore or apply in ways they see fit. We already have industry groups that give us security standards aplenty (like OWASP) that are the devil to apply already, so what good is someone at the federal level going to do beyond that? It's just a total waste of money when we have none to spare.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  16. Re:dictator or bureaucracy? by sethstorm · · Score: 3, Interesting

    The one that exists in the private sector, and controls government.

    Or:

    The one that exists as a foreign government that controls us via large amounts of debt and/or business lobbies.

    --
    Twitter supports and protects racists - by smearing their critics with the "Hate Speech" label.
  17. Bruce got this one wrong by brennz · · Score: 2, Interesting

    More was done to secure the US govt by OMB fiats than by any other recent actions.

    Why? Because someone at OMB said:
    Harden every desktop installation of Windows XP & Vista. One leader at the NSA, for the entire federal government, could greatly assist in doing the same for every piece of IT we operate. This is a start on the massive IT security problem the federal govt has. After that, a govt wide approach for software security would be nice.

  18. S773 'Cybersecurity' Bill is unconstitutional. by catmistake · · Score: 2, Interesting

    Thanks to an old man of the stack I read S773, but I didn't need to, nor do you, to KNOW it's unconstitutional. Take a look at Amendments 9 & 14 of the US Constitution (something something any powers not specifically set aside for the federal gov. is under the exclusive domain of the States or local gov.s something). They can't create a federal authority for cyberspace out of thin air... they'll need to amend the Constitution to do it. Well, they can, but they'll be destroyed in the courts. If they DO amend the Constitution, making such an appointment legal, then we can go over S773 with a fine-toothed 4th Amendment comb... and again find it unconstitutional.

  19. Re:Maybe someone to keep the feet on the fire? by moderatorrater · · Score: 2, Funny

    We need someone to do penetration testing with a white hat on.

    Can I use my wizard hat and robe instead?

  20. why NSA shouldn't be used for defense by SethJohnson · · Score: 3, Interesting
    The problem with the NSA is that it IS part of the intelligence structure. If you insert them as a defensive player, more often than not, they will take absolutely NO action in order to protect their spying capabilities.

    At present, nobody knows exactly what the reach is of the NSA. Nobody knows what they can and can't hear. If you task them with defending assets, each probe or attack reveals new information about what the NSA has at their disposal, depending on what the response is. I really don't think the NSA is willing to compromise the secrecy of its capabilities in order to thwart hackers.

    Seth

    1. Re:why NSA shouldn't be used for defense by ion.simon.c · · Score: 2, Interesting

      ^^^^ THIS.

      You cannot appoint a military organization whose effectiveness depends on ignorance of its capabilities and vulnerabilities to protect civilian infosec. The only way any newly discovered vulns will ever be disclosed to the public by this sort of watchdog is if it is felt that "The Enemy" already knows about them and has a workaround, and that the disclosure would not compromise the position of any spies/well placed janitors.

      After all, we're *all* generally using the same basic computing infrastructure these days.

  21. Don't worry ... by jc42 · · Score: 2, Insightful

    If the NSA (No Such Agency) is in charge, it'll be the same as having no security oversight at all. They naturally keep everything secret, so if they want to tell you to do something, you won't have the security clearance to read the order or any of its details.

    Yes, they can write secret orders, not show them to you, and then prosecute you for not obeying them. But this has been true for around a decade now, so it won't be anything new.

    Anyway, the main area where security is important is in the corporate world's handling of its comprehensive information about all of us. And in the modern US, agencies of the government don't give orders to corporations; the corporations give orders to the government. So corporate databases will continue to be as insecure as always, which doesn't really matter because the information is always for sale to the highest bidder, secure or not. Security really means that the information can't be read by anyone who hasn't paid for it, y'know.

    If there are any changes, the most likely are that the NSA will be forced to adopt corporate-style "security" measures such as 4-digit PINs or password rules so complex that you have to write your passwords down and carry them in your wallet. And they'll routinely leave entire databases in laptops inside parked cars. This will be by policy, not accident. It'll result in more funny news stories; we'll mostly laugh and go about our lives.

    I'd add a ;-), but I'm not sure that this actually qualifies as humor ...

    (I'm sure that Jon Stewart and Stephen Colbert will explain it much better than I can.)

    --
    Those who do study history are doomed to stand helplessly by while everyone else repeats it.
  22. Re:Has Bruce gone bat shit loco? by Corbets · · Score: 2, Insightful

    and you don't have to train your entire staff in computer security.

    Actually, you do. That's Bruce's whole point most of the time, and it's what makes my job as a security consultant so difficult (and well-paid).

    Security is a mindset. Every person has to have the concept of "secure environment" in their head every day, be they developers, users of IT systems, or even the seemingly-rare non-IT user (i.e. custodians). People need to understand why security is so crucial, and they have to be involved in the process; just designing technical controls around them always fails quickly, because people who don't value security will abuse whatever privileges they have, thinking that they're helping someone.