Schneier Says We Don't Need a Cybersecurity Czar
Trailrunner7 writes "Threatpost.com reports that security guru Bruce Schneier says not only should the NSA not run cybersecurity for the federal government, no one should. 'Really what I think is it shouldn't be anybody. We do better without a top-down hierarchy. Our economic and political systems work best when there isn't a dictator in charge, when there isn't one organization in charge. My feeling is there shouldn't be one organization in charge. Not only shouldn't it be the NSA, it shouldn't be anybody,' Schneier said."
Our economic and political systems work best when there isn't a dictator in charge
Next in News: Bruce Schneier asked to be member of a Cybersecurity Tribunal.
The internets are decentralized (mostly), so why shouldn't the security model be?
Linux, you magnificent bastard, I read the fucking manual!
I, for one, would be happy without an overlord.
He won't make any friends with the government research grant people with that attitude, though. Seriously, if you only occasionally read what Schneier has to say, and follow his advice and guidelines, you'll be more "secure" than 99% of everyone else. That's because 99% of the people (and companies) don't follow his advice, which is often simple and just requires a little effort and awareness. It's the "effort and awareness" thing that most people find challenging.
I couldn't agree more. I wrote this blog post a few months ago arguing the exact same thing. There will always be crisis situations where government intervention and coordination may be necessary, but the first line of governance and management should be at the personal, community, and company level.
DHS is a hodge podge of federal agencies that performs like the Keystone Cops in Gestapo uniforms. Not only is the NSA more qualified to take over federal infosec in a time of crisis, but it is statutorily safer for the general public because as a member of the intelligence community, it is not legally a part of the law enforcement apparatus. In order for information to flow to law enforcement, the NSA would not only have to be willing to cooperate, but have to jump a large number of hoops and hurdles to hand off the information. There are a lot of restrictions on the intelligence community with respect to information about Americans that simply don't exist for law enforcement like DHS.
The real reason why we don't need a Cybersecurity Czar is that 99 times out of 100, the systems that are getting hacked are not sensitive systems. Who cares if the Department of Labor or Interior gets hacked here and there since the intelligence community and military are generally competent at securing their classified networks?
Better question is why the USA needs Czars of anything?
Weren't they leaders of imperialist Russia?
Why would that label seem appropriate?
Top down works -- for managing the efficient, repeated performance of a task with well defined and stable success criteria, and where performance can be improved incrementally by local adjustments. Top down has a place in the world. When consistency is at a premium, top down is the way to go.
Bottom up works too -- for tasks that involve things that are too complex and fluid for a single person or chain of command to comprehend and react to. Where creativity is at a premium, bottom up is the way to go.
No structure works too -- for tasks where there is a body of people who understand every part of that task. Think a Shaker barn raising. When you have a body of people who've mastered every aspect of a task and everyone can see what task needs more hands, then no structure is the way to go.
It seems to me that something like cybersecurity needs a bit of each approach. It's organizationally difficult, if not impossible, to approach such a problem perfectly. However, I think the rough appearance of a structure to handle this would be top down with expertise pushed out to the various groups in the organization and discretion allowed.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
The second they use the term "Czar", to describe a person in administrative capacity over a regulatory body, they betray the authoritarian and anti-democratic ideology with which they conspire against representative government and individual rights and liberties.
Czar is the Slavic rendering of Caesar. Why anybody sees this as an expediency worthy of trade-off for democratic involvement and oversight is a question I leave you, the dear reader, to resolve.
"Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
Schneier seems to instinctively grasp what so many people don't: the hierarchical nature of virtually all human organizations - and derived from that vestigial alpha-male instinct - is prone to corruption, subversion, and ultimately ethical failure. Or to quote the old cliche: the Peter Principle applies here, with a twist: it's often the least ethical scum that rises to the top, not the least capable. Even the supposedly democratic United States government is organized in such a fashion, and the successful treasonous behavior of the Bush administration is a useful demonstration of how it can go wrong very quickly.
What Schneier is very reasonably suggesting is that we lessen that hierarchy, not add to it.