Slashdot Mirror


White House Declassifies Outline of Cybersecurity Plans

An anonymous reader writes "The Obama administration on Tuesday declassified part of the Comprehensive National Cybersecurity Initiative created during the Bush administration, outlining offensive and defensive strategies for protecting information networks. The initiative was originally intended to unify efforts of a number of government agencies into a comprehensive strategy to protect the nation's computer networks. 'One area in which the government did officially disclose new details was Einstein 3, a program to protect civilian government systems from intrusion by deploying sensors on the networks of private telecommunications companies. For the first time, the government disclosed officially that the program would use technology developed by the NSA, the nation's largest intelligence agency. It also said that the Department of Homeland Security, which would run the program, would share malicious code data with the NSA but not the content of communications, such as e-mails.'"

4 of 51 comments

  1. High Risk - High Payoff? by ka9dgx · Score: 4, Interesting

    Initiative #9. Define and develop enduring "leap-ahead" technology, strategies, and programs. One goal of the CNCI is to develop technologies that provide increases in cybersecurity by orders of magnitude above current systems and which can be deployed within 5 to 10 years. This initiative seeks to develop strategies and programs to enhance the component of the government R&D portfolio that pursues high-risk/high-payoff solutions to critical cybersecurity problems. The Federal Government has begun to outline Grand Challenges for the research community to help solve these difficult problems that require 'out of the box' thinking. In dealing with the private sector, the government is identifying and communicating common needs that should drive mutual investment in key research areas.

    (Emphasis mine)

    I propose instead that we consult the results of the previous R&D work that has been active in this area since the 1960s, and learn the lessons of problems already solved. This is low risk (as we've already paid for it), high payoff.

    Let's get capability based security into the hands of the masses. This will remove their machines from the threat pool. It would also allow those inside the government to manage security in a much more granular (and thus more effective) manner.

    This can be fixed, and it doesn't require a high risk, just due diligence, and hard work.

  2. This is not self-monitoring. by bjamesv · Score: 4, Interesting

    On the face of it proposal #3 seems perfectly fine.

    The desire for government agencies to have "situational awareness" in the form of deep-packet inspection of every transaction coming in or out of their network is nothing more than a proactive capability that any responsible Admin might want for their network. (assuming they disclose this capability and have policy dictating its use)

    What does worry me are the Washington Post's comments about telecom involvement.
    This other article makes it very clear EINSTEIN 3 is truly NSA equipment installed on the commercial telecom network where the potential exists for it to easily be repurposed to monitor _OTHER_ traffic streams.
    http://www.washingtonpost.com/wp-dyn/content/article/2009/07/02/AR2009070202771.html?nav=emailpage

    This is a whole different animal from whitehouse.gov's portrayal of responsible network admin.

  3. Re:Get A Clue Please by dgatwood · Score: 2, Interesting

    Clinton didn't care about the Iraqi people or what Saddam had done or would do. That's clear from the evidence of him doing virtually nothing. But we can only guess what Gore would have done. I voted for both of them, but would have been disappointed in him if he let Saddam stay in power.

    Why? He was a neutered dictator at that point, unable to commit the acts of genocide that he committed in the past. Thus, he wasn't significantly worse than most of the other leaders in that region.


  4. Re:read the solution is here by ka9dgx · Score: 2, Interesting

    No, I don't propose enumerating goodness. I propose that you tell the OS what capabilities you want to give to a program when you run it. Don't trust code, and you don't have to try to solve the halting problem.

    The USER of the system is the one who should decide what's appropriate. They aren't likely to give permission to trash the OS if things are kept transparent and easy to understand.