While I applaud the Senators' efforts to assist in securing
cyberspace, historical efforts to legislate cyber-security have not proven
effective. (that was tough to say with a straight
face) To wit, examine the Government's own record: Currently all federal agencies are required
to follow strict guidelines/policy, yet the average info-security grade given
by OMB, for FY2007 was a C-. How far would you get in life if your average
grade was a C-? I'd guess the average
Slashdotter had better than a 1.7 average.
Further, they seem to think that if NIST establishes
"measurable and auditable cybersecurity standards", then all will be
right with the world. NEWSFLASH - The
Fed already has that for the entire GOV, and while many agencies have improved
it has not shown to be the panacea they intended. According to OMB's
report out 3 weeks ago(go to page 9), the DOD, the
agency with the most important security concerns and highest risk (and
consequently the most stringent InfoSecurity program) is failing miserably.
Funny, if you read the FISMA top page, it refers
to 'cost-effective' security programs, but nowhere does it mention effective programs...
New legislation is not the answer - holding people
accountable is. [to
keep this relatively short I'm not going to expand on this - you know how to
find the laws]
As one previous poster noted, a bunch of us posting here is
not going to change anything. So, I will
end this with a call to action for all Slashdotters - write a letter to your
Senator and Congressman and let them know (using clear, thoughtful words) that
this is an f'ing stupid idea and that they should not
support it.
As someone that is looking for people like you, I recommend you check with your local college and see what student assistant positions are available. Especially since local government organizations are clamoring for good people at cheap rates (student assistant = slave labor in many cases). Locally, Sacramento State has a foundation that serves as a clearing house for student employment across the region.
For example, we are looking for someone to help put together an OSSIM installation. The only real requirement is that the person has a reasonable understanding of a Posix compliant OS and basic scripting skills. (Sadly, it is very painful to find someone that can spell OS, let alone understand how to work in one). In exchange for that knowledge they will get an opportunity for a great resume' builder and real-world experience, on an extremely flexible schedule, while getting paid.
The difference between students and consultants is that we expect the students to be learning on our dime (which is why we pay them less)
First, I generally agree that there are many areas where this will be of significant benefit.
Unfortunately, there are so many problems across DOD right now due to insufficiently trainied operators/admins - this will make it significantly worse in the operational arena. I have been on board many installations to train people and was saddened by the lack of sound IT skills by those that are supposed to be managing the systems. Of the 100 or so IT personnel I have trained, I would say that 5-6 have the necessary mindset and skills to effectively implement OSS.
Centralized control is a hallmark of DOD IT - and this flies in the face of that as well, from a cultural perspective. (not that this is a bad thing)
So, this means that not only will they need to change the infrastructure - the culture will need to shift, which is a much longer term issue. Then again, this could be good for the network-centric warfare concept. It could inject a much needed does of innovation.
Slashdot Mirror
While I applaud the Senators' efforts to assist in securing cyberspace, historical efforts to legislate cyber-security have not proven effective. (that was tough to say with a straight face) To wit, examine the Government's own record: Currently all federal agencies are required to follow strict guidelines/policy, yet the average info-security grade given by OMB, for FY2007 was a C-. How far would you get in life if your average grade was a C-? I'd guess the average Slashdotter had better than a 1.7 average.
Further, they seem to think that if NIST establishes "measurable and auditable cybersecurity standards", then all will be right with the world. NEWSFLASH - The Fed already has that for the entire GOV, and while many agencies have improved it has not shown to be the panacea they intended. According to OMB's report out 3 weeks ago(go to page 9), the DOD, the agency with the most important security concerns and highest risk (and consequently the most stringent InfoSecurity program) is failing miserably.
Funny, if you read the FISMA top page, it refers to 'cost-effective' security programs, but nowhere does it mention effective programs...
New legislation is not the answer - holding people accountable is. [to keep this relatively short I'm not going to expand on this - you know how to find the laws]
As one previous poster noted, a bunch of us posting here is not going to change anything. So, I will end this with a call to action for all Slashdotters - write a letter to your Senator and Congressman and let them know (using clear, thoughtful words) that this is an f'ing stupid idea and that they should not support it.
Find your congressman
Find your senator
As someone that is looking for people like you, I recommend you check with your local college and see what student assistant positions are available. Especially since local government organizations are clamoring for good people at cheap rates (student assistant = slave labor in many cases). Locally, Sacramento State has a foundation that serves as a clearing house for student employment across the region.
For example, we are looking for someone to help put together an OSSIM installation. The only real requirement is that the person has a reasonable understanding of a Posix compliant OS and basic scripting skills. (Sadly, it is very painful to find someone that can spell OS, let alone understand how to work in one). In exchange for that knowledge they will get an opportunity for a great resume' builder and real-world experience, on an extremely flexible schedule, while getting paid.
The difference between students and consultants is that we expect the students to be learning on our dime (which is why we pay them less)
- Mo
First, I generally agree that there are many areas where this will be of significant benefit. Unfortunately, there are so many problems across DOD right now due to insufficiently trainied operators/admins - this will make it significantly worse in the operational arena. I have been on board many installations to train people and was saddened by the lack of sound IT skills by those that are supposed to be managing the systems. Of the 100 or so IT personnel I have trained, I would say that 5-6 have the necessary mindset and skills to effectively implement OSS. Centralized control is a hallmark of DOD IT - and this flies in the face of that as well, from a cultural perspective. (not that this is a bad thing) So, this means that not only will they need to change the infrastructure - the culture will need to shift, which is a much longer term issue. Then again, this could be good for the network-centric warfare concept. It could inject a much needed does of innovation.
Hi, my name is Mo and I'm a Quake addict...