Schneier on Security
A blog covering security and security technology.

May 6, 2005
New U.S. Government Cybersecurity Position

From InfoWorld:

    The Department of Homeland Security Cybersecurity Enhancement Act, approved by the House Subcommittee on Economic Security, Infrastructure Protection and Cybersecurity, would create the position of assistant secretary for cybersecurity at DHS. The bill, sponsored by Representatives Mac Thornberry, a Texas Republican, and Zoe Lofgren, a California Democrat, would also make the assistant secretary responsible for establishing a national cybersecurity threat reduction program and a national cybersecurity training program....

Sadly, this isn't going to amount to anything. Yes, it's good to have a higher-level official in charge of cybersecurity. But responsibility without authority doesn't work. A bigger bully pulpit isn't going to help without a coherent plan behind it, and we have none.

The absolute best thing the DHS could do for cybersecurity would be to coordinate the U.S. government's enormous purchasing power and demand more secure hardware and software.

Here's the text of the act, if anyone cares.

Posted on May 6, 2005 at 8:05 AM • 10 Comments

Comments

The traditional way of creating large, slow-moving organizations is certainly not the way to go in a cyber-world where electronics zip by faster than thought.

Israel Torres

Posted by: Israel Torres at May 6, 2005 9:57 AM

Sounds like an excuse for Texas Uni to collect another 300 million in pork...

Posted by: Clive Robinson at May 6, 2005 10:20 AM

(quote) "The absolute best thing the DHS could do for cybersecurity would be to coordinate the U.S. government's enormous purchasing power and demand more secure hardware and software."

If done sensibly, that would help. But it seems to me more likely than not that it would result in mandatory compliance with FIPS-like standards and tests, which have little to do with actual application security, and which small players cannot possibly engage in. For example, we are a small closed-source software company; we pay much attention to security, and our results so far have been good; but we are far from having the resources to have our software FIPS tested, as the costs of that exceed hundreds of thousands of dollars per release. I have doubts that our company could hold on to its spot and continue to produce the quality software I hope to believe it does if arbitrary bureaucratic rules with mandatory, insensible and hugely expensive compliance were in place.

Posted by: Anonymous at May 6, 2005 10:21 AM

Imitation is said to be the sincerest form of flattery. Glad to see I have a fan club... and it persists.

Israel Torres

Posted by: Israel Torres at May 6, 2005 12:10 PM

Even a history of software companies with track records of poor security would help (and warning off government purchases of such products). It wouldn't be perfect, but it would have less of a negative impact on small companies simply because they're small than FIPS standards would.

Posted by: Zimbel42 at May 6, 2005 1:41 PM

Bruce, what do you expect them to do? Is it possible to begin to define a set of objectives, goals and concrete actions? For example:

1) Set up baseline expectations for all aspects of computer security, including the handling by software of Internet/network-transmittable data and documents.

2) Move to virtualized, sandboxed environments and auditable build environments, including provision from third-party Trusted Build Agents.

3) Because security mechanisms are fallible, provide secured secondary-channel notification mechanisms. It only needs a small percentage of people to opt in to such schemes for the systems to act as an effective honeypot system, detecting possible fraudulent access.

Posted by: David Mohring at May 7, 2005 8:15 AM

How 'bout pushing for some power for customers who buy security-defective software to get some portion of their purchase price back.

Posted by: Matthew at May 7, 2005 8:00 PM

I actually think that the process by which a company creates secure products is more useful (and a better regulation target) than the individual products. Basically, I view (software) security as more of a portion of a development process than a feature of a product.

Posted by: Zimbel42 at May 9, 2005 10:37 AM

In a town full of bully pulpits, it does seem true that little can be accomplished by adding one more. However, the creative powerless *can* make a difference. In this case, by pushing for security governance (just as many commenters are suggesting in discrete ways). Not to make even a tiny move towards the cyberczar we'd all like to see seems foolish.

Posted by: Carol Stimmel at May 9, 2005 2:33 PM

"Imitation is said to be the sincerest form of flattery. glad to see I have a fan club... I'm rubber and you're glue ... Israel Torres"

I am not entirely clear as to what your motives are. Surely you can find better things to do. Apparently Bruce doesn't mind users posting as other users; otherwise he'd put a stop to it.

Israel Torres

Posted by: Israel Torres at May 10, 2005 8:27 AM