Schneier on Security
A blog covering security and security technology.
May 6, 2005
New U.S. Government Cybersecurity Position
The Department of Homeland Security Cybersecurity Enhancement Act, approved by the House Subcommittee on Economic Security, Infrastructure Protection and Cybersecurity, would create the position of assistant secretary for cybersecurity at DHS. The bill, sponsored by Representatives Mac Thornberry, a Texas Republican, and Zoe Lofgren, a California Democrat, would also make the assistant secretary responsible for establishing a national cybersecurity threat reduction program and a national cybersecurity training program....
The top cybersecurity official at DHS has been the director of the agency's National Cyber Security Division, a lower-level position, and technology trade groups for several months have been calling for a higher-level position that could make cybersecurity a higher priority at DHS.
Sadly, this isn't going to amount to anything. Yes, it's good to have a higher-level official in charge of cybersecurity. But responsibility without authority doesn't work. A bigger bully pulpit isn't going to help without a coherent plan behind it, and we have none.
The absolute best thing the DHS could do for cybersecurity would be to coordinate the U.S. government's enormous purchasing power and demand more secure hardware and software.
Here's the text of the act, if anyone cares.
Posted on May 6, 2005 at 8:05 AM
(quote) "The absolute best thing the DHS could do for cybersecurity would be to coordinate the U.S. government's enormous purchasing power and demand more secure hardware and software."
If done sensibly, that would help. But it seems to me more likely than not that it would result in mandatory compliance with FIPS-like standards and tests, which have little to do with actual application security, and cannot possibly be engaged in by small players.
For example, we are a small closed-source software company; we pay much attention to security, and our results so far have been good; but we are far from having the resources to have our software FIPS tested, as the costs of that exceed hundreds of thousands of dollars per release.
I have doubts that our company could hold on to its spot and continue to produce the quality software I hope to believe it does if arbitrary bureaucratic rules with mandatory, insensible and hugely expensive compliance were in place.
Bruce, what do you expect them to do? Is it possible to begin to define a set of objectives, goals and concrete actions?
1) Set up baseline expectations for all aspects of computer security, including the handling by software of Internet/network transmittable data and documents.
2) Move to virtualized sandboxed environments and auditable build environments, including provision from third-party Trusted Build Agents.
3) Because security mechanisms are fallible, provide secured secondary channel notification mechanisms. It only needs a small percentage of people to opt in to such schemes for the systems to act as an effective honeypot system, detecting possible fraudulent access.