Schneier on Security
A blog covering security and security technology.
« Bypassing Microsoft Vista's Memory Protection |
| Flying Without ID »
August 12, 2008
Memo to the Next President
Obama has a cyber security plan.
It's basically what you would expect: Appoint a national cyber security advisor, invest in math and science education, establish standards for critical infrastructure, spend money on enforcement, establish national standards for securing personal data and data-breach disclosure, and work with industry and academia to develop a bunch of needed technologies.
I could comment on the plan, but with security the devil is always in the details -- and, of course, at this point there are few details. But since he brought up the topic -- McCain supposedly is "working on the issues" as well -- I have three pieces of policy advice for the next president, whoever he is. They're too detailed for campaign speeches or even position papers, but they're essential for improving information security in our society. Actually, they apply to national security in general. And they're things only government can do.
One, use your immense buying power to improve the security of commercial products and services. One property of technological products is that most of the cost is in the development of the product rather than the production. Think software: The first copy costs millions, but the second copy is free.
You have to secure your own government networks, military and civilian. You have to buy computers for all your government employees. Consolidate those contracts, and start putting explicit security requirements into the RFPs. You have the buying power to get your vendors to make serious security improvements in the products and services they sell to the government, and then we all benefit because they'll include those improvements in the same products and services they sell to the rest of us. We're all safer if information technology is more secure, even though the bad guys can use it, too.
Two, legislate results and not methodologies. There are a lot of areas in security where you need to pass laws, where the security externalities are such that the market fails to provide adequate security. For example, software companies who sell insecure products are exploiting an externality just as much as chemical plants that dump waste into the river. But a bad law is worse than no law. A law requiring companies to secure personal data is good; a law specifying what technologies they should use to do so is not. Mandating software liabilities for software failures is good, detailing how is not. Legislate for the results you want and implement the appropriate penalties; let the market figure out how -- that's what markets are good at.
Three, broadly invest in research. Basic research is risky; it doesn't always pay off. That's why companies have stopped funding it. Bell Labs is gone because nobody could afford it after the AT&T breakup, but the root cause was a desire for higher efficiency and short-term profitability -- not unreasonable in an unregulated business. Government research can be used to balance that by funding long-term research.
Spread those research dollars wide. Lately, most research money has been redirected through DARPA to near-term military-related projects; that's not good. Keep the earmark-happy Congress from dictating how the money is spent. Let the NSF, NIH and other funding agencies decide how to spend the money and don't try to micromanage. Give the national laboratories lots of freedom, too. Yes, some research will sound silly to a layman. But you can't predict what will be useful for what, and if funding is really peer-reviewed, the average results will be much better. Compared to corporate tax breaks and other subsidies, this is chump change.
If our research capability is to remain vibrant, we need more science and math students with decent elementary and high school preparation. The declining interest is partly from the perception that scientists don't get rich like lawyers and dentists and stockbrokers, but also because science isn't valued in a country full of creationists. One way the president can help is by trusting scientific advisers and not overruling them for political reasons.
Oh, and get rid of those post-9/11 restrictions on student visas that are causing so many top students to do their graduate work in Canada, Europe and Asia instead of in the United States. Those restrictions will hurt us immensely in the long run.
Those are the three big ones; the rest is in the details. And it's the details that matter. There are lots of serious issues that you're going to have to tackle: data privacy, data sharing, data mining, government eavesdropping, government databases, use of Social Security numbers as identifiers, and so on. It's not enough to get the broad policy goals right. You can have good intentions and enact a good law, and have the whole thing completely gutted by two sentences sneaked in during rulemaking by some lobbyist.
Security is both subtle and complex, and -- unfortunately -- doesn't readily lend itself to normal legislative processes. You're used to finding consensus, but security by consensus rarely works. On the internet, security standards are much worse when they're developed by a consensus body, and much better when someone just does them. This doesn't always work -- a lot of crap security has come from companies that have "just done it" -- but nothing but mediocre standards come from consensus bodies. The point is that you won't get good security without pissing someone off: The information broker industry, the voting machine industry, the telcos. The normal legislative process makes it hard to get security right, which is why I don't have much optimism about what you can get done.
And if you're going to appoint a cyber security czar, you have to give him actual budgetary authority. Otherwise he won't be able to get anything done, either.
This essay originally appeared on Wired.com.
Posted on August 12, 2008 at 6:36 AM
• 58 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
No, a mere "czar" (tsar?) is too low-ranking a position to deserve budgetary authority. How about appointing an even higher paid "Ueber-Czar" over him with budgetary authority.
Well said, as usual, Bruce. Unfortunately, it's going to take a catastrophic blow to our critical IT infrastructure before someone starts listening. Sadly, that's the way of IT security.
"The declining interest is partly from the perception that scientists don't get rich like lawyers and dentists and stockbrokers"
It's not a "perception", it's reality. The widespread false perception is that how much money and power a person has is a measure of that person's worth.
You forgot the most important thing, overhauling the patent system.
Good security is never going to happen when large ineficient companies and patent trolls can stich the industry up in law suits for ever and a day.
The original idea of tha patent to "protect the inventor and their idea" is dead. The little guys cannot aford to defend their patents and the legal vultures have no intention of relinquishing the immoral back door that is the submarine patent.
I'm still living in hope that one day you'll provide a proper analysis of the economic impacts of legislating about software liability on the consumers.
And I hope that you'll differentiate between liability for bugs and liability for insecurities that hurt 3rd parties.
And also that you'll clarify your own position with regard to password safe (lovely software btw, I use it all the time, but wouldn't if you had to charge me to pay for the liability the government forces you to have in regard to me)
"You forgot the most important thing, overhauling the patent system."
There were a bunch of details like that I decided not to talk about. I probably should have pulled the student visas paragraph, too.
"but also because science isn't valued in a country full of creationists."
Cheap shot Bruce... What about the last 232 years, has science never been valued in this country?
"One, use your immense buying power to improve the security of commercial products and services. One property of technological products is that most of the cost is in the development of the product rather than the production."
I was paroled out of government, working this very topic. Turns out the G does not have "immense buying power." Granted they are up there, but talking to the heavy hitters in the Bay or Redmond and you'll hear there are much larger buying centers (e.g., financial services) with much more influence.
OMB, with an Oracle contract, started to influence improvements. Have we seen it trickle out world-/industry-wide? Not really. I'd like to think we can see this with the funding behind the recent cyber initiative. Time will tell.
You are right on the mark with the bits about lawyers, doctors, and creationists. It isn't about whether there was science before. Science was marching along, but now it can often be quelled for mythological/religious reasons rather than judged on its own scientific merits. When it comes to science, religion needs to take a backseat or not even allowed into the car at all. When people are fighting to have "creationism" taught in science courses, science education is being marginalized.
I also agree about overhauling the patent system, and think an overhaul of copyrights should come along too. Neither of those concepts were meant to allow companies to lock down concepts and creations until the end of time (but history shows us going in that direction). Public domain works should be a foundation that keeps us moving forward, instead it has been almost killed off.
@Geoff, Re: Cheap shot at creationists
Cheap psuedo-science doesn't deserve any more than that.
As Bruce has pointed out many times it all comes down to economics. Add into the mix a legal basis for an expectation of privacy. Give the individual ownership of the "snail trails" of their lives combined with reasonable legal reform (so as to not create a feeding frenzy of class action litigation) and the economics shift for the better.
"Gravity explains the motions of the planets, but it cannot explain who set the planets in motion. God governs all things and knows all that is or can be done."
If Newton thought enough of creationism to spend much of his life studying it, then I'd say your position is a pretty gutsy one!
"Unfortunately, it's going to take a catastrophic blow to our critical IT infrastructure before someone starts listening."
I'm afraid that's not going to do it, either. Serious problems generally result in a lot of hand-waving to "do something", whether or not that something is valuable, and rash decisions being made because nobody wants to look like they stood by and did nothing.
Side note: are we really debating belief vs. non-belief here? Surely we can talk about security policy like civilized gentlemen without resorting to poking at unresolvable hot-button issues that are only tenuously relevant to the topic?
Newton didn't think enough of Creationism to use it to explain something that already had a scientific explanation. It would be easy to say "God explains the motion of the planets", but he didn't. You can have your God of the gaps, but once you have an explanation supported by evidence, it's time to throw away the mythology.
Cheer up Bruce, the technology march continues...
On your points;
1. Instead - Use the buying power to design a complete system lvl 1 on up for only secure military usage---I believe the NSA did this many years ago.
2. Incorrect - Commericially it is ALWAYS cheaper to put off security till tomorrow... no amount of law or enforcement will change that (look at the drug trade)
3. I cant argue with spending money, but why can't the free market decide the best place to spend money?
I don't mean to troll, but I see a major hole in your viewpoint... that is the idea that personal/private information or data has any value.
So would you take the Cybersecurity Czar job if President McBama/O'Cain offered it? (Heck I might vote for the first candidate to propose you for the job!)
"I don't mean to troll, but I see a major hole in your viewpoint... that is the idea that personal/private information or data has any value."
People are willing to pay for personal/private information. Is any more proof that it has value needed?
Currently, private information doesn't have much monetary value to individuals (other than potential costs like the cost of fraudulent transactions, etc). I think that's a result of the current rules of the market, not some universal law. Markets have their rules and find efficient solutions following those rules. For instance, if you change things so that it becomes much less feasible, more costly, or less appealing for companies to hold on to databases containing so much key information on their customers, won't that make identify theft a lot harder?
"I'm still living in hope that one day you'll provide a proper analysis of the economic impacts of legislating about software liability on the consumers."
Agreed. In the meantime, I'd settle for realizing that although a non-lawyer might think the phrase "software liabilities" sounds like lawyer talk, it doesn't quite mean what you think it means. Every time I read that phrase it's like listening to someone try to speak a language he doesn't actually understand.
Bruce, you are generally on the mark with most of your analysis, but you get lost in deep waters when you start talking about law. I'll make a deal with you. I promise, as someone with no training in cryptology, never ever to design a cryptosystem. In return, perhaps you could refrain from designing law until you've studied it. Law, like cryptography, is dangerous when designed by amateurs.
Well said, Bruce. I can boil this essay down to a single sentence, though: Legislate results, not methodologies.
You lost me at "And they're things only government can do."
Such a statement is based in an incorrect understanding of the relation of government to individuals. Governments do not exist in a vacuum, they are instituted of men, and that being the case, governments can not rightfully exercise any powers that individuals could not rightfully exercise. Else, whence the delegation of authority? Any government that claims powers that could not rightfully be claimed by its people is in reality a sham, disguising oppression of some citizens by others.
@Geoff, AwesomeRobot, Brian Greer, etc:
I don't think Bruce should really have mentioned creationism in a blog on security. It's kind of irrelevant.
[last OT] Too, we could argue all day long about whether creationism is pseudo-science or not, but it might help if we actually used scientific techniques to bash or defend it. Bald assertions or unreferenced quotes aren't much good.
@Not Yet a Lawyer
My experience's indicates that law is not really safe in the hands of lawyers either.
Laws are part of *our* society. We should all have a say in them if you want everyone to follow them. Regulation of the externalities in markets seems reasonable enough.
The idea that car manufactures have to provide a reasonably safe car and works properly for a resoluble amount of time is a given. We are not all mechanics, but we see the sense and fairness in such situations. We don't need to be a lawyer to see that either.
Why should it be different in the software industry? Why should M$ be able to claim that there software may in fact be unable to a single thing, and my cause damage, and thats your problem? What they seem to be allowed to put in EULA should be a good indicator of whats not right with software liability.
Perhaps you could be more specific as to what is wrong with the suggestions?
Actually, I think the most important point in the essay is the point that "getting the details right matters"; we have far too many people who think if they having a broad vision and a catchy one sentence sound-bite they have a good security policy. I presume Bruce didn't highlight that point because there's an implicit criticism there that in many fields of public life details aren't really attended to (eg, financial management and planning, foreign policy, etc) and things just get patched up as mistakes get noticed.
@ Carl Clark,
"we could argue all day long about whether creationism is pseudo-science or not, but it might help if we actually used scientific techniques to bash or defend it."
Likewise it would help InfoSec if "we actually used scientific techniques to bash or defend it."
InfoSec is about as close to pesudo-scince / religion as you get in the "high cathedral of technology" design as well the hawkers in the "bizzar of technology" well know.
Newton was credited with many things in his life (including the cat flap) but probably more important than his laws on "natural philosophy" was the "scentific method".
Before we can talk about things like laws and liability we need to actually have reliable "metrics" by which to measure the "security quality" of products.
There are two ways this can be done the first is by collecting sufficient data over time and assessing it statisticaly (acturial method) or by observing hypotosising and testing (scientific method).
Currently we look at organisations that are demed to be good at security, we look at what the top ten do and call it "best practice". Which clearly fits in neither method and is not just extreamly subjective it ignores the motivation and drivers of those that chose to render security impotent.
Worse the few standards we have are based on "tick the box for quality" approach originaly championed by the British Standards Institute (BSI). They give the illusion of a security methodology but in reality offer nothing of the sort.
You're right, Lawyers are pretty bad at designing laws too. But good lawyers (and legislators) at least have an idea of the complexities involved.
My problems? First is the phrase "software liabilities," which doesn't really mean anything. Who's liable? For what? Under what conditions? "Strict liability for software flaws" is different from "Negligence liability for security flaws." Both are more precise than "software liabilities," and the difference between them is crucial in practice. Besides, it's just an awkward phrase—like calling libel "speech liabilties" or assault "fist liabilities."
But more than that, I think there's a genuine question whether what Bruce seeks doesn't already exist in some form. If someone could prove that he was physically harmed due to a software flaw, and that he didn't knowingly agree to accept the risk of that happening, then I suspect he could recover on traditional product liability theory. A big difference between computers and cars in the eyes of the law is that faulty software rarely kills people.
It's also something of an open question how effective shrink-wrap licenses really are. Some cases have held them to be effective as long as there's some chance for the purchaser to back out of the agreement (so, for example, a license agreement included inside a Gateway computer box was effective, because the consumer could have refused the license by packing up the computer and shipping it back). I don't think these always make sense, but the alternative to taking a license at face value is saying that the parties to a sale are bound by different terms than they agreed on. That's not at all rare—the Uniform Commercial Code overrides contract language by dictating a lot of terms of commercial sales—but it should be done carefully with knowledge of all the consequences.
So, really, my point is not that one needs a law degree to understand the objectives of the law. We all want safer cars and more secure software. The question is how to do that, and while "legislate objectives, not methodologies" is excellent advice, advocating for "software liabilities" looks more like trying to legislate a (legal) methodology.
I thought it was somewhat amusing that Bruce seems to have given up on Bush actually doing anything. Not even mentioned! American politics is weird looking at it from accross to ocean.
Bruce, be nice to the creationists, they have enough problems as it is.
Personally I'm beginning to think there is no way you can have a secure computing platform which is actually capable of doing anything meaningfull.
More to the point, no-one seems to care that their machines are riddled with security holes, trojans, back doors and virii. Sooner or later the whole damn thing is going to come crashing down!
"Personally I'm beginning to think there is no way you can have a secure computing platform which is actually capable of doing anything meaningfull."
Not true, if you mean "a general purpose computing platform" you would have a point. Specific aplication platforms can be made secure beyond a level that most would regard as reasonable.
The two significant problems are "undefined purpose" and "efficiency".
With a "general purpose" platform "undefined purpose" effectivly renders the security of the platform an "unbounded problem". The number of oportunities for security failings goes up with the number of relationships with the number of purposes the individual component parts can be put. Further as the purpose is undefined you cannot analyse the platform and make the appropriate compramises and changes that would put significant bounds on the potential failings.
The second problem is that in a "general purpose" platform "efficiency" is usually seen as a key design principle. Unfortunatly as we are begining to understand, the more efficient we make a process the more fragile security wise it becomes. The easiest example to see is that of "timing attacks" where efficiency dictates the fastest path through the software and thus testing and branching clearly show up on the power spectrum of the device.
As a rule of thumb the more efficient a process is the more likley it is to have "side channels" leaking information to an attacker.
OK, if I use a piece of software, say a browser, and I agree that the software might be pure crap and that by using it I might expose myself to bad things happening to me, then I must take responsibility for agreeing to use that software.
However, if I enter into an agreement with my bank (or Airline, ISP, Telco, ...) were I have the legal basis to say how the records of my interaction with my bank can and can not be used, the responsibility shifts to the bank. If they violate that agreement, then I'm going to be compensated for damages. I don't care who is responsible so long as I get paid. If the bank wants to offer me online banking as a service, they will have to give me, sell me, or point me to software to use. The bank is on the "hook" if that software has flaws that expose my information in violation of the agreement I have with them. If the bank doesn't want to be on the hook for that they won't offer online banking. The "laws" of financial pain and suffering will work out who is responsible without government getting involved. What is missing right now is I don't have the right to control the information that is collected about me.
Nice thoughts, but Obama is just as beholden to corporate interests as McCain is. There won't be liability, because that would cause corporations to stop donating to the election funds. Required software will be legislated, because that software company will be the one actually writing the bill, vis their lobbyists.
The purpose of government in 2008 is to make it easy on corporations, period. If Obama or McCain appoints a security czar, he'll do the exact same thing that a Bush appointee would. Remove any restrictions on corporations and foist the costs onto the taxpayers.
Well said. If you're not already aware, I'd like to point you to the Commission on Cyber Security for the 44th Presidency , a non-partisan group formulating a set of recommendations on cybersecurity to propose to the next president. The commission includes the CSOs of Oracle and Cisco, and people like Ed Felten, Dan Geer, and Marcus Sachs. They're still taking input from the community, at least based on the bull session that Mr Sachs had with a bunch of interested Defcon attendees last weekend.
Desperately needed patent overhauling aside (that's not a security issue), security research grants (and all grants) should at least stipulate that the results not be patented--or it's not funding the general good at all.
Reactions to article and blog comments: Good article, promotes discussion!
1. Mandating software liabilities is good.
Reaction: Wrong! Economics and business is war realities. Cost of doing business is paying off judges and juries, tiny, compared to having a monopoly. 9/11 and security: Airlines were forced to run on razor profits and everyone ignored spending money on last mile issues, even in a class action lawsuit happy country. Cycle bailout business are bad, especially when disaster racketed. Funding DOD can solve last mile problems.
LynxOS is used in critical areas, sue em? Grr, others might like that business and bad control methods that result with ownership. NYAL, can make some legal comments here on contract law, etc, which might be fair.
2. We all want secure software.
Reaction: Wrong! Information wants to be free and valuable at the same time. NYAL, good legal points, but society is being manipulated by serious power, and serious robber baron age of today. Knowledge is power to influence markets and decisions.
3. Law is [ fill in the blanks ]
Reaction: Law is a civil war gone bad.
Memo to the people, govenment, and President: Simple, read Ross Anderson's Blog and section, Commonsense in the Crisis. Hard to find, see under Comments under Terrorism, wtc.html, or just http://www.cl.cam.ac.uk/~rja14/wtc.htm
My memo to the future president and people: Damn, how did things ever get so bad?
@ Carl Clark
Actually creationism is a security issue - for much of our history we've valued our secular education as a right and privilege not afforded to all people, and an essential part of the democratic-republic experiment.
Since I've been alive, education is more and more a thing to be shirked and avoided, where it's not absoultely necessary for one's chosen career. Creationism is an example of the sloppy thinking we've allowed to dominate some of our public discourse. The founders would be appalled, not that some folks believe in it, but that rational people can't shake it loose from the public education system in parts of our nation.
People are free to think what they want, but when they stop thinking, it's going to affect our security. When they don't learn how to think, they do things like ignoring intelligence reports and discounting analysis in favor of the truthiness they prefer.
Even if you believe (as I do) that our leaders are thinking, they're taking advantage of those that don't to make these insane decisions, using the non-rational "truthy" arguments to sway the polls. If we could teach America to use reason, we'd never allow such folks to get near "the button" again.
What externalities are there in software for which the injured party can not sue to recover damages? I don't think there are any.
Reading your linked essay, its hard to find many externalities in there.
Damages to the purchaser of the software? Nope, they're not a third party: can't be an externality by definition.
A company disclosing its customer's personal data? The customer isn't a third party. Neither is the credit card company.
There are some, for example all the spam sent from compromised machines; the worm probes from them; etc. But the damage from one compromised machine is fairly trivial; the persons responsible so dispersed; and the difficulty of apportioning the damages so high that liability makes little sense. The law does not deal in trifles for good reason: the transaction costs are ridiculous.
And, that liability already exists. The only reason I can't sue anyone for the damages I suffer is because it'd cost me at least $100k in attorney's fees, expert witnesses, etc., and the same to all the defendants to argue who of Microsoft (for producing buggy software), the user (for not applying updates ever; for browsing shady websites; etc.), the botnet operator, the ISP (for not filtering); the antivirus software vendor (for failing to catch it); etc. owe me a total of 1¢. Or, should it be class-action instead, $100. It'd only cost half a million at least. So no one does it; it'd be insane.
You may point out that Microsoft can't be held liable; fine; the purchaser of the software is instead. He's a party to the transaction, so that's not an externality.
Instead, I suggest that, although it'd be a fair bit of effort to design, a Pigovian tax would be far more efficient.
> You lost me at "And they're things only government can do."
> Such a statement is based in an incorrect understanding of
> the relation of government to individuals. Governments
> do not exist in a vacuum, they are instituted of men, and that
> being the case, governments can not rightfully exercise any
> powers that individuals could not rightfully exercise. Else,
> whence the delegation of authority?
This is bunk. What government can do that individuals cannot is compel the individuals to ALL MOVE IN THE SAME DIRECTION. No individual can do that and that is the fundamental raison d'etre of government.
"Creationists" is a pretty broad term.
It includes people who devalue science because they're threatened by it and worry that it might conflict with their personal beliefs. (Although it should also be noted that plenty of scientists through the years have been unwilling to consider alternate explanations of the natural world that conflicted with their personal *scientific* beliefs about how things worked.)
"Creationists" also, however, includes people who aren't threatened by science, who embrace both God and science, and who believe that science is a wonderful tool for a better understanding of what God has made and and how He made it. There are creationists who believe that when science conflicts with theology, we need to reexamine both to figure out where the fault lies. These people realize that our understanding is imperfect and incomplete -- both in science and in theology.
Saying that "science isn't valued in a country full of creationists" is indeed a cheap shot, and unworthy in an otherwise well thought out piece.
I know plenty of people who believe God created the universe (whether literally, in seven days, or by creating the underpinnings of natural order that allowed us to come to be) and who are strong believers in the value of science.
And I know people who wouldn't believe in God if an angel smacked 'em upside the head who couldn't care less about science.
Endiel - for the purposes of general public discourse in the USA the definition of "creationist" is one who believes, against all evidence to the contrary, that man was created as is and that evolution on a broad scale does not exist.
I've never heard the term used the way you define it in your second definition - which is essentially a deist philosophy. Even though deists frequently use the term "the Creator" the deist philosophy is not regularly labeled as creationism.
SumDumGuy - I really get pissed off at the creation/evolution debate because of people who think all creationists are similar to your definition of a creationist. It is a predisposition that causes good debates to be immediately discarded because, "he is a creationist" or, conversely, "he is an evolutionist". Both sides do this and it is very annoying and truly unproductive.
Endiel's explanation is actually a very good one.
jiistme - Seems to me the problem is that you and Endiel are lumping different philosophies under one label and then getting mad when people use that label to refer to just one of those philosophies.
What is the value of a label if it is not precise? I personally doubt that anyone who believes in a deist philosophy would be happy with Endiel using the term "creationist" to describe them. I certainly am not.
To those who want an evolution vs. creation debate: I'm sure you can find at least 100 other places on the web where that is being fought out right now. Don't turn this into another one.
SumDumGuy: You say "Seems to me the problem is that you and Endiel are lumping different philosophies under one label and then getting mad when people use that label to refer to just one of those philosophies."
I basically agree with you here. I think that where we disagree is on whether "creationist" is a precise term.
I don't think it is. I think applying the term only to those who believe in a literal seven day creation as told in modern translations of Genesis is a wee bit restrictive.
> use of Social Security numbers as identifiers
I think the problem isn't using SSN's as identifiers, it is the use of them for authentication.
> If our research capability is to remain vibrant, we need more science and math students with decent elementary and high school preparation. The declining interest is partly from the perception that scientists don't get rich like lawyers and dentists and stockbrokers, but also because science isn't valued in a country full of creationists. One way the president can help is by trusting scientific advisers and not overruling them for political reasons.
Not at all. The declining interest is because it's hard and there's little payoff. Why would someone go through a math undergrad, go to grad school, get a PhD (while making peanuts), unless they really love what they're doing and really don't care about money at all. Then with the PhD your career options aren't much better than without, on top of that they actually can get worse if you intend to write code for the rest of your life.
> Oh, and get rid of those post-9/11 restrictions on student visas that are causing so many top students to do their graduate work in Canada, Europe and Asia instead of in the United States. Those restrictions will hurt us immensely in the long run.
It's far worse. It's not that students don't stay for grad school; many do. That's still really easy to do. It's that after grad school they're forced to leave even though they want to stay.
Re: Buying power.
The problem with the government requiring, say, better encryption on gsm phones, is that the market will make a separate, more expensive version for the government. Now as you say, the development costs of these is significant. So they must have a higher price.
If the manufacturer doesn't see this as a software-only issue (i.e. cheap to install on the consumer version), the special edition will remain special for a long time.
What is required for the "extra security" feature to trickle down to the consumer versions is that there is a sliding slope of requirements. Say federal government requires the high security phones, but although not mandated the local governments would like to pay a small fee for having them. Only then does competition start, prices drop, and it starts to trickle down the foodchain.
Bruce, on your first point, I think the government has been working toward that goal for a number of years. I know how you feel about the CC, but that aside, NSTISSP #11 (from 2005) espouses much of what you talk about: http://www.niap-ccevs.org/cc-scheme/faqs/...
"The declining interest is partly from the perception that scientists don't get rich like lawyers and dentists and stockbrokers"
Engineers CREATE wealth by creating things or processes. Everyone else, for the most part, re-distributes it.
The hell of it is that the engineers get the smallest slice of the pie.
Another point I'd like to make...
"Leadership is about maximizing gains, usually by making the pie bigger. Management concentrates on minimizing losses"... which kind of explains NASA's problems with "management".
The point about legislation is good, too, since the legislatures need to pay attention to Patton's Law and provide incentives for initiative.
@Bruce: "Two, legislate results and not methodologies."
The CANSPAM act is a perfect example of where the government failed utterly and completely. Rather than 'can' the spam, which the act was presumably designed for, it instead made it so anyone 'can spam'.
Rather than saying that it's illegal to send unwanted emails, they said that the emails had to provide an unsubscribe link, thereby making it perfectly legal to email (basically) whatever to whomever you'd like.
"software companies who sell insecure products are exploiting an externality just as much as chemical plants that dump waste into the river"
i find it odd that you should bring that up as an example.
maybe you meant it as a way to tell who will really stand for security and who will stand for lobbyists lining the pocketbook of public officials?
i look first to obama, who introduced the Chemical Safety and Security Act in 2006. as he wrote:
"The bill requires chemical facilities to enhance security, including improving arriers, containment, mitigation, and safety training, and, where possible, using safer technology, such as less toxic chemicals. It also included protections for wastewater treatment and drinking water treatment facilities, and makes clear that state and local governments are not preempted from adopting chemical security protections stronger than federal law."
that looks like some real homeland security.
then i look way over to the other end of the spectrum where mccain says he opposes government regulation of chemical plants:
“A government controlled chemical substitution program or approaches such as requiring the thousands of facilities across the country that use or store chemicals to prove to the government that safer materials don’t exist could become exercises in excessive bureaucracy and paperwork...”
no doubt governance introduces a *risk* of excessive bureaucracy and paperwork. however mccain apparently did not revise or propose a more efficient regulation. he did not even agree to the value proposition of homeland security regulating chemical threats. industry lobbyists seem to be behind this strange security and logical loophole:
"How to explain the chemical industry’s ability to override legitimate national security interests and get the Bush Administration to adopt flimsy rules? One key factor may be how much the industry spends lobbying on the issue."
more details, including cheney's love for maintaining chemical vulnerabilities, can be read here:
"A flippant critic might say the father-in-law has been prosecuting a war that creates more terrorists abroad, while the son-in-law has been working to ensure they’ll have easy targets at home. But it’s more precise to say that White House officials really, really don’t want to alienate the chemical industry, and Perry has been really, really willing to help them not do it."
for perspective, the us gov't just passed a unanimous bill to pay $4mil/yr to protect cheney and his family once he leaves office.
that means cheney's personal annual security budget is expected to be about half the total amount spent by the department of homeland security in 2007 for chemical threats to all americans.
one has to assume that the cheney family will spend their millions of federal security dollars far, far away from any chemical companies (darn, so much for that hydrogen hummer). if they lived too close to a chemical plant, he might end up having to use federal money earmarked for personal safety towards regulating the chemical threats that do not exist.
maybe mccain will suddenly show some spine and stand up for americans, but when you compare chemical security to cyber security the republican's record dims like a KBR/Halliburton light bulb during barrack showers.
> And if you're going to appoint a cyber security
> czar, you have to give him actual budgetary
> authority. Otherwise he won't be able to get
> anything done, either.
Yep, and if Mr. O will provide budget in addition to the impressive title the result will be exactly the same (modulo wasted money).
Sometimes naivete of this blog's owner amazes me.
Now, can we get politicos out of business of screwing up OUR security? Pretty please, with sugar on top.
"Law, like cryptography, is dangerous when designed by amateurs."
The worst thing you can do for ANYTHING is to allow lawyers to control it - ESPECIALLY laws. If you let lawyers write laws, then only lawyers will benefit from them. Lawyers are the closest thing to a leech that can infect an entire society, but without the medicinal potential.
I want a revision control system for all bills in Congress.
I want to know who/when/where the language of a bill was changed. Who added the extra clause that changed a bill?
I want Congressmen who might have extensively read draft n of a 100 page bill to be able to look at the diff from n to current so they can quickly find all the stuff that was squeezed in at the last minute.
And, when something like that does happen, we'll know who to blame.
This is one of those small detail things, but I think it'd have far reaching implications.
Bruce for the next national cyber security advisor !!
I think the creationism remark is inaccurate. As a father and youth leader, it appears to me that kids aren't studying math and science because with the decline of traditional values, they've become lazy, superficial, and stupid. Math and science are perceived as difficult, un-cool, and nerdy. Hannah Montana would never do math!
Very well put, Bruce. I wish the public had a direct vote for techno-czar. You'd certainly be on the ballot.
Maybe we can somehow convince the next administration to appoint *real* security/technology experts, rather than appointed acquaintances and political pals whose technology credentials include "I have watched the movie 'Hackers' and did not like that the FBI didn't win". ;)
A rider to point 1. Many politicians will think you're just asking for "the market's best solutions", by which they will naturally assume you mean "the solutions my company produces". You need to make it absolutely explicit that the market has not, to date, produced solutions that are remotely good enough. There are many, many, examples of the US government deciding it wanted technology that the market had not already produced, and using its buying power to get the market to produce it. This is another case when that strategy is worth trying. Success is not guaranteed, but this method at least stands a chance. Until entire management structures start getting fired for security breaches, the market will not do it.
Phil and Clive, when I said we weren't hosting a creation vs. evolution debate here, that meant *don't post about it*, not "point out that this isn't the place for the debate and then have it anyway."
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.