Schneier on Security

I just downloaded the whitepaper and am reading it. Thanks to Bruce and the openness of US CSIS.

It appears to be a wide ranging wish list! It's provision for centralising the forces for cyber security would overcome the disparate approaches from a large variety of military and civil bureaucracies. However, with a single overarching authority you have to get it right the first time!

Whether the new president is going to be strong enough to implement all, or at least the majority, of these recommendations remains to be seen.

In my quick perusal, I did not see any recommendations regarding the President's own cyber security. In particular whether they can recommend a way to secure his Blackberry communications ;-)

Tis early Christmas morn so I'm not going to be reading the PDF till later but the third conclusion smacks of making yet another "big federal agency".

Which immediatly and unfortunatly gives rise to that "uh oh" moment of "have they learnt nothing since 2000".

As was once noted by a major American industrialist teams of more than a certain size don't work.

His reasons for this view point (in the 1960's) have not changed at all in beuracratic organisations...

I'm not sure how this will work:

17. The US should allow consumers to use strong government-issued credentials (or commercially issued credentials based on them) for online activites, consistent with protecting privacy and civil liberties.

Here are two reactions to the CSIS report:

http://www.cs.columbia.edu/~smb/blog/2008-12/2008-12-15.html

http://www.interesting-people.org/archives/interesting-people/200812/msg00093.html

They had a Q&A about this on slashdot (q's here: http://interviews.slashdot.org/article.pl?sid=08/12/12/135207 a's here: http://interviews.slashdot.org/article.pl?sid=08/12/19/1448238 ). In general, I wasn't impressed with the answers (granted, I was one of the people asking questions, but still).

I'll agree with the person above who said it looks like it's a wishlist...while there's nothing wrong with wishlists in general, things become problematic when the wishlist is divorced from reality. (government-issued strong authentication? making government the gold standard for security?)

After a first quick read three things spring out that are realy realy bad,

1, Cyberspace National ID Cards...

2, Unrestricted remote access to anybodies computer (for sering a data warrent).

3, Pretending Privacy is important whilst the actuall sugestions will do irreprable harm to privacy.

Also there is no real discusion on,

1, Security liability

2, Faulty software from vendors.

So I give it at best 3 out of ten for effort...