Schneier on Security
A blog covering security and security technology.
April 2, 2010
DHS Cybersecurity Awareness Campaign Challenge
This is a little hokey, but better them than the NSA:
The National Cybersecurity Awareness Campaign Challenge Competition is designed to solicit ideas from industry and individuals alike on how best we can clearly and comprehensively discuss cybersecurity with the American public.
Key areas that should be factored into the competition are the following:
- Ability to quantify the distribution method
- Ability to quantify the receipt of message
- Solution may under no circumstance create spam
- Use of Web 2.0 Technology
- Feedback mechanism
- List building
- Privacy protection
It should engage the Private Sector and Industry leaders to develop their own campaign strategy and metrics to track how to get a unified cyber security message out to the American public.
Deadline is end of April, if you want to submit something. "Winners of the Challenge will be invited to an event in Washington D.C. in late May or early June." I wonder what kind of event.
Posted on April 2, 2010 at 6:14 AM
Sigh. Nothing quite like asking for a solution to a problem, then mandating that the solution must have certain elements. Most likely because those elements happen to be favorite "buzzwords".
Yep. Everything today needs to be team oriented.
* Ability to quantify the distribution method
* Ability to quantify the receipt of message
Got to have metrics on how much of the message is getting out and if people are actually reading it.
* Solution may under no circumstance create spam
Kind of conflicts with the idea of getting the message out. But given how badly spam is despised, this requirement needs to exist.
* Use of Web 2.0 Technology
Must use the latest and greatest buzzword compliant solution. Never mind if it actually pertains to the actual problem. The solution has to use the newest.
* Feedback mechanism
Kind of implied in earlier bullets. But the department of redundancy department has to make certain that their mandate is handled.
* List building
* Privacy protection
Interesting combination of bullets. Think maybe they conflict with each other?
Why not. If the message didn't get through the first time, we have to make certain we can repeat the same mistake again.
We want to make certain that people understand the process. And this is a favorite buzzword of the current administration. So we must use it. May wish to consult with the Secretary of State's husband to see how certain words may be redefined. It is our understanding that he's had some practice in the area.
Oops. Almost forgot the actual goal. Good thing someone noticed. Guess we'll tack it on after we've mandated the solution.
Sorry for the heavy dose of cynicism. Guess I'm getting skeptical in my old age.
I thought the same thing as soon as I saw the list. It's a 100% PHB-type "solution" request. Lucky for the PHBs of the world, most companies provide all sorts of Web 2.0 solutions. What they solve is another question entirely.
I also like the factors left off the list, like cheapness, usefulness and accuracy of message, and metric of people actually improving their online practices. The "winning" plan will not be the one with the best supporting arguments, nor the one that (heaven forfend) actually works, but the one that appeals best to the same minds that gave us Level Orange and the no-fly list.
@John: "* Use of Web 2.0 Technology
Must use the latest and greatest buzzword compliant solution. Never mind if it actually pertains to the actual problem. The solution has to use the newest. "
That was my thought. Referencing specific technologies in a process that will take as long as this will is to all but guarantee it will be outdated before published.
I had a solution, but it involved leveraging synergy within inter-agency interfacing configurations - so looks like that's outside the rules.
The nice thing about this effort is that they won't have to actually fix anything. All they want to do is get the word out, which is a lot easier than, you know, locking your assets down.
This quote from the link: "This competition will gather and share publicly the best, most creative ideas for making the public more cyber secure, cyber smart, and cyber assured."
First best advice, permanently delete use of the word cyber. NO ONE outside the beltway says "cyber-space" (or cyber-anything). It's called "the internet".
Lately, when I hear that word, I know a politician who doesn't understand the internet and who doesn't understand his/her constituents' needs is saying something a lobbyist told him to say.
"I wonder what kind of event"
Well, since they don't have the mechanism to tell you, how can they let you know? Apparently, it will be a security event, or perhaps just a secure event (you can't know).
Good grief, folks, this is just PR. Public image. Propaganda. It is not about communicating anything, but how to make money pretending to do so. Keeping track of you getting the message, reading it, and doing something about it, seems to indicate where the punishments will be applied if there is a failure.
@Nobody: you left out "proactively". Synergy is always leveraged proactively. Ideally for the purpose of enhancing something going forward.
As I've said on many occasions...
Not only will this be an improvement, but it might actually be an improvement for the better.
You have missed the other listed requirements:
12. It should engage the Private Sector to develop their own campaign strategy and metrics
13. It should engage Industry leaders to develop their own campaign strategy and metrics
14. to track how to get a unified cyber security message out to the American public.
Now that last is self contradictory to a large extent:
a - a unified message
b - through diverse formats of e-media
c - to the whole American public?
If you look at these as three ends of a cognitive triangle,
you will readily observe each has dissonance with the other two,
not to mention all three having dissonance with (12) and (13).
But don't worry - just like other social mystery religions,
the magic of step requirements 1 through 11 will solve it all.
So the most important thing about an awareness program is the technology used to implement it?
This is a fail of system analysis.
Why don't any of the requirements refer to a major component of the system? The human brain.
Surely between academia and madison avenue there have been advancements (where's the beef?) in understanding how to convey a message (plop plop fizz fizz o what a relief it is) to the brain that should be part of the call for participation (takes a lickin' and keeps on tickin').
I've got it. Offer free downloads of Devo's "Whip it." Track the number of downloads to determine how well the message is getting out.
"When a problem comes along -
You must whip it!
Before the cream sets out too long -
You must whip it!
Now whip it
Shape it up
Try to detect it
It's not too late
To whip it
Whip it good!"
Devo is usually dismissed as a novelty act, but I think they were visionaries. They knew a little something about leveraging synergy long before the PHBs.
How about Key Leadership Engagement?
@peri interesting article! In my experience the NSA has shown more compassion in terms of the misconduct by contractors on my observation. I think there are a lot of good people there.
Whether NSA targeted me or not that's another issue. Contractors are a huge part of domestic surveillance of US citizens. They operate as if they are above the law because of the Patriot Act--the people being watched are being called domestic terrorists.
Until the President works on holding people accountable, those of us under observation live with security perimeters, GPS trackers on our vehicles, managed service points for our mail, and literal broadcasts on the FEMA Sprint cellphone network of private conversations that have nothing to do with national security. There is nobody watching the watchers. They can't be sued and the police can't do much to help. It's much creepier than people reading your email when you are on a terror watch list.
SANS NewsBites for yesterday was interesting.
Some headings I highlight:
U.S. Government Step Up Recruitment for 'Cyberwarriors'
Cyberwar Rhetoric Starting to Chafe
--Includes interesting comments on the bipartisan Cybersecurity Act and links to rebuttals stating it is overblown.
Speaking of Web 2.0 security, here's a helpful whitepaper on the subject of blocking social networking apps. It has lots of insightful and useful information about identifying and controlling Enterprise 2.0 apps (Facebook, Twitter, Skype, etc.):
IT departments are stuck between a rock and a hard place. They know that end-users and the business units will revolt if these apps are outright blocked. At the same time, they know these apps carry risks and can’t leave them unchecked. It requires a good balance between enablement and security.
You know, I actually had a question about submitting ideas for this campaign, so I sent an email to the address provided. A couple months later I received an auto response letting me know that my email had been deleted, unread. Curious to know if anything ever came of this -- and that mysterious May/June event -- I just Googled the campaign, landed back on the DHS site to find the following:
"The National Cybersecurity Awareness Campaign Challenge has concluded the entry phase and is no longer accepting proposals. Due to the overwhelming response all proposals are currently still being reviewed. The Department of Homeland Security would like to thank participants for their submissions. Participants may be contacted by a Department representative with follow up questions regarding proposals, and finalists will be notified by mid- to late-summer, 2010." (down the page, there's still reference to an event in May/June)