Schneier on Security

Nick P • April 19, 2010 2:58 PM

So, on the table we have agencies that routinely abuse their power and our liberties offering highly classified defenses for *our* benefit to provide security against hyped attackers, but not further empower said agencies and erode civil liberties?

*doesn't cough* BULLSHIT! *doesn't cough*

Mandate a low defect rate and at least moderate security in all DOD applications. Ensure that these are dual-use technologies. Subsidize the initial burdens of reengineering from scratch. Tons of useful, medium-assurance platforms will hit the market and the attackers' low-hanging fruit will start dwindling. It must be done this way. It must be mandatory, the metrics useful, and the process profitable for the software companies. Otherwise, national IT security won't happen.

Case study: chip manufacturing offshored to cut costs, but now DOD can't trust the chips. Their proposed solution [in my words]: develop technologies that can look at a chip and tell if it's evil or not. (read: LMAO). My solution: partly subsidize some fabs for chip designers over here, privatized for efficiency and regulated for usefulness. Then, set a date where these chips will be mandatory in DOD systems. Only hire American citizens with no other citizenships that can pass a good background check. Now, the ball is in our court, the employees are American, and the US courts have full jurisdiction over abuses. Is it perfect? No. Is it less likely to be the cornerstone of massive Chinese espionage? Certainly.

Nick P • April 20, 2010 6:38 PM

@ Chris (7pm on April 19)

Your whole post assumes they are doing something worthwhile, against the right foe, etc. This is an incorrect assumption. The problem is that DOD is redefining the problem so that they can do another power grab. The actions of politicians and generals are not isolated: in many cases, particular proposals heavily benefit certain contractors (one in particular for cyberwar). You also see previous [failed] initiatives like this happen, billions of dollars end up in contractors' pockets, and the generals who pushed these initiatives leave the Pentagon and suddenly have six-figure jobs with the companies that they gave the contracts to. This is not a coincidence.

The DOD is an extremely corrupt, wasteful and totally inefficient organization. They've at times "lost" tens of billions of dollars, bought $140,000 coffee makers, committed propaganda against Americans, and can't even do an audit of their inventory. So, when the DOD pops up and says they need tons of money and more power to implement secret measures to stop a controversial threat, strong skepticism is very much warranted. The only boogeymen are produced by the Pentagon's "think tanks." They keep the war machine in business and many Pentagon workers have actually quit because they were too sickened by this. Their claims are often supported by documents released through FOIA requests, so have no doubt Pentagon will make stuff up to start wars. Every American knows this & it's what I think they are doing here.

The real problem is not that there's an imminent cyberwar and we need to build cyberwar commands, cyberwar infrastructure, etc. (read: fill pockets of defense contractors). The problem is that there's no financial or psychological motivation for solution developers to make secure systems. The DOD is part of that problem. They've made these cyberwar claims before, back in the 80's. They said we needed Class A1, "verified" systems to protect classified information. Several companies spent millions to develop them, but then DOD & NSA changed their mind and started buying Windows & Trusted Solaris in mass because they were cheaper and had more convenience features. Honeywell ended up only selling 35,000 of its SCOMP systems. They said they would never develop ultra-secure systems like that again unless they were certain it would pay off.

DOD's own initiatives, with exception of PKI, have usually totally failed, costed taxpayers astronomically, and included more BS expenditures than useful ones. An example is that many companies have to implement wireless intrusion detection for PCI compliance even if they don't have a wireless network, just in case attackers devices use that wireless spectrum. (wtf!?) That's not a good use of limited security budget, but government requires it. Most of us who actually care about *real* security that's integrated with good risk management tradeoffs don't want the government managing, monitoring and dictating practices on the Internet.

If they can't even secure or cost-effectively manage their simplest problems, how are they going to manage the more complex distributed global IT infrastructures that modern businesses use (in multiple countries)? They can't. They will screw it up. They will abuse it. It will cost us greatly in liberty and money. This almost *always* happens with these kinds of projects. It's why we fought the Clipper initiative that was for *our* benefit, it's why we Americans fought Total Information Awareness, it's why we fight pervasive TPM schemes, and it's why I'm fighting the cyberwar doctrine, infrastructure and command.

Want to help solve the problem? Identify key customer requirements and applications. Get some venture capital or open-source volunteers together. Write a major, useful application using Cleanroom or Correct by Construction or similar low-defect process on a good enough platform using a safe language. Have it thoroghly, independently tested, fixing any flaws. Make sure it leverages the security features of the underlying platform. BAM! One problem solved. If the government provides financial or mandatory incentives to companies, they will all start doing this for at least one product line and anyone using those products will have very low risk in that area.

With widespread technical security in place, attackers will shift almost entirely to insider, social engineering or procedural attacks. Then, people will care more about those and we fight that battle. If we make progress in both areas, we win. Otherwise, we loose. As long as the market doesn't want secure software and DOD is untrustworthy/inefficient/incompetant, no "cyber" command or huge defense contracts will solve these problems. Such false sense of security will only make them worse. "Just say NO!" (or BULLSHIT!)

Nick P • April 21, 2010 12:46 PM

@ Chris

It's not reflexive distrust: it's more like reflexive, intense skepticism. It should be that way: the status quo is that we don't need whatever new intitiave shows up, so the burden of proof is on the promoters (DOD/NSA). There is no proof or anything objectively evaluatable, though. (hmm...). Between people and governments, there's always a power struggle. Government sometimes helps us, but often just helps itself. They constantly try to get more control. My previous statements weren't occasional "anecdotes:" they were a few samples of a mountain of abuses that show a consistent pattern of corrupt behavior overtime. I only listed a few to give the gist of it. If you don't live in the US, don't know of the routine corruption, and need more data to establish a trend, many books and web sites are dedicated to the subject. Finanical waste is a favorite topic in the "funny" section, as the government does enough of it to keep a steady stream of books coming out. Besides, *one* department (Pentagon) loosing hundreds of billions of dollars in waste over over a decade or two is not an anecdote: it's an atrocity for the taxpayers. So, now they want to manage the Internet's security in a useful and cost-effective way. If that doesn't sound crazy, I don't know what does.

The government as a whole causes much measurable damage in the IT regulation space each month, esp. with PCI, for questionable benefit. Most organizations that conform to their CC, FIPS-2, PCI, FISMA, etc. standards are exploited or hit by attackers just as easy as anywhere else. More money appears to be spent on paperwork and compliance issues than security itself. I expect cyberwar intitiaves to be similar. The DOD has never launched *any* initiative that improved commercial security across the board: all initiatives got companies stuck in loads of paperwork and non-essential mandatory features. DOD should only get partial credit for their PKI because that's RSA's independent product that they simply configured/deployed: previous DOD-developed systems failed to achieve their objectives. The NIST has accomplished more positive results, like AES competition and security guides, but they are being overly swayed by NSA recently. After a potential backdoor was found in that ECC random number generator, many are concerned about NSA involvement.

It might seem clear by now that my biggest point is that the DOD is unqualified to do this job. They can't secure their own networks. They make the same financially-motivated decisions businesses do when they use cheaper, less trustworthy guards and OS's. Their plans are classified, making them impossible to evaluate for effectiveness or trustworthiness. Their previous plans gave them control over virtually any American computer, so it's wise to think they might try that again. So far, their version of mandatory regulations has been contradictory to risk management best practices, like how CC demands certain features in a EAL5 system regardless of whether they are needed for the situation at hand. Most studies on DOD show they have too much waste, poor sense of requirements for even most basic systems, and failure within their own systems. GAO's audits have repeatedly confirmed what I'm saying. I haven't even mentioned DHS and TSA's results in their security initiaves. Would you expect the less agile DOD to do better?

So, why should I trust DOD *this* time if they failed most security projects in commercial space? More so, many big attempts included backdoors or policies giving them too much control, so why should we think that's not in their classified plans? Moreover, most of the threat info comes from the specific defense contractors that will make millions on cyberwar efforts. Why should we trust them without carefully scrutinizing their evidence? Wired has a few nice pieces on this below.

Cyberwar Hype Intended To Destroy The Open Internet
http://www.wired.com/threatlevel/2010/03/...

Check the Hype - There's no such thing as "cyber"
http://www.wired.com/threatlevel/2010/03/...