Schneier on Security
A blog covering security and security technology.
« Violating Terms of Service Possibly a Crime |
| Economic Considerations of Website Password Policies »
July 20, 2010
New GAO Cybersecurity Report
From the U.S. Government Accountability Office: "Cybersecurity: Key Challenges Need to Be Addressed to Improve Research and Development." Thirty-six pages; I haven't read it.
Posted on July 20, 2010 at 6:43 AM
• 19 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Don't hurry to get your hands on it. Summary: Federal agencies spend money on cybersecurity R&D. Some should spend more on this R&D. Some should spend differently on this R&D. In grand GAO fashion, the elusive cybersecurity R&D is never clearly defined, nor is it explained why larger quantities or different allocations of cybersecurity R&D would lead to better security...I'd wait for the paperback version.
You've just relieved us (Bruce included) from reading it, thanks :-)
Another "haven't read" blog post? What a clever practice of you: let your blog's patrons read the article and report what's in it, so you don't have to :-) Unless someone reports something interesting, of course.
Think of it as distributed processing. And nothing requires you to participate against your will.
I read Bruce's blog not just for his comments, but for links to things I might not find otherwise; somewhat like a news-clipping service. If it looks interesting enough, I'll read it for myself, regardless of whether Bruce commented.
I've seen a lot of articles appear in Bruce's blog that I sent him. A few of them generated lots of comments. I assume others in this community do likewise.
The key word is 'community'. Whether we source article links, analyze articles, or opine, it is nice to share thoughts with so many sharp minds -- about issues that affect most of us.*
*The squid population seems to be prevented from posting comments on Bruce's blog, although 14% of the week's daily topics are squid-centric. Hmmm. Somewhat of a Teuthida-ist position by the site administrator. However, there might have been some prior misbehavior by members of this order (before my time) that resulted in a permanent ban.
"14% of the week's daily topics are squid-centric."
Less, I think. I try to do two blog posts a day. Friday Squid Blogging is a third for Friday, which would be 1 in 11. Now I don't always do two post a day, but I don't think it's enough single-post days to warrant 14% squid content. (Not to mention the occasional squid post that is also security related.)
**chuckles** It is entertaining to see one defending squid-blogging probabilities with the vigor of a master cryptographer analyzing how much entropy he's getting per byte!
The moral of the story is simple: more security related squid posts!
Reading Gov't reports is something of an art/endurance test.
@Josh "In grand GAO fashion, the elusive cybersecurity R&D is never clearly defined"
I don't think that was thier intent. Nor is it their job. The GAO I've dealt with know their limitations. The law says "Do R&D" The president asked "where's the R&D? what's the problem?"
It's not their job to develop WIDGET A, or to define it's functional requirements or operational enviornment or purpopse. Thier job is to find out what's wrong with delivery. "Why ain't it here yet?"
GAO responds agreeing with you Josh.
And they say in essence there's no leadership, no national agenda, and no mechanism to keep track of federal cybersecurity R&D funding.
So now Office of Science and Technology Policy takes a whipping and complies. They'll tag efforts underway with an R&D label and begin to track and report. Maybe they'll even do the agenda right.
If the same thing had been done with intell in this country the Washington Post wouldn't be running the expose Top Secret America.
Course that would mean defining what our classified budget is...(Mr President you can't let the Rooskie Ambassador in here he'll see the big board!)
I understand why the U.S. government continues to believe that it can make an insecure technology secure by doing more cybersecurity research and development, but that line of thinking is just stupid.
People need to realize that the only way computing is ever going to be secure, is by completely re-engineering the hardware, operating systems and applications to be inherently secure. All these bolt-on security and monitoring tools are not making computing more secure - they are just making things more complex and impossible to manage.
Everyone is just chasing their tails hoping that more effort and money is going to allow them to catch it. People need to free themselves of the old computer security paradigms that everyone knows is becoming more and more ineffective with each passing day.
Take a step back, consider the fact that the computer industry hasn't really done anything to make computing more secure in the last 10 years and then ask yourself what the first thing that needs to change. The answer to that question is the way people think about security.
@Bruce: "I don't think it's enough single-post days to warrant 14% squid content."
You certainly don't need my help, but you'd have to average 3 one post days a week, since 1/7 is 14%. Sorry, it's the auditor in me that just knows certain numbers. No way you average that. :)
@ Mister Reiner
Good point. It won't happen though because of market forces. So, the government must do what they can with what they have. I think a nice middle ground would occur using low-defect hardware with decent security features, minimal kernel mode code enforcing strong isolation, RAM/devices considered untrusted (see Aegis), and QNX- or OKL4-style component approach to building OS services. The most trusted and critical components should be rewritten with low defect development processes. Some should be tossed out entirely or emulated carefully. *cough* ActiveX *cough*
I think the government's approach to strengthening insecure components is the best they can do if they don't want to disrupt market forces and destroy the advantages of COTS solutions. However, I think if they did it the way I mentioned, they'd have a much more trustworthy TCB and it would be a few tens of millions well spent. It was done in the past for other platforms, preserving legacy apps, and can be done again.
Very good point. The "market" is not aligned to the "government".
The government wants a system that is secure enough today.
The market wants a system that is good enough that you'll use it but crappy enough that you'll buy the next version.
@Brandioch: "The market wants a system that is good enough that you'll use it but crappy enough that you'll buy the next version."
That pretty much nails it.
@M. Reiner "the only way computing is ever going to be secure, is by completely re-engineering the hardware, operating systems and applications to be inherently secure."
No. I don't agree.
When I was first approached about putting SIPRnet across a 802.11 channel my first response was GAK!
Then I realized that earlier in my career I was routinely broadcasting TS/SCI/LIMDiS/Eyes Only material AROUND THE WORLD via HF/LF/UHF. My HF transmitters were 100w with 1000w amplifiers and we moved all over the world. That's a powerful signal. You can hear KOMO Seattle up in Barrow Alaska so I kinda gotta believe that the signal was being picked up and recorded. The bad guys didn't even really need to field a trawler. Just a big antenna farm outside of Minsk.
But we could do that securely (once those bastards Walker and Whitworth were locked up) because the crypto was good, the encryption system (hardware, software, HJs) was trustworthy and the keys were managed. Trusted, trained and supervised people (with the exceptions of the afore mentioned bastards may they rot) managed the systems and served as checks on each other.
Now Bruce was once a believe in Crypto as the big solve which is why he was a most bitter opponent of Clipper and advocate of good crypto
Would it shock you to know that WinXP is the principal OS on SIPRNet?
That's not a secret. What should it be? Linux? Solaris? Any general purpose OS is vulnerable to the same set of class fails.
WHen you state the only way to is the "completely engineer ..." why don't you include the user (you, me, us?) in that that equation? USERS are how entry is made into enterprises.
What a system is suppose to know that a user doesn't know what they are doing when they open an .exe file? Go rewatch TRON. Users are GODS to programs. They'll do what ever we tell them to do...not what we mean them to do.
Security, even computer security, is not an exclusively, or even pricipally, technological issue. It's a conjoin of many different domains.
14% is, indeed, based on 1/7 (days of the week). The "daily topics" ratio does allow for other topics on Fridays. I allowed for squid topics on other days (rare) and blog posts on the weekend (also rare). I wasn't hinting that 14% of all post topics were squid-centric.
Since you 'know' the actual identities of the Bruce Schneier community, can you reveal if any of them are squid aliases or if you have banned squids from posting?
Certainly some interesting idea worth considering.
LOL - True words.
- The thought of wireless SIPR still sends chills up my spine.
- Broadcasting encrypted signals doesn't make the endpoints secure, only the transmissions between them.
- Closed networks are only secure if the physical environment is secure. Many closed networks are not as physically secure as people think. ;-)
- Users can't be re-engineered and will always be the weakest link. It is possible to re-engineer everything such that users can be protected from themselves, but that includes a process that many won't like.
Consider these questions:
- Why are buffer overflows possible and how can the hardware/software be re-engineered to make it impossible to perform a buffer overflow?
- Why can't the operating system audit itself to determine that it doesn't contain a root kit?
- Why does Windows allow anyone to write in the registry and in folders used by the operating system? Why isn't there a separate registry for the operating system and one for everything else?
- Why does re-installation of Windows require re-installation of the software?
Just remember... Windows wasn't designed to protect itself from hackers. It was designed to keep honest people honest.
You don't need to guess the squid related ratio. We have the archives.
Going back to Jan 2009 we see that it has been as high as 14% in a given month only once, but overall we are subjected to squid 10% of the time.
Y M Non Squid %
2009 1 51 7 14%
2009 2 45 4 9%
2009 3 44 4 9%
2009 4 44 3 7%
2009 5 44 5 11%
2009 6 57 4 7%
2009 7 48 5 10%
2009 8 35 4 11%
2009 9 39 4 10%
2009 10 48 6 13%
2009 11 45 4 9%
2009 12 40 5 13%
2010 1 1 0 0%
2010 2 41 4 10%
2010 3 50 4 8%
2010 4 51 5 10%
2010 5 38 5 13%
2010 6 45 4 9%
2010 7 29 3 10%
Total 795 80 10%
Seems entirely reasonable.
N.B. I've only checked the numbers against the last 2 months, and I have no idea what happened to Jan 2010's numbers.
It seems to me that if you want to get more Americans into cybersecurity, you'll need to get more Americans into programming. To do that, you'd have to give programming in America a future (relative to India). I don't see a good way of doing that.
Then again I tend to be a fatalist about such things.
"**chuckles** It is entertaining to see one defending squid-blogging probabilities with the vigor of a master cryptographer analyzing how much entropy he's getting per byte!"
Once in a while someone tells me -- usually in person, at a conference -- that they want to see fewer squid posts and more security posts, like there's some conservation law in effect.
In reality, squid blogging is the easiest part of this blog. I almost always have several weeks of posts lined up in advance.
Nerds.... If these guys don't like your squid posts, so what, they do not have to click on those entries.
The squid stuff does not detract from a great blog.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.