Schneier on Security
A blog covering security and security technology.
« How to Not Fix the ID Problem |
| Anti-Missile Defenses for Commercial Aircraft »
July 20, 2005
New Cybersecurity Position at DHS
There's a major reorganization going on at the Department of Homeland Security. One of the effects is the creation of a new post: assistant secretary for cyber and telecommunications security.
Honestly, it doesn't matter where the nation's chief cybersecurity chief sits in the organizational chart. If he has the authority to spend money and write regulations, he can do good. If he only has the power to suggest, plead, and cheerlead he'll be as frustrated as all the previous ones were.
Posted on July 20, 2005 at 7:44 AM
• 25 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Well said. What's the point of the job if there's no power entrusted to this guy?
he? guy? No chance of appointing a woman then eh?
That's exactly my position in the debate about where the CSO/CISO is supposed to be positioned in the organizational chart: it doesn't matter if he has the right authorization and gets the job done.
Actually, it can make a difference where the CSO is on the org chart, as she (;-) will often inherit and/or be strongly influenced by the business agenda of whoever she reports to. The CTO can have a different view of the world from the CFO, for example. But it's also true that in any case, without budget and authority, you can't do anything anyway.
Would Bruce even take the job?
I actually think it will make a BIG difference, as being up higher in the heirarchy greatly increases the likelyhood that the person in the roll WILL have some authority to spend money and institute changes rather than nagging.
But then again, will we end up with yet another position where the people stay about as long as a drummer in Spinal Tap?
"he? guy? No chance of appointing a woman then eh?"
That would be kind of neat, actually.
You really think that after Enron (Sherron Watkins, female whistleblower) Worldcom (Cynthia Cooper, female whistleblower) and Halliburton (Bunnatine Greenhouse, female whistleblower) the Bush administration is going to let a woman ANYWHERE NEAR a position like this?
Technically in English if you are referring to a person of unknown gender then you use masculine pronouns. Yes, this makes English sexist, but at least it's not as clumsy as SHe and Hir (from Timothy Leary) which almost works when written but fails when spoken. and He/She or She/He can equally be accused of sexism based on the ordering of the pronouns.
English isn't perfect but I don't think Bruce was trying to say it had to be a man.
That Fat Lady...
But they haven't kicked Condi out yet. They don't have anything against Women in general. As long as they are properly indoctrinated into the allotheism of the Bush cult.
The government is vvery different from a coporation and an assistant secretary is very different from a vice-president. An assistant secretary is appointed by the President--not the secretary of the department--is independently confirmed by the Senate, and usually has a direct relationship with the relevant House and Senate committees. In the hands of a strong person, an assistant secretary can become much more of an independent power than a vice-president in a corporate hierarchy.
Stu Baker could easily be such a person. He is very well connected in both the intelligence and law enforcement communities and knows where an awful lot of bodies are buried. He's also both knowledgeable and sensible on security issues.
> Yes, this makes English sexist, but at least it's not as clumsy as SHe and Hir . . .
Let's just use 'them' and 'they'. Lots of people do it already, oblivious to the fact that English teachers give big red marks for it, it isn't as awkward as 'he or she' (what's the point of a pronoun if it's clumsier than the orginal word?), and we don't have to invent any new words.
Glad I'm not the only person that saw Bruce's use of He as a bit weird.
"If he has the authority to spend money and write regulations, he can do good."
True, but on a limited scale, which is only a few degrees better than today. The real issue is getting back to a pervasiveness of security awareness, and I'm not sure anyone has an easy answer about how to create that kind of shift in thinking inside an organization (let alone the entire country) without establishing recognized security practitioners at the highest levels.
If people were predisposed to embed or be positively influenced by "good security decisions" in their daily routines already, then the smallest bit of spending and regulation would indeed have a broad ripple effect. Yet, that is overly optimistic for today's situation where companies like CardSystems demonstrate a complete absence of security awareness.
It's a bit like being asked to drive someone else's car with them still in the driver's seat -- the more momentum/speed already in progress, the harder it becomes to make significant change in direction, and the firmer the grip on the wheel (and/or access to the brakes) required to help avert disaster.
"Why not Bruce Schneier?"
If it were a job that was free of politics, then maybe. But we're not going to fix cybersecurity in this country without pissing off several industries, and that wouldnt go over well in Washington right now.
"Would Bruce even take the job?"
I'd probably have to stop blogging, and discontinue Crypto-Gram. I don't think candor is one of the qualities wanted in a political appointment.
"Technically in English if you are referring to a person of unknown gender then you use masculine pronouns."
True, but I'm usually better at noticing stuff like that.
"I don't think candor is one of the qualities wanted in a political appointment."
It's not wanted by the politicians, but similar traits are good for the populace.
...the sage kings of ancient times ranked the virtuous high and honored the worthy, and although a man might be a farmer or an artisan from the shops, if he had ability they promoted him. Such men were honored with titles, treated to generous stipends, entrusted with important matters, and empowered to see that their orders were carried out. For it was said that if their stipends were not generous, the people would have no confidence in them; and if their orders were not carried out, the people would not stand in awe of them. These benefits were bestowed upon the worthy not because the ruler wished to reward them for their worth but because he hoped thereby to bring about success in the affairs of government. Therefore at that time ranks were assigned according to virtue, duties allotted according to the office held, and rewards given according to the effort expended; achievements were weighed and stipends distributed accordingly. Thus no official was necessarily assured of an exalted position for life, nor was any member of the common people condemned to remain forever humble. Those with ability were promoted, those without it were demoted. This is what it means to promote public righteousness and do away with private likes and dislikes.
--Mo Tzu, as translated by Burton Watson from Section 8 of the "Mo Tzu"
Speaking of candor, the US is in dire need of some more "bully pulpit" talks on applying cryptography in the real world.
Just the other day a vendor suggested a large enterprise company adopt a proprietary encryption solution to secure customer records. And when told that would not fly (against policy, which forbids proprietary encryption), they proposed an implementation of AES where they key was encrypted...yes, by another implementation of AES on the same system. When asked where the key for that was stored, they said it was safely obfuscated into a binary (e.g. you would only need to take the binary with the data to decrypt it). No joke. How long before someone exploited that exposure? Will someone please define "reasonable" encryption for developers who are struggling to update their software?
I agree you are wise to stay in whatever position allows you to rattle the most sense into people tasked with developing and implementing real security solutions.
@That Fat Lady
You mean like Nuala O'Connor Kelly? The Chief Privacy Officer for the Department of Homeland Security?
Who cares what gender the Cybersecurity dork is, as long as they are useful? I can think of plenty of worthless males (and worthless females) that can fill the position but I don't want any of them. Give me someone worthy, male, female, or transgender.
I write "s/he". That can be pronounced as "he or she" (for those who want to preserve a little bit of chauvinistic tradition), "she or he" (for those who insist on following left-to-right order), or "she over he" (for the mathematically inclined, and also for those who know the true order of things in the world). :-)
Yes I agree. Can we get away from the sexist discussion? Bruce didn't mean it to offend - so why take offence?
Now that the discussion is back on point, my $.02 is that I don't know why those of us who do cyber security at work should be really concerned about it if the federal govt. is not going to take it seriously by not creating a position, that as Bruce states,
"...has the authority to spend money and write regulations..."
I'm not a big supporter of govt. regulations in general, but in the area of cyber security I feel it’s the only way to get most corporations to pay attention to it by mandating the allocation of an acceptable level of resources for cyber security.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.