Schneier on Security
A blog covering security and security technology.
March 26, 2008
New Cyber-Security Czar
The U.S. has a new cyber-security czar, Rod A. Beckstrom, who has no cyber-security experience.
EDITED TO ADD (3/31): A more informed opinion.
Posted on March 26, 2008 at 2:18 PM
So has Denmark. The newly appointed head of information security admits she knows nothing about IT.
This follows a number of stories of loss of low-key data from stolen laptops belonging to public administrators, combined with a total reluctance to consider any form of disk encryption or standard IS practice.
It's getting better
It's okay! These infosec leaders have a "Security Mentality," so we'll all be fine!
Did it just get a little dumber over here?
The last few paragraphs of the article that refer to the book this guy wrote are dumb. The analogy is, "If you cut off a starfish's arm, it will grow back, but if you cut off a spider's head, it will die, so a decentralized organization is more resilient." What?
How is that not obviously comparing apples to golf carts? This book weighed in their decision to bring this guy in? Sigh...
Isn't appointing people without appropriate qualifications standard practice under the Bush administration? This certainly shouldn't surprise anyone anymore.
That's OK. The Security Czar is just someone to blame when something goes wrong.
Actually, the starfish doesn't just regrow an arm. From Wikipedia:
"A new starfish may be regenerated from a single arm attached to a portion of the central disk."
"A starfish arm can only regenerate into a whole new organism if some of the central ring of the starfish is part of the chopped off arm."
"The regeneration of these stars is possible due to the vital organs kept in their arms."
Now think about the analogy again.
I guess the cyber attackers around the world are smiling with this choice.
While someone eminently qualified would be preferred, this guy won't necessarily harm things either -- he may even benefit things by bringing energy, ideas, etc.
There are lots of smart -- very, very smart -- people working on cyber security in the U.S. I doubt this guy will hurt their efforts.
I imagine he's there as a favour, he cut someone in the White House in on an IPO, or something of the like; so for the last nine months of the Administration they're giving him a pretty cool job.
"Hey, I protected the Internet once" goes down well at parties.
Many of our heads of state seem to be validating the common view that Hollywood can't come up with anything new. We keep watching reruns of Sergeant Schultz in action running the country: “I know nothingk, nothingk!”
Does the title "The Starfish and the Spider: The Unstoppable Power of Leaderless Organizations" sound like a description of our current administration to anyone else?
Should we start saying "You're doing a heckuva job, Roddie" now?
Don't tell me, let me guess--failed at running horse shows.
Maybe he has Czar experience.
While it sounds the same, it smells different. I think it has the potential of being something new and exciting. I'm reminded of a paper "The topology of covert conflict" by Shishir Nagaraja and Ross Anderson when I read this article. I haven't read his book, though. I certainly hope it doesn't turn out to be disappointing.
Perhaps no sane, qualified individual will take this post and subject themselves to abuse knowing they're powerless to change the status quo...
Isn't it traditional in US government to have a clueless departmental boss, appointed for political reasons and a qualified deputy who actually knows the job and keeps the department running?
Of course, someone has to tell the boss that he is an idiot and under no circumstances should he overrule the deputy.
So he'll be in charge of handing out tons of money to no-bid contractors (Friends of Dick) who will saddle us with monstrosities that don't work?
Yes, yes, but more importantly, does he have a relationship with Jesus?
Hey, all he has to do is let his people do their jobs.
Of course, since this is under the Cheney administration, that won't happen.
Also, if you rip a spider's arm off, it won't grow back, but the spider can still bite you.
Also, starfish don't have heads to shoot, but they do have creepy mouths on their undersides.
I guess he knows what starfish to kiss.
This will give Dilbert readers material for years to come.
Anyone paying attention knows not to expect competent people to be given jobs in the Bush administration.
"Brownie, you're doing a heckuva job"
Hey, this is perfectly normal.
The Counter terrorism "Czar" (Tjibbe Joustra) who was appointed in 2004 in the Netherlands also had no experience in any of the related fields whatsoever.
He was originally an executive of the Agricultural Ministry, succeeded in misspending a fortune in another government agency and then got the new job as CT Czar.
He is now building his own empire and meanwhile crippling the operational services that should do the work when there would be a real threat. The Dutch CT capacity was much more efficient and effective before it got 'coordinated'.
But look at it this way: it is again some evidence that the whole terrorism hype is just a political game. If the politicians who gave him this job saw terrorism as a real problem and this position as really important, they would have appointed someone with brains, expertise and competence.
Your tax dollars at work.
You might like this, from the Technology Review (published by MIT):
This article details some of the software banks are using to combat fraud and money laundering, in the context of the recent Eliot Spitzer controversy.
> That's OK. The Security Czar is just someone to blame when something goes wrong.
Sounds like it.
"Following this analogy, user-driven, starfish-like organizations distribute decision-making among all members."
And what if those members start not to agree on things? And even worse: in the event of some cyber catastrophe that this organization is designed to combat, what happens if the enemy finds a way to break down the lines of communication this decentralized structure uses to coordinate? I know! Let's just put a bunch of redundancy everywhere! At the very least while disparate sections would indeed operate faster, the organization as a whole might operate slower, which could be very bad in some situations.
> Government 2.0 ....Beta.
I guess his major role will be to re-organise, give orders and sort out some mess. Security doesn't seem to be their priority though.
Anyway, if something goes wrong we'll know who to blame. An easy target... without experience, and the guys who hired him :)
Reminds me of a scene in Trainspotting where a guy is complaining that the new 'drug tzar' is crap because he hasn't done anything to get the prices down and the quality is still awful.
Come on guys... having this guy will keep us all in jobs!!
Oh... poor baby. He doesn't have any experience in computer security.
Well, AFAIK he has all the experience his position is concerned with - stealing as much as possible from the taxpayers. All he needs to know is how to make the corporate pals of federal politicos happy by channeling funds to the "right" people.
[blink] Maybe that should be my career goal. I mean, I actually have relevant experience.
The bagman for the junta is Joe Allbaugh, the same guy who made sure that all the records of Bush's desertion were burned. Or does he keep the originals in case Bush ever crosses him?
1.20.09 the end of an error.
What's the problem? Standard practice in my (major U.S.) company. :-(
"what happens if the enemy finds a way to break down the lines of communication this decentralized structure uses to coordinate?"
Actually, this severing of communications is more crippling to a top-down, centralized org than to one that is decentralized and used to working independently (assuming the orgs are of any appreciable size).
Asymmetric warfare thinking sounds good to "combat cyber warfare," but it really isn't a rational way to operate a government. The opportunity for abuse and misallocation is too high unless they have some (undisclosed) plan of controls and audits around what the decentralized teams will be doing.
I know I'm going to draw flames on this one, and a disclaimer: I'm a CISO with a strong Computer Science education and 11 years of security experience, ranging from secure development to networking to security governance.
Okay, here goes. Who cares about his background if he's able to get the job done? Did anyone here ever *really* look at the work "security luminary" Howard Schmidt did when he was in that position? It's embarrassing. He was there for about 8 months, accomplished nothing other than blowing his own horn at every security conference he could attend, and then was either pushed out or forced to resign. Clarke was no better either.
Not that I think it's a great idea to hire someone with no security expertise - it's better to have someone capable with the required skills able to lead, but if he gets the job done, he'll be better than the whole Schmidt/Clarke debacle.
It's okay. Read carefully:
"The new inter-agency group, which will coordinate information sharing about cyber attacks aimed at government networks, is being created as part of a government-wide "cyber initiative" spelled out in a national security directive signed in January by President Bush, according to the sources, who asked to remain anonymous because they did not have permission to talk publicly about the information."
This post is about coordinating information sharing... and they got the guy best known for his work on the TWiki project. Sounds like they got the right man to set up a government wiki for them to share information on! LOL
john and peter, I could not agree with you more. Why do we have craptastic officials along with a craptastic president in office? Hell, Howdy Doody, Gumby and Pokey could do a better job of Homeland Security. Great idea on paper at first, but now a damnable punchline to the rest of the world. People, stop drinking the madman's Kool-Aid before it's too late!
Spiders WILL grow back a missing leg.
I had a tarantula once, a Mexican red-kneed female, that lost a leg. The next time it molted, the whole leg was back, just skinnier than usual. After the next molt, the leg was as good as it ever was.
The spider lived about 10 years in my custody, and molted maybe 15 times during that period.
Apparently this guy has excellent organizational skills and an interest in decentralizing cyber-security, neither of which are bad traits in essentially what his position will be... a manager.
I am sure he will get guys who do have vast experience in cyber-security involved at lower levels, where they need to be.
I guess we will see how this goes, but I wouldn't start worrying just yet.
Shouldn't this be a job for you?
Just kidding :-)
I personally know Mr. Beckstrom. I have both worked with and discussed many of the issues he is undertaking. Mr. Beckstrom is an extremely intelligent strategic thinker in organizational structures.
He has applied these skills to software solutions in several fields, and to the development of 2nd Channel Diplomacy in a number of highly sensitive locations around the world. He is privately given a good deal of the credit for creating the group which opened air travel corridors between India and Pakistan by facilitating leadership exchanges between IT executives in both nations.
Rod is also blessed with a very sensitive BS Meter, a very open mind to solutions and a full voiced willingness to tell people they are wrong.
While I respect that some of my colleagues are flabbergasted and sputtering to see this role not filled by one of the usual suspects, or someone they believe better credentialed, I am by contrast stunned nearly speechless that the administration has made such a brilliant choice.
Rod may not be, and certainly will not trumpet himself to be a Cyber Expert. However, I believe he is a stunningly good choice to stand up a powerful, innovative institution in which CyberSec can thrive.
But, then again, I know the guy.
This is more proof that Washington still doesn't take the job of protecting the information infrastructure seriously. What is he going to do in 8 months that is going to have an impact? He's going to need that time alone to learn the basics of INFOSEC even if he had a clue. By that time, he'll be replaced by someone else by McCain, Barack, or Clinton. It would probably be better if they simply promoted the next most senior person there. At least they would probably have had more experience.
As a CISSP, I had to have at least 5 years of INFOSEC experience, 4 years with a degree. And they choose this guy when there are thousands of people far more qualified. I find this another gross waste of an opportunity. The "cyber-czar" position is a joke because it's so low in the food chain, no one who is a real security professional wants it anymore. This is especially true when this position has no power over the agencies which have a direct impact on INFOSEC such as the NSA, NIST, OMB, the intel community, the law enforcement community, etc. Since the position was moved from the White House staff, no one has stayed in the position more than a couple of years, at best.
"has no cyber-security experience" = fantastic. This dramatically increases the odds that he will be effective and get something useful done.