Schneier on Security
A blog covering security and security technology.
« Thefts at the Museum of Bad Art |
| DNA False Positives »
April 2, 2009
Who Should be in Charge of U.S. Cybersecurity?
U.S. government cybersecurity is an insecure mess, and fixing it is going to take considerable attention and resources. Trying to make sense of this, President Barack Obama ordered a 60-day review of government cybersecurity initiatives. Meanwhile, the U.S. House Subcommittee on Emerging Threats, Cybersecurity, Science and Technology is holding hearings on the same topic.
One of the areas of contention is who should be in charge. The FBI, DHS and DoD -- specifically, the NSA -- all have interests here. Earlier this month, Rod Beckström resigned from his position as director of the DHS's National Cybersecurity Center, warning of a power grab by the NSA.
Putting national cybersecurity in the hands of the NSA is an incredibly bad idea. An entire parade of people, ranging from former FBI director Louis Freeh to Microsoft's Trusted Computing Group Vice President and former Justice Department computer crime chief Scott Charney, have told Congress the same thing at this month's hearings.
Cybersecurity isn't a military problem, or even a government problem -- it's a universal problem. All networks, military, government, civilian and commercial, use the same computers, the same networking hardware, the same Internet protocols and the same software packages. We all are the targets of the same attack tools and tactics. It's not even that government targets are somehow more important; these days, most of our nation's critical IT infrastructure is in commercial hands. Government-sponsored Chinese hackers go after both military and civilian targets.
Some have said that the NSA should be in charge because it has specialized knowledge. Earlier this month, Director of National Intelligence Admiral Dennis Blair made this point, saying "There are some wizards out there at Ft. Meade who can do stuff." That's probably not true, but if it is, we'd better get them out of Ft. Meade as soon as possible -- they're doing the nation little good where they are now.
Not that government cybersecurity failings require any specialized wizardry to fix. GAO reports indicate that government problems include insufficient access controls, a lack of encryption where necessary, poor network management, failure to install patches, inadequate audit procedures, and incomplete or ineffective information security programs. These aren't super-secret NSA-level security issues; these are the same managerial problems that every corporate CIO wrestles with.
We've all got the same problems, so solutions must be shared. If the government has any clever ideas to solve its cybersecurity problems, certainly a lot of us could benefit from those solutions. If it has an idea for improving network security, it should tell everyone. The best thing the government can do for cybersecurity world-wide is to use its buying power to improve the security of the IT products everyone uses. If it imposes significant security requirements on its IT vendors, those vendors will modify their products to meet those requirements. And those same products, now with improved security, will become available to all of us as the new standard.
Moreover, the NSA's dual mission of providing security and conducting surveillance means it has an inherent conflict of interest in cybersecurity. Inside the NSA, this is called the "equities issue." During the Cold War, it was easy; the NSA used its expertise to protect American military information and communications, and eavesdropped on Soviet information and communications. But what happens when both the good guys the NSA wants to protect, and the bad guys the NSA wants to eavesdrop on, use the same systems? They all use Microsoft Windows, Oracle databases, Internet email, and Skype. When the NSA finds a vulnerability in one of those systems, does it alert the manufacturer and fix it -- making both the good guys and the bad guys more secure? Or does it keep quiet about the vulnerability and not tell anyone -- making it easier to spy on the bad guys but also keeping the good guys insecure? Programs like the NSA's warrantless wiretapping program have created additional vulnerabilities in our domestic telephone networks.
Testifying before Congress earlier this month, former DHS National Cyber Security division head Amit Yoran said "the intelligence community has always and will always prioritize its own collection efforts over the defensive and protection mission of our government's and nation's digital systems."
Maybe the NSA could convince us that it's putting cybersecurity first, but its culture of secrecy will mean that any decisions it makes will be suspect. Under current law, extended by the Bush administration's extravagant invocation of the "state secrets" privilege when charged with statutory and constitutional violations, the NSA's activities are not subject to any meaningful public oversight. And the NSA's tradition of military secrecy makes it harder for it to coordinate with other government IT departments, most of which don't have clearances, let alone coordinate with local law enforcement or the commercial sector.
We need transparent and accountable government processes, using commercial security products. We need government cybersecurity programs that improve security for everyone. The NSA certainly has an advisory and a coordination role in national cybersecurity, and perhaps a more supervisory role in DoD cybersecurity -- both offensive and defensive -- but it should not be in charge.
A version of this essay appeared on The Wall Street Journal website.
Posted on April 2, 2009 at 6:09 AM
• 56 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
I've been a fan of you for many years, Bruce - this is the first essay of yours I've strongly disagreed with.
The problem is that "trust" implies two different things - trust that someone will have good intentions, and trust that someone is competent enough to not cause harm.
Weighing the two options, I'd MUCH rather the NSA take the lead on cybersecurity than DHS. Perhaps the NSA will be less transparent. That is a reason for Congress to step in and exercise its oversight powers, or even legislative powers to legislate greater transparency requirements in its cybersecurity mission. I simply don't trust the DHS to have the appropriate culture for understanding the principles of security the way that DoD and the NSA do.
Almost every essay you've written praises the qualities that the NSA already has, and criticizes the qualities that the DHS has. Which agency is more likely to engage in "security theater"? Who is more likely to have the "security mindset"? Who lives and breathes daily reminded that "security is a tradeoff"?
Finally, the NSA has decades of experience securing information against skilled and well-funded adversaries. The DHS is an unproven organization, whose existence is barely justifiable.
You should be in charge, Bruce.
To expound upon your last paragraphs, I think a lot of government needs to be a lot more transparent and not just the NSA (DoD, etc). The sheer opaqueness of even my local government operations (Chicago) is enough to frustrate even the most dedicated.
@Shane: I'm not sure Bruce suggested any specific agency (especially the DHS) take control of cyber security. Rather, he enumerated why the NSA's conflicts of interest make them inherently insecure. In such a situation, it may be better to work with independent contractors with little vested interest in anything but completing their job.
It looks like the plan now is to create a new White House-based office to run security, including authority over private networks (http://www.washingtonpost.com/wp-dyn/content/article/2009/03/31/AR2009033103684.html). The plan, a bill drafted with White House input and soon to be introduced in the Senate, would also require NIST, the National Institute of Standards and Technology, to create "measurable and auditable cyber-security standards" for all these networks and would require licensing and certification of cyber-security professionals.
Wait, wait. There is a Suggestion that one of our illustrious "lets loose our laptops on which we have unsecured data" (and a host of other issues which are listed in the original post) government agencies should be in charge of U.S. Cybersecurity? Really? I'm calling Shenanigans on that one.
The sad fact is, as pointed out by Shane, that the choices are slim to none. If it is to be a government agency (which, almost by definition, it'd have to be since for it to be effective, it'll have to have some enforcement power above and beyond the leveraging of the economies of scale), none of the current ones qualify. Conversely, anything newly created is likely to arouse mistrust as being "too new and uproven."
The best hope would seem to be getting one of the existing yet publically-scritinized agencies to un*#&$ themselves internally with respect to their IT policies and take charge. Right around that time I'll start selling tickets to Bacon Air.
And... my spelling skills this morning "for t3h f41l" as it were.
In my opinion, NSA is one of the few agencies in the world, let alone the US, with any competencies to start on this road. If you consider the scale and complexity the US needs to defend itself, I don't want folks with almost no cyber knowledge or bench doing it from DHS or elsewhere. Nobody is properly equipped, but I believe NSA is a couple orders of magnitude out in front.
There is a reason why SWAT teams aren't tasked with ticketing expired parking meters. The NSA isn't an IT organization. Their focus is on protecting the national secure communications. The majority of government security issues go back to basic IT management. Sometimes I think event NIST is too extreme. Promote and enforce basic IT practices and functions across government agencies and the threat model changes significantly.
The NSA seems to have a clear conflict of interest. Because we all use the same technologies, better IT security means less intelligence information. So it should not be given a leadership role.
"The National Security Agency is divided into two major missions: the Signals Intelligence Directorate (SID), responsible for the production of foreign signals intelligence information, and the Information Assurance Directorate (IAD), responsible for the protection of U.S. information systems."
Sorry if I made it sound like we were being forced to choose between the DHS and the NSA. I don't think the NSA is the ideal candidate for the job, but I do strongly believe that they're the best choice for today.
Reminds me of the old DES controversy. The NSA made some recommendations, which were incorporated into the standard, and people argued for years whether they were to make DES easier or harder to break. (Harder to break, it turned out eventually.)
The NSA simply doesn't have the street cred to run US cyber security. If it were to issue recommendations, most people are going to wonder why those specific recommendations. We need an agency that works on a more open basis, so that independent experts will be able to evaluate those recommendations.
In the list of "interested parties," you did not mention the NIST. Because they do not have an intelligence gathering responsibility, they would not have a direct conflict or "equities issue." On the other hand they seem to have the technical understanding of the principles behind security, given their role in standardizing the security protocols for the USA. Do you have any thoughts on whether it makes sense to expand the role of NIST to include oversight of how the security standards are implemented, above and beyond the standards themselves?
As a number of people have said, this is a management issue.
The wherewithal to protect systems is available either off the shelf or from the NSA. But knowing how to protect systems is not the same as getting people (individuals, companies, and government departments) to do it!
You would be better off getting the Harvard Business School to set up guidelines and legislation rather than the NSA or the DHS.
But then, given the current failures in the business sector, maybe not...
I have to admit I'm baffled by the whole cyber security issue. Are we really in so much systematic danger from "them" that we need a another TLA to oversee something which market forces should by and large be dealing with anyway? There's certainly a case for creative legislation to deal with the issues like data protection and security, but I really don't see what any beauracracy is really going to do to effect change in any meaningful or cost-effective way.
Almost all government agencies are information alligators - they attack, absorb, take, seize all the information they can find all day long - then it gets put into a safe/scif/vault etc and never sees the light of day again or benefits anyone in the country (well, other than govt empire builders and information thieves).
NSA doing this would be in the same bind as FAA is; their missions are on opposite sides of a single coin (promote air travel and enforce safety - both at the cost of the other).
Although I am normally deadset against creating new agencies, this needs to be in the hands of an organization whos mantra is "get this info into the hands of everyone" and I dont think the govt has one of those. Maybe create a department at the FCC empowered with it?
If the NSA is the only place that has the expertise (unlikely) then coopt the experts from NSA and move them to the CSA (cybersecurity agency, not confederate states of america) and make them work there. But they have to leave their "steel trap" mindset at the door.
The NSA has produced useful public information (example: " Microsoft Windows 2000 IPsec Guide") and tools (example: Security-Enhanced Linux). But the conflict of interest pointed out in the article is clear.
And as the article points out, all the new security won't help unless the managerial problems are fixed. But the NSA is unlikely to help improve the network and system administration problems. Even after 6 years and a judicial order to disconnect systems from the network, the Department of the Interior was still unable to implement basic "best practice" http://www.nextgov.com/nextgov/...
Unless there are real consequence (loss of pay, loss of jobs, jail time) associated with failure to implement the basics, how is getting the NSA or the DHS involved going to help improve cybersecurity?
Simple answer. Let the NSA define the standards, and create a Department of Pulling the Plug. Two bad audits, and the lights go out.
I would like to consider the 'only government can do this' premise. I'm not sure I agree. It seems to me there could be a big role for a self-regulatory organization ("SRO") in setting and enforcing standards here. Companies would pay up to be members, and only members would get certain privileges (like, maybe, the right to sell to the federal government, and early notice of what the SRO's auditors find). The SRO would be funded from member dues but would be accountable to Congress. It would then promulgate best practices and do audits
To do this you would need enabling legislation, yes, but not an ongoing government department.
I realize SROs have a mixed track record, and are at risk of capture by the industry they regulate; but they're still probably preferable, at least in this case, to a government department subject to big conflicts of interest multiplied by inertia and politicization.
President has hired a convicted shirt thief to oversee the IT in the White house; things are sure you improve now.
What bothers me more than who will be responsible for security is the back door licensing (certification) requirements attached to this effort. More often than not the only people who benefit from a certificate are the companies selling you training and providing testing.
I don't think government is capable of securing a sandwich, much less complex systems connected to a global computer network.
The NSA should put Skynet in control of our cyber-security. What could possibly go wrong?
I can't speak for US Government Information Security, but I would be very suprised if the policies in place were not perfectly adequate and fit-for-purpose. The issue is with most likely to do with the implementation. If Governments worldwide want security of information, they must make the investment in sufficient personnel capable of configuring systems securely and introducing harsh penalties for any information system user found breaching those security policies.
The problem with letting market forces deal with security is that it's largely an externality, and not one that can be easily accounted for. Moreover, market forces don't act well on government actions.
Ideally, in event of a data breach or break-in, the full costs would fall on the enterprise responsible, and those could be mitigated by buying insurance. The insurance rates would ideally be set by evaluating the enterprise's security measures in an empirical fashion.
In practice, if my personal information is copied by bad guys, I'm the one with the problem, and if I sue I'm liable to be informed that the company followed "best business practices" (which in practice means the cheapest measures the industry as a whole thinks will sell).
Therefore, market liability is not going to happen without some pretty sizable changes to the law (both the written version and the customary practices).
*IF* that happened, we could address government data security by mandating that all government agencies dealing with personal data buy private insurance, and actually enforcing that mandate.
In other words, I don't think it'll happen, and if it does it won't be soon.
Realistically, we need to have government regulations and enforcement, because that's the only thing that's going to work in the near future.
I may be entirely wrong here, but isn't NIST already in charge of what can be used for sensitive-but-unclassified data anyway with the FIPS standards for encryption and crypto-systems? They also have traditionally been more towards improving security for civilians anyway because they are not an intelligence / law enforcement agency. They probably could be given power to set up standards for products the government can purchase which hopefully would lead to more secure operating systems. However, this whole thing of day-to-day management and patches cant be solved from one central agency for all government machines, and even if it were, civilian machines are just as important (I THINK they're better at patching in most businesses, but I have no evidence for that position.).
The Air Force should be in charge. If they have any surveillance duties, take those out of their hands so that their only duty is to harden the security of the nation. The Air Force already employs a ton of technical people, so it wouldn't be outside of what they'd do anyway.
The only other real option that I see would be to have it be a separate agency entirely, one that doesn't suck like the DHS does. The problem with that is that the DHS was never intended to suck, the idea had a great deal of potential, it was just implemented badly.
The NSA has an additional drawback, their institutional cost-is-no-object mentality: they have no experience weighing economic tradeoffs.
Whatever the solutions, they must be open-source to prevent back doors. Development should engage universities across the country and around the world, drawing on a weath of (free!) expertise from across the country and around the world, much as was done in the development of Perl and Linux.
BTW, market forces account for peanuts and pistachios can now kill.
I also disagree with Bruce here. I think the NSA _could_ be the right place. We just need to make sure we have the _right_ NSA. Not the NSA that pushes the clipper chip and key-escrow and is concerned about damage to its operations, but the NSA that is concerned about electronic threats. That second NSA saw Linux as an opportunity to get a type enforcement MAC into a mainstream operating system with SELinux. There is more good work that could be done like that. Very Fundamental work on browsers that has never been done. I would love to see things like trusted path extensions in Xorg , DBus, Win32, COM, where ever it made sense and wrapped in a simple high level API so real applications like firefox could use it. The OS could tell you which process in which type_container is asking you to authorize which resource. Right now, this is more or less hopeless. You have to trust anything you display to too great an extent. The NSA can do work like this. They should do more like this to increase our overall posture.
BGP is a good target for research as well.
We live in a world where '.com' isn't signed, banks use non-ssl wrapped login pages that submit to EV cert protected sites. Given all that awesomeness ... perhaps we could use some security design pressure from people not selling a product.
NSA when focused on its goals of safe guarding national infrastructure, the national economy, etc has shown promise. I agree greater transparency is needed. I think congress should provide it. Something like the FOIA take 2. Require the government take action to keep documents secret. Secrecy has a real cost on society. If a document is over say ... 10 years old: perhaps they should be 'paying' some cost per document, for not releasing it. This would actually encourage government agencies to redact and release.
I think Homeland security should get the axe completely or be merged with Fema. However it happens it needs a new mission. It was created to be unsafe to democracy, IMO. It should not exist in its current form. It needs to have a scoped mission (like the FBI, or CIA) that limits its operation.
"We just need to make sure we have the _right_ NSA. Not the NSA that pushes the clipper chip and key-escrow and is concerned about damage to its operations"
The "right NSA" is long gone, if it ever was. Not at least in the sense that they work for the people and their chosen representatives, abide by the laws and are fully accountable for their actions. "Right" agencies are transparent, Not Such Agency is pitch black.
There has never been a "right NSA" and never will.
The NSA has already demonstrated an ability to do this. They've been doing it for years, if other agencies were following their free advice, we might not be in this situation.
Experts at the NSA have been publishing detailed guides on securing every level of IT under their Information Assurance mission for years. See: http://www.nsa.gov/ia/index.shtml
Their work on taking advantage of already available code and making it more secure is already known with their SELinux project being a leading example.
Many civilians are quick to offer commentary based only on their familiarity with recent and past headlines such as the NSA domestic wiretapping, clipper chip, key escrow plans and allegations of promoting weak encryption and random number systems to their benefit. However, security experts already working in the field may also recognize that the NSA has been doing work towards this goal long before the Obama administration's recent push.
What do the alternative choices have to show? or are they starting from scratch?
I would feel safer letting the NSA lead the way than other more traditional parts of the military who have a hard time distinguishing a script kiddie attack with an act of war and consider their physical arsenal a sane response.. http://www.armedforcesjournal.com/2008/05/3375884
So former Oil Tycoons should be considered great candidates for heading up the U.S. Department of Energy because they've 'got the skills' and have 'provided energy in the past'?
I'd take a septuagenarian hobo heading cybersecurity initiatives over an opaque government agency with counter-intuitive agendas and no accountability ANY day.
If the knowledge and experience of the NSA are so vital to the securing of our nation's technological infrastructure, there should be no reason they can't lend all the expertise they want to whomever heads this up.
That there is any contention between any of the agencies at all is already a sign of underlying agendas, budget grabs, and power struggles. We need what's best for the nation, and in terms of 'cybersecurity', that means the ONLY agenda is securing our nation's technological infrastructure, not doing so whilst also spying on the nation, scanning airports for terror-bits, or trying to create super soldiers.
Screw what the NSA has already done and released. I'm no tin-foil-hatter, but when you read their published mission statements:
(especially note the last bit: "Integrity. Transparency. Accountability. Respect for Law.")
it's pretty plain to see that their major export is what we simple folk call 'bullshit'.
Any 'cybersecurity' initiatives our country employs needs to be as transparent as OSS, or they'll be as useless as the TSA.
Makes sense. The investigator should not be the same as the secure operator.
Why a government agency? Shouldn't this be outsourced to a corporation that has a demonstrated track record, and can demonstrably manage large deployments?
Red Hat? IBM? Novell? There are lots to choose from with the necessary qualifications.
Outsourcing also allows the process to be transparent, as opposed to attempting security by obscurity - a failure waiting to happen.
Competition for the regularly renewed post would help insure quality of the service as well.
> These aren't super-secret NSA-level security issues; these are
> the same managerial problems that every corporate CIO wrestles with.
Of course, the problem in the corporate world is that the CIO usually does not have the actual authority to solve these managerial problems, because they impact business processes for units that have an organizational structure that bypasses the CIO.
This is less of a problem in a monolithic structure, as long as the CIO has actual weight to throw around; of course, in a monolithic structure, you have the opposite problem of being able to establish standards fairly easily, but having them often be bypassed because they do not meet people's actual needs.
The problem is that actual usable in-real-world security requires both top down and bottom up analysis. A National Security Guru who was only good at the first would be ineffective at implementing change across multiple organizations, and a National Security Guru who was only good at the second would be eaten alive trying to play politics.
This is *not* a problem that can be directly tackled by a single person, or even an existing organization. The NSA's functional purpose has a completely different security posture than even the DHS, and neither of them is an appropriate security posture for a small city government. Trying to impose any sort of top down structure across those multiple agencies isn't going to work unless your Security Guru has domain expertise in all those agencies, and that's just not likely to happen.
I agree with Bruce that a huge number of the security problems that exist today can be mitigated simply by making it profitable to fix them. Leveraging buying power absolutely will help raise the tide. If you can reduce bot-net size by an order of magnitude, that alone would represent a huge win for the overall health of the network.
However, I think this is actually a core part of the issue:
> We've all got the same problems, so solutions must be shared.
Here's where I disagree with this essay. From the domain perspective, we don't actually all have the same problems. In the practical perspective, we *do* all have the same problems, but that's because we spent the last decade creating this problem. "Buy off-the-shelf! It's cost-effective! It saves money! It's interoperable with what you already have!"
All those things are true to some extent, but there this push has led to the utility operations network running the same OS as the civilian population, on the same network. Financial, military, and national security systems are reachable and exploitable by the same attack vectors.
Since the mid 1990s, we've actually done computer engineering *completely backwards* - instead of designing and building secure systems for high-reliability applications such as the military and utility companies and letting the lessons learned make their way into civilian systems, we jettisoned developing these systems in the name of cost savings, and bought civilian grade systems for high-reliability applications... and then tried to fix the resulting horrid security by building additional safeguards and implementing processes, which, quite frankly, didn't work out so well.
There's an opportunity here; a declarative top-down standard for *classes of systems* can help solve this problem. Trying to establish "a secure computer" standard for every conceivable application just won't work. On the other hand, classifying use for systems and then declaring security standards based upon those use cases might actually work pretty well.
Hrm. Let me get this right:
It's against the NSA's (and other 3-leter government agency's) best interests for the average American to be able to defend him/herself effectively against a determined attacker in cyberspace. That it will reduce the ability for them to spy on people and police them. .
So therefore you cannot depend on the NSA or other government agency to push proper security policies and spearhead improvements in hardware and software.
And as a result of this the USA, as a whole, is under greater threat from foreign aggressors.
Yep. Makes sense to me.
Classic problem. Same reason why people in government want to take your guns away from you.
You cannot control and monitor a population that has the will AND the ability to resist you. So you take away the ability, and make enough false promises that hopefully the will drains away also.
Yet, as a country, that leaves us all ultimately much weaker.
yeah. Fun stuff.
Yes....Bruce is quite wrong on this one.
Why are people talking as if whatever agency gets selected for the government IT security brief will run the private sector's IT as well? Such a ridiculous notion does not appear in Bruce's article. How could this even be under consideration? I doubt that any private firm is going to run its IT plans by a federal agency for approval. If that were required, the agency would need something like 10k inspectors to keep up; which ain't gonna happen.
A more reasonable question would be how much influence such an agency would have within the federal government. I'd say let's start it out with responsibility for IT security for itself and one other agency. Something unimportant, like the Dept. Interior or HUD or similar. If this works for two years without any egregious security failure, select a few more agencies to fall under the new agency's authority with respect to IT security. Only after decades of success would the new agency be allowed near the military.
Anyone that thinks its just going to take management and standards to protect the nation is naive. We’re talking about cyber –attack-. The US is going to see a 9/11 on our cyber infrastructure. More than the criminals, we need to go toe to toe with nation states here. I want NSA innovation out there keeping me, my economy and my country safe.
@shane as pointed out already there are other other agencies and venues and this will likely end up in the White House at the special assistant level.
re:trust good intentions. I was at a conference at the end of the last century where the CIA was asked why they don't do economic espionage for U.S. companies like the French intelligence services do for their nationals. Their answer was interesting. "Because the American corporations wonder about the provenance and purpose they were being furnished with the information and what was being left out." Leave aside the question of if you trust the CIA's intention of good will or competetance. Thier route around was interesting - information they gathered that they though significant was given to Commerce to disseminate. Of course this assumes there ARE still US corporations.
"NSA should put Skynet in charge"
are you mad!...give me Summer Glau anyday.
You hit the nail right on the head. @Pat Calahan also presents nicely how the state of events has evolved to today's broken model, horror show state of affairs in his post.
What is needed is someone in authority to monitor and enforce the march along the parade route to some state of improved risk mitigation, by making sure that the basics are done as a minimum. Tying performance, rewards and punishment to improvements in IT security posture, as a priority, are a definite step forward.
NSA ultimately obeys orders, though. If they were clearly told they no longer had a choice when disclosing vulnerabilities conflicts with their SIGINT mission, they'd grumble and try to fight it, but in the end they'd do it.
Might be hard to give orders like that, particularly as Democrats are afraid of being seen as weak on national-security issues. But with a radical enough step, you could probably make NSA into an org that could be trusted to protect US computer security.
The equities issue seems like a moot point. Most IT departments can't get the basics right, due to politics, lack of resources, or outright incompetence. Does it really matter if NSA is withholding some complex, diabolical vulnerability when you're letting your users browse the web as admin? If the vast majority of companies were getting the basics right, the equities issue would become much more relevant.
Conficker is a prime example of this. The worm wasn't seen in the wild until _after_ Microsoft released a patch for the vulnerability it uses to self-propogate. And some corporate networks _still_ got infected. We're talking about a publicly known vulnerability that has had a patch available for months.
You are giving me REALNESS.....!
Who Should be in Charge of U.S. Cybersecurity? US Senate has an answer for you: Office of the National Cybersecurity Advisor within the Executive Office of the President. That's a part of legislation introduced by Senate Commerce Committee Chairman John D. Rockefeller IV (D-W.Va.) and Sen. Olympia J. Snowe (R-Maine):
Apart from creating new bureaucracy and extending its regulatory powers far into private sector (think of SarbOx to entirely new levels), the legislation would require certification of information security professionals and will create financial market for "cybersecurity risk management, to include civil liability and government insurance".
You could argue that we need development of greater security systems, but a big part of the problem is that people are not using the security systems we already have.
For example, I know someone who works for a government contractor. When I talk about encryption, she complains about cold boot attacks. (She doesn't seem to really understand cold boot attacks, but apparently she went to a briefing and remembered enough that I was able to figure out that was what it was.)
And yet the laptop she brings home from work is completely unencrypted and running Windows with Internet Explorer. Only people who encrypt their hard drives have to worry about cold boot attacks. If you do not encrypt your hard drive, an attacker does not need a cold boot attack to get your data.
Similarly, their response to viruses was to ban USB devices. That really sounds more like a decision made by a statistician than a person who knows much about computers. Seriously, at least switch to Debian. If you really want a secure operating system, switch to a BSD, preferably OpenBSD, but for heaven's sake, nothing is more vulnerable to viruses than Windows.
It's not that you can't, in theory, run Windows without getting viruses, but training personnel to do so would be more difficult than simply showing them how to use KDE or Gnome. Besides, even if you use Windows with Firefox and Noscript and no Java or Flash and an anti-virus scanner and software firewall and disable unnecessary services, it's hard to tell what Windows might be doing in the background. The best way to secure Windows, in my opinion, is not to connect to a network with it.
Cybersecurity isn't a military problem, or even a government problem -- it's a universal problem. All networks, military, government, civilian and commercial, use the same computers, the same networking hardware, the same Internet protocols and the same software packages. We all are the targets of the same attack tools and tactics. It's not even that government targets are somehow more important; these days, most of our nation's critical IT infrastructure is in commercial hands. Government-sponsored Chinese hackers go after both military and civilian targets.... interesting.. the topic is "U.S. Cybersecurity" .... someone in our government needs to control the governments security. If we are talking about securing our nations network - files that the government owns, our SSN's etc.. then someone in our government should be monitoring this. If we are talking about our nations network, the internet that the united states operates on, that everyone uses, then this is up to the people. You cannot regulate the internet!
Who should be in charge...
The industry of Free and Open people, who can have their own Networks, and become highly skilled.
The NSA should help make IT work, and SOLVE last mile problems, especially legal, and business incentives.
While it might be poor to call security a language and cultural sophistication, it basically is.
We are in a distributed IT sophistication arms race. Thinking the NSA can just "traffic cop" IT, is a dangerous denial of truth.
I wrote the cover story on this topic for the March 2009 issue of the ISSA journal - it was titled "Who Shall Defend Us?" I think the readers of this blog might find it interesting.
Our article starts out by observing that the US currently does not have a good answer to questions of cybersecurity jurisdiction, authority and responsibilities. We conclude by suggesting a collaborative, cooperative approach, rather than one marked by strict boundaries and an "I'll protect this flank, you protect that one" approach.
And I must blushingly admit, we failed to even mention the NSA by name (we sort of grouped them under the general "DoD" umbrella), but after reading this post, perhaps that wasn't so bad?
In my opinion, Mr. Schneier nailed it when he wrote: "Cybersecurity isn't a military problem, or even a government problem -- it's a universal problem." We're all in this together and we need to figure out a way to work it - together.
FYI, ISSA requires a subscription to read the article, but someone posted it on Scribd, so you can get it for free there: http://www.scribd.com/doc/13624201/...
Last week I attended a conference put on by US Stratcom and after listening to the the DoD’s top brass talk about the struggles they are having, these same thought echoed through my head, with one idea presenting itself to me.
"Cyber warriors/Cyber defenders do not fit well in a uniform."
Do your elite hacking and defending staff need to also know how to use firearms, and follow very diligent reporting hierarchies and regiments? Do your enemy cyber combatants follow these same regiments. Cyber warfare is a different battle space and in my opinion requires a much different way of thinking when approaching it. Shimming an existing structure isn't going to cut it if we want to succeed.
The White House and Congress are in charged of Cyber Security for the Government. The write and enforce the rules. Or should I say, fail to. Shuffling the deck chairs doesn't change a thing. They seem fundamentally incapable of abiding by their own rules which, if they did, their networks would be secure and they wouldn't get D's on their own report cards. Unlike private businesses they don't get fined or sued when they fail. Congress should try that. As to them "running" security for the country. NIST has done a fine job of publishing standards and practices.
Cult of the Dead Cow or Subliminal Insidious Network would be better than the NSA, DoD, Air Force, CIA, or any government agency, except, perhaps, the NIST. I trust CDC and SIN more. They also have the expertise. Both I suspect have some of the best security operators in existence. They are non government; although I also suspect that they my have members who have worked for government, and corporations.
I must mention one weakness in our cybersecurity, the home users connected to the www. whose computers may be wielded as weapons without their knowledge. That last is the reason why transparency is necessary. The NIST is the best agency to coordinate 'net security, with an advisory role for other interested agencies, including the intelligence and law enforcement agencies.
The reason I practise prescience paranoia about security is my concern about cybersecurity, and use good 'net habits, in addition to a hardened system, best security applications, check on patches for all applications almost daily, including sandboxed surfing and email. I learned these from the private sector, but with knowledge also from Berkeley Lab Procedures for Securing XP Systems. There are many sources, but it would be necessary for one source for business, government, and home users for a serious cybersecurity.
I don't believe that many other governments would trust the cooperation proposals from our intelligence agencies. I certainly would not trust their intelligence agencies. BUT I don't trust my intelligence agencies. They have spied on honest citizens for national security.
I trust CDC and SIN. They have cracked foreign networks. They have advised how to secure ours.
I recognise that it must be a government agency along with a private entity, say Carnegie Mellon University, Cornell University, Massachusetts Institute of Technology (MIT), Princeton University, Stanford University, University of California at Berkeley, University of Illinois at Urbana-Champaign, University of Washington,
University of Wisconsin at Madison, or University of Texas at Austin. All excellent choices to work with NIST - and Cult of the Dead Cow and Subliminal Insidious Network.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.