Schneier on Security

name.withheld.for.obvious.reasons • February 26, 2013 2:03 AM

Speaking of conferences–

On 23 Feb, the Governor’s Association held a series of conferences in Washington D.C. The Health and DHS Committee discussed a program to deploy wireless networks nation-wide called the “First Responder Network” to address issues brought to the consciousness of the public made obvious by the “Security Theatre” Agencies. The most disturbing statements made during the meeting came from both Richard Clarke (I used to have a great level of respect for his “honesty”–no longer) and the CSO from the State of Michigan. Richard’s comments just didn’t hold up to basic scrutiny—and—were followed by irresponsible statements made by Michigan’s CSO. Essentially the CSO blamed the end-user (people) for the problems affecting state governments with respect to cyber-security.

As is well documented, sphear phishing operates on the assumption of some level of naivete—but—technology companies share a level of responsibility when it comes to the operative behavior of systems that I’d term “fragile”. The CSO’s statements didn’t seem to make sense, for the last 15 years I’ve complained about the issues surrounding system vendors that “release” products that one could call golden (ready for production). Understanding that people could not be made to make detailed decisions about operational choices when using computer systems as tools to do their job. Understanding what is required to operate a system “safely” is not an exercise that anyone having more than a basic understanding of the technology seems to be an unreal expectation.

Microsoft, during the late 1990’s, for a period of almost five years fought adopting the Common Criteria (ISO 15408, 27001) standard. The standard, though apparently complex, is basically a “best practices” for software development. Included in the standard is issue around things that aerospace companies exercise as standard practice. The IEEE draft standard(s) and licensing for software engineers has been available for some time. Though I have some real issue with the industry practices and the integrity the IEEE efforts. IEEE does little to address what I would term the “social” capital costs of technological systems deployed in/as social-political solutions. What others might say is ethics is a bit too narrow to address the issue I have identified.

Why do I mention this;

1.)Officials abuse the public’s trust by either not understanding the truth, or are actively engaged in deceit. The result, poorly understood analysis of the issues put more than just their opinion at risk.

2.)Sound reasoning and rationale action is not possible based on decisions made using poor or inaccurate information. The result, decisions made put the general public at risk.

3.)If the false information is given weight or gravity it becomes and intractable situation to take on the “established in fact” propaganda propagated by the pseudo-intelligensia.

4.) The rest of us, those that have a little more information than the so-called experts, get to watch in horror and amazement as the facts are ignored and governments exercise their power on the unwitting “public.”