A "Department of Cybersecurity"

Presidential candidate John Delaney has announced a plan to create a Department of Cybersecurity.

I have long been in favor of a new federal agency to deal with Internet -- and especially Internet of Things -- security. The devil is in the details, of course, and it's really easy to get this wrong. In Click Here to Kill Everybody, I outline a strawman proposal; I call it the "National Cyber Office" and model it on the Office of the Director of National Intelligence. But regardless of what you think of this idea, I'm glad that at least someone is talking about it.

Slashdot thread. News story.

EDITED TO ADD: Yes, this post is perilously close to presidential politics. Any comment that opines on the qualifications of this, or any other, presidential candidate will be deleted.

Posted on April 17, 2019 at 7:57 AM • 31 Comments

Comments

RjApril 17, 2019 8:12 AM

The article says, "Currently our cybersecurity efforts are spread across multiple agencies, but by creating a new department we can centralize our mission, focus our goals and efforts, and create accountability.”

This sounds good at first glance, but one department can crystalize on one approach, whereas multiple independent departments can have a diverse set of approaches (to any problem, not just cybersecurity). I am not opposed to a cybersecurity department, but lets keep looking at the problem from multiple angles by multiple departments, so we explore multiple approaches.

SlagApril 17, 2019 8:15 AM

I am positve that even if there was a dept of cybersecurity there would be still be a widely variable approach across different agencies to all different aspects. For example, the Navy has fighter jets, and the Army has boats.

DHApril 17, 2019 9:14 AM

From the press release:

Currently, the responsibility of cybersecurity is strewn across multiple agencies including the Cybersecurity and Infrastructure Security Agency within DHS, the FBI within the Department of Justice, and the U.S. Cyber Command within the Department of Defense.

What's wrong with the existing CISA within DHS? This just seems like a re-org to me by carving out CISA's current role into its own agency on the same ladder rung as DHS.

Impossibly StupidApril 17, 2019 9:52 AM

I think evoking the DHS actually undermines the argument of needing yet another cabinet-level agency. I don't know of anybody who interacts with the TSA that thinks of them as the best and brightest. And how many of these defense and security organizations do we need? At what point do they again start stepping on each others toes and/or conversely failing to share critical data and processes?

Given that computers and technology have woven themselves so deeply into our daily lives, I'm not sure it makes much sense to pretend that "cyber" is something that can be isolated and dealt with in a single unified manner. If it gets dealt with at all. I think a big part of the problem with cybersecurity is that nobody seems willing to get "tough on crime" when it comes to new innovations. Companies get away with murder (literally, in the case of Uber) without serious consequences from existing agencies that should be overseeing them. Forgive me if I don't see more toothless red tape as the way to change that for the better.

ThursdayApril 17, 2019 10:47 AM

@Impossibly Stupid: "I think evoking the DHS actually undermines the argument of needing yet another cabinet-level agency."...

A wise perspective to say the least!

When DHS was created in 2002 it was defined as a reorganization of existing departments. That's far from what it turned out to be it seems.

“The U.S. government does not have a single definition for ‘homeland security,’ ” the report said. “Multiple definitions, missions and an absence of prioritization results in consequences to the nation’s security.”

https://www.washingtonpost.com/news/the-watch/wp/2014/05/07/dhs-a-wasteful-growing-fear-mongering-beast/?noredirect=on&utm_term=.9ccbdb81f8e9 -and- https://www.abqjournal.com/390438/homeland-security-a-runaway-train.html

Now replace 'homeland security' with 'cyber security' and we may see into our future.

If we need a new cyber office modeled after ODNI to oversee all of the cyber parts then what are the real top priorities of such an office?

Can we be assured of agreement in definition and priority between politicians and the laws written to create such an office? What about 10-15 years down the road?

Afterall, sweeping changes to government have a way of lingering beyond their useful lifetime and morphing into something else entirely.

WhiskersInMenloApril 17, 2019 11:15 AM

The single most important mind set is to understand that flaws known by TLAs and
considered to be a tool are a larger risk hidden in NDA products and classified
tool kit programs.

There is a national policy but it is not followed. Kiosk services at the FBI, contractors and other TLAs utilize exploits undisclosed to the manufactures. US law can be by bypassed by having a contract service in another nation keep the exploit flaws secret.

Corporations hobble their employees via NDA documents. Law can mandate companies to self report with a longer repair window than if the same flaw is discovered by others to be exploited in the wild.

The landscape is apparently not moving on the maintenance side only on the punitive and obfuscation side.

https://fas.org/sgp/crs/natsec/R42114.pdf

My favorite problem is the software life of hardware can be stated at five years but many companies start that clock at introduction not last manufactured. It is not uncommon to purchase a nice bit of hardware and only see a year or two of bug fixes and updates. This problem is not unique to imported hardware. This can partly be improved with open documentation so third parties can sustain the software. Companies do go bankrupt and components used in the product of the bankrupt company can be covered by NDA documents complicating ownership of needed fixes.

Systems on chips are often a collection of IP covered by NDA. The layers of NDA inside these NDA trees make law firms rich.

Workarounds for hardware flaws and blunders are only possible if responsible disclosure is found.


Tim StevensApril 17, 2019 11:18 AM

Bruce, a crazy woman from Miami flew to Denver and bought a shotgun, and today schools are closed for almost half a million students. What would you recommend that a school district superintendent do?

https://www.9news.com/article/news/local/hundreds-of-schools-across-denver-area-closed-as-search-for-dangerous-woman-continues/73-48039270-a337-4c10-9b01-677bb3f38400

Apologize for off-topic; if inappropriate to address here, could you please post a topic about this soon? Thank you.

markApril 17, 2019 11:18 AM

Wonderful. Not.

Ok, background: I work for a federal contractor at a civilian US government agency. Currently, the GAO is auditing the organization for security. I hear, from my manager, that early last week, he was in a meeting about it. Then I read the "what's happening" newsletter... and that it was a "non-technical meeting about cybersecurity". This gives me cognitive dissonance, since I don't understand how one has a non-technical discussion about the subject.

Also, what's been being pushed down is overwhelmingly "ok for a Windows desktop", but scale? or even appropriate? for Linux workstations and servers? You're really going to be scanning every file that's opened by a massive R program reading tens of thousands of datasets, and the job runs for one, two, or three *WEEKS* on a server with two GPUs, and no one else on it?

So, yeah, I can see them trying to push crap that's ok on a manager's Windows box onto EVERYTHING.

This isn't even security theatre, this is ignorant bs.

Anon E. MooseApril 17, 2019 11:41 AM

The last thing we need is another governmental department of anything. There are at least three or four mature bureaucracies within our government that can implement cybersecurity guidelines and be tasked with enforcing the changes in the public sector.

But all departments having the same security implementation is not good either. Own one and you own them all.

Should we talk about the issue of cybersecurity? Yes!

Should we implement real change to provide better security to our citizenry while promoting individual freedom based upon that discussion? Yes! Yes!

The government screws up everything it touches and it takes concerned citizens to get that changed not career politicians, no matter what party they are from.

EvanApril 17, 2019 11:55 AM

A centralized bureau of cybersecurity will a) inevitably fall victim to politics that reduce its effectiveness at its core mission and b) always be fighting with other government departments and agencies (in particular defense) over every single recommendation. The office of the director of cybersecurity sends a memo to, say, the Bureau of Labor Statistics, informing them that their servers are insecure and they need to upgrade their software, and it gets ignored because like everyone they'd rather spend their budget on program tasks than on what seems like unnecessary expenses. If the ODCS has the authority to force them, they'll just use whatever mechanisms they can to contest it, wasting resources on both sides.

To my mind, a better approach is to treat cybersecurity as something like law - instead of a single group of people someone issuing guidelines and/or orders to everyone, you have a lawyer in every office or so that's a part of that group and is there to provide legal advice and guidance, and to insist on following matters of law when necessary. Similarly you have a security person in or every 100 or so employees, and they help the office make sure that its computers and data are handled and stored in a secure way. When it's a larger matter of policy, e.g. for the whole State Department, there's a security advisor just for that level as well to make sure the wrong decisions don't get made.

It would be a bit of a task to get all these people placed into offices, but the initial hiring drive could draw inspiration from successful programs like PMF, which is basically a program to attract and place MBA graduates into Federal public service; once selected, you can end up pretty much anywhere. Set up something similar for cybersecurity experts and you've got yourself a pilot program.

SedApril 17, 2019 11:59 AM

I'll be honest - I'm still spooked from the constant reports we've had over the years of additional encroaches on our privacy from the FBI and NSA.

I don't have much of a conception of government cybersecurity that doesn't involve subverting security standards, mass surveillance, or advocating for encryption backdoors.

What could a Department of Cybersecurity even do that wouldn't make life more miserable for non-governmental security practitioners or for people who care about their civil liberties?

cmeierApril 17, 2019 12:46 PM

A new government department will not be all that useful if it does not have the legal authority to force utilities and other private businesses to address problems. There is a regular trickle of news stories about infrastructure security vulnerabilities and another regular trickle of news stories about how these businesses do not want the government investigating vulnerabilities in private infrastructure. If the government cannot investigate and force business to get its cybersecurity act together, a new department will not solve the most pressing cybersecurity problems.

OMGApril 17, 2019 1:39 PM

@AL

about special tools known as “rainbow tables” that WikiLeaks used to crack hash values and determine any passwords associated with them.

Dear Courthouse News. You need a new reporter who actually understands cracking passwords and doesn't write gibberish sentences like the one above.

ALApril 17, 2019 2:51 PM

@OMG
This thing about rainbow tables came straight from the FBI affidavit. Courthouse News specialty is reviewing legal documents, such as affidavits and court cases, not technical matters. Insofar as the technical matter is concerned, the FBI affidavit did discuss the forensics, such as matching the LM hash found in the jabber chat with one on the system that Manning was allegedly trying to hack.

If there is an issue with someone who knows about cracking passwords, that lies entirely with the F.B.I. So, if after reading the affidavit, you think the F.B.I. is incompetent, then perhaps you agree with Bruce that there should be a separate agency.

RjApril 17, 2019 4:59 PM

@AL: " Similarly, I think "Spaceforce" should be handled by the Airforce."

No, the Navy gets space. Reason: There is no air up there, just like there is no air around a submarine. The Air Force gets the air.

GornApril 17, 2019 7:19 PM

Cut out the middleman and just militarize NASA. Giant lasers etc.

Trump is an abject fool, there are several military-adjoined agencies that handle space already. You can't "put boots on the ground" there, there's no there! The international space station is the grand extent of nearby "conquerable" territory, and low Earth orbit is already whizzing with random chunks of metal from the recent pastime of blowing things up. It doesn't make sense to use anything but robots anyway, humans are just extra luggage in space and especially so for any kind of military mission. The whole concept is deluded, and thankfully it was only meant as a passing distraction and/or avenue to self-aggrandize himself as if Trump were some kind of military-anything-at-all.

Meanwhile the Secret Service is sticking Chinese spy thumb drives into their systems at the golf resort Mar a Lago, and we're worried about new space uniforms for Star Trek fantasists? We have seen the space enemy, and it is us.

Don't these people have jobs to do?

JoeApril 17, 2019 8:11 PM

@Anon E. Moose
I agree totally! And I would just add "Quis custodiet ipsos custodes?". I don't trust any of them!

1&1~=UmmApril 18, 2019 4:49 AM

@AL @OMG:

"Courthouse News specialty is reviewing legal documents, such as affidavits and court cases, not technical matters."

Whilst that may or may not be true @OMG's point of,

"Dear Courthouse News. You need a new reporter"

Still stands, actually go back and read the article again, because it realy does contain gibberish, that did not originate out of an FBI affidavit, but I assume the reporter's mind.

But as for the Feds, I would start with the position that 'They lie to Courts because they know they will not get sanctioned', --esspecialy in tech cases-- then work on down from there.

It appears that their attitude is 'We say you are guilty, now let's see what we can invent'.

The US realy needs to clean out that Cloaca of an organisation, as it's bringing the US into disrepute.

Petre Peter April 18, 2019 9:40 AM

Assigning responsibility through this new department puts us on the right track. Onboarding though, could mean the breakup of existing agencies.

justinacolmenaApril 18, 2019 1:35 PM

I have long been in favor of a new federal agency to deal with Internet -- and especially Internet of Things -- security. The devil is in the details, of course, and it's really easy to get this wrong.

Oh, of course. Now how do you expect the new NSA that you propose to be any better or different than the old NSA?

Wouldn't the same old federal employees essentially be doing the same jobs as they were before, only at the new federal agency?

They already have all their top secret clearance paperwork in order, after all, and the Office of Personnel Management is not exactly in a frenzy to hire new uncleared employees.

I highly suspect that the same papers are going to be shuffled in the same direction as before.

albertApril 18, 2019 2:46 PM

One doesn't make bureaucracies better by making them bigger. The US government is a -massive- top heavy bureaucracy, populated by -mostly- paper-pushers riding the taxpayers dime. The best analogy is a tollway, which, once the new road is built, never goes away.

A "Department of Cybersecurity" will likely fail, because it will be expensive to set up, other departments won't spend the money necessary to implement fixes, and private companies continue to resist computer and network improvements. If a DoC have teeth, it might improve -government agencies- computer security, and that would be a good thing. The law would also have to apply to any entity that handles government contracts, and that would be fought tooth and claw by those entities.

The best outcome I could see would be Political Theatre, to assuage the publics fear, until the next Big Cyber Attack that is.
..

. .. . .. --- ....

JamesApril 18, 2019 11:50 PM

I don't think Mr. Schneier was pushing for a new large Government Department. All I took from it was He was glad they were at least talking about it. I'm glad too. Problem is most people in Government are like me and have no clue about how everything works. I like reading His Blog and follow as much of it as I can. People don't like to talk about things they don't understand.
The main problem with all this is 99% of the population are just LAZY. We want everything done for us. Why in hell would you hook your Microwave or Toaster to the internet anyway? We, as a population needs to be Proactive, not Reactive! When a large area of the Power Grid is destroyed, I can hear them now, "Why didn't someone tell us this could happen?"
Look, I'm pretty confident that I'm by far the dumbest person posting on this board. Even I know throwing processing power into every little crap Gadget with little to No security is a stupid thing to do. As long as it's cheap and can do a trick or two We're good with it. Something awful is going to happen and when it does People like you, who have been beating the Drum for Years will be drowned out by the fat face Politian's. They'll be looking for a Camera to tell us this is what they have been preaching about for Years. When all they have done is duck and dodge the problem.
I know that we have some Super Smart Computer People in the NSA. I don't like some of the things that have gone on but I just have to believe that most have a good Heart. Somebody needs to have the power to look over all this Data because there are some horrible people out there. Sad as it is to say, we need someone looking over our Shoulders. Isn't it funny that there hasn't been a disaster yet?
How would it feel if You were fighting these Crazy People everyday? You prevent disaster after disaster. Just to hear the President insult you and the Public is hating on you! Either we have been super lucky or someone is watching out for us. I think its the later. I don't like it much but until we round up the Super Crazy People, never happen. Or start find ways to secure Data and protect the Power, Air and Gas.
I know it SUCKS but someone needs to keep an eye out. Would you rather have Russia or China do it? only way to make sure that doesn't happen is get there first.

DennisApril 20, 2019 8:18 AM

@James,

Funny as it sounds, cybersecurity would not exist if the Big Brother does not warrant it thru legislations. Gone are the days they treat it as some sort of mail fraud.

G. The False ProphetApril 20, 2019 4:02 PM

Making government stronger does not help you when the time comes... as all have before in history and as all will in the future... for that government to fall; this is objective certainty, and it is only humans that live on. Making government stronger only makes their respective and inevitable endings that much harder suffering for everyone to live through.

The solution is seek solutions beyond governments.

Youtube Search: Keith Knight, Larken Rose, Mark Passio

Geoffrey NicolettiApril 22, 2019 4:56 AM

More bureaucracy? No. Serious change in INFRASTRUCTURE. The current Internet was designed for academics not humans... An architecture that takes into account "if we think we can get away with it, we will do it." Current architecture creates individual, criminal, and nation-state hackers.

Clive RobinsonApril 22, 2019 9:46 AM

@ Geoffrey Nicoletti,

The current Internet was designed for academics not humans...

Wrong in all respects.

The Internet was thought up by one of the Bletchly Park set Gordon Welchman, who might have started in academia but was very much "war hardened" and had invented a much improved bombe than Turings, he also came up with Traffic Analysis and was a founder of what has become computational managment. He also spent considerable time designing communications systems for ordinary millitary personnel to use. Atleast one of which is still in standard use in NATO and other related organisations.

What you call the Internet was developed from Gorden Welchmans ideas when he was working in the US by what has variously been called ARPA and DARPA with the original IP and later TCP work being done by BBN of Cambridge MA.

It was based on what was called the DOD Four Layer model as the other stack from ISO (7 layer) was not practical at the time due to the excesive resources required.

Users of ARPNET did include academic organisations working on DoD or DARP projects along with various mil commands. With time more and more civilian organisations joined ARPAnet and the military split off to form ot's own network called by many MilNet.

The expansion of ARPANET and the Internet it eventually became, was almost always "resource limited" or "resource bound" as it very much still is.

Whilst lots of CS students contributed to it's advancment it was always designed very much for human usage. Thus like *nix it's underlying protocol is human readable text, that untill fairly recently was 7bit ASCII with most infrastructure services being accessable by using Telnet.

It has only been with modern scalling issues that this human usable protocols has started to be degraded for two reasons first "compression" second and much more recently "encryption"...

The fact it is still around after fourty years more or less still working the way it did when the general public got access with their 8 and 16bit PC's is testiment to the fact they got things right within the resource capabiliries then available, including that all important resource the human, with brain notepad pencil and slide rule or later calculator.

The PullApril 22, 2019 6:35 PM

@gorn

"Cut out the middleman and just militarize NASA. Giant lasers etc."

Whoever they are, they should have virtual swat type hacker teams to react and focus on specific outbreaks. Fast and agile, handing over outbreaks after concluding they are criminal or intelligence.

Another team should figure out defensive actions.

And leave it to the handoff agency to distribute or not the fix.

HannahMay 29, 2019 4:24 AM

I also heard about some cybersecurity improvements in the UK. Here is a couple of words about it — https://www.scmagazineuk.com/cyber-security-innovations-uk-gaming-industry-year-ahead/article/1525806. Though it mostly concerns the gaming industry, it needs to be protected as well. Actually, this industry is one of the most vulnerable ones, and every day it becomes a victim of numerous hacking attacks, scums, and piracy. So, the innovations mentioned in the article above should be for the best to its current state.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Sidebar photo of Bruce Schneier by Joe MacInnis.