

[infowar.de] Rick Forno on the National Cybersecurity Strategy: Same Stuff, Different Administration



Infowar.de, http://userpage.fu-berlin.de/~bendrath/liste.html
-------------------------------------------------------------

A nice takedown that articulates important criticism, among other things of the US government's complete ignorance of the problem of software monocultures and its panicked deference to industry.

Best quote:
"[W]hat is currently needed is not a prescription but a mandate on what
must be done (and by when) to improve federal information security, not
another list of things that "should" be done but most likely won't. In
this regard, the Strategy is no different than other government
cyber-strategy documents (mentioned earlier) and audit reports (from GAO
or OMB) published over the years eschewing the need for better systems
security and what "should" be done to improve it."

RB


http://www.infowarrior.org/articles/2002-11.html

America's National Cybersecurity Strategy: Same Stuff, Different Administration

Richard Forno
(c) 2002 Infowarrior.org. All Rights Reserved
Article #2002-11.

Permission granted to reproduce and distribute in entirety with credit to author.

http://www.infowarrior.org/articles/2002-11.html

--------------------------------------------------------------------------------

Today the White House releases its long-awaited "National Strategy To Secure Cyberspace." This high-level blueprint document (black/white or color), in development for over a year by Richard Clarke's Cybersecurity team, is the latest US government plan to address the many issues associated with the Information Age.

The Strategy was released by the President's Critical Infrastructure Protection Board (PCIPB), an Oval Office entity that brings together various Agency and Department heads to discuss critical infrastructure protection. Within the PCIPB is the National Security Telecommunications Advisory Council (NSTAC), a Presidentially-sponsored coffee klatch comprised of CEOs who provide industry-based analysis and recommendations on policy and technical issues related to information technologies. There is also the National Infrastructure Advisory Council (NIAC) - another Presidentially-sponsored klatch - allegedly consisting of private-sector 'experts' on computer security, but in reality consisting of nothing more than additional corporate leaders, few if any considered an 'expert' on computer security matters.

Thus, a good portion of this Presidential Board chartered to provide security advice to the President consists of nothing more than executives and civic leaders likely picked for their Presidential loyalty and/or visibility in the marketplace, not their ability to understand technology in anything other than a purely business sense. Stacking the deck with friendly faces (and thus receiving anything but objective advice) is not new to the President, who recently stacked his Scientific Advisory Council with those supporting his policy agendas. Factor in Richard Clarke's team - many of whom, including Clarke, are not technologists but career politicians and thinktank analysts - and you've got the government's best effort at providing advice to the President on information security, such as it is. (One well-known security expert I spoke with raised the question about creating a conflict of interest for people who sell to the government or stand to gain materially from policy decisions to act in advisory roles, something that occurred during the Bush Administration's secret energy meetings.)

Now that you know where the Strategy comes from, and where the real interests lie behind its creators, let's examine some of its more noteworthy components.

Although the Administration heralds this as the first "National Strategy" for cyberspace security, we need only reflect on the Clinton Administration's "National Plan for Information Systems Protection" from 2000, and the President's Commission on Critical Infrastructure Protection Report from 1996. Like its predecessors - and despite the publicity push from the Administration - nearly all of what's in this Strategy isn't new, either in what it says or what it fails to say. In keeping with tradition, the Strategy "addresses" various security "issues" instead of directing the "resolution" of security "problems" - tiptoeing around the problems instead of dealing with them head-on and demanding results.

At times, the Strategy reads like the fear-mongering propaganda published by assorted industry groups and security product vendors. It claims that 70% of cyber-attacks on corporations are caused by insiders, yet provides no source for these statistics. Further, during its discussion of the threats and vulnerabilities, there's an eye-catching sidebar with a hypothetical worst-case cyberterrorism scenario conjured up by "50 scientists, computer experts, and former intelligence officers" - and throughout the report are statements that the Administration consulted with experts across the country in a variety of industries. Yet there's no reference listing who these 'experts' are, or what their credentials are to enable them to make such prophecies and participate in the preparation of this Strategy, something that undermines the credibility of these statistics and statements. For all we know, these 'experts' are career politicians, academics, or clueless CEOs - many of whom probably never served in an operational IT capacity before - and thus don't understand the reality of today's information environment.

To its credit, the Strategy provides (yet another) list of suggested 'best practices' and proposals to improve technology security in a variety of venues, from homes and small business to government and large enterprises. It uses simple, easy-to-read language and presents its contents in vibrant color with lots of white space and eye-catching sidebars and high-tech graphic motifs, very much like a vendor's Powerpoint presentation for prospective customers.

In the areas of corporate security improvements, the Strategy indeed shines, as it recommends Board-level accountability for information security, proper security administration, and better integration and alignment of information security with senior management and business goals. This is perhaps the best component of the Strategy, and actually provides innovative guidance that can be implemented fairly easily by corporations.

The Strategy makes it clear that it is to serve not as a "Federal government prescription" but as a "participatory process" to develop America's national information security environment with the private sector, and believes that a hands-off policy is the correct way to work with them. Indeed, for technology's private sector, this is a good thing given the speed that government operates. Unfortunately, for the federal government, what is currently needed is not a prescription but a mandate on what must be done (and by when) to improve federal information security, not another list of things that "should" be done but most likely won't.

In this regard, the Strategy is no different than other government cyber-strategy documents (mentioned earlier) and audit reports (from GAO or OMB) published over the years eschewing the need for better systems security and what "should" be done to improve it. For the private sector to take the government seriously in this area, government needs to police itself first before coordinating the efforts of industry.

As expected, the Strategy gives a tiny nod to developing a separate government-only network, otherwise known as GovNET. While sounding good on paper - and having been Clarke's vision for years - leading security professionals question the logic of such a network. Given that the Internet is redundant with multiple - if not infinite - numbers of pathways between nodes, one wonders why Clarke & Co. are considering moving large chunks of the government to a network with a finite series of nodes, and multiple single points of failure or attack - thus consolidating all his eggs into one basket just waiting to be dropped? (Earlier this year, Clarke acknowledged that GovNET would still have its share of viruses, trojans, and worms, so one has to further wonder about this proposal, since it's apparently not going to be any more secure or robust than what he's got now.)

According to the Strategy, vendors and possibly security consultants may be required to obtain government or industry-based certifications to prove their competency. Again, this sounds good on paper, but some argue this requirement could be skewed to favor large, established companies (or products) and thus alienate small firms, consultants, or alternative technologies from the 'certified' mainstream security or technology industry. Further, the Administration fails to note that a certification (or a college degree in cyber-security, another of its proposals) does not make a person any more competent a professional; rather it takes years of applied experience to be considered an 'expert' and 'competent' in one's field. Contrary to the profiteering interests of certification and testing organizations, we forget that nearly anyone can pass a test; what matters is how they perform in the workplace, not in the classroom.

Regarding technology products, the Strategy discusses employing programmers who understand security to code better products, yet makes no mention about the executives in marketing and corporate leadership wanting to bundle features together to make a product 'convenient' for marketing purposes and thus likely more exploitable. Certainly, we need programmers to understand software and system-level security, but programmers are only one small part of the problem (a very small one in the grand scheme of the software industry) and act at the direction of the higher-ups in the company. Executives must realize the dangers of - and work to reduce or eliminate - 'feature-creep' in their products that leads to exploitation. Just consider how much 'more secure' your information would be, and how much less spam you'd receive had Microsoft not integrated Internet Explorer and Visual Basic Scripting into Windows.

The Strategy notes that "systems often become overloaded or fail because a component has gone bad" and proposes that "trustworthy computing" be part of a national priority. Not surprisingly, this is the same term used by Microsoft to describe its multi-faceted approach to securing future versions of Windows. Conspiracy theories about this will abound, particularly given the close ties Redmond has with the White House. Industry analysts will also watch to see how quickly Hollywood's cartels leap to position their copy control initiatives as part of "trustworthy computing" to ensure their profit streams, and link their revenue protection to computer security features.

It's interesting that - perhaps as a result of industry lobbying (or the Administration's ignorance) - the Strategy has no concern over the current 'monoculture' environment for operating systems, choosing instead to support the development of new security products, technologies, and services to be built around (or over) the current (and heavily-flawed) 'foundation' for most of America's critical systems. The Strategy must consider such preventable (but recurring) problems as the price of doing business in the Information Age, something that many believe is foolhardy and complacent thinking.

Then again, effectively securing the foundation of our systems - the operating systems - would mean fewer security products and services need to be purchased from third parties... perhaps this oversight in the Strategy is tribute to the lobbying efforts of security vendors trying to preserve their revenue streams?

A national strategy is certainly necessary to effectively deal with the many problems of computer security. While there are indeed well-conceived portions of the Strategy that will lead to procedural improvements in America's information security posture if implemented, the Strategy falls far short of what it was heralded as by the Administration, and that shortfall is the subject of this article.

Today's release of the National Strategy To Secure Cyberspace is yet another Oval Office attempt to gain consensus in dealing with the many problems associated with effective information security in the United States. Unfortunately, in the areas most responsible for the dismal current state of information security, the Strategy fails to recognize and deal with them at all.

If the administration spent one-tenth the time or money on actual security implementation and education (thus leading to long-term solutions) that it does on convening boards of advisors, councils, town hall meetings, and issuing vaguely-worded, broadly-encompassed, slickly-packaged "feel good" reports like this one, there wouldn't be such a large computer security problem needing to be remedied in the first place.

Maybe I should start my own Coffee Klatch.

---------------------------------------------------------------
Leave the list: send mail to infowar - de-request -!- infopeace - de with "unsubscribe" in the body.