Rick Forno on the National Cybersecurity Strategy: Same Stuff, Different Administration

A fine takedown that formulates important criticism, among other things of the
US government's complete ignorance of the problem of software monocultures
and of its panicky restraint towards the

Best quote:
"[W]hat is currently needed is not a prescription but a mandate on what
must be done (and by when) to improve federal information security, not
another list of things that "should" be done but most likely won't. In
this regard, the Strategy is no different than other government
cyber-strategy documents (mentioned earlier) and audit reports (from GAO
or OMB) published over the years eschewing the need for better systems
security and what "should" be done to improve it."


America's National Cybersecurity Strategy: Same Stuff, Different Administration

Richard Forno
(c) 2002 All Rights Reserved
Article #2002-11.

Permission granted to reproduce and distribute in entirety with credit


Today the White House releases its long-awaited "National Strategy To Secure
Cyberspace." This high-level blueprint document (black/white or color),
in development for over a year by Richard Clarke's Cybersecurity team,
is the
latest US government plan to address the many issues associated with the
Information Age.

The Strategy was released by the President's Critical Infrastructure Protection
Board (PCIPB), an Oval Office entity that brings together various Agency
Department heads to discuss critical infrastructure protection. Within
is the National Security Telecommunications Advisory Council (NSTAC), a
Presidentially-sponsored coffee klatch comprised of CEOs that provide
industry-based analysis and recommendations on policy and technical
related to information technologies. There is also the National
Infrastructure Advisory Council (NIAC) - another Presidentially-sponsored klatch -
consisting of private-sector 'experts' on computer security;  but in
consists of nothing more than additional corporate leaders, few if any
considered an 'expert' on computer security matters.

Thus, a good portion of this Presidential Board chartered to provide
advice to the President consists of nothing more than executives and
leaders likely picked for their Presidential loyalty and/or visibility
in the
marketplace, not their ability to understand technology in anything
other than a
purely business sense. Stacking the deck with friendly faces (and thus
anything but objective advice) is not new to the President, who recently
his Scientific Advisory Council with those supporting his policy
Factor in Richard Clarke's team - many of whom, including Clarke, are
technologists but career politicians and thinktank analysts - and you've
got the
government's best effort at providing advice to the President on
security, such as it is. (One well-known security expert I spoke with
raised the
question about creating a conflict of interest for people who sell to
government or stand to gain materially from policy decisions to act in
roles, something that occurred during the Bush Administration's secret

Now that you know where the Strategy comes from, and where the real
lie behind its creators, let's examine some of its more noteworthy

Although the Administration heralds this as the first "National
Strategy" for
cyberspace security, we need only reflect on the Clinton
"National Plan for Information Systems Protection" from 2000, and the
President's Commission on Critical Infrastructure Protection Report from
1996 -
like its predecessors - and despite the publicity push from the
Administration -
nearly all of what's in this Strategy isn't new, either in what it says
or what
it fails to say. In keeping with tradition, the Strategy "addresses"
security "issues" instead of directing the "resolution" of security
"problems" -
tiptoeing around the problems instead of dealing with them head-on and

At times, the Strategy reads like the fear-mongering propaganda
published by
assorted industry groups and security product vendors. It claims that
70% of
cyber-attacks on corporations are caused by insiders, yet provides no
source for
these statistics. Further, during its discussion of the threats and
vulnerabilities, there's an eye-catching sidebar with a hypothetical
cyberterrorism scenario conjured up by "50 scientists, computer experts,
former intelligence officers" - and throughout the report are statements
the Administration consulted with experts across the country in a
variety of
industries. Yet there's no reference listing who these 'experts' are, or
their credentials are to enable them to make such prophecies and
participate in
the preparation of this Strategy, something that undermines the
credibility of
these statistics and statements. For all we know, these 'experts' are
politicians, academics, or clueless CEOs - many of whom probably never
served in
an operational IT capacity before -- and thus don't understand the
reality of
today's information environment.

To its credit, the Strategy provides (yet another) list of suggested
practices' and proposals to improve technology security in a variety of
from homes and small business to government and large enterprises. It
simple, easy-to-read language and presents its contents in vibrant color
lots of white space and eye-catching sidebars and high-tech graphic
motifs, very
much like a vendor's Powerpoint presentation for prospective customers.

In the areas of corporate security improvements, the Strategy indeed
shines, as
it recommends Board-level accountability for information security,
security administration, and better integration and alignment of
security with senior management and business goals. This is perhaps the
component of the Strategy, and actually provides innovative guidance
that can be
implemented fairly easily by corporations.

The Strategy makes it clear that it is to serve not as a "Federal
prescription" but as a "participatory process" to develop America's
information security environment with the private sector, and believes
that a
hands-off policy is the correct way to work with them.  Indeed, for
private sector, this is a good thing given the speed that government
Unfortunately, for the federal government, what is currently needed is
not a
prescription but a mandate on what must be done (and by when) to improve
information security, not another list of things that "should" be done
but most
likely won't.

In this regard, the Strategy is no different than other government
cyber-strategy documents (mentioned earlier) and audit reports (from GAO
or OMB)
published over the years eschewing the need for better systems security
and what
"should" be done to improve it. For the private sector to take the
seriously in this area, government needs to police itself first before
coordinating the efforts of industry.

As expected, the Strategy gives a tiny nod to developing a separate
government-only network, otherwise known as GovNET. While sounding good
paper - and been Clarke's vision for years - leading security
question the logic of such a network. Given that the Internet is
redundant with
multiple - if not infinite - numbers of pathways between nodes, one
wonders why
Clarke & Co. are considering moving large chunks of the government to a
with a finite series of nodes, and multiple single points of failure or
attack -
thus consolidating all his eggs into one basket just waiting to be
(Earlier this year, Clarke acknowledged that GovNET would still have its
of viruses, trojans, and worms, so one has to further wonder about this
proposal, since it's apparently not going to be any more secure or
robust as
what he's got now.)

According to the Strategy, vendors and possibly security consultants may
required to obtain government or industry-based certifications to prove
competency. Again, this sounds good on paper, but some argue this
could be skewed to favor large, established companies (or products) and
alienate small firms, consultants, or alternative technologies from the
'certified' mainstream security or technology industry. Further, the
Administration fails to note that a certification (or a college degree
cyber-security, another of its proposals) does not make a person any
competent a professional; rather it takes years of applied experience to
considered an 'expert' and 'competent' in one's field.  Contrary to the
profiteering interests of certification and testing organizations, we
that nearly anyone can pass a test; what matters is how they perform in
workplace, not in the classroom.

Regarding technology products, the Strategy discusses employing
programmers who
understand security to code better products, yet makes no mention about
executives in marketing and corporate leadership wanting to bundle
together to make a product 'convenient' for marketing purposes and thus
more exploitable. Certainly, we need programmers to understand software
system-level security, but programmers are only one small part of the
problem (a
very small one in the grand scheme of the software industry) and act at
direction of the higher-ups in the company. Executives must realize the
of - and work to reduce or eliminate - 'feature-creep' in their products
leads to exploitation. Just consider how much 'more secure' your
would be, and how much less spam you'd receive had Microsoft not
Internet Explorer and Visual Basic Scripting into Windows.

The Strategy notes that "systems often become overloaded or fail because
component has gone bad" and proposes that "trustworthy computing" be
part of a
national priority. Not surprisingly, this is the same term used by
Microsoft to
describe its multi-faceted approach to securing future versions of
Conspiracy theories about this will abound, particularly given the close
Redmond has with the White House. Industry analysts will also watch to
see how
quickly Hollywood's cartels leap to position their copy control
initiatives as
part of "trustworthy computing" to ensure their profit streams, and link
revenue protection to computer security features.

It's interesting that - perhaps as a result of industry lobbying (or the
Administration's ignorance) - the Strategy has no concern over the
'monoculture' environment for operating systems, choosing instead to
support the
development of new security products, technologies, and services to be
around (or over) the current (and heavily-flawed) 'foundation' for most
America's critical systems. The Strategy must consider such preventable
recurring) problems as the price of doing business in the Information
something that many believe is foolhardy and complacent thinking.

Then again, effectively securing the foundation of our systems - the
systems - would mean less security products and services need to be
from third parties... perhaps this oversight in the Strategy is tribute to
lobbying efforts of security vendors trying to preserve their revenue

A national strategy is certainly necessary to effectively deal with the
problems of computer security. While there are indeed well-conceived
portions of
the Strategy that will lead to procedural improvements in America's
security posture if implemented, the Strategy falls far short of what it
heralded as by the Administration, and were the subject of this article.

Today's release of the National Strategy To Secure Cyberspace is yet
Oval Office attempt to gain consensus in dealing with the many problems
associated with effective information security in the United States.
Unfortunately, in the areas most responsible for the dismal current
state of
information security, the Strategy fails to recognize and deal with them
at all.

If the administration spent one-tenth the time or money on actual
implementation and education (thus leading to long-term solutions) that
it does
on convening boards of advisors, councils, town hall meetings, and
vaguely-worded, broadly-encompassed, slickly-packaged "feel good"
reports like
this one, there wouldn't be such a large computer security problem
needing to be
remedied in the first place.

Maybe I should start my own Coffee Klatch.

To leave the list: send mail to infowar - de-request -! - infopeace - de
with "unsubscribe" in the body.