Ladies and gentlemen, I present to you HR5983, the Homeland Security Network Defense and Accountability Act of 2008. From the bill, describing a proposed requirement on the DHS Inspector General in its report to Congress:
"describing the effectiveness of the testing protocols developed under subsection (c) in reducing successful exploitations of the Department’s information infrastructure."
I really fear this is another case of blaming the victim. Can more be done to raise the bar for attackers? Of course. I'll be the first to throw stones at DHS for having very, very shoddy security and doing zilch to help out the rest of us. But it occurs to me that asking DHS officials to prevent compromises is in some ways akin to giving women a bottle of mace and asking them to stop getting assaulted. The analogy is harsh, but it drives home my point. We'd never do the latter, so why is the former an approach from which we expect results?
The real problem is the high ROI for attackers and insurmountable odds facing computer network defenders. There isn't, nor has there been, any real political consequence attached to getting "caught." Until decision makers in the executive branch show a willingness to address this gap, we will only see limited improvements no matter how strongly worded a bill is. And, to that end, it is our job as experts in the field to communicate this problem to the public, with the hope that it will flow up in the democratic way the US's founding fathers intended.
Showing posts with label politics.
2008-05-12
2008-05-03
Nothing that hasn't already been said...
...but it bears repeating.


Security has its limits. Thanks to Igor for the help on this entry.
Image on the right is directly from the Ohio State Patrol website. Image on the left, source unknown: Soviet Russia, 1950s ("Be sharp-sighted and vigilant").
2008-04-09
Someone's finally listening
When Defense Department computers are compromised, information about the tactics and technologies used to defend our country can be lost. For years, those of us at the major defense contractors have been jumping up and down, waving our hands, trying to tell the US Government that we have a major problem: compromises of unclassified systems that have the potential to impact national security. And let there be no mistake: regardless of your feelings on the subject, the lines between the networks and staff of the DoD and the defense industrial base are blurred. A compromise of one likely means a compromise of the other, and vice versa. We sit next to each other in operations centers. We build next-generation technology side by side.
It seems that, along with the injection of billions of dollars from a presidential directive, someone is finally starting to pay attention. Naturally, this is being presented as their idea, but whatever - the important point is that it gets addressed.
A choice quote:
The government needs the "best and brightest" from Silicon Valley and elsewhere in the private sector to work on creating an advanced warning system to prevent such cyberattacks.
The best and brightest in the DIB have been trying to help the government for years. If this means they will finally start listening (as an institution; to date, collaboration has been at more of a professional than an organizational level), then I welcome the change. If this means DHS will begin looking for a silver bullet to every security problem, or engaging in more security theater like that which we see at airports, then I am loath to think what this could mean. I can only imagine FTP becoming illegal over IP because an adversary stole sensitive military technology from a compromised system via that protocol. Laughable, yes, but this is a direct parallel to the approach taken in matters of airport security. We need something more than theater and throwing money at snake oil.
The important question is now: can the DHS, which has failed over its six years in many of its most important tasks (see also: Katrina), and the NSA, still notorious amongst the intel community for being unwilling to share data, accomplish this task? Let's hope so.
Labels: dhs, dod, government, politics, security
2008-02-03
HistoryCENTER: Spying
My TiVo knows me well. This morning, it recorded a show on The History Channel titled "HistoryCENTER: Spying." Judging from the few other episodes I've seen, History Channel's Steve Gillon does a good job of presenting the material in this show, but while educational, I normally find HistoryCENTER as exciting as watching paint dry. This one happens to fall right between one of the bigger political debates of the time and my profession, and as such I was immediately drawn in. The description, from their website:
Security vs. Civil Liberties: How have presidents during wartime walked the sometimes difficult line between protecting Americans and their civil liberties? And will the Bush Administration's decision to spy on American citizens without warrants end up as a chapter or footnote in American history? Guests: Timothy Naftali, professor of history at the University of Virginia's Miller Center, and David Kahn, author of The Reader of Gentlemen's Mail. Hosted by History Channel resident historian Steve Gillon.
I suspect this aired a year or two ago, but it is relevant today nonetheless. I found it an interesting historical perspective on the issue, and as fair and balanced as anything else I've seen on this topic. It's a JavaScript nightmare, but a replay of this is available courtesy of AOL Video.
If you're in the industry, you should care about and pay close attention to these discussions. Remember that what you're doing as security analysts is, in many cases, spying (network security monitoring, auditing transactional content, etc.). How these public debates are resolved may directly impact our field, and in our positions of trust, we're obligated to strike a fair balance between the powers granted to us and the privacy of those impacted by our actions.
Quis custodiet ipsos custodes?