Posts in Kudos, Opinions and Rants

What About the Other 11 Months?

Sunday, October 04, 2009 by Prof. Spafford in General, Infosec Education, Kudos, Opinions and Rants, Policies & Law,

October is "officially" National Cyber Security Awareness Month. Whoopee! As I write this, only about 27 more days before everyone slips back into their cyber stupor and ignores the issues for the other 11 months.

Yes, that is not the proper way to look at it. The proper way is to look at the lack of funding for long-term research, the lack of meaningful initiatives, the continuing lack of understanding that robust security requires actually committing resources, the lack of meaningful support for education, almost no efforts to support law enforcement, and all the elements of "Security Theater" (to use Bruce Schneier's very appropriate term) put forth as action, only to realize that not much is going to happen this month, either. After all, it is "Awareness Month" rather than "Action Month."

There was a big announcement at the end of last week where Secretary Napolitano of DHS announced that DHS had new authority to hire 1000 cybersecurity experts. Wow! That immediately went on my list of things to blog about, but before I could get to it, Bob Cringely wrote almost everything that I was going to write in his blog post The Cybersecurity Myth - Cringely on technology. (NB. Similar to Bob's correspondent, I have always disliked the term "cybersecurity" that was introduced about a dozen years ago, but it has been adopted by the hoi polloi akin to "hacker" and "virus.") I've testified before the Senate about the lack of significant education programs and the illusion of "excellence" promoted by DHS and NSA -- you can read those to get my bigger picture view of the issues on personnel in this realm. But, in summary, I think Mr. Cringely has it spot on.

Am I being too cynical? I don't really think so, although I am definitely seen by many as a professional curmudgeon in the field. This is the 6th annual Awareness Month and things are worse today than when this event was started. As one indicator, consider that the funding for meaningful education and research have hardly changed. NITRD (National Information Technology Research & Development) figures show that the fiscal 2009 allocation for Cyber Security and Information Assurance (their term) was about $321 million across all Federal agencies. Two-thirds of this amount is in budgets for Defense agencies, with the largest single amount to DARPA; the majority of these funds have gone to the "D" side of the equation (development) rather than fundamental research, and some portion has undoubtedly gone to support offensive technologies rather than building safer systems. This amount has perhaps doubled since 2001, although the level of crime and abuse has risen far more -- by at least two levels of magnitude. The funding being made available is a pittance and not enough to really address the problems.

Here's another indicator. A recent conversation with someone at McAfee revealed that new pieces of deployed malware are being indexed at a rate of about 10 per second -- and those are only the ones detected and being reported! Some of the newer attacks are incredibly sophisticated, defeating two-factor authentication and falsifying bank statements in real time. The criminals are even operating a vast network of fake merchant sites designed to corrupt visitors' machines and steal financial information. Some accounts place the annual losses in the US alone at over $100 billion per year from cyber crime activities -- well over 300 times everything being spent by the US government in R&D to stop it. (Hey, but what's 100 billion dollars, anyhow?) I have heard unpublished reports that some of the criminal gangs involved are spending tens of millions of dollars a year to write new and more effective attacks. Thus, by some estimates, the criminals are vastly outspending the US Government on R&D in this arena, and that doesn't count what other governments are spending to steal classified data and compromise infrastructure. They must be investing wisely, too: how many instances of arrests and takedowns can you recall hearing about recently?

Meanwhile, we are still awaiting the appointment of the National Cyber Cheerleader. For those keeping score, the President announced that the position was critical and he would appoint someone to that position right away. That was on May 29th. Given the delay, one wonders why the National Review was mandated as being completed in a rush 60 day period. As I noted in that earlier posting, an appointment is unlikely to make much of a difference as the position won't have real authority. Even with an appointment, there is disagreement about where the lead for cyber should be, DHS or the military. Neither really seems to take into account that this is at least as much a law enforcement problem as it is one of building better defenses. The lack of agreement means that the tenure of any appointment is likely to be controversial and contentious at worst, and largely ineffectual at best.

I could go on, but it is all rather bleak, especially when viewed through the lens of my 20+ years experience in the field. The facts and trends have been well documented for most of that time, too, so it isn't as if this is a new development. There are some bright points, but unless the problem gets a lot more attention (and resources) than it is getting now, the future is not going to look any better.

So, here are my take-aways for National Cyber Security Awareness:

the government is more focused on us being "aware" than "secure"
the criminals are probably outspending the government in R&D
no one is really in charge of organizing the response, and there isn't agreement about who should
there aren't enough real experts, and there is little real effort to create more
too many people think "certification" means "expertise"
law enforcement in cyber is not a priority
real education is not a real priority

But hey, don't give up on October! It's also Vegetarian Awareness Month, National Liver Awareness Month, National Chiropractic Month, and Auto Battery Safety Month (among others). Undoubtedly there is something to celebrate without having to wait until Halloween. And that's my contribution for National Positive Attitude Month.

Odds & Ends

Friday, September 18, 2009 by Prof. Spafford in General, Kudos, Opinions and Rants,

Cyber Leap Year Summit

I've heard from many, many people who read my blog post about this. So far, everyone who attended and was not involved with the planning of the Summit has basically agreed with my comments.

Here is an interesting post by Russ Thomas that explores the NCLY in depth from a different point of view.

Cybersecurity Legislation

There has been considerable press coverage and discussion on the intertubes about the provision in S. 773 (see my earlier post) that would allow the President to shut down critical infrastructure networks in the event of a national emergency. The people worried about the black helicopters are sure this, coupled with attempts to pass health care, are a sure sign of the Apocalypse -- or the approach of the end of the world in 2012, whichever comes first. Far less attention has been paid to other troubling aspects of the bill, such as the troubling requirement for professional certification of cyber security personnel.

According to some of the experts I have talked with, the President already has this general authority from other legislation. This simply makes it explicit. Furthermore, if we're in a declared national emergency wouldn't a centralized, coordinated response make sense? If not centered at the White House, then where else?

The bill is still in revision, although a draft of an amended version has been circulated to some groups for comment. I have been told that it is unlikely to move forward until after health care reform has been resuscitated or pronounced dead, and after the annual Federal budget appropriations process is finished. So, there may be additional issues betwixt now and then.

9/11 Comments

I wrote something in my personal blog about my 9/11 memories. It isn't really related to cyber security or Purdue, but some of my comments might be interesting to some people.

Other blog

In addition to my personal blog cited above, I also maintain a Tumbler blog with pointers to recent news items that relate to security, privacy and cyber law. It is available as <http://blog.spaf.us> (my part of the overall CERIAS blog (here) can be accessed as <http://cblog.spaf.us>). I generally post links there every day.

A Snapshot

I spent several days this week in DC, visiting officials and agencies related to cyber security. I get the sense that there is little expectation of more funding or attention in the coming fiscal year. The administration has been undergoing a bruising battle over health care, there is yet to be debate on policy for Afghanistan, and there are background engagements in constant play on issues related to the deficit. Cyber is not likely to be viewed as critical because things seem to have been going "okay" so far, and addressing cyber will be costly and require political capital. So, unless there is some splashy disaster, we might not see much progress.

Still no sign of land

Saturday, August 29, 2009 by Prof. Spafford in General, Kudos, Opinions and Rants, Policies & Law,

I am a big fan of the Monty Python troupe. Their silly take on several topics helped point out the absurd and pompous, and still do, but sometimes were simply lunatic in their own right.

One of their sketches, about a group of sailors stuck in a lifeboat came to mind as I was thinking about this post. The sketch starts (several times) with the line "Still no sign of land." The sketch then proceeds to a discussion of how they are so desperate that they may have to resort to cannibalism.

So why did that come to mind?

We still do not have a national Cyber Cheerleader in the Executive Office of the President. On May 29th, the President announced that he would appoint one â€“ that cyber security was a national priority.

Three months later â€“ nada.

Admittedly, there are other things going on: health care reform, a worsening insurgency problem in Afghanistan, hesitancy in the economic recovery, and yet more things going on that require attention from the White House. Still, cyber continues to be a problem area with huge issues. See some of the recent news to see that there is no shortage of problems â€“ identity theft, cyber war questions, critical infrastructure vulnerability, supply chain issues, and more.

Rumor has it that several people have been approached for the Cheerleader position, but all have turned it down. This isn't overly surprising â€“ the position has been set up as basically one where blame can be placed when something goes wrong rather than as a position to support real change. There is no budget authority, seniority, or leverage over Federal agencies where the problems occur, so there is no surprise that it is not wanted. Anyone qualified for a high-level position in this area should recognize what I described 20 years ago in "Spaf's First Law":

If you have responsibility for security but have no authority to set rules or punish violators, your own role in the organization is to take the blame when something big goes wrong.

I wonder how many false starts it will take before it is noticed that there is something wrong with the position if good people don't want it? And will that be enough to result in a change in the way the position is structured?

Meanwhile, we are losing good people from what senior leadership exists. Melissa Hathaway has resigned from the temporary position at the NSC from which she led the 60-day study, and Mischel Kwon has stepped down from leadership of US-CERT. Both were huge assets to the government and the public, and we have all lost as a result of their departure.

The crew of the lifeboat is dwindling. Gee, what next? Well, funny you should mention that.

Last week, I attended the "Cyber Leap Year Summit," which I have variously described to people who have asked as "An interesting chance to network" to "Two clowns short of a circus." (NB. I was there, so it was not three clowns short.)

The implied premise of the Summit, that bringing together a group of disparate academics and practitioners can somehow lead to a breakthrough is not a bad idea in itself. However, when you bring together far too many of them under a facilitation protocol that most of them have not heard of coupled with a forced schedule, it shouldn't be a surprise if the result in much other than some frustration. At least, that is what I heard from most of the participants I spoke with. It remains to be seen if the reporters from the various sections are able to glean something useful from the ideas that were so briefly discussed. (Trying to winnow "the best" idea from 40 suggestions given only 75 minutes and 40 type A personalities is not a fun time.)

There was also the question of "best" being brought together. In my session, there were people present who had no idea about basic security topics or history. Some of us made mention of well-known results or systems, and they went completely over the heads of the people present. Sometimes, they would point this out, and we lost time explaining. As the session progressed, the parties involved seemed to simply assume that if they hadn't heard about it, it couldn't be important, so they ignored the comments.

Here are three absurdities that seem particularly prominent to me about the whole event:

Using "game change" as the fundamental theme is counter-productive to the issue. Referring to cyber security and privacy protection as a "game" trivializes it, and if nothing substantial occurs, it suggests that we simply haven't won the "game" yet. But in truth, these problems are something fundamental to the functioning of society, the economy, national defense, and even the rule of law. We cannot afford to "not win" this. We should not trivialize it by calling it a "game."
Putting an arbitrary 60-90 day timeline on the proposed solutions exacerbates the problems. There was no interest in discussing the spectrum of solutions, but only talking about things that could be done right away. Unfortunately, this tends to result in people talking about more patches rather than looking at fundamental issues. It also means that potential solutions that require time (such as phasing in some product liability for bad software) are outside the scope of both discussion and consideration, and this continues to perpetuate the idea that quick fixes are somehow the solution.
Suggesting that all that is needed is for the government to sponsor some group-think, feel-good meeting to come up with solutions is inane. Some of us have been looking at the problem set for decades, and we know some of what is needed. It will take sustained effort and some sacrifice to make a difference. Other parts of the problem are going to require sustained investigation and data gathering. There is no political will for either. Some of the approaches were even brought up in our sessions; in the one I was in, which had many economists and people from industry, the ideas were basically voted down (or derided, contrary to the protocol of the meeting) and dropped. This is part of the issue: the parties most responsible for the problem do not want to bear any responsibility for the fixes.

I raised the first two issues as the first comments in the public Q&A session on Day 1. Aneesh Chopra, the Federal Chief Technology Officer (CTO), and Susan Alexander, the Chief Technology Officer for Information and Identity Assurance at DoD, were on the panel to which I addressed the questions. I was basically told not to ask those kinds of questions, and to sit down. although the response was phrased somewhat less forcefully than that. Afterwards, no less than 22 people told me that they wanted to ask the same questions (I started counting after #5). Clearly, I was not alone in questioning the formulation of the meeting.

Do I seem discouraged? A bit. I had hoped that we would see a little more careful thought involved. There were many government observers present, and in private, one-on-one discussions with them, it was clear they were equally discouraged with what they were hearing, although they couldn't state that publicly.

However, this is yet another in long line of meetings and reports with which I have had involvement, where the good results are ignored, and the "captains of industry and government" have focused on the wrong things. But by holding continuing workshops like this one, at least it appears that the government is doing something. If nothing comes of it, they can blame the participants in some way for not coming up with good enough ideas rather than take responsibility for not asking the right questions or being willing to accept answers that are difficult to execute.

Too cynical? Perhaps. But I will continue to participate because this is NOT a "game," and the consequences of continuing to fail are not something we want to face â€” even with "...white wine sauce with shallots, mushrooms and garlic."

More customer disservice—This time, Facebook

Saturday, August 22, 2009 by Prof. Spafford in Kudos, Opinions and Rants,

I have a Facebook account. I use it as a means to communicate little status updates with many, many friends and acquaintances while keeping up to date (a little) on their activities. I'm usually too pressed for time to correspond with everyone as I would otherwise prefer to do, and this tenuous connection is probably better than none at all.

Sometime early in the year, either I slipped up in running a script or somehow, without authorization, Facebook slurped up my whole address book. This was something I most definitely did not want to happen, so even giving Facebook the benefit of the doubt and blaming it on operator (me) error it says something about their poor interface that such a thing could happen to an experienced user. (Of course, in the worst case, their software did something invasive without my authorization.)

Whatever happened, Facebook immediately started spamming EVERYONE with an invitation "from me" inviting them to join Facebook. There are many people in my address book with whom I have some professional relationship but who would not be in any category I would remotely consider "friend." It was annoying to me, and annoying/perplexing to them, to have to deal with these emails. A few of them joined, but many others complained to me.

I thought the problem would resolve itself with time. In particular, I didn't want to send a note to everyone in my list saying it was a mistake and not to respond. Sadly, the Facebook system seems to periodically sweep through this list and reissue invitations. Thus, I have gotten a trickle of continuing complaints, and suspect that a number of other people are simply annoyed with me.

So, what to do if this was a responsible business? Why, look for a customer help email address, web form, or telephone number to contact them. Good luck. They have FAQs galore, but it is the web equivalent of voicemail-hell: one link leads to another and back to the FAQs again with no way to contact anything other than an auto-responder that tells me to consult the FAQ system.

On July 26, I responded to a complaint from one of the unintended victims. I cc'd a set of email addresses that I thought might possibly be monitored at Facebook, including "abuse@facebook.com." I got an automated response back to read an inappropriate and unhelpful section of the FAQ. I replied to the email that it was not helpful and did not address my complaint.

On July 29 I received a response that may have been from a person (it had a name attached) that again directed me to the FAQs. Again I responded that it was not addressing my complaint.

August 6th brought a new email from the same address that seemed to actually be responsive to my complaint. It indicated that there was a URL I could visit to see the addresses I had "invited" to join, and I could delete any I did not wish to be receiving repeated invitations. Apparently, this is unadvertised but available to all Facebook users (see http://www.facebook.com/invite_history.php).

I visited the site, and sure enough, there were all 2200+ addresses.

First problem: It is not possible to delete the entire list. One can only operate on 100 names at a time (one page). Ok, I can do this, although I find it very annoying when sites are programmed this way. But 22 times through the removal process is something I'm willing to do.

Second problem: Any attempt to delete addresses from the database results in an error message. The message claims they are working on the problem or to check that I'm actually connected to the Internet, but that's it. I've tried the page about every other day since August 6th, with various permutations of choices, and the error is still there. So much for "working on it."

I've also tried emailing the same Facebook address where I got the earlier response, with no answer in 2 weeks.

I thought about unsubscribing from Facebook as a way of clearing this out, but I am not convinced that the list -- and the automated invites -- would stop even if I inactivated my account.

Bottom line: providing Facebook any access to email addresses at all is like Roach Motel -- they go in, but there is no way to get them out. And Facebook's customer service and interfaces leave a whole lot to be desired. Coupled with other complaints people have had about viruses, spamming, questionable uses of personal images and data, changes to the privacy policy, and the lack of any useful customer service, and I really have to wonder if the organization is run by people with any clue at all.

I certainly won't be inviting anyone else to join Facebook, and I am now recommending that no one else does, either.

A Cynic’s Take on Cyber Czars and 60-day Reports

Saturday, May 30, 2009 by Prof. Spafford in General, Kudos, Opinions and Rants, Policies & Law,

Today, and Before

On July 17, 2008, (then) Senator Barack Obama held a town hall meeting on national security at Purdue University. He and his panel covered issues of nuclear, biological and cyber security. (I blogged about the event here and here.) As part of his remarks at the event, Senator Obama stated:

Every American depends — directly or indirectly — on our system of information networks. They are increasingly the backbone of our economy and our infrastructure; our national security and our personal well-being. But it's no secret that terrorists could use our computer networks to deal us a crippling blow. We know that cyber-espionage and common crime is already on the rise. And yet while countries like China have been quick to recognize this change, for the last eight years we have been dragging our feet.

As President, I'll make cyber security the top priority that it should be in the 21st century. I'll declare our cyber-infrastructure a strategic asset, and appoint a National Cyber Advisor who will report directly to me. We'll coordinate efforts across the federal government, implement a truly national cyber-security policy, and tighten standards to secure information — from the networks that power the federal government, to the networks that you use in your personal lives.

That was a pretty exciting statement to hear!

On February 9, 2009, (now) President Obama appointed Melissa Hathaway as Acting Senior Director for Cyberspace and charged her with performing a comprehensive review of national cyberspace security in 60 days. I interacted with Ms. Hathaway and members of her team during those 60 days (as well as before and after). From my point of view, it was a top-notch team of professionals approaching the review with a great deal of existing expertise and open minds. I saw them make a sincere effort to reach out to every possible community for input.

If you're keeping count, the report was delivered on or about April 10. Then, mostly silence to those of us on the outside. Several rumors were circulated in blogs and news articles, and there was a presentation at the RSA conference that didn't really say much.

Until today: May 29th.

Shortly after 11am EDT, President Obama gave some prepared remarks and his office released the report. In keeping with his July 2008 statement, the President did declare that "our digital infrastructure -- the networks and computers we depend on every day -- will be treated as they should be: as a strategic national asset." However, he did not appoint someone as a National Cyber Advisor. Instead, he announced the position of a "Cybersecurity Coordinator" that will be at a lower level in the Executive Office of the White House. No appointment to that position was announced today, either. (I have heard rumor from several sources that a few high-profile candidates have turned down offers of the position already. Those are only rumors, however.)

The President outlined the general responsibilities and duties of this new position. It apparently will be within the National Security Staff, reporting to the NSC, but also reporting to OMB and the National Economic Council, and working with the Federal CIO, CTO and the Office of Science and Technology Policy.

The new Coordinator will be charged with

helping develop (yet another) strategy to secure cyberspace. This will include metrics and performance milestones;
coordinating with state and local governments, and with the private sector, "to ensure an organized and unified response to future cyber incidents."
to strengthen ties with the private sector, with an explicit mandate to not set security standards for industry.
to continue to invest in cyber (although the examples he gave were not about research or security
to begin a national campaign to increase awareness and cyber literacy.

The President also made it clear that privacy was important, and that monitoring of private networks would not occur.

Reading Between the Lines

There were a number of things that weren't stated that are also interesting, as well as understanding implications of what was stated.

First of all, the new position is rather like a glorified cheerleader: there is no authority for budget or policy, and the seniority is such that it may be difficult to get the attention of cabinet secretaries, agency heads and CEOs. The position reports to several entities, presumably with veto power (more on that below). Although the President said the appointee will have "regular access" to him, that is not the same as an advisor -- and this is a difference that can mean a lot in Washington circles. Although it is rumor that several high-profile people have already turned down the position, I am not surprised given this circumstance. (And this may be why it has been two months since the report was delivered before this event — they've been trying to find someone to take the job.)

The last time someone was in a role like this with no real authority -- was in 2001 when Howard Schmidt was special adviser for cyberspace security to President G.W.Bush. Howard didn't stay very long, probably because he wasn't able to accomplish anything meaningful beyond coordinating (another) National Plan to Secure Cyberspace. It was a waste of his time and talents. Of course, this President knows the difference between "phishing" and "fission" and has actually used email, but still...

Second, the position reports to the National Economic Council and OMB. If we look back at our problems in cyber security (and I have blogged about them extensively over the last few years, and spoken about them for two decades), many of them are traceable to false economies: management deciding that short-term cost savings were more important than protecting against long-term risk. Given the current stress in the economy I don't expect any meaningful actions to be put forth that cost anything; we will still have the mindset that "cheapest must be best."

Third, there was no mention of new resources. In particular, no new resources for educational initiatives or research. We can pump billions of dollars into the bank accounts of greedy financiers on Wall Street, but no significant money is available for cyber security and defense. No surprise, really, but it is important to note the "follow the money" line -- the NEC has veto power over this position, and no money is available for new initiatives outside their experience.

Fourth, there was absolutely no mention made of bolstering our law enforcement community efforts. We already have laws in place and mechanisms that could be deployed if we simply had the resources and will to deploy them. No mention was made at all about anything active such as this -- all the focus was on defensive measures. Similarly, there was no mention of national-level responses to some of the havens of cyber criminals, nor of the pending changes in the Department of Defense that are being planned.

Fifth, the President stated "Our pursuit of cybersecurity will not -- I repeat, will not include -- monitoring private sector networks or Internet traffic." I suspect that was more than intended to reassure the privacy advocates -- I believe it was "code" for "We will not put the NSA in charge of domestic cyber security." Maybe I'm trying to read too much into it, but this has been a touchy issue in many different communities over the last few months.

There are certainly other things that might be noted about the report, but we should also note some positive aspects: the declaration that cyber is indeed a strategic national asset, that the problems are large and growing, that the existing structures don't work, that privacy is important, and that education is crucial to making the most of cyber going forward.

Of course, Congress ("pro is to con as Progress is to Congress") is an important player in all this, and can either help define a better or solution or stand in the way of what needs to be done. Thus, naming a Cyberspace Coordinator is hardly the last word on what might happen.

But with the perspective I have, I find it difficult to get too excited about the overall announcement. We shall see what actually happens.

The Report

I've read the report through twice, and read some news articles commenting on it. These comments are "off the top" and not necessarily how I'll view all this in a week or two. But what's the role of blogging if I need to think about it for a month, first? :cheese:

It is important to note that the President's remarks were not the same as the report, although its issuance was certainly endorsed by the White House. The reason I note the difference is that the report identifies many problems that the President's statement does not address (in any way), and includes many "should"s that cannot be addressed by a "coordinator" who has no budget or policy authority.

What is both interesting and sad is how much the new report resembles the largely-inconsequential National Plan to Secure Cyberspace issued under the Bush Administration (be sure to see the article at the link). That isn't a slam on this report -- as I wrote earlier, I think it is a good effort by a talented and dedicated team. What I mean to imply is that the earlier National Plan had some strong points too, but nothing came of it because of cost and prioritization and lack of authority.

There are a number of excellent points made in this report: the international aspects, the possibility of increased liability for poor security products and pratices, the need for involvement of the private sector and local governments, the need for more education, the problems of privacy with security, and more.

I was struck by a few things missing from the report.

First, there was no mention of the need for more long-term, less applied research and resources to support it. This is a critical issue, as I have described here before and has been documented time and again. To its credit, the report does mention a need for better technology transfer, although this is hardly the first time that has been observed; the 2005 PITAC report "Cyber Security: A Crisis of Prioritization" included all of this (and also had minimal impact).

The report had almost nothing to say about increasing resources and support for law enforcement and prosecution. This continues to puzzle me, as we have laws in place and systems that could make an impact if we only made it a priority.

There is no discussion about why some previous attempts and structures -- notably DHS -- have failed to make any meaningful progress, and sometimes have actually hindered better cyber security. Maybe that would be expecting too much in this report (trying not to point fingers), but one can't help but wonder. Perhaps it is simply enough to note that no recommendations are made to locate any of the cyber responsibilities in DHS.

There is some discussion of harmonizing regulations, but nothing really about reviewing the crazy-quilt laws we have covering security, privacy and response. There is one sentence in the report that suggests that seeking new legislation could make things worse, and that is true but odd to see.

As an aside, I bet the discussion about thinking about liability changes for poor security practices and products -- a very reasonable suggestion -- caused a few of the economic advisors to achieve low Earth orbit. That may have been enough to set off the chain of events leading to reporting to the NEC, actually. However, it is a legitimate issue to raise, and one that works in other markets. Some of us have been suggesting for decades that it be considered, yet everyone in business wants to be held blameless for their bad decisions. Look at what has played out with the financial meltdown and TARP and you'll see the same: The businessmen and economists can destroy the country, but shouldn't be held at fault. 😠

There is discussion of the supply-chain issue but the proposed solution is basically to ensure US leadership in production -- a laudable goal, but not achievable given the current global economy. We're going to need to change some of our purchasing and vetting habits to really achieve more trustworthy systems — but that won't go over with the economists, either.

There is no good discussion about defining roles among law enforcement, the military, the intelligence community, and private industry in responding to the problems. Yes, that is a snake pit and will take more than this report to describe, but the depth of the challenges could have been conveyed.

As David Wagner noted in email to an USACM committee, there is no prioritization given to help a reader understand which items are critical, which items are important, and which are merely desirable. We do not have the resources to tackle all the problems first, and there is no guidance here on how to proceed.

Summary

I didn't intend for this to be a long, critical post about the report and the announcement. I think that this topic is receiving Presidential attention is great. The report is really a good summary of the state of cybersecurity and needs, produced by some talented and dedicated Federal employees. However, the cynic in me fears that it will go the way of all the other fine reports -- many of which I contributed to -- including the PITAC report and the various CSTB reports; that is, it will make a small splash and then fade into the background as other issues come to the fore.

Basically, I think the President had the right intentions when all this started, but the realpolitik of the White House and current events have watered them down, resulting in action that basically endorses only a slight change from the status quo.

I could be wrong. I hope I'm wrong. But experience has shown that it is almost impossible to be too cynical in this area. In a year or so we can look back at this and we'll all know. But what we heard today certainly isn't what Candidate Obama promised last July.

(And as I noted in a previous post, Demotivators seem to capture so much of this space. Here's one that almost fits.)

Recent Blogs

Blog Archive

Posts in Kudos, Opinions and Rants

Page Content

What About the Other 11 Months?

Recent Blogs

Blog Archive