[ISN] [infowarrior] - America's National Cybersecurity Strategy: Same Stuff, Different Administration

From: InfoSec News (isnat_private)
Date: Thu Sep 19 2002 - 02:52:44 PDT


    Forwarded from: Richard Forno <rfornoat_private>
    America's National Cybersecurity Strategy: Same Stuff, Different Administration
    Richard Forno
    (c) 2002 Infowarrior.org. All Rights Reserved
    Article #2002-11.
    Permission granted to reproduce and distribute in entirety with credit
    to author.
    Online version with contextual URLs can be found at

    Today the White House releases its long-awaited "National Strategy To
    Secure Cyberspace." This high-level blueprint document (black/white or
    color), in development for over a year by Richard Clarke's
    Cybersecurity team, is the latest US government plan to address the
    many issues associated with the Information Age.

    The Strategy was released by the President's Critical Infrastructure
    Protection Board (PCIPB), an Oval Office entity that brings together
    various Agency and Department heads to discuss critical infrastructure
    protection. Within the PCIPB is the National Security
    Telecommunications Advisory Council (NSTAC), a
    Presidentially-sponsored coffee klatch comprised of CEOs that provide
    industry-based analysis and recommendations on policy and technical
    issues related to information technologies. There is also the
    National Infrastructure Advisory Council (NIAC) consisting of 30
    private-sector 'experts' on computer security, yet nobody knows who
    these people are. Thus, a good portion of this Presidential Board is
    comprised of CEO-level people and a shadowy group of un-named experts,
    picked for their Presidential loyalty, campaign contributions, or
    visibility in the marketplace. Factor in Richard Clarke's team - many
    of whom, including Clarke, are not technologists but career politicians
    and thinktank analysts - and you've got the government's best effort
    at providing advice to the President on information security. (One
    well-known security expert I spoke with raised the question about
    creating a conflict of interest for people who sell to the government
    or stand to gain materially from policy decisions to act in advisory
    roles, something that occurred during the Bush Administration's secret
    energy meetings.)

    Although the Administration heralds this as the first "National
    Strategy" for cyberspace security, we need only reflect on the Clinton
    Administration's "National Plan for Information Systems Protection"
    from 2000, and the President's Commission on Critical Infrastructure
    Protection Report from 1996, to see that - like its predecessors, and
    despite the publicity push from the Administration - nearly all of
    what's in this Strategy isn't new, either in what it says or what it
    fails to say. In keeping with tradition, the Strategy "addresses"
    various security "issues" instead of directing the "resolution" of
    security "problems" - tiptoeing around the problems instead of dealing
    with them head-on and demanding results.

    Now that you know where the Strategy comes from, let's examine some of
    its more noteworthy components.

    At times, the Strategy reads like the fear-mongering propaganda
    published by assorted industry groups and security product vendors. It
    claims that 70% of cyber-attacks on corporations are caused by
    insiders, yet provides no source for these statistics. Further, during
    its discussion of the threats and vulnerabilities, there's an
    eye-catching sidebar with a hypothetical worst-case cyberterrorism
    scenario conjured up by "50 scientists, computer experts, and former
    intelligence officers" - and throughout the report are statements that
    the Administration consulted with experts across the country in a
    variety of industries. Yet there's no reference listing who these
    'experts' are, or what their credentials are to enable them to make
    such prophecies and participate in the preparation of this Strategy,
    something that undermines the credibility of these statistics and
    statements. For all we know, these 'experts' are career politicians,
    academics, or clueless CEOs - many of whom probably never served in an
    operational IT capacity before - and thus don't understand the
    reality of today's information environment.

    To its credit, the Strategy provides (yet another) list of suggested
    'best practices' and proposals to improve technology security in a
    variety of venues, from homes and small business to government and
    large enterprises. It uses simple, easy-to-read language and presents
    its contents in vibrant color with lots of white space and
    eye-catching sidebars and high-tech graphic motifs, very much like a
    vendor's PowerPoint presentation for prospective customers.

    In the areas of corporate security improvements, the Strategy indeed
    shines, as it recommends Board-level accountability for information
    security, proper security administration, and better integration and
    alignment of information security with senior management and business
    goals. This is perhaps the best component of the Strategy, and
    actually provides innovative guidance that can be implemented fairly
    easily by corporations.

    The Strategy makes it clear that it is to serve not as a "Federal
    government prescription" but as a "participatory process" to develop
    America's national information security environment with the private
    sector, and believes that a hands-off policy is the correct way to
    work with them. Indeed, for technology's private sector, this is a
    good thing given the speed that government operates. Unfortunately,
    for the federal government, what is currently needed is not a
    prescription but a mandate on what must be done (and by when) to
    improve federal information security, not another list of things that
    "should" be done but most likely won't.

    In this regard, the Strategy is no different than other government
    cyber-strategy documents (mentioned earlier) and audit reports (from
    GAO or OMB) published over the years espousing the need for better
    systems security and what "should" be done to improve it. For the
    private sector to take the government seriously in this area,
    government needs to police itself first before coordinating the
    efforts of industry.

    As expected, the Strategy gives a tiny nod to developing a separate
    government-only network, otherwise known as GovNET. While sounding
    good on paper - and having been Clarke's vision for years - leading
    security professionals question the logic of such a network. Given
    that the Internet is redundant with multiple - if not infinite -
    numbers of pathways between nodes, one wonders why Clarke & Co. are
    considering moving large chunks of the government to a network with a
    finite series of nodes, and multiple single points of failure or
    attack - thus consolidating all his eggs into one basket just waiting
    to be dropped? (Earlier this year, Clarke acknowledged that GovNET
    would still have its share of viruses, trojans, and worms, so one has
    to further wonder about this proposal, since it's apparently not going
    to be any more secure or robust than what he's got now.)

    According to the Strategy, vendors and possibly security consultants
    may be required to obtain government or industry-based certifications
    to prove their competency. Again, this sounds good on paper, but some
    argue this requirement could be skewed to favor large, established
    companies (or products) and thus alienate small firms, consultants, or
    alternative technologies from the 'certified' mainstream security or
    technology industry. Further, the Administration fails to note that a
    certification (or a college degree in cyber-security, another of its
    proposals) does not make a person any more competent a professional;
    rather it takes years of applied experience to be considered an
    'expert' and 'competent' in one's field. Contrary to the profiteering
    interests of certification and testing organizations, we forget that
    nearly anyone can pass a test; what matters is how they perform in the
    workplace, not in the classroom.

    Regarding technology products, the Strategy discusses employing
    programmers who understand security to code better products, yet makes
    no mention about the executives in marketing and corporate leadership
    wanting to bundle features together to make a product 'convenient'
    for marketing purposes and thus likely more exploitable. Certainly, we
    need programmers to understand software and system-level security, but
    programmers are only one small part of the problem (a very small one
    in the grand scheme of the software industry) and act at the direction
    of the higher-ups in the company. Executives must realize the dangers
    of - and work to reduce or eliminate - 'feature-creep' in their
    products that leads to exploitation. Just consider how much 'more
    secure' your information would be, and how much less spam you'd
    receive had Microsoft not integrated Internet Explorer and Visual
    Basic Scripting into Windows.

    The Strategy notes that "systems often become overloaded or fail
    because a component has gone bad" and proposes that "trustworthy
    computing" be part of a national priority. Not surprisingly, this is
    the same term used by Microsoft to describe its multi-faceted approach
    to securing future versions of Windows. Conspiracy theories about this
    will abound, particularly given the close ties Redmond has with the
    White House. Industry analysts will also watch to see how quickly
    Hollywood's cartels leap to position their copy control initiatives as
    part of "trustworthy computing" to ensure their profit streams, and
    link their revenue protection to computer security features.

    It's interesting that - perhaps as a result of industry lobbying (or
    the Administration's ignorance) - the Strategy has no concern over the
    current 'monoculture' environment for operating systems, choosing
    instead to support the development of new security products,
    technologies, and services to be built around (or over) the current
    (and heavily-flawed) 'foundation' for most of America's critical
    systems. The Strategy must consider such preventable (but recurring)
    problems as the price of doing business in the Information Age,
    something that many believe is foolhardy and complacent thinking.
    Then again, effectively securing the foundation of our systems - the
    operating systems - would mean fewer security products and services
    need to be purchased from third parties... perhaps this oversight in
    the Strategy is tribute to the lobbying efforts of security vendors
    trying to preserve their revenue streams?

    A national strategy is certainly necessary to effectively deal with
    the many problems of computer security. While there are indeed
    well-conceived portions of the Strategy that will lead to procedural
    improvements in America's information security posture if implemented,
    the Strategy falls far short of what the Administration heralded it
    as, and those shortfalls were the subject of this article.

    Today's release of the National Strategy To Secure Cyberspace is yet
    another Oval Office attempt to gain consensus in dealing with the many
    problems associated with effective information security in the United
    States. Unfortunately, in the areas most responsible for the dismal
    current state of information security, the Strategy fails to recognize
    and deal with them at all.

    If the administration spent one-tenth the time or money on actual
    security implementation and education (thus leading to long-term
    solutions) that it does on convening boards of advisors, councils,
    town hall meetings, and issuing vaguely-worded, broadly-encompassed,
    slickly-packaged "feel good" reports like this one, there wouldn't be
    such a large computer security problem needing to be remedied in the
    first place.

    ISN is currently hosted by Attrition.org
