[ISN] FC: Bruce Schneier: Feds need to pass new laws for "cybersecurity"

From: InfoSec News (isnat_private)
Date: Wed Oct 16 2002 - 00:25:33 PDT


    ---------- Forwarded message ----------
    Date: Tue, 15 Oct 2002 19:43:39 -0400
    From: Declan McCullagh <declanat_private>
    To: politechat_private
    Subject: FC: Bruce Schneier: Feds need to pass new laws for "cybersecurity"
    Date: Tue, 15 Oct 2002 17:50:28 -0500
    From: Bruce Schneier <schneierat_private>
    Subject: CRYPTO-GRAM, October 15, 2002
    Mime-Version: 1.0
    Content-Type: text/plain; charset="us-ascii"; format=flowed
    CRYPTO-GRAM
    October 15, 2002
    by Bruce Schneier
    Founder and CTO
    Counterpane Internet Security, Inc.

    National Strategy to Secure Cyberspace

    On 18 September, the White House officially released its National Strategy
    to Secure Cyberspace.  Well, it didn't really release it on that date;
    versions had been leaking here and there for a while.  And it really isn't
    a national strategy; it's just a draft for comment.  But still, it's something.

    No, it isn't.  The week it was released I got all sorts of calls from
    reporters asking me what I thought of the report, whether the
    recommendations made sense, and why certain things were omitted.  My
    primary reaction was: "Who cares?  It doesn't matter what the report says."

    For some reason, Richard Clarke continues to believe that he can increase
    cybersecurity in this country by asking nicely.  This government has tried
    this sort of thing again and again, and it never works.  This National
    Strategy document isn't law, and it doesn't contain any mandates to
    government agencies.  It has lots of recommendations.  It has all sorts of
    processes.  It has yet another list of suggested best practices.  It's
    simply another document in my increasingly tall pile of recommendations to
    make everything better.  (The Clinton Administration had theirs, the
    "National Plan for Information Systems Protection."  And both the GAO and
    the OMB have published cyber-strategy documents.)  But plans, no matter how
    detailed and how accurate they are, don't secure anything; action does.

    And consensus doesn't secure anything.  Preliminary drafts of the plan
    included strong words about wireless insecurity, which were removed because
    the wireless industry didn't want to look bad for not doing anything about
    it.  Preliminary drafts included a suggestion that ISPs provide all their
    users with personal firewalls; that was taken out because ISPs didn't want
    to look bad for not already doing something like that.

    And so on.  This is what you get with a PR document.  You get lots of
    varying input from all sorts of special interests, and you end up with a
    document that offends no one because it demands nothing.

    The worst part of it is that some of the people involved in writing the
    document were high-powered, sincere security practitioners.  It must have
    been a hard wake-up call for them to learn how things work in
    Washington.  You can tell that a lot of thought and effort went into this
    document, and the fact that it was gutted at the behest of special
    interests is shameful...but typical.

    So now everyone gets to feel good about doing his or her part for security,
    and nothing changes.

    Security is a commons.  Like air and water and radio spectrum, any
    individual's use of it affects us all.  The way to prevent people from
    abusing a commons is to regulate it.  Companies didn't stop dumping toxic
    wastes into rivers because the government asked them nicely.  Companies
    stopped because the government made it illegal to do so.

    In his essay on the topic, Marcus Ranum pointed out that consensus doesn't
    work in security design.  Consensus security results in some good
    decisions, but mostly bad ones.  By itself consensus isn't
    harmful; it is the compromises that are almost always harmful, because the
    more parties you have in the discussion, the more interests there are that
    conflict with security.  Consensus doesn't work because the one crucial
    party in these negotiations -- the attackers -- aren't sitting around the
    negotiating table with everyone else.  "And the hackers don't negotiate
    anyhow.  In other words, it doesn't matter if you achieve consensus...;
    whether it works or not is subject to a different set of rules, ones over
    which your wishes exercise zero control."

    If the U.S. government wants something done, they should pass a
    law.  That's what governments do.  It's like pollution; don't mandate
    specific technologies, legislate results.  Make companies liable for
    insecurities, and you'll be surprised how quickly things get more
    secure.  Leave the feel-good PR activities to the various industry trade
    organizations; that's what they're supposed to do.

    The draft report:

    News articles:

    Marcus Ranum's essay:

    Other essays:

    POLITECH -- Declan McCullagh's politics and technology mailing list
    You may redistribute this message freely if you include this notice.
    To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
    This message is archived at http://www.politechbot.com/
    Declan McCullagh's photographs are at http://www.mccullagh.org/
    Like Politech? Make a donation here: http://www.politechbot.com/donate/
    Recent CNET News.com articles: http://news.search.com/search?q=declan
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
