Re: [ISN] Homeland Security CIO wants 'network of networks'

From: InfoSec News (isnat_private)
Date: Mon Nov 11 2002 - 01:50:00 PST


    Forwarded from: Ralph Forsythe <rf-listat_private>
    
    Oh I just can't resist commenting on this one...  Text inserted below
    at various points.
    
    At 03:00 AM 11/8/2002 -0600, you wrote:
    > "What if we take existing networks at all levels of government and
    > the private sector as appropriate and integrate them? The challenges
    > are true standards and interoperability. We can solve those
    > problems," Cooper said at the Federal CTO Forum 2002 here.
    
    I'm actually having difficulty finding the words on this one.  I
    thought the whole point of establishing new security guidelines among
    other things was because the existing networks were not cutting it!  
    Obviously the challenges are true standards and interoperability - so
    instead of working towards a new technology standards-based
    methodology, let's just hook it all up together and hope it works?  
    <hysterical laughter here> I'm just imagining the finger pointing that
    happens when a problem arises inside a single company with lots of
    departments and network devices, and trying to put it into perspective
    on this scale.
    
    > The day after the Republicans captured a mid-term majority in the
    > House and Congress, Cooper stated that he is confident a Department
    > of Homeland Security bill will be passed and that a national
    > enterprise architecture could be a reality in two to three years.
    
    <More hysterical laughter> "A national enterprise architecture could
    be a reality in two to three years"...  Ahem, ok sure.  It takes some
    corporate projects that long just by themselves, let alone connecting
    all aspects of government and corporate networks into one big
    conglomerate that's supposed to allow for efficient and accurate
    exchange of data...
    
    > "The priorities that we have set are focused on the information
    > sharing and systems arena. ... We need to get the right information
    > to the right people all the time. This is what we're about in
    > Homeland Security," he said.
    
    I just bet they are.
    
    He needs to try putting down the Jack Handey self-motivational books
    for a few minutes and step back to look at the reality of the
    magnitude of this project he has taken on, which is probably
    historical in terms of size; if they even come up with a plan for it
    in two to three years' time that is complete and accurate, I will be
    impressed.  It has taken that long for some government organizations
    just to audit their own security, let alone map everything out well
    enough to include it in the largest private WAN in the world.
    
    > Citing the info sharing and systems integration models among various
    > federal and local law enforcement bodies, Cooper called for the help
    > of state and local governments and those companies that comprise the
    > critical infrastructure, including utilities and transportation
    > companies.
    
    How many years has it taken just these organizations to adopt these
    models?  And how many have still yet to do so?  Please.  And the
    utilities and transportation will now be dependent on this network?
    
    <snip!>
    
    > "What if the right parties that have a vested interest all sat down
    > and agreed on some shared objectives? And agreed upon a fair amount
    > of work and how to divvy it up? Rather than everyone trying to do
    > similar [functions] with the best of intentions and often
    > inadvertently."
    
    I agree that this is a good way to go.  However, taking it from this
    level, to an actual plan that will interconnect all of these networks
    (a number of which are probably running systems that predate IP)
    without introducing huge problems, and then building it right will IMO
    take a lot more than two to three years' time.
    
    I'm not trying to slam the overall idea (yet), or government in
    general, I just think this concept is overly optimistic having seen
    firsthand how many corporations and some government bodies handle
    change and interoperability.  Not to mention that this network would
    at some point connect competing companies together I assume.  Would
    you trust your local feds to protect your network from them?  What
    about when these networks are connected up - someplace, somewhere,
    there will be an Internet link on a LAN that has potential to tie into
    this.  If that company is lax in security, they will have exposed the
    entire infrastructure to a potential breach.  Perhaps I'm just being
    paranoid, but this isn't just giving everyone a shiny new email
    address and some message forums, he wants to bridge thousands of
    things together.  I just don't trust the government to get it right,
    which is unfortunate but experience and observation have caused this
    viewpoint.
    
    More power to them if they think they can pull it off, I will be
    eagerly waiting to see how that's going to happen.  However my
    skepticism far outweighs my confidence...  If I'm off-base on this
    though, someone can email me by all means.
    
    - rf
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    


