Forwarded from: "Robert G. Ferrell" <rgferrellat_private>

At 05:22 AM 4/9/03 -0500, InfoSec News wrote:

> "For many, the cyber threat is hard to understand; no one has died
> in a cyberattack, after all, there has never been a smoking ruin for
> cameras to see," said Clarke, now a security consultant. "It is the
> kind of thinking that said we never had a major foreign terrorist
> attack in the United States, so we never would; al Qaeda has just
> been a nuisance, so it never will be more than that."

Let's see, by this logic we should be preparing for the possibility of an attack from bug-eyed aliens, as well. No one has ever died from such an attack, but it is theoretically possible. No one who should be taken seriously ever said that "cyberwarfare" can't be destructive; it obviously can. But it is not now, nor is it likely to be in the foreseeable future, on a par with conventional weapons of terrorism or military actions by sovereign governments. Claiming that lives will be lost if we fail to secure our information systems only serves to undermine the entire process by bringing the proponents under ridicule. Keeping things in perspective and allocating resources according to the priorities of the moment is a much more rational and, in the long run, effective way of building up our information security infrastructure. Hysterical foot-stomping just gets you mocked.

> Testifying before a House Government Reform subcommittee, Clarke
> said the government should create a National Cybersecurity Center
> staffed by top computer security experts. The government also needs
> a federal chief information security officer with authority over all
> federal agencies, he said.
>
> "Without such an official, departments will continue as they have
> for years, vulnerable to cyber intrusion and woefully behind in the
> deployment of modern IT security technology," Clarke said.
I've said this before, but it (still) seems to me that the primary purpose of "such officials" is to provide a ready scapegoat when something goes wrong. Congress sanctimoniously grills the "czar" for a while, diverting attention away from the actual issues, then he or she resigns and everyone gets a warm fuzzy from having forced a necessary purge. Meanwhile, the former official gets (or returns to) a private sector job at three times their government salary and the dysfunctions within the agency go merrily on. It's a little choreographed performance not unlike professional wrestling.

> The White House Office of Management and Budget has authority over
> IT security within federal civilian agencies, but Clarke said the
> office is understaffed. "[The] OMB has attempted to perform this
> function with one or two people buried in their bureaucracy and an
> interagency committee of the CIO Council, which lacks both expertise
> and authority," he said.

So obviously the cure for this ill is to hire yet another SES-level official who's never sat at a keyboard and installed a patch or monitored an IDS in his or her entire career. That oughta fix things right up, y'all.

I know this is a radical proposal, but how about we promote senior level technical personnel who've been in the trenches for years, then give them the authority to implement and enforce policies already in place? If you don't know what you're talking about, it's difficult for the technical professionals whom you manage to respect you or your decisions. If we can't respect your decisions and directives, we're much less likely to take them seriously and implement them with the attention to detail that successful initiatives require. That's human nature. Imagine hiring someone off the street with no combat experience to fill the position of general. Hard to visualize, isn't it? Nevertheless, that's the way a lot of federal executive positions are filled.
The prevailing "wisdom" (and I use the term charitably) is that the skills necessary for executive service are separate from and often mutually exclusive to those required for technical personnel. I hereby formally challenge that supposition. Executive skills where management of technical professionals is concerned should be garnered after, or concurrently with, technical proficiency, not instead of.

The best boss I've ever had was a career fed who came up through the ranks and served her time in the trenches first, as she was accumulating her management skills. Her knowledge of technical matters wasn't always current, but she knew enough to realize when she didn't understand an issue fully, and seldom failed to ask for and act upon advice from her technical specialists. I never once felt in talking to her that she was merely pretending to understand a complex issue. As a result, she rarely (if ever) made decisions that were not technically sound or implemented programs that failed because of technical shortcomings. I watched her being passed over for promotions to jobs for which she was eminently qualified in favor of folks who hadn't a clue about the organizations they were being hired to run merely because she had not played the political game to her superiors' satisfaction. Instead of taking long lunches with the division chief, she met with her staff or attended a technical seminar to better understand the technologies she was charged with implementing. "It isn't what you know, but whom you know." Amen.

Despite, or perhaps as a result of, the avalanche of criticism leveled against it, the federal government has made huge strides in the infosec arena in recent years. We may be approaching or have already reached a plateau in these efforts, however. I believe the best way to overcome that stagnation is to put the people we already have to better use, and in the process do away with the tired old paradigm of "those who can, do--those who can't, administrate."
This ain't your daddy's civil service, bubba.

RGF

-
ISN is currently hosted by Attrition.org
This archive was generated by hypermail 2b30 : Sat Apr 12 2003 - 03:28:58 PDT