---------- Forwarded message ---------- Date: Fri, 3 Apr 2009 10:10:20 -0400 From: Richard Forno <rforno (at) infowarrior.org> To: Infowarrior List <infowarrior (at) attrition.org> Subject: [Infowarrior] - Comments: Proposed Cybersecurity Legislation Several security and DOD-oriented lists I participate in have been abuzz with the propsed cybersecurity legislation being floated around in the Senate this week by Sens Snowe and Rockefeller. After a few days of discussion, I've decided to just add my comments to the fray here on infowarrior-l based on the following DefenseTech article: Proposed Cyber Security Legislation http://www.defensetech.org/archives/004779.html Summary: They appear to be reinventing the wheel (again) -- and the results will be no different. Comments below: > The proposed legislation calls for the creation of a Cyber Security > Advisory Panel that is composed of outside experts from industry, > academia, and nonprofit groups that would advise the president on > related matters. They have them - NSTAC, NIAC, and other Advisory Counsels. In fact, my April prank this week (yeah yeah) was along just such lines, because any such advisory body likely will be composed of those least knowledgeable about what's really going on (ie, mostly hand-picked senior executives from the corner offices) Of course, those in charge do NOT want to have truly knowledgeable folks advising them, for they will not like what they are being told. Groupthink reigns supreme in Washington policy circles, as does lobbying influence. http://infowarrior.org/aprilfools/aprilfools09.html (for those who missed it) > The proposed legislation calls for the creation of a public/private > clearinghouse for cyber threats and vulnerability information > sharing, establishment of measurable and auditable cyber security > standards from the National Institute of Standards and Technology. Umm, the SEI CERT/CC has been around for 20 years doing just that. Highly trusted and regarded folks, they are. Do we need another group to do this? (Disclaimer: I am a visiting scientist @ SEI) > The proposed legislation would also require that cyber security > professionals be licensed and certified. > Provision: The proposed legislation would also require that the > Cyber Security Adviser conduct a review of the U.S. cyber security > program every four years and require officials to complete a number > of reviews and reports. The security experts whom I respect and admire the most (mentioned above) cut their teeth and made their reputations by hard work and demonstrated professional activities (jobs, papers, con talks, research, etc) and not simply by passing a test. As this proposal reads, will people like Dorothy Denning, Whit Diffie, Matt Blaze, Dan Geer, Bruce Schneier, and how many other VERY competent and knowledgeable security experts be prevented from consulting to the government because they do not have (to my knowledge) any certification? Or will there be waivers? And will "waivers for awesome people" be the new norm? As one securitygeek told me, "The fed gov needs X IA pros. They need to be certified. My guess is the difficulty in getting that cert has to be low enough that you can have X + enough to fill the pipe." So at what point does this policy become meaningless and ineffective because getting a cert is "so simple to pass even a Caveman can do it?" Requiring certification for infosec people is conventional thinking. As with those security experts and hackers whom I respect and admire, the "enemy" will be effective not because the have certifications but because of their personal attributes --- ie, qualities like inquisitiveness, tenacity, professional interests, tacit knowledge, and drive --- things that CAN NOT be externally taught, nor externally certified present. Just as when folks are surprised when I bring up "stuff" (such as threats/vulns/risks/observations) during red team exercises that they thought was uber-classified and known to only a handful of people, the same analogy applies here.....if you maintain the belief in the sanctity and exclusiveness of your standards, don't be surprised when others are able to run circles around you! So who's the real beneficiary here? The certification-issuing folks, who stand to profit handsomely from this. And, those executives/ managers/CIO/CTOs who are forced to use these certified professionals, for they have received a legislated Get-Out-of-Jail-Free card -- if there are problems, damages, or losses, they can point to these certified people and say "these EXPERTS told me what to do, and I did it" ... ie, they can dodge accountability for problems happening on their watch. How convenient! > The proposed legislation calls for the creation of state and > regional cyber security centers to help small and midsize businesses > adopt security measures. Yep. We love those "fusion center" operations, don't we? That's the hottest ticket in town, building these centers. > The proposed legislation would establish a Secure Products and > Services Acquisitions Board that would to review and approve the > security and integrity of products purchased by the federal > government. Isn't that what NIST and NSA were supposed to be doing all along in examining and certifying technology products for federal use and security requirements? Do we need another entity now? > The proposed legislation would require government and private sector > networks that control the critical infrastructure to comply with a > set of cyber security standards established by the National > Institute of Standards and Technology (NIST). They're probably there in one form or other - just need to consolidate things. Okay, fine. > This legislation is past due! Report after report has highlighted > the increased complexity and frequency of cyber attacks on business, > government and our critical infrastructure. Delays in pushing this > legislation through could have serious consequences. So time is of > the essence in preparing for the passage and enactment of this > legislation. This reporter knows nothing about cybersecurity issues and is simply parrotting the typical DC response to problems --- We must do something now, because the threats are immediate. Forget thinking things through and objectively coming to rational, effective solutions, we need solutions NOW. *facepalm* Something must be done; this is something, therefore we must do it. :( > mandatory reporting within 24 hours of discovery is critical. > Another area of concern is training. While the proposed legislation > touches on training, it does not specifically address continuing > education. Cyber attack techniques and criminal scams are highly > dynamic and rapidly evolving. Nor does it do ANYTHING in terms of forcing accountability on people, agencies, vendors, and service providers to build, develop, deploy, and administer resilient systems. Remember that "good enough" has become the accepted standard of cybersecurity excellence. There is no economic motivation for anyone to do anything more to fix these problems short of offering more consultants and "stuff" to deploy on top of foundations that remain fundamentally flawed and unstable. After all, if you think about it, "good enough" is too damn profitable!! Also, IIRC there is also talk of developing a "national cybersecurity dashboard" where someone (WH, DHS) can see at anytime the "cybersecurity health" of the country and then point at some network node and say "disconnect it now". The former notion might - might - be doable, but the latter point is downright scary, especially when we see things like this article, where the FBI creates huge collateral damage "disconnecting" an Internet site: FBI Agents Raid Dallas Computer Business http://cbs11tv.com/local/Core.IP.Networks.2.974706.html. But we've got to have *some* pie-in-the-sky thinking here, right? As I said, this is More of The Same Stuff. Just a different Administration, and Different Congress. I remain cynical. -rick _______________________________________________ Infowarrior mailing list Infowarrior (at) attrition.org https://attrition.org/mailman/listinfo/infowarrior _______________________________________________ Best Selling Security Books and More! http://www.shopinfosecnews.org/Received on Sun Apr 05 2009 - 22:33:24 PDT
This archive was generated by hypermail 2.2.0 : Sun Apr 05 2009 - 22:47:25 PDT