Re: [ISN] The Cybersecurity Myth (2 replies)

From: InfoSec News <alerts_at_private>
Date: Tue, 6 Oct 2009 03:36:32 -0500 (CDT)
Forwarded from: security curmudgeon <jericho (at) attrition.org>

On Mon, 5 Oct 2009, InfoSec News wrote:

: http://www.cringely.com/2009/10/the-cybersecurity-myth/
:
: Listen to this post in Bob's sexy, sexy voice
: http://www.cringely.com/podcast/20091002.mp3
:
: Robert X. Cringely
: October 2nd, 2009
:
: The Department of Homeland Security (DHS) said this week it will hire 
: up to 1,000 cybersecurity experts over the next three years to help 
: protect U.S. computer networks. This was part of National 
: Cybersecurity Awareness Month and the announcement was made by DHS 
: Secretary Janet Napolitano, who also said they probably won't need to 
: hire all 1,000 experts, which is good because I am pretty sure THERE 
: AREN'T ONE THOUSAND CIVILIAN CYBERSECURITY EXPERTS IN THE ENTIRE 
: FRIGGIN' WORLD!!!!

This article is pretty spot-on, and amusing even. Two gripes though:

1. Using the math behind the number of CCIE's is a non-starter. Holding 
   a CCIE isn't about 'cyber security' at all.

http://www.cisco.com/web/learning/le3/ccie/index.html

  The Cisco Certified Internetwork Expert (CCIE) certification is 
  accepted worldwide as the most prestigious networking certification in 
  the industry. Network Engineers holding an active Cisco CCIE 
  certification are recognized for their expert network engineering 
  skills and mastery of Cisco products and solutions.

2. The big point Cringely seems to miss, is that even if there were 1000 
   qualified civilian security experts, then what? Let's say money was 
   no object and DHS could manage to hire the top security people in the 
   industry. What could they do for DHS exactly?

The key here is that DHS thinks they can "help protect U.S. computer 
networks". Admittedly, it has been 3 or 4 years since I've gone stomping 
through various .gov networks, but I can't imagine the atmosphere has 
changed at all.

The atmosphere I was familiar with between 1999 - 2006 was one where a 
given agency was very secluded from the rest of the government. They had 
no intention of allowing other .gov agencies in their house unless it 
came with a presidential order, warrant and armed federal agents. No, 
this wasn't the spook agencies and high profile names you are familiar 
with, these were agencies like the National Park Service or Minerals 
Management Service.

The horror stories of inter-governmental communication are notorious to 
anyone who has played in one of the many .gov sandboxes. Does anyone 
really expect that 1000 cyber warriors sitting at DHS will be allowed to 
do *anything* for "U.S. computer networks" in reality? I don't.


-=-


Forwarded from: Richard Forno <rforno (at) infowarrior.org>
& cc'd: security curmudgeon <jericho (at) attrition.org>

On Oct 5, 2009, at 04:54 , security curmudgeon wrote:

> This article is pretty spot-on, and amusing even. Two gripes though:

Good to know great minds think alike.

> 1. Using the math behind the number of CCIE's is a non-starter. 
>    Holding a CCIE isn't about 'cyber security' at all.

Yep.

> 2. The big point Cringely seems to miss, is that even if there were 
>    1000 qualified civilian security experts, then what? Let's say 
>    money was no object and DHS could manage to hire the top security 
>    people in the industry. What could they do for DHS exactly?

More bodies = able to do more work = able to show more activity = able 
to justify more requests for financial and policy authority.  That's the 
goal of all bureaucracies.  Just ask Sir Humphrey.

> The horror stories of inter-governmental communication are notorious 
> to anyone who has played in one of the many .gov sandboxes. Does 
> anyone really expect that 1000 cyber warriors sitting at DHS will be 
> allowed to do *anything* for "U.S. computer networks" in reality? I 
> don't.

/dons cynical hat/

But then DHS can say it too has an 31337 cyber-command, just like its 
DOD counterpart!  And then a new joint fusion center can be created 
between DOD and DHS to coordinate their efforts and further reduce 
'stovepiping' within the national and homeland security organisations.  
That means more Congressional committees will be involved (which makes 
Congress happy) and thus we can keep working to secure America's 
cyberspace, and more importantly, EVERYBODY GETS MORE MONEY TO CONDUCT 
MORE ACTIVITY!!!! [1]

[1] "activity" =! "effective or meaningful activity"


Received on Tue Oct 06 2009 - 01:36:32 PDT
