---
Date: Tue, 15 Oct 2002 17:50:28 -0500
From: Bruce Schneier <schneierat_private>
Subject: CRYPTO-GRAM, October 15, 2002
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed

CRYPTO-GRAM

October 15, 2002

by Bruce Schneier
Founder and CTO
Counterpane Internet Security, Inc.
schneierat_private
<http://www.counterpane.com>

[...]

National Strategy to Secure Cyberspace

On 18 September, the White House officially released its National Strategy to Secure Cyberspace. Well, it didn't really release it on that date; versions had been leaking here and there for a while. And it really isn't a national strategy; it's just a draft for comment. But still, it's something.

No, it isn't.

The week it was released I got all sorts of calls from reporters asking me what I thought of the report, whether the recommendations made sense, and why certain things were omitted. My primary reaction was: "Who cares? It doesn't matter what the report says."

For some reason, Richard Clarke continues to believe that he can increase cybersecurity in this country by asking nicely. This government has tried this sort of thing again and again, and it never works. This National Strategy document isn't law, and it doesn't contain any mandates to government agencies. It has lots of recommendations. It has all sorts of processes. It has yet another list of suggested best practices. It's simply another document in my increasingly tall pile of recommendations to make everything better. (The Clinton Administration had theirs, the "National Plan for Information Systems Protection." And both the GAO and the OMB have published cyber-strategy documents.) But plans, no matter how detailed and how accurate they are, don't secure anything; action does. And consensus doesn't secure anything.

Preliminary drafts of the plan included strong words about wireless insecurity, which were removed because the wireless industry didn't want to look bad for not doing anything about it. Preliminary drafts included a suggestion that ISPs provide all their users with personal firewalls; that was taken out because ISPs didn't want to look bad for not already doing something like that. And so on.

This is what you get with a PR document. You get lots of varying input from all sorts of special interests, and you end up with a document that offends no one because it demands nothing. The worst part of it is that some of the people involved in writing the document were high-powered, sincere security practitioners. It must have been a hard wake-up call for them to learn how things work in Washington. You can tell that a lot of thought and effort went into this document, and the fact that it was gutted at the behest of special interests is shameful...but typical. So now everyone gets to feel good about doing his or her part for security, and nothing changes.

Security is a commons. Like air and water and radio spectrum, any individual's use of it affects us all. The way to prevent people from abusing a commons is to regulate it. Companies didn't stop dumping toxic wastes into rivers because the government asked them nicely. Companies stopped because the government made it illegal to do so.

In his essay on the topic, Marcus Ranum pointed out that consensus doesn't work in security design. Consensus security results in some good decisions, but mostly bad ones. By itself consensus isn't harmful; it is the compromises that are almost always harmful, because the more parties you have in the discussion, the more interests there are that conflict with security. Consensus doesn't work because the one crucial party in these negotiations -- the attackers -- aren't sitting around the negotiating table with everyone else. "And the hackers don't negotiate anyhow. In other words, it doesn't matter if you achieve consensus...; whether it works or not is subject to a different set of rules, ones over which your wishes exercise zero control."

If the U.S. government wants something done, they should pass a law. That's what governments do. It's like pollution; don't mandate specific technologies, legislate results. Make companies liable for insecurities, and you'll be surprised how quickly things get more secure. Leave the feel-good PR activities to the various industry trade organizations; that's what they're supposed to do.

The draft report:
<http://www.whitehouse.gov/pcipb/>

News articles:
<http://www.bangkokpost.com/021002_Database/02Oct2002_dbcol10.html>
<http://www.infoworld.com/articles/hn/xml/02/09/18/020918hnnatcyber.xml?s=IDGNS>
<http://www.computerworld.com/securitytopics/security/story/0,10801,74449,00.html>
<http://www.computerworld.com/governmenttopics/government/story/0,10801,74353,00.html>
<http://www.news.com.com/2102-1023-958545.html>

Marcus Ranum's essay:
<http://www.tisc2002.com/newsletters/414.html>

Other essays:
<http://www.infowarrior.org/articles/2002-11.html>
<http://online.securityfocus.com/columnists/110>
<http://online.securityfocus.com/news/677>
<http://www.zdnet.com/anchordesk/stories/story/0,10738,2882094,00.html>
<http://www.avolio.com/columns/21-SecuringCyberspace.HTML>

[...]

-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
Declan McCullagh's photographs are at http://www.mccullagh.org/
-------------------------------------------------------------------------
Like Politech? Make a donation here: http://www.politechbot.com/donate/
Recent CNET News.com articles: http://news.search.com/search?q=declan
-------------------------------------------------------------------------