FC: Bruce Schneier: Feds need to pass new laws for "cybersecurity"

[Declan McCullagh <declan () well com>]

---

Date: Tue, 15 Oct 2002 17:50:28 -0500
From: Bruce Schneier <schneier () counterpane com>
Subject: CRYPTO-GRAM, October 15, 2002
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
        

                 CRYPTO-GRAM

               October 15, 2002

              by Bruce Schneier
               Founder and CTO
      Counterpane Internet Security, Inc.
           schneier () counterpane com
         <http://www.counterpane.com>

[...]

    National Strategy to Secure Cyberspace



On 18 September, the White House officially released its National Strategy 
to Secure Cyberspace.  Well, it didn't really release it on that date; 
versions had been leaking here and there for a while.  And it really isn't 
a national strategy; it's just a draft for comment.  But still, it's something.

No, it isn't.  The week it was released I got all sorts of calls from 
reporters asking me what I thought of the report, whether the 
recommendations made sense, and why certain things were omitted.  My 
primary reaction was: "Who cares?  It doesn't matter what the report says."

For some reason, Richard Clarke continues to believe that he can increase 
cybersecurity in this country by asking nicely.  This government has tried 
this sort of thing again and again, and it never works.  This National 
Strategy document isn't law, and it doesn't contain any mandates to 
government agencies.  It has lots of recommendations.  It has all sorts of 
processes.  It has yet another list of suggested best practices.  It's 
simply another document in my increasingly tall pile of recommendations to 
make everything better.  (The Clinton Administration had theirs, the 
"National Plan for Information Systems Protection."  And both the GAO and 
the OMB have published cyber-strategy documents.)  But plans, no matter how 
detailed and how accurate they are, don't secure anything; action does.

And consensus doesn't secure anything.  Preliminary drafts of the plan 
included strong words about wireless insecurity, which were removed because 
the wireless industry didn't want to look bad for not doing anything about 
it.  Preliminary drafts included a suggestion that ISPs provide all their 
users with personal firewalls; that was taken out because ISPs didn't want 
to look bad for not already doing something like that.

And so on.  This is what you get with a PR document.  You get lots of 
varying input from all sorts of special interests, and you end up with a 
document that offends no one because it demands nothing.

The worst part of it is that some of the people involved in writing the 
document were high-powered, sincere security practitioners.  It must have 
been a hard wake-up call for them to learn how things work in 
Washington.  You can tell that a lot of thought and effort went into this 
document, and the fact that it was gutted at the behest of special 
interests is shameful...but typical.

So now everyone gets to feel good about doing his or her part for security, 
and nothing changes.

Security is a commons.  Like air and water and radio spectrum, any 
individual's use of it affects us all.  The way to prevent people from 
abusing a commons is to regulate it.  Companies didn't stop dumping toxic 
wastes into rivers because the government asked them nicely.  Companies 
stopped because the government made it illegal to do so.

In his essay on the topic, Marcus Ranum pointed out that consensus doesn't 
work in security design.  Consensus security results in some good 
decisions, but mostly bad ones.  By itself consensus isn't
harmful; it is the compromises that are almost always harmful, because the 
more parties you have in the discussion, the more interests there are that 
conflict with security.  Consensus doesn't work because the one crucial 
party in these negotiations -- the attackers -- aren't sitting around the 
negotiating table with everyone else.  "And the hackers don't negotiate 
anyhow.  In other words, it doesn't matter if you achieve consensus...; 
whether it works or not is subject to a different set of rules, ones over 
which your wishes exercise zero control."

If the U.S. government wants something done, they should pass a 
law.  That's what governments do.  It's like pollution; don't mandate 
specific technologies, legislate results.  Make companies liable for 
insecurities, and you'll be surprised how quickly things get more 
secure.  Leave the feel-good PR activities to the various industry trade 
organizations; that's what they're supposed to do.

The draft report:
<http://www.whitehouse.gov/pcipb/>

News articles:
<http://www.bangkokpost.com/021002_Database/02Oct2002_dbcol10.html>
<http://www.infoworld.com/articles/hn/xml/02/09/18/020918hnnatcyber.xml? 
s=IDGNS>
<http://www.computerworld.com/securitytopics/security/story/0,10801,7444 
9,00.html>
<http://www.computerworld.com/governmenttopics/government/story/0,10801, 
74353,00.html>
<http://www.news.com.com/2102-1023-958545.html>

Marcus Ranum's essay:
<http://www.tisc2002.com/newsletters/414.html>

Other essays:
<http://www.infowarrior.org/articles/2002-11.html>
<http://online.securityfocus.com/columnists/110>
<http://online.securityfocus.com/news/677>
<http://www.zdnet.com/anchordesk/stories/story/0,10738,2882094,00.html>
<http://www.avolio.com/columns/21-SecuringCyberspace.HTML>

[...]




-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
Declan McCullagh's photographs are at http://www.mccullagh.org/
-------------------------------------------------------------------------
Like Politech? Make a donation here: http://www.politechbot.com/donate/
Recent CNET News.com articles: http://news.search.com/search?q=declan
-------------------------------------------------------------------------