[infowarrior] - America's National Cybersecurity Strategy: Same Stuff, Different Administration

[InfoSec News <isn () c4i org>]

Forwarded from: Richard Forno <rforno () infowarrior org>

America's National Cybersecurity Strategy: Same Stuff, Different
Administration

Richard Forno
(c) 2002 Infowarrior.org. All Rights Reserved
Article #2002-11.
Permission granted to reproduce and distribute in entirety with credit
to author.

Online version with contextual URLS can be found at
http://www.infowarrior.org/articles/2002-11.html

Today the White House releases its long-awaited "National Strategy To
Secure Cyberspace." This high-level blueprint document (black/white or
color), in-development for over a year by Richard Clarke's
Cybersecurity team, is the latest US government plan to address the
many issues associated with the Information Age.
 
The Strategy was released by the President's Critical Infrastucture
Protection Board (PCIPB), an Oval Office entity that brings together
various Agency and Department heads to discuss critical infrastructure
protection. Within the PCIPB is the National Security
Telecommunications Advisory Council (NSTAC), a
Presidentially-sponsored coffee klatch comprised of CEOs that provide
industry-based analysis and recommendations on policy and technical
issues related to information technologies.  There is also the
National Infrastructure Advisory Council (NIAC) consisting of 30
private-sector 'experts' on computer security, yet nobody knows who
these people are.  Thus, a good portion of this Presidential Board is
comprised of CEO-level people and a shadowy group of un-named experts,
picked for their Presidential loyalty, campaign contributions, or
visibility in the marketplace. Factor in Richard Clarke's team ­ many
of whom, including Clarke, are not technologists but career politicans
and thinktank analysts ­ and you've got the government's best effort
at providing advice to the President on information security. (One
well-known security expert I spoke with raised the question about
creating a conflict of interest for people who sell to the government
or stand to gain materially from policy decisions to act in advisory
roles, something that occured during the Bush Administration's secret
energy meetings.)

Although the Administration heralds this as the first "National
Strategy" for cyberspace security, we need only reflect on the Clinton
Administration's "National Plan for Information Systems Protection"
from 2000, and the President's Commission on Critical Infrastructure
Protection Reportfrom 1996 - like its predecessors - and despite the
publicity push from the Administration - nearly all of what's in this
Strategy isn't new, either in what it says or what it fails to say. In
keeping with tradition, the Strategy "addresses" various security
"issues" instead of directing the "resolution" of security "problems"
­ tiptoeing around the problems instead of dealing with them head-on
and demanding results.
 
Now that you know where the Strategy comes from, let's examine some of
its more noteworthy components.
 
At times, the Strategy reads like the fear-mongering propaganda
published by assorted industry groups and security product vendors. It
claims that 70% of cyber-attacks on corporations are caused by
insiders, yet provides no source for these statistics. Further, during
its discussion of the threats and vulnerabilities, there's an
eye-catching sidebar with a hypothetical worst-case cyberterrorism
scenario conjured up by "50 scientists, computer experts, and former
intelligence officers" ­ and throughout the report are statements that
the Administration consulted with experts across the country in a
variety of industries. Yet there's no reference listing who these
'experts' are, or what their credentials are to enable them to make
such prophecies and participate in the preparation of this Strategy,
something that undermines the credibility of these statistics and
statements For all we know, these 'experts' are career politicians,
academics, or clueless CEOs ­ many of whom probably never served in an
operational IT capacity before -- and thus don't understand the
reality of today's information environment.
 
To its credit, the Strategy provides (yet another) list of suggested
'best practices' and proposals to improve technology security in a
variety of venues, from homes and small business to government and
large enterprises. It uses simple, easy-to-read language and presents
its contents in vibrant color with lots of white space and
eye-catching sidebars and high-tech graphic motifs, very much like a
vendor's Powerpoint presentation for prospective customers..
 
In the areas of corporate security improvements, the Strategy indeed
shines, as it recommends Board-level accountability for information
security, proper security administration, and better integration and
alignment of information security with senior management and business
goals. This is perhaps the best component of the Strategy, and
actually provides innovative guidance that can be implemented fairly
easy by corporations.
 
The Strategy makes it clear that it is to serve not as a "Federal
government prescription" but as a "participatory process" to develop
America's national information security environment with the private
sector, and believes that a hands-off policy is the correct way to
work with them.  Indeed, for technology's private sector, this is a
good thing given the speed that government operates. Unfortunately,
for the federal government, what is currently needed is not a
prescription but a mandate on what must be done (and by when) to
improve federal information security, not another list of things that
"should" be done but most likely won't.
 
In this regard, the Strategy is no different than other government
cyber-strategy documents (mentioned earlier) and audit reports (from
GAO or OMB) published over the years eschewing the need for better
systems security and what "should" be done to improve it. For the
private sector to take the government seriously in this area,
government needs to police itself first before coordinating the
efforts of industry.
 
As expected, the Strategy gives a tiny nod to developing a separate
government-only network, otherwise known as GovNET. While sounding
good on paper - and been Clarke's vision for years - leading security
professionals question the logic of such a network. Given that the
Internet is redundant with multiple ­ if not infinite ­ numbers of
pathways between nodes, one wonders why Clarke & Co. are considering
moving large chunks of the government to a network with a finite
series of nodes, and multiple single points of failure or attack ­
thus consolidating all his eggs into one basket just waiting to be
dropped? (Earlier this year, Clarke acknowledged that GovNET would
still have its share of viruses, trojans, and worms, so one has to
further wonder about this proposal, since it's apparently not going to
be any more secure or robust as what he's got now.)
 
According to the Strategy, vendors and possibly security consultants
may be required to obtain government or industry-based certifications
to prove their competency. Again, this sounds good on paper, but some
argue this requirement could be skewed to favor large, established
companies (or products) and thus alienate small firms, consultants, or
alternative technologies from the 'certified' mainstream security or
technology industry. Further, the Administration fails to note that a
certification (or a college degree in cyber-security, another of its
proposals) does not make a person any more competent a professional;
rather it takes years of applied experience to be considered an
'expert' and 'competent' in one's field. Contrary to the profiteering
interests of certification and testing organizations, we forget that
nearly anyone can pass a test; what matters is how they perform in the
workplace, not in the classroom.
 
Regarding technology products, the Strategy discusses employing
programmers who understand security to code better products, yet makes
no mention about the executives in marketing and corporate leadership
wanting to bundle features together to make a product 'convienient'
for marketing purposes and thus likely more exploitable. Certainly, we
need programmers to understand software and system-level security, but
programmers are only one small part of the problem (a very small one
in the grand scheme of the software industry) and act at the direction
of the higher-ups in the company. Executives must realize the dangers
of ­ and work to reduce or eliminate ­ 'feature-creep' in their
products that leads to exploitation. Just consider how much 'more
secure' your information would be, and how much less spam you'd
receive had Microsoft not integrated Internet Explorer and Visual
Basic Scripting into Windows.
 
The Strategy notes that "systems often become overloaded or fail
because a component has gone bad" and proposes that "trustworthy
computing" be part of a national priority. Not surprisingly, this is
the same term used by Microsoft to describe its multi-faceted approach
to securing future versions of Windows. Conspiracy theories about this
will abound, particularly given the close ties Redmond has with the
White House. Industry analysts will also watch to see how quickly
Hollywood's cartels leap to position their copy control initiatives as
part of "trustworthy computing" to ensure their profit streams, and
link their revenue protection to computer security features.
 
It's interesting that - perhaps as a result of industry lobbying (or
the Administration's ignorance) - the Strategy has no concern over the
current 'monoculture' environment for operating systems, chosing
instead to support the development of new security products,
technologies, and services to be built around (or over) the current
(and heavily-flawed) 'foundation' for most of America's critical
systems. The Strategy must consider such preventable (but recurring)
problems as the price of doing business in the Information Age,
something that many believe is foolhardy and complacent thinking.
 
Then again, effectively securing the foundation of our systems ­ the
operating systems ­ would mean less security products and services
need to be purchased from third partiesŠ.perhaps this oversight in the
Strategy is tribute to the lobbying efforts of security vendors trying
to preserve their revenue streams?
 
A national strategy is certainly necessary to effectively deal with
the many problems of computer security. While there are indeed
well-conceived portions of the Strategy that will lead to procedural
improvements in America's information security posture if implemented,
the Strategy falls far short of what it was heralded as by the
Administration, and were the subject of this article.
 
Today's release of the National Strategy To Secure Cyberspace is yet
another Oval Office attempt to gain consensus in dealing with the many
problems associated with effective information security in the United
States. Unfortunately, in the areas most responsible for the dismal
current state of information security, the Strategy fails to recognize
and deal with them at all.
 
If the administration spent one-tenth the time or money on actual
security implementation and education (thus leading to long-term
solutions) that it does on convening boards of advisors, councils,
town hall meetings, and issuing vaguely-worded, broadly-encompassed,
slickly-packaged "feel good" reports like this one, there wouldn't be
such a large computer security problem needing to be remedied in the
first place.




-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.