Re: Feds Falling Short on Cybersecurity

[InfoSec News <isn () c4i org>]

Forwarded from: "Robert G. Ferrell" <rgferrell () direcway com>

At 05:22 AM 4/9/03 -0500, InfoSec News wrote:

> "For many, the cyber threat is hard to understand; no one has died
> in a cyberattack, after all, there has never been a smoking ruin for
> cameras to see," said Clarke, now a security consultant. "It is the
> kind of thinking that said we never had a major foreign terrorist
> attack in the United States, so we never would; al Qaeda has just
> been a nuisance, so it never will be more than that."

Let's see, by this logic we should be preparing for the possibility of
an attack from bug-eyed aliens, as well.  No one has ever died from
such an attack, but it is theoretically possible.

No one who should be taken seriously ever said that "cyberwarfare"
can't be destructive; it obviously can.  But it is not now, and nor is
it likely to be in the foreseeable future, on a par with conventional
weapons of terrorism or military actions by sovereign governments.  
Claiming that lives will be lost if we fail to secure our information
systems only serves to undermine the entire process by bringing the
proponents under ridicule.

Keeping things in perspective and allocating resources according to
the priorities of the moment is a much more rational and, in the long
run, effective way of building up our information security
infrastructure. Hysterical foot-stomping just gets you mocked.

> Testifying before a House Government Reform subcommittee, Clarke
> said the government should create a National Cybersecurity Center
> staffed by top computer security experts. The government also needs
> a federal chief information security officer with authority over all
> federal agencies, he said.
>
> "Without such an official, departments will continue as they have
> for years, vulnerable to cyber intrusion and woefully behind in the
> deployment of modern IT security technology," Clarke said.

I've said this before, but it (still) seems to me that the primary
purpose of "such officials" is to provide a ready scapegoat when
something goes wrong.  Congress sanctimoniously grills the "czar" for
a while, diverting attention away from the actual issues, then he or
she resigns and everyone gets a warm fuzzy from having forced a
necessary purge. Meanwhile, the former official gets (or returns to) a
private sector job at three times their government salary and the
dysfunctions within the agency go merrily on. It's a little
choreographed performance not unlike professional wrestling.

> The White House Office of Management and Budget has authority over
> IT security within federal civilian agencies, but Clarke said the
> office is understaffed. "[The] OMB has attempted to perform this
> function with one or two people buried in their bureaucracy and an
> interagency committee of the CIO Council, which lacks both expertise
> and authority," he said.

So obviously the cure for this ill is to hire yet another SES-level
official who's never sat at a keyboard and installed a patch or
monitored an IDS in his or her entire career.  That oughta fix things
right up, ya'll.

I know this is a radical proposal, but how about we promote senior
level technical personnel who've been in the trenches for years, then
give them the authority to implement and enforce policies already in
place? If you don't know what you're talking about, it's difficult for
the technical professionals whom you manage to respect you or your
decisions. If we can't respect your decisions and directives, we're
much less likely to take them seriously and implement them with the
attention to detail that successful initiatives require. That's human
nature.

Imagine hiring someone off the street with no combat experience to
fill the position of general.  Hard to visualize, isn't it?
Nevertheless, that's the way a lot of federal executive positions are
filled. The prevailing "wisdom" (and I use the term charitably) is
that the skills necessary for executive service are separate from and
often mutually exclusive to those required for technical personnel.  
I hereby formally challenge that supposition. Executive skills where
management of technical professionals is concerned should be garnered
after, or concurrently with, technical proficiency, not instead of.  
The best boss I've ever had was a career fed who came up through the
ranks and served her time in the trenches first, as she was
accumulating her management skills.  Her knowledge of technical
matters wasn't always current, but she knew enough to realize when she
didn't understand an issue fully, and seldom failed to ask for and act
upon advice from her technical specialists. I never once felt in
talking to her that she was merely pretending to understand a complex
issue.  As a result, she rarely (if ever) made decisions that were not
technically sound or implemented programs that failed because of
technical shortcomings. I watched her being passed over for promotions
to jobs for which she was eminently qualified in favor of folks who
hadn't a clue about the organizations they were being hired to run
merely because she had not played the political game to her superiors'
satisfaction.  Instead of taking long lunches with the division chief,
she met with her staff or attended a technical seminar to better
understand the technologies she was charged with implementing. "It
isn't what you know, but whom you know." Amen.

Despite, or perhaps as a result of, the avalanche of criticism leveled
against it, the federal government has made huge strides in the
infosec arena in recent years.  We may be approaching or have already
reached a plateau in these efforts, however.  I believe the best way
to overcome that stagnation is to put the people we already have to
better use, and in the process do away with the tired old paradigm of
"those who can, do--those who can't, administrate."

This ain't your daddy's civil service, bubba.

RGF



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.