Re: Scaled Back Cybersecuruty

[David Scott Olverson <olverson () fas harvard edu>]

> In article <103014.152131.21746 () avi netaxs com> Pete wrote:
>
> : I'm trying to envision an RFP that awards business to one or
> : a few network operators, but requires that they interoperate
> : effectively with other operators who don't win any of the
> : business. I've only got a state-level purchasing
> : perspective, but I don't see it happening at any level.
>
> Let me be more clear :)
>
> If the next FTS or if all large Federal IP purchases mandated
> one of:
>
> - Routers must be configured by end of 2003 so that all packets
>   to the control plane must be logically separated from user
>   packets (or demonstrate the ability to take 200mb of attack
>   traffic to the router CPU without having an effect)
>
> OR
>
> - All single-homed customers must be source-address filtered at
>   ingress or egress.  (Becoming multi-homed at ingress as a
>   requirement over time)
>
> OR
>
> ...
>
> You get the idea.  Something that IS possible, that matters MOST
> at the large end of the scale.  And if we go a long way towards
> solving one beasty per year we'll at least be making MORE progress
> than we've been making to date, which is roughly zero.

The problem with these mandates by the Federal gov't is that they most
often are not enforced once they're directed.  There was a mandate that
all operating systems installed on gov't networks meet a certain security
minimum.  I forget the name of the program now but Windows didn't and
couldn't so it was wavered onto the program.  I also seem to remember a
drive to have all software development follow the Capability Maturity
Model (at least in the Air Force) and a mandate that all software
development should be done at CMM level 3 that lost steam as well.
It's not a bad idea if you could get the gov't to truly enforce it.

Thanks,

Dave Olverson