From: Fred Cohen <fc@all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Date: Thu, 13 Dec 2001 06:18:19 -0800 (PST)
Subject: [iwar] [fc:White.House.CyberSecurity.-.Jobs,.Research,.and.Rhetoric,.but.Few.Results]
Message-Id: <200112131418.fBDEIK000566@red.all.net>
Reply-To: iwar@yahoogroups.com

http://www.securityfocus.com/columnists/46

White House CyberSecurity - Jobs, Research, and Rhetoric, but Few Results
(c) 2001 SecurityFocus

The commitment by the federal government to further computer security research may be laudable, but it fails to address the root cause of most security issues: bad software.

By Richard Forno, Dec 12 2001 8:30AM PT

Diane Frank's December 5 article "Bills Aim at Cyber R&D" in Federal Computer Week reports that the Cyber Security Research and Development Act, introduced by Rep. Sherwood Boehlert (R-NY), seeks to provide nearly half a billion dollars in funding for research and education on information security matters. The proposed legislation provides a $233 million check to the National Science Foundation for research into what Frank calls "basic cybersecurity issues."

In a related policy-driven attempt to shore up information security, White House Cybersecurity Coordinator Richard Clarke announced recently that his office was going to create a national map of the information grid (networks, power grids, and related infrastructures) to help research and plan for future problems. This will be accomplished through a National Center for Infrastructure Simulation and Analysis to be established in 2002.

Both of these proposals mean more money, more jobs, and more research on the long-term security issues. While this is admirable - not to mention much needed - it neglects to address the immediate, real-world problems plaguing the Internet. The proposed bill would give $90 million to colleges to develop graduate degree programs in cybersecurity, as if earning a degree confirms that its bearer is any wiser in the ways of information security than someone with twenty years of hands-on experience. Wisdom occurs through trial, error, and experience over a significant period of time. You can't create an expert overnight, or in two years, or with millions of dollars. An academic degree or professional certification doesn't necessarily mean the bearer is any more competent or experienced, and it shouldn't be the determining factor in hiring security folks.

At a recent IT summit in Washington, Clarke stated that: "We need to decide that IT security functionality will be built into what we do. It's not an afterthought anymore." True, but where was Clarke (who was, after all, computer security "Czar" in the Clinton Administration) for the past ten years while critical information infrastructures were designed without the appropriate and necessary security processes? Why did he and his government cronies not step forward previously to ensure security was an integral part of all aspects of IT infrastructure, including software? The federal government could have used its legislative force to hold software vendors liable for producing and distributing insecure products. Furthermore, it could have thrown its considerable economic weight around and refused to repeatedly purchase buggy software.

Now that such bug-ridden products are the unfortunate rule, rather than the exception, Clarke is proposing that software vendors provide automatic updates to their products when problems are discovered. This will save users from having to perform such updates themselves and would usually be accomplished by placing trusted vendor backdoors in the software. This is laughably ironic: planting back doors in programs in order to provide security updates unfortunately means putting in place a vulnerable path for intruders to exploit. Such a strategy violates the first rule of network security, which is to deny all traffic and accept only known, trusted connections. Besides, vendors already provide update services, such as Windows Update, Red Hat Patch Updater, and Apple Software Update. Yet power users (and most security folks I know) usually disable such remote features in order to maintain full control over their systems.

It does not take much foresight to anticipate the day when such a vendor update system is manipulated by a cyber-varmint, putting us right back to "square one". What will be Clarke's answer then? Will the vendor whose update features were compromised be held accountable for the situation? Or will it simply be dismissed as the latest "price of doing business" on the Internet? Instead of (as Clarke said) "pushing updates down the throats of users", why not take active steps to ensure the software users run isn't so damn buggy and exploitable in the first place? That would make more sense, don't you think?

What Clarke and Co. Still Don't Get

Clarke et al. are on the right track - at least they are beginning to recognize the enormity of the computer security issue. Research is a long-term investment, and something we certainly need, but it shouldn't be seen as a substitute for remedying immediate problems. Rather than waste taxpayer dollars on corporate welfare, government jobs programs, and more research, the federal government should focus on two critical areas of IT.

First, they need to consult less with CEOs and marketers and more with CTOs, CIOs, and line officers in corporate IT departments. These are people who understand the nature of the problem and can provide advice that can contribute to the development of an effective national information assurance program. Hiring Microsoft Security Advisor Howard Schmidt is a good first step - I know Schmidt personally - he's been in the IT trenches for many years and can provide operational guidance on the issue from personal experience and not just media hype. (I just hope he didn't drink too much of the Kool-Aid during his tenure in Redmond.)

Secondly, part of the half-billion or more dollars being proposed for various long-term cyber-security initiatives should be spent doing an objective design review of our critical information infrastructures. This should include holding vendors accountable for failing to provide appropriate security and availability guidance in the infrastructure design process. We should not have to pay them to fix mistakes caused by their profit-driven shortsightedness. It should also include a line-by-line software code assessment of any Microsoft product being used in a critical system. I'd even suggest some of that half-billion be used to foster open source software development to give enterprise users a choice in their IT infrastructures. As the Irish potato famine illustrated, it's bad karma to plant and rely on only one type of seed, especially one as prone to disease as Windows.

# # # #

Richard Forno is the coauthor of Incident Response (O'Reilly) and The Art of Information Warfare (Universal). He helped to establish the first incident response team for the U.S. House of Representatives, and is the former Chief Security Officer at Network Solutions. Richard is currently writing and consulting in the Washington, DC area.

References

Bills Aim at Cyber R&D, by Diane Frank, Federal Computer Week, 12/5/2001
U.S. Cyber Chief to Map Infrastructure for Security, by Andy Sullivan, Reuters, 12/5/2001
Bush Cyber-Security Adviser Wants Internet Users to Get Free Security Software, AP, 12/5/2001

------------------
http://all.net/