December 09, 2004

Government and Cyber Security

Two concepts that don't mesh well. I was wandering by Heather's place to see if she had posted anything... but alas her main page remains blank. So, I did the next best thing and wandered over to the blog of her beloved spouse BrianJ. As usual when I visit, he has lots of terrific things to say and naturally I noticed the post about the government and computer security.

From a CNN story, "Bush pressed for more Net security," it looks as if a few more people want to climb onto the government gravy train. As Brian says:

As a taxpayer and a customer, I don't look forward to the expanding synergy between government security administration and private industry. Let's take an example from recent history: airports. Airlines, leaky boats which the government frequently bails out with buckets of taxpayer cash, and airport authorities, government bureaucracies in their own right in many cases and not very good at for-profit in others, abdicated their obligation to secure their places of business. First, they took government funds to pay for their own surly security employees, and when that wasn't enough, the government stepped in and provided its own employees, surly and unaccountable to the private sector, to grope grandma.

This is absolutely correct. Whenever government comes in the door, common sense goes out the window. So what is it they want the government to do for us?

The Bush administration should spend more on computer-security research, share threat information with private-sector security vendors, and set up an emergency computer network that would remain functional during Internet blackouts, a computer-security trade group said.

Let's take the points one at a time...
1) spend more on computer-security research. First of all, there is already money being spent on this. Do we know where it goes? How effective the current spending is? After all we have the NSA, we have CERT, we have public universities getting government funding for just this sort of thing. But as usual, we get no accounting of current money going in, we get no clue as to what new money is needed for... only the ubiquitous "computer-security". Sorry guys you'll have to do better than that!

2) share threat information with private-sector security vendors. What? Only security vendors? Does this mean that if you're a regular business you don't get the opportunity to find out about a threat until you pay a security vendor? Also, there is already CERT which is "funded primarily by the U.S. Department of Defense and the Department of Homeland Security, along with a number of other federal civil agencies" - to quote from their web site. Seems to me this point is already being taken care of properly. If you don't like the way CERT runs, maybe it should be changed. But, why are they trying to reinvent the wheel?

3) set up an emergency computer network that would remain functional during Internet blackouts. Apparently none of these big ole security honchos know even a little bit of the history behind the formation of the Internet... might I suggest the book by Peter Salus, Casting the Net: From ARPANET to INTERNET and Beyond. It was written in 1995 (they must have missed it), but he makes it clear that the Internet was started by the Defense Department in order to have a means of communication that was redundant and resistant to failure in case of nuclear attack. (Some people need these things spelled out for them because they didn't pay attention the first time the information came their way.) Now, there are certainly ways that the current Internet can be made more reliable and less prone to failures, but failures are why we have the net in the first place... so once again we are being asked to reinvent the wheel - this time it's a wheel from one of those big mining machines - you know the HUGE ones.

No, as far as I can see, no one is bringing anything new to the table. They simply want an influx of cash with themselves as the beneficiaries... Oh but there is one more thing they want.

One especially important move, they said, would be to elevate Yoran's successor to the assistant-secretary level within the Homeland Security Department.

Ah that political clout - that's worth some cash too isn't it. Once you get someone in at a secretary level, you get more of a chance at the cash. Sorry, but in the interest of computer security, I think we need to leave the government out of things or at least off to the side. Currently they can't secure their own systems, so putting them in charge of security would be like taking a cop who allows every criminal to escape and making him the head of the prison.

Thank you, but I'm going to keep my hand on my wallet for now. This looks like another sinkhole for money of monumental proportions.

Posted by: Teresa in WebTech at 06:33 PM

1 Excellent job of "following the money" on this one :-)

Posted by: Harvey at December 10, 2004 04:05 AM (tJfh1)
