Cybersecurity Chief Resigns
Doc Ruby writes "AP is reporting that 'The government's cybersecurity chief has abruptly resigned after one year with the Department of Homeland Security, confiding to industry colleagues his frustration over what he considers a lack of attention paid to computer security issues within the agency. Amit Yoran, a former software executive from Symantec Corp., informed the White House about his plans to quit as director of the National Cyber Security Division and made his resignation effective at the end of Thursday, effectively giving a single day's notice of his intentions to leave.' Yoran is the third cybersecurity chief in a row, after Richard Clarke and Howard Schmidt, to quit the Bush administration citing organizational inability to do his job. Maybe the job can't be done." In a possibly related story, individuals take cybersecurity lightly: Ant writes "This story says that consumers have a casual approach toward cybersecurity and fail to grasp the pervasiveness of online threats, according to a study released Thursday. More than a third of the 493 PC users surveyed by the nonprofit National Cyber Security Alliance (NCSA) said they had a greater chance of winning the lottery or being struck by lightning than of being hit by malicious code."
BIG mistake (Score:3, Interesting)
Intractable Problem? (Score:5, Interesting)
So symptomatic of all politics (Score:5, Interesting)
All politics is about power, the obtaining of it and the maintaining and expanding it. The focus when running for office is to say and promise whatever it takes to get you into office. Once there, the focus becomes hanging on to power at all costs. The way to do that is to play on voter's fears, desires, insecurities, in such a way as to get them to think you will solve their problems better than the next guy. Thereby saving your job.
This is true no matter the topic, and no matter the importance of the topic. Right now, Topic A is security, and boy is that a vital topic. So vital, you'd think politicians would put their usual partisan techniques and actually get something done. But no, even here with lives at stake, it's politics as usual. Is computer security a hot-button issue for the average voter? Not enough to throw someone out of office over. So does this get priority? Nope.
Look at the vulnerability of chemical plants to attacks. There were proposals to beef up security, the chemical industry squawked at the costs, the plan got scaled back. Why? Isn't security important? Sure, just ask Union Carbide about Bhopal. More importantly, ask thousands of Indians about Union Carbide in Bhopal. It is important, but it's not attracting votes, so it gets shunted aside. That's all that matters, folks. It's about maintaining power. So no matter how many security czars they get, unless that becomes a hot-button issue for the voters, it'll never be a hot-button issue for the Bush White House (or any other president that comes along).
Cyber security needs to be tied into defense (Score:3, Interesting)
The political bottleneck (Score:2, Interesting)
Things which are more likely to happen... (Score:3, Interesting)
...than winning the lottery: well, you're about 250 times more likely to be involved in a car accident than to win the lottery. And about 10 times more likely to be murdered.
(That's over a whole year, assuming you buy a ticket every week).
Virtually everything is more likely than winning the lottery. Their poll just shows that people don't really understand probability... (hmm. You're also more likely to be hit by lightning than to win the lottery.)
These guys gotta toughen up! (Score:2, Interesting)
Granted, it's not like I'm in a highly-influential government job, but I do work in Computer Security. As a low-level grunt with delusions of grandeur, I can certainly understand the feelings of frustration, particularly when people don't do the right thing (i.e. what I tell them to). Maybe those of us in the trenches just have the clarity to realize that the job is hard, there are no quick fixes, and trying to convince people who bought their computer the same way they bought their toaster is a really, REALLY hard job.
On the other hand, I've been doing this for 8 years, 7 years at my present company. Maybe the Baby Bush should hire me, since I'm not such a candy-ass :-)
Re:Things which are more likely to happen... (Score:4, Interesting)
Why not educate people? (Score:3, Interesting)
For all the money they probably pump into cybersecurity, can't they start a nationwide campaign to educate users?
Re:Security is a hard job (Score:2, Interesting)
Considering it's in agreement that "take away electricity & technology, we're back in the stone ages" is very true and easy to understand for those who wish harm on the US as well as the connected world. Computers are tools and can be used as weapons or utility, make your choice. And with computers more interconnected to that environment (business, society, etc...), protection of privacy, from malicious code, intrusion or exploitation should be top priorities.
I'd take the job, anyone here should offer. It's important for anyone in technology. Success or fail, we'll learn something. I'm surprised Yoran doesn't offer any notable "lessons learned".
Then again, from experience, I feel his pain trying to get things working at DHS. Oh well, the clock is ticking--at least those who oppose us do not have much technology...yet. I hear Iraqis have better cellphones (EDGE) than we do here...
Re:Well... (Score:2, Interesting)
Re:Why not educate people? (Score:3, Interesting)
But you realize with your car that you have to change the oil every so often or take it to someone who can. You might even have it winterized every year. You probably buy new tires every few years and even get it washed sometimes.
All that is needed is a basic computer class (i.e. like getting your driver's licence), an auto-updating virus scanner and Ad-Aware-type software. I don't think that is much harder than what anyone has to do to own a car.
Re:Intractable Problem? (Score:2, Interesting)
Now we don't store PGP/GPG plaintext passwords, but we do store plaintext KEK (Key Encryption Key) and Master Keys and what not for banking networks, ATMs, etc.. They are in a safe. It takes two people to open the safe. It takes two other people to enter the plaintext into the HSMs (There's much more involved - such as the audit trail, and so on...) I dare ya to social engineer that.
As long as proper security controls are implemented (i.e. dual control, separation of duties, authentication procedures) there's nothing wrong with having plain-text for recovery purposes.
Re:no Digital Pearl Harbors (Score:2, Interesting)
The only way to make people aware of the problem is for somebody to fly a Beowulf cluster of zombies into the Statue of Liberty ... on TV. Fat chance for that to happen.
So I guess we have to deal with the alternative. Users are lame. It's their privilege. So we have to create an environment where it's safe for them to be lame.
Now there is a challenge...
Re:I just don't believe it! (Score:3, Interesting)
No, they don't. If they did, they would never buy anything from Microsoft. They'd all be buying Macs.
And don't try to claim that they're ignorant of Windows' user hostility. Jokes about the difficulty of making computers do anything right are part of the general culture. And people with even the slightest bit of computer awareness are always aware of Apple. I've overheard many forms of this exchange:
Person1: I hate my fuckin' computer; it never works right.
Person2: Hmm
Person1: Yeah, but you use a Macintosh.
Person2: <shrug/>
No, there's a simple reason they buy the most user-hostile computers: marketing. They buy it because they've been told over and over that it's the only computer that people ever buy. And this happens because Microsoft has an advertising budget larger than the total operating budget of all those zillions of little computer companies like Apple or Sun or whoever.
Also, they don't want to be thought of as nerds, which is how they think of Mac users.
Re:I shouldn't have to care about malicious code (Score:3, Interesting)
Exactly!!! Certified experts have already designed those products for use by Joe-average. He can cook all kinds of meals without needing to install new gas fittings, adjust microwave frequencies, or fiddle with particle beams [technovelgy.com]. :-)
I have argued for years that the general, home-user PC device should have matured into appliance-level sophistication (i.e. easy to use) YEARS ago. The "complexity" of the modern PC operating systems is total overkill.
Now, depending on which programs I elect to use, I would agree that an increased level of knowledge is necessary. For example, if I load Quicken for Small Business, I better understand something about accounting, finance, banking, etc...
But if all I want to do is read e-mail, surf the web, and play a game, I should ONLY be required to understand the complexities of entering URLs, knowing the difference between Reply and Reply-to-all, and that I want to play the Recruit level -not the Frag-Master level.
That's my point! PCs are waaay too complex for their most common uses. That we (the tech industry) have delivered machines that require so much care-and-feeding just for the O/S is a complete embarrassment. And to add insult to injury, we (the tech industry) often maintain the arrogant attitude of "well, if they're too stupid to use it, they don't deserve to read e-mail..." instead of saying to ourselves "you know, Joe-average shouldn't have to deal with all this crap just to access some basic communication services."
Re:To everyone saying people are stupid (Score:3, Interesting)
Look, they may not be stupid (in the dictionary sense of the word) but stupid is often used in place of ignorant. But they ARE apathetic. How else do you explain the low voter turnout? If 100% of the population was involved, even minimally, in voting or civics in general, this country would be a different place...
"The average Joe does want to learn."
Uhh, maybe. Some do, but many do not want to expend any effort to do so or learn anything that conflicts with their preconceived notion of how the world is. And if you don't want to expend effort, then you really don't want to learn.
Re:Intractable Problem? (Score:2, Interesting)
That way, when someone has locked something up and their key is no longer available, the superfriends can get together and re-unite the master key to unlock whatever. Nobody actually has to write down anything to keep from getting locked out.
Forgotten passwords you handle by having a designated revoker to kill your old key, then make a new one. Right?
Re:no Digital Pearl Harbors (Score:1, Interesting)
I don't blame him a bit! (Score:2, Interesting)
I took the "security test"... (Score:5, Interesting)
I guess the answers their scoring system didn't like were
RE: flip the power on and go? (Score:3, Interesting)
As just one (of countless!) examples I run across in my line of work (on-site PC service), I was trying to help a guy out this afternoon who had spyware/virus problems crippling his Windows XP machine.
He's no dummy either. He has a PhD in Physics, and works from home as an editor for college textbooks.
This is about the 5th time in 6 months or so that I've had to help him fix these types of issues. Originally, he was running Windows ME on his Gateway Pentium 4 system, and viruses pretty much made the computer unusable. I spent the better part of an afternoon removing the viruses and all the spyware I could find - but a lone remaining virus was a "downloader trojan horse" and apparently re-downloaded and installed numerous virii after I left.
After a second round of cleanup, I seemed to have it all fixed - but about a month later, it seems a few things got past his Symantec Personal Firewall and started causing tons of pop-up ads and other issues, so I was called out yet again!
Finally, he just asked us to wipe the drive and start fresh. We did, and made sure to do every possible Windows update, install the latest ZoneAlarm firewall, etc. etc.
So then, he decides to take the plunge and upgrade to Windows XP (since ME was a regularly crashing/blue-screening piece 'o junk anyway). We did that for him, and applied Service Pack 1 and everything else available at the time.
Well, after a couple weeks, voila - more rampant spyware/virii problems! He already tried both SpyBot and Ad-Aware SE 1.05, the very latest AVG Anti-Virus updates, and more, yet he couldn't eliminate the problems - and it was hindering him from doing his work.
I tried everything I could think of, including hours of manually deleting things. (XP likes to keep temporary files inside hidden sub-folders under the "Documents and Settings" directory, and I've found many viruses hide out in there, for example.) I got everything clean that I could find, and all the scanners report it clean, yet each time you launch Internet Explorer - it redirects you to some spyware/ad-ware web site and starts trying to install a bunch of garbage via Active-X!
Nobody should have to go through all of this B.S. just to get some work done from home! This is a disgrace. This guy isn't even "surfing porn sites" or any of the stuff people like to point fingers and accuse people of if their PC gets infected....
I've already suggested maybe he should make his next computer a Mac.... Several of his co-workers made the switch recently, already, and seem to be pleased. He's just concerned with the fact he owns so many PC only software packages and doesn't want to buy the same things over again to get a Mac native version....
Re:Why not educate people? (Score:3, Interesting)
A computer is a tool like a car - just because I don't know how to build a transmission doesn't mean I shouldn't drive.
A car is a tool for one job: driving. A computer is a tool for lots of different jobs, some of them very complex. If people wanted a computer to do only simple things, then we wouldn't be in this mess: ActiveX and JavaScript-enabled email would never have come along, for instance.
But users constantly demand more capabilities. Not without cause, mind you, but that's not the point. The users want to be able to send emails that make a dancing baby go along the bottom of their computer screen. If John's computer can read the dancing-baby email but Jane's can't, she'll want to change her software to be able to read the dancing-baby email. We gots to have the dancing baby! And that's a normal desire for Jane to have, nothing inherently bad about it.
The problem is, it's not clear to Jane that this is unsafe. She sees John's dancing baby. Maybe she sees that John's computer crashes more often, but she doesn't link that to the dancing baby. Why should she?
I'd like to be able to step into my car and tell it, "Take me to Fry's" and off it goes. I can sit and chat with my friend while we travel, none of this pesky watching the road. The technology to do this is around today, but it's unsafe. Since car manufacturers take on liability, nobody's built this car.
The vendors of computer technology are not like car vendors. Insecurity on a computer doesn't automatically mean unsafe (that is, it's uncommon for people to be killed by computer problems). So technology vendors aren't liable if their products are insecure. That means that technology vendors have the freedom to develop insecure solutions to meet market demands.
Now, Theo the Technology Vendor builds a product that's secure, but won't show the dancing baby. Bill the Technology Vendor sells a product that's insecure, and will show the dancing baby. Of course, Bill doesn't tell people that his product is insecure. He might not even know it. So who does Jane get her technology from? (Followup: who now has money to develop and market the next product?)
I'm not saying it's the users' fault. I'm not saying it's the vendors' fault. That's a losing game: the vendors point the finger at the users, the users point the finger at the vendors, and all anybody gets is the finger. I'm simply saying that, as long as users demand complex capabilities, and vendors provide them without regard to security, the situation will not be resolved.