Schneier Says We Don't Need a Cybersecurity Czar

Trailrunner7 writes "Threatpost.com reports that security guru Bruce Schneier says not only should the NSA not run cybersecurity for the federal government, no one should. 'Really what I think is it shouldn't be anybody. We do better without a top-down hierarchy. Our economic and political systems work best when there isn't a dictator in charge, when there isn't one organization in charge. My feeling is there shouldn't be one organization in charge. Not only shouldn't it be the NSA, it shouldn't be anybody,' Schneier said."
  • Re:Makes sense (Score:3, Insightful)

    by hedwards ( 940851 ) on Wednesday May 13, 2009 @02:49PM (#27941689)

    Because we don't want varying standards for security. The cybersecurity czar would more likely than not be mostly responsible for making sure efforts are coordinated and testing. In the past the various departments have done a piss poor job of verifying that systems are in fact hardened.

  • I love Schneier (Score:5, Insightful)

    by PingXao ( 153057 ) on Wednesday May 13, 2009 @02:50PM (#27941701)

    He won't make any friends with the government research grant people with that attitude, though. Seriously, if you only occasionally read what Schneier has to say, and follow his advice and guidelines, you'll be more "secure" than 99% of everyone else. That's because 99% of the people (and companies) don't follow his advice, which is often simple and just requires a little effort and awareness. It's the "effort and awareness" thing that most people find challenging.

  • by Ethanol-fueled ( 1125189 ) * on Wednesday May 13, 2009 @02:50PM (#27941705) Homepage Journal
    I, for one, would be happy with an oversight committee that does its job.
  • by Anonymous Coward on Wednesday May 13, 2009 @02:53PM (#27941743)

    I couldn't agree more. I wrote this blog post [mobiusdevelopment.com] a few months ago arguing the exact same thing. There will always be crisis situations where government intervention and coordination may be necessary, but the first line of governance and management should be at the personal, community, and company level.

  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Wednesday May 13, 2009 @02:59PM (#27941873)
    Comment removed based on user account deletion
  • Czar? (Score:5, Insightful)

    by DarthVain ( 724186 ) on Wednesday May 13, 2009 @03:08PM (#27941991)

    Better question is why the USA needs Czars of anything?

    Weren't they leaders of imperialist Russia?

    Why would that label seem appropriate?

  • by Anonymous Coward on Wednesday May 13, 2009 @03:10PM (#27942015)

    that I can see why you want another one.

  • Re:Makes sense (Score:2, Insightful)

    by Anonymous Coward on Wednesday May 13, 2009 @03:16PM (#27942103)

    And given the track record of this administration, will either have cheated on taxes or be so inept at cyber security that every computer he owns is a member of multiple botnets.

    Along with a recent investigation into his former employees that indicates they were running the botnets installed on his computers, with clues that he may or may not have been aware of this.

    The quality of appointees from this administration has so far been a bit on the disappointing side, to say the least.

  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) * on Wednesday May 13, 2009 @03:23PM (#27942217)
    Comment removed based on user account deletion
  • by Crispy Critters ( 226798 ) on Wednesday May 13, 2009 @03:34PM (#27942411)
    All good points. I would add that top down is valuable when budgeting is most important and bottom up works better when transparency is needed. I think I want the people who are deciding what hash functions are secure to be different from the people worrying about whether it will annoy their vendors to ask for a patch and how much it will cost to push the patch to all vulnerable systems. There doesn't seem to be enough overlap between, say, testing encryption, securing the root DNS servers, and locking down desktops running Windows to put all these under one person.
  • by Philip K Dickhead ( 906971 ) <folderol@fancypants.org> on Wednesday May 13, 2009 @03:44PM (#27942583) Journal

    The second they use the term "Czar", to describe a person in administrative capacity over a regulatory body, they betray the authoritarian and anti-democratic ideology with which they conspire against representative government and individual rights and liberties.

    Czar is the Slavic rendering of Caesar. Why anybody sees this as an expediency worthy of trade-off for democratic involvement and oversight is a question I leave you, the dear reader to resolve.

  • Re:Makes sense (Score:4, Insightful)

    by Tanktalus ( 794810 ) on Wednesday May 13, 2009 @03:50PM (#27942693) Journal

    Also known as The President?

    Mind you, maybe that's part of the problem ... and the Czar Czar should be the Speaker of the House...

  • by SuperKendall ( 25149 ) on Wednesday May 13, 2009 @04:00PM (#27942843)

    It could easily be the same security framework or standard (ISO27000?), applied to different realities gives you a different strategy of course.

    Actually no it cannot. If you are "applying a standard to different realities", you have divergence and two real de-facto standards.

    Furthermore the data you are trying to protect varies wildly by domain. CC are protected differently from SSN are protected differently from medical records, for they all have different data paths.

    The variances are great enough we do not need to pay for a federal position that writes up proclamations that people ignore or apply in ways they see fit. We already have industry groups that give us security standards aplenty (like OWASP) that are the devil to apply already, so what good is someone at the federal level going to do beyond that? It's just a total waste of money when we have none to spare.

  • Re:I love Schneier (Score:5, Insightful)

    by moderatorrater ( 1095745 ) on Wednesday May 13, 2009 @04:34PM (#27943403)
    I completely agree. The biggest point people need to take from Schneier is that security is more of a mindset than anything else. If you care about security and you're willing to take a little effort to achieve it, you can (at least until you get humans involved, then there will be a willing idiot almost every time). Encryption is a solved problem, XSS attacks are easily dealt with if you know what you're doing and head the problem off early in development, etc. The biggest thing that would be accomplished is just to get people thinking about it and dealing with it proactively.
  • Re:Makes sense (Score:3, Insightful)

    by cayenne8 ( 626475 ) on Wednesday May 13, 2009 @05:06PM (#27943947) Homepage Journal
    "The Democrats aren't much better, but at least they're trying to spend money on people in THIS HEMISPHERE, let alone in this country."

    While I'm very concerned about the amount of money they are currently spending.

    Why in the HELL should/would they be spending our money (that we don't have) on any people that aren't citizens of the United States??

    I don't mind helping out when you have excess.....but, right now, we do not, and one thing to do, would be to cut out foreign aid.

  • by mmaniaci ( 1200061 ) on Wednesday May 13, 2009 @05:11PM (#27944027)

    ...and the successful treasonous behavior of every administration after Kennedy is a useful demonstration of how it can go wrong very quickly.

    (And yes this includes Obama!) I do agree with you in principle. What can be corrupt, will be corrupt and we need less legislation that has the potential to become corrupt. Due to this, no Czar is a good thing, and I don't think I need to explain the connection with absolute power and corruption.

    P.S. "Czar" is the dumbest buzzword that the interwebs has given birth to in a long time and I for one am sick of hearing it. But I guess it's not really birth... it's more like stealing someone's kid, calling it your own, then beating the shit out of him until he's a she.

  • Don't worry ... (Score:3, Insightful)

    by jc42 ( 318812 ) on Wednesday May 13, 2009 @05:24PM (#27944225) Homepage Journal

    If the NSA (No Such Agency) is in charge, it'll be the same as having no security oversight at all. They naturally keep everything secret, so if they want to tell you to do something, you won't have the security clearance to read the order or any of its details.

    Yes, they can write secret orders, not show them to you, and then prosecute you for not obeying them. But this has been true for around a decade now, so it won't be anything new.

    Anyway, the main area where security is important is in the corporate world's handling of its comprehensive information about all of us. And in the modern US, agencies of the government don't give orders to corporations; the corporations give orders to the government. So corporate databases will continue to be as insecure as always, which doesn't really matter because the information is always for sale to the highest bidder, secure or not. Security really means that the information can't be read by anyone who hasn't paid for it, y'know.

    If there are any changes, the most likely are that the NSA will be forced to adopt corporate-style "security" measures such as 4-digit PINs or password rules so complex that you have to write your passwords down and carry them in your wallet. And they'll routinely leave entire databases in laptops inside parked cars. This will be by policy, not accident. It'll result in more funny news stories; we'll mostly laugh and go about our lives.

    I'd add a ;-), but I'm not sure that this actually qualifies as humor ...

    (I'm sure that Jon Stewart and Steven Colbert will explain it much better than I can.)

  • by Corbets ( 169101 ) on Wednesday May 13, 2009 @11:56PM (#27947427) Homepage

    and you don't have to train your entire staff in computer security.

    Actually, you do. That's Bruce's whole point most of the time, and it's what makes my job as a security consultant so difficult (and well-paid).

    Security is a mindset. Every person has to have the concept of "secure environment" in their head every day, be they developers, users of IT systems, or even the seemingly-rare non-IT user (i.e. custodians). People need to understand why security is so crucial, and they have to be involved in the process; just designing technical controls around them always fails quickly, because people who don't value security will abuse whatever privileges they have, thinking that they're helping someone.
