Schneier Says We Don't Need a Cybersecurity Czar
Trailrunner7 writes "Threatpost.com reports that security guru Bruce Schneier says not only should the NSA not run cybersecurity for the federal government, no one should. 'Really what I think is it shouldn't be anybody. We do better without a top-down hierarchy. Our economic and political systems work best when there isn't a dictator in charge, when there isn't one organization in charge. My feeling is there shouldn't be one organization in charge. Not only shouldn't it be the NSA, it shouldn't be anybody,' Schneier said."
Our economic and political systems (Score:5, Interesting)
Our economic and political systems work best when there isn't a dictator in charge
Next in News: Bruce Schneier asked to be member of a Cybersecurity Tribunal.
Makes sense (Score:5, Interesting)
The business generalization is too crude (Score:5, Interesting)
Top down works -- for managing the efficient, repeated performance of a task with well defined and stable success criteria, and where performance can be improved incrementally by local adjustments. Top down has a place in the world. When consistency is at a premium, top down is the way to go.
Bottom up works too -- for tasks that involve things that are too complex and fluid for a single person or chain of command to comprehend and react to. Where creativity is at a premium, bottom up is the way to go.
No structure works too -- for tasks where there is a body of people who understand every part of that task. Think a Shaker barn raising. When you have a body of people who've mastered every aspect of a task and everyone can see what task needs more hands, then no structure is the way to go.
It seems to me that something like cybersecurity needs a bit of each approach. It's organizationally difficult, if not impossible to approach such a problem perfectly. However, I think the rough appearance of a structure to handle this would be top down with expertise pushed out to the various groups in the organization and discretion allowed.
Examples of oversight committees working, please (Score:3, Interesting)
All regulatory agencies, oversight committees, etc. are taken over by the regulatees.
This is a law of human social system-level nature as inexorable as the law of gravity.
History is full of layers and layers of oversight, none of which substitute for the self-interest of the operational group doing their job 'right'.
That doesn't happen very often even in large corporations, and is rare in government: precisely what you expect from the relative levels of self-interest of employees in these orgs.
I have worked in organizations from startups through state and federal governments. I am currently in a 30-person small network products company. As a generalization, I find that startups generally work, small organizations do quite often, but the larger the organization and the less connected the employees with management, the worse they execute,
Just refine the idea a little (Score:2, Interesting)
What they need is a solid system of IT auditing to make sure the standards are followed. To the extent they are done now, IT audits are done within each agency and rarely receive attention at the department secretary level. Each department has an inspector general with oversight responsibilities, but they don't seem to put IT audits at the top of their agendas. GAO does not do much with this, either. Why not?
A White House directive for IT audits and request for reports of results would really be sufficient. Let them know the president is taking the issue seriously and they would do so as well.
The "tyranny of the hierarchy" (Score:5, Interesting)
Schneier seems to instinctively grasp what so many people don't: the hierarchical nature of virtually all human organizations - and derived from that vestigial alpha-male instinct - is prone to corruption, subversion, and ultimately ethical failure. Or to quote the old cliche: the Peter Principle applies here, with a twist: it's often the least ethical scum that rises to the top, not the least capable. Even the supposedly democratic United States government is organized in such a fashion, and the successful treasonous behavior of the Bush administration is a useful demonstration of how it can go wrong very quickly.
What Schneier is very reasonably suggesting is that we lessen that hierarchy, not add to it.
Schneier's blog (Score:3, Interesting)
He mentioned last year about the last security czar [schneier.com] who had no security experience, but didn't do his rant right then. And his rant should be good. `8r)
Re:No overlord necessary. (Score:4, Interesting)
I, for one, would be happy with an oversight committee that does its job.
Job descriptions don't come more accurate than that...
Re:Makes sense (Score:1, Interesting)
Yeah, that stuff that started suspiciously after the Democrats had control of Congress and started blocking all of Bush's policies? What a coincidence that all this starts when the Democrats have control of Congress and then spirals completely out of control when they get the house. What a weird coincidence...
Re:dictator or bureaucracy? (Score:3, Interesting)
The one that exists in the private sector, and controls government.
Or:
The one that exists as a foreign government that controls us via large amounts of debt and/or business lobbies.
Bruce got this one wrong (Score:3, Interesting)
Why? Because someone at OMB said:
Harden every desktop installation of Windows XP & Vista [nih.gov]. One leader at the NSA, for the entire federal government, could greatly assist in doing the same for every piece of IT we operate. This is a start on the massive IT security problem the federal govt has. After that, a govt wide approach for software security would be nice.
S773 'Cybersecurity' Bill is unconstitutional. (Score:3, Interesting)
Thanks to an old man of the stack I read S773, but I didn't need to, nor do you, to KNOW it's unconstitutional. Take a look at Amendments 9 & 14 of the US Constitution (something something any powers not specifically set aside for the federal gov. is under the exclusive domain of the States or local gov.s something). They can't create a federal authority for cyberspace out of thin air... they'll need to amend the Constitution to do it. Well, they can, but they'll be destroyed in the courts. If they DO amend the Constitution, making such an appointment legal, then we can go over S773 with a fine-toothed 4th Amendment comb... and again find it unconstitutional.
why NSA shouldn't be used for defense (Score:4, Interesting)
The problem with the NSA is that it IS part of the intelligence structure. If you insert them as a defensive player, more often than not, they will take absolutely NO action in order to protect their spying capabilities.
At present, nobody knows exactly what the reach is of the NSA. Nobody knows what they can and can't hear. If you task them with defending assets, each probe or attack reveals new information about what the NSA has at their disposal, depending on what the response is. I really don't think the NSA is willing to compromise the secrecy of its capabilities in order to thwart hackers.
Seth
Excellent "Yes, Prime Minister" quote in podcast (Score:1, Interesting)
http://www.yes-minister.com/polterms.htm [yes-minister.com]
Re:why NSA shouldn't be used for defense (Score:3, Interesting)
^^^^ THIS.
You cannot appoint a military organization whose effectiveness depends on ignorance of its capabilities and vulnerabilities to protect civilian infosec. The only way any newly discovered vulns will ever be disclosed to the public by this sort of watchdog is if it is felt that "The Enemy" already knows about them and has a workaround, and that the disclosure would not compromise the position of any spies/well placed janitors.
After all, we're *all* generally using the same basic computing infrastructure these days.