Forgot your password?
typodupeerror
Security Government United States News Politics

Schneier Says We Don't Need a Cybersecurity Czar 173

Posted by timothy
from the but-sir-these-polls-show-that-you're-winning dept.
Trailrunner7 writes "Threatpost.com reports that security guru Bruce Schneier says not only should the NSA not run cybersecurity for the federal government, no one should. 'Really what I think is it shouldn't be anybody. We do better without a top-down hierarchy. Our economic and political systems work best when there isn't a dictator in charge, when there isn't one organization in charge. My feeling is there shouldn't be one organization in charge. Not only shouldn't it be the NSA, it shouldn't be anybody,' Schneier said."
This discussion has been archived. No new comments can be posted.

Schneier Says We Don't Need a Cybersecurity Czar

Comments Filter:
  • by Culture20 (968837) on Wednesday May 13, 2009 @02:46PM (#27941639)

    Our economic and political systems work best when there isn't a dictator in charge

    Next in News: Bruce Schneier asked to be member of a Cybersecurity Tribunal.

  • Makes sense (Score:5, Interesting)

    The internets are decentralized (mostly), so why shouldn't the security model be?
    • Re: (Score:3, Insightful)

      by hedwards (940851)

      Because we don't want varying standards for security. The cybersecurity czar would more likely than not be mostly responsible for making sure efforts are coordinated and testing. In the past the various departments have done a piss poor job of verifying that systems are in fact hardened.

      • Re:Makes sense (Score:5, Informative)

        by Shakrai (717556) on Wednesday May 13, 2009 @02:53PM (#27941745) Journal

        The cybersecurity czar would more likely than not be mostly responsible for making sure that the public perceives that the feds are doing actually something while actually accomplishing very little other than to direct a few contracts to vendors who donated the right amount of money and/or were buddies of his while he was in school

        Fixed that for you. Given the track record of the other "czar's" appointed by the Federal Government, you'll forgive me for my skepticism.

        • by flyingsquid (813711) on Wednesday May 13, 2009 @03:06PM (#27941947)
          The problem isn't the basic idea of having a 'czar', which is a good idea. The issue is that we have too many czars appointed, so it has become difficult to keep track of them all and coordinate their efforts. What we need is a single individual given the executive power to oversee all of these czars, and appoint them, discipline them, and fire them at will, so as to centralize control of the czars. That person will be the Czar Czar.
        • Re: (Score:2, Insightful)

          by Anonymous Coward

          And given the track record of this administration, will either have cheated on taxes or be so inept at cyber security that every computer he owns is a member of multiple botnets.

          Along with a recent investigation into his former employees that indicate they were running the botnets installed on his computers, with clues that he may or may not have been aware of this.

          The quality of appointees from this administration has so far been a bit on the disappointing side, to say the least.

          • by gadabyte (1228808)

            The quality of appointees from this administration has so far been a bit on the disappointing side, to say the least.

            and yet they're still somehow better than bush appointees...rumsfeld, gonzales, brown, et al...

      • Because we don't want varying standards for security.

        Actually, we do, especially when you think of it from an ROI perspective. For example, I don't secure my home network to the same standard I've secured my business' network. Two different entities, two different priorities: two different security strategies.

        Take it to the next level: A Fortune 500 company's security will be radically different than the one I use for my small business.

        Now, if you're talking standards as in encryption, I'd rat
      • by osgeek (239988)

        responsible

        That's where you went wrong, right there. Responsibility implies accountability. Accountability implies consequences like jail, or fines, or maybe just firing. When was the last time we ever saw any of those things for government officials? Scooter Libby? Poor sap was a scapegoat.

    • by 54mc (897170)
      Because your Uncle Sam knows best.
    • Why then it couldn't be controlled and the feds can't have that. This won't be the first time the feds have tried gettiing their hands on the inner workings of a system to "improve" it and it won't be the last. Their idea is that if it's "under their control" and centralized that it will mean things will be improved everywhere for the most part, unfortunately as is the case with other decentralized systems [the economy] centralization doesn't actually mean things will improve, often the reverse is true.

  • by Bentov (993323) on Wednesday May 13, 2009 @02:48PM (#27941673)
    I, for one, would be happy without an overlord.
  • I love Schneier (Score:5, Insightful)

    by PingXao (153057) on Wednesday May 13, 2009 @02:50PM (#27941701)

    He won't make any friends with the government research grant people with that attitude, though. Seriously, if you only occasionally read what Schneier has to say, and follow his advice and guidelines, you'll be more "secure" than 99% of everyone else. That's because 99% of the people (and companies) don't follow his advice, which is often simple and just requires a little effort and awareness. It's the "effort and awareness" thing that most people find challenging.

    • Re:I love Schneier (Score:5, Insightful)

      by moderatorrater (1095745) on Wednesday May 13, 2009 @04:34PM (#27943403)
      I completely agree. The biggest point people need to take from Schneier is that security is more of a mindset than anything else. If you care about security and you're willing to take a little effort to achieve it, you can (at least until you get humans involved, then there will be a willing idiot almost every time). Encryption is a solved problem, XSS attacks are easily dealt with if you know what you're doing and head the problem off early in development, etc. The biggest thing that would be accomplished is just to get people thinking about it and dealing with it proactively.
    • by galego (110613)

      >>"effort and awareness" ...

      And next, you're going to expect "reason and logic" to prevail too, right!?!?!

    • While I agree with Schneier that ideally security should be a mindset, the fact is the culture of most businesses and government doesn't support it.

      Not having a central authority doesn't mean that nobody is in charge, it means everybody is in charge. This model is the best fit for things like safety and security which are effected by the decisions of individuals at all levels. It also requires that all individuals have the knowledge to make the correct decisions. Unfortunately, people have not been educ
  • by Anonymous Coward on Wednesday May 13, 2009 @02:53PM (#27941743)

    I couldn't agree more. I wrote this blog post [mobiusdevelopment.com] a few months ago arguing the exact same thing. There will always be crisis situations where government intervention and coordination may be necessary, but the first line of governance and management should be at the personal, community, and company level.

  • by MikeRT (947531) on Wednesday May 13, 2009 @02:59PM (#27941873) Homepage
    DHS is a hodge podge of federal agencies that performs like the Keystone Cops in Gestapo uniforms. Not only is the NSA more qualified to take over federal infosec in a time of crisis, but it is statutorally safer for the general public because as a member of the intelligence community, it is not legally a part of the law enforcement apparatus. In order for information to flow to law enforcement, the NSA would not only have to be willing to cooperate, but have to jump a large number of hoops and hurdles to hand off the information. There are a lot of restrictions on the intelligence community with respect to information about Americans that simply don't exist for law enforcement like DHS.

    The real reason why we don't need a Cybersecurity Czar is that 99 times out of 100, the systems that are getting hacked are not sensitive systems. Who cares if the Department of Labor or Interior gets hacked here and there since the intelligence community and military are generally competent at securing their classified networks?
  • I could see someone who will do testing and be the point person for the money. We need someone to do penetration testing with a white hat on.

    Any volunteers?

  • Czar? (Score:5, Insightful)

    by DarthVain (724186) on Wednesday May 13, 2009 @03:08PM (#27941991)

    Better question is why the USA needs Czars of anything?

    Weren't they leaders of imperialist Russia?

    Why would that label seem appropriate?

    • The title of the former rulers of Russia was "Tsar".

    • Why would that label seem appropriate?

      But it's completely different! The American Czars are honorable representatives of the people who are held accountable for their actions!

      Right?

    • The USA already has many Czars, they just don't call them that. They call them CEOs instead.

    • Perhaps you haven't seen the news in the last 8 months?

      • by DarthVain (724186)

        No I haven't seen any news in the last 8 months...

        Did McCain win the US election, build a time machine, travel to Russia and steal their titles?

        'Cause that is what I figured he would do if he won the election. That or raise an army of zombie cadavers to take over the world (aka republican party).

  • by hey! (33014) on Wednesday May 13, 2009 @03:09PM (#27942003) Homepage Journal

    Top down works -- for managing the efficient, repeated performance of a task with well defined and stable success criteria, and where performance can be improved incrementally by local adjustments. Top down has a place in the world. When consistent is at a premium, top down is the way to go.

    Bottom up works too -- for tasks that involve things that are too complex and fluid for a single person or chain of command to comprehend and react to. Where creativity is at a premium, bottom up is the way to go.

    No structure works too -- for tasks where there is a body of people who understand every part of that task. Think a Shaker barn raising. When you have a body of people who've mastered every aspect of a task and everyone can see what task needs more hands, then no structure is the way to go.

    It seems to me that something like cybersecurity needs a bit of each approach. It's organizationally difficult, if not impossible to approach such a problem perfectly. However, I think the rough appearance of a structure to handle this would be top down with expertise pushed out to the various groups in the organization and discretion allowed.

    • Re: (Score:3, Insightful)

      All good points. I would add that top down is valuable when budgeting is most important and bottom up works better when transparency is needed. I think I want the people who are deciding what hash functions are secure to be different from the people worrying about whether it will annoy their vendors to ask for a patch and how much it will cost to push the patch to all vulnerable systems. There doesn't seem to be enough overlap between, say, testing encryption, securing the root DNS servers, and locking d
    • Top down works -- for managing the efficient, repeated performance of a task with well defined and stable success criteria, and where performance can be improved incrementally by local adjustments. Top down has a place in the world. When consistent is at a premium, top down is the way to go.

      And not one aspect of that sounds anything like systems security, where attacks are fluid and the definitions of success are countless.

      We do not need to fund federally a position that is far better met by people closer t

      • by hey! (33014)

        It seems to me that this issue has different dimensions, some of which are fluid, others of which are not.

        You would not expect the so called czar to direct a response to an attack by himself. That's not feasible. However the czar could oversee the aspects of the problem that are repeatable, for example ensuring training programs exist for system administrators; making sure groups working with critical systems have contingency plans; ensuring that vulnerability testing is done; investigating open installat

        • You would not expect the so called czar to direct a response to an attack by himself. That's not feasible. However the czar could oversee the aspects of the problem that are repeatable, for example ensuring training programs exist for system administrators; making sure groups working with critical systems have contingency plans; ensuring that vulnerability testing is done; investigating open installations which haven't installed recommended security patches. That sort of thing.

          All done today by private indu

    • by GigsVT (208848)

      No structure works too -- for tasks where there is a body of people who understand every part of that task. Think a Shaker barn raising.

      You mean like every editor on Wikipedia understanding every detail about how to write an encyclopedia?

      • by hey! (33014)

        Well, what are the requirements of an encyclopedia?

        You will find that when it comes to consistent scholarly accountability, Brittanica is the way to go. If responsiveness to changing needs is at a premium, Wikipedia is far more useful, albeit not entirely reliable. No responsive medium could be.

        • by GigsVT (208848)

          Are you missing my point on purpose?

          How about another example: Economic markets.

          There's plenty of "no organization" systems that work just fine, without everyone understanding or even anyone understanding everything.

          • by hey! (33014)

            No, we're talking past each other, making different, although not incompatible points.

            My characterizing of task types was not meant to be exclusive; we might well add a fourth category of tasks whose component subtasks have no demonstrably optimal method.

    • Re: (Score:3, Informative)

      No structure works too -- for tasks where there is a body of people who understand every part of that task. Think a Shaker barn raising. When you have a body of people who've mastered every aspect of a task and everyone can see what task needs more hands, then no structure is the way to go.

      I am not sure about Shaker barn raising, but I am pretty sure you actually meant Amish barn raising. I know something about Amish barn raising (I have relatives among the Amish).
      Amish barn raising is not "no structure". There is no formal structure, but there is a fairly strict informal structure. As a general rule everybody at an Amish barn raising has known everybody else there as long as they can remember and almost all of them are related to one degree or another.
      The structure used for Amish barn rais

    • Wish I had mod points - this is one of the most-insightful thoughts about the relative values and uses of differing organizational structures I've ever read (and I've worked in organizations sized from less than 50 to over 15k employees)...

    • by grcumb (781340)

      Top down works --

      Bottom up works too --

      No structure works too --

      It seems to me that something like cybersecurity needs a bit of each approach.

      So... kind of like a porn shoot, then?

  • There is already a set of standards and an agency with responsibility for setting and updating them, namely the Computer Security Division of the National Institute of Standards and Technology. We don't need another czar; we're running out of Fabergé eggs and gaudy uniforms.

    What they need is a solid system of IT auditing to make sure the standards are followed. To the extent they are done now, IT audits are done within each agency and rarely receive attention at the department secretary leve
  • First, it's not a dictator.
    Second, Government works best when it's open and has a top down functionality.
    Third, Do you propose that some account be in charge of handling his own security? that every agency works in a bubble?

    Do we need a Cybersecurity position? maybe not, but we do need a person security guideline and procedure come from. This way they can be vetted, and you don't ahve to train your entire staff in computer security.

    • Re: (Score:3, Insightful)

      by Corbets (169101)

      and you don't ahve to train your entire staff in computer security.

      Actually, you do. That's Bruce's whole point most of the time, and it's what makes my job as a security consultant so difficult (and well-paid).

      Security is a mindset. Every person has to have the concept of "secure environment" in their head every day, be they developers, users of IT systems, or even the seemingly-rare non-IT user (i.e. custodians). People need to understand why security is so crucial, and they have to be involved in the process; just designing technical controls around them always fails qu

      • Security is a mindset. Every person has to have the concept of "secure environment" in their head every day, be they developers, users of IT systems, or even the seemingly-rare non-IT user (i.e. custodians). People need to understand why security is so crucial, and they have to be involved in the process; just designing technical controls around them always fails quickly, because people who don't value security will abuse whatever privileges they have, thinking that they're helping someone.

        And you need a

  • We Don't Need a Cybersecurity Czar.

    ... These are not the droids you're looking for.

  • by macraig (621737) <mark.a.craigNO@SPAMgmail.com> on Wednesday May 13, 2009 @03:48PM (#27942665)

    Schneier seems to instinctively grasp what so many people don't: the hierarchical nature of virtually all human organizations - and derived from that vestigial alpha-male instinct - is prone to corruption, subversion, and ultimately ethical failure. Or to quote the old cliche: the Peter Principle applies here, with a twist: it's often the least ethical scum that rises to the top, not the least capable. Even the supposedly democratic United States government is organized in such a fashion, and the successful treasonous behavior of the Bush administration is a useful demonstration of how it can go wrong very quickly.

    What Schneier is very reasonably suggesting is that we lessen that hierarchy, not add to it.

    • Re: (Score:2, Insightful)

      by mmaniaci (1200061)

      ...and the successful treasonous behavior of every administration after Kennedy is a useful demonstration of how it can go wrong very quickly.

      (And yes this includes Obama!) I do agree with you in principal. What can be corrupt, will be corrupt and we need less legislation that has the potential to become corrupt. Due to this, no Czar is a good thing, and I don't think I need to explain the connection with absolute power and corruption.

      P.S. "Czar" is the dumbest buzzword that the interwebs has given birth to in a long time and I for one am sick of hearing it. But I guess its not really birth... its more like stealing someone's kid, calling it you

      • by macraig (621737)

        No counter-arguments here, not even vis-a-vis Obama. He ain't no messiah, and he's not really even a reformer. He's a MEDIATOR, a true politician's politician. He'll dissemble and twist and manipulate just like Bush, though we may not catch him red-handed at it quite so often.

    • by oncehour (744756)
      I think you may misunderstand the Peter Principle, to some degree. At least to the degree that I've seen it implemented. The Peter Principle says that people are promoted to the level of their incompetence. This means as long as you're competent, you are continually promoted until suddenly you are no longer competent or can maintain a "baseline". Most organizations aren't run by complete idiots, if they were they wouldn't be multi-billion dollar enterprises.

      That said, once someone gets promoted into a jo
    • Schneier seems to instinctively grasp what so many people don't: the hierarchical nature of virtually all human organizations - and derived from that vestigial alpha-male instinct - is prone to corruption, subversion, and ultimately ethical failure. Or to quote the old cliche: the Peter Principle applies here, with a twist: it's often the least ethical scum that rises to the top, not the least capable. Even the supposedly democratic United States government is organized in such a fashion, and the successful

  • by brunes69 (86786) <slashdot@keirstea d . o rg> on Wednesday May 13, 2009 @03:49PM (#27942691) Homepage

    Bruce Schneier's secure handshake is so strong, you won't be able to exchange keys with anyone else for days.

    http://geekz.co.uk/schneierfacts/ [geekz.co.uk]

  • Schneier's blog (Score:3, Interesting)

    by GoNINzo (32266) <GoNINzo@y a h oo.com> on Wednesday May 13, 2009 @03:54PM (#27942763) Homepage Journal
    I'm looking forward to his opinion directly from his blog [schneier.com] as well. I have a feeling that he has a lot to say on this topic, if only someone would listen.

    He mentioned last year about the last security czar [schneier.com] who had no security experience, but didn't do his rant right then. And his rant should be good. `8r)

    • by GoNINzo (32266)
      And awesome, I have a lower slashdot id than him [slashdot.org] as well. Time to remind him to talk to us!
      • by jdgeorge (18767)

        And awesome, I have a lower slashdot id than him [slashdot.org] as well. Time to remind him to talk to us!

        Good grief. Having a low Slashdot ID is like having been the first one on your block to wear polyester leisure suits. Sure, you were a trendsetter, but wearing a polyester leisure suit before your neighbors is nothing to be proud of.

    • by droopycom (470921)

      Yeah, it seems he has been repeating the same things in his newsletters for a while. I guess they needs to be hammered down, but frankly, I think I got his point already, and if I didnt then I probably never will. So I'm tired of reading the same things over and over, and I'm mostly ignoring his newsletters now...

      Too bad...

  • Which is worse? i donno.

    • Re: (Score:3, Interesting)

      by sethstorm (512897) *

      The one that exists in the private sector, and controls government.

      Or:

      The one that exists as a foreign government that controls us via large amounts of debt and/or business lobbies.

  • by brennz (715237) on Wednesday May 13, 2009 @04:16PM (#27943091)
    More was done to secure the US govt by OMB fiats [whitehouse.gov], than any other recent actions.

    Why? Because someone at OMB said:
    Harden every desktop installation of Windows XP & Vista [nih.gov]. One leader at the NSA, for the entire federal government, could greatly assist in doing the same for every piece of IT we operate. This is a start on the massive IT security problem the federal govt has. After that, a govt wide approach for software security would be nice.
  • by catmistake (814204) on Wednesday May 13, 2009 @04:31PM (#27943347) Journal

    Thanks to an old man of the stack I read S773, but I didn't need to, nor do you, to KNOW its unconstitutional. Take a look at Amendments 9 & 14 of the US Constitution (something something any powers not specifically set aside for the federal gov. is under the exclusive domain of the States or local gov.s something). They can't create a federal authority for cyberspace out of thin air... they'll need to amend the Constitution to do it. Well, they can, but they'll be destroyed in the courts. If they DO amend the Constitution, making such an appointment legal, then we can go over S773 with a fine toothed 4th Amendment comb... and again find it unconstitutional.

    • by pi_rules (123171)

      They can't create a federal authority for cyberspace out of thin air

      They'll just say it's authorized by the interstate commerce clause.

      • Re: (Score:2, Troll)

        by catmistake (814204)

        disclaimer: in my gp post, I said 9th (and that might work too) but I meant 10th.

        afa the Commerce Clause... they can't use it nowadays... but maybe they can. Rehnquist's Court put a stop to the broad interpretation of the Clause, argueing broad interpretation justifies a federal police state... and no one wants that now that the Republicans are out of office (and losing members left and right). Then again, Rehnquist has been gone a few years... it could swing back, but I doubt it will happen under a liberal

        • Then again, Rehnquist has been gone a few years... it could swing back, but I doubt it will happen under a liberal administration.

          You do realize that the liberal justices are more likely to allow the federal government to do whatever it wants under the Commerce Clause right? It's the conservatives who have tried to limit the federal power.

          • It's the conservatives who have tried to limit the federal power.

            In general, sure. Conservatives want less government, at the expense of liberties. Liberals want liberties, at the expense of government. In the case of the Commerce Clause and a proposed cybersecurity oversight mechanism, its not so clear cut as which is more government or which is less liberty. It seems to me it would be a conservative idea that cybersecurity needs oversight because inherently such an organization would limit liberties, not protect them. The 2009 Bill S773 was proposed by a Democratic sen

    • Uhm... you don't need a law degree to know that the federal government can certainly create an organization to oversee cybersecurity for the federal government. I guess you were modded "Insightful" because "paranoid" isn't a mod option.
      • yes they can... but the point is that it won't be around for long, if unconstitutional, someone will take them to the mat... uh, SCOTUS

  • Don't worry ... (Score:3, Insightful)

    by jc42 (318812) on Wednesday May 13, 2009 @05:24PM (#27944225) Homepage Journal

    If the NSA (No Such Agency) is in charge, it'll be the same as having no security oversight at all. They naturally keep everything secret, so if they want to tell you to do something, you won't have the security clearance to read the order or any of its details.

    Yes, they can write secret orders, not show them to you, and then prosecute you for not obeying them. But this has been true for around a decade now, so it won't be anything new.

    Anyway, the main area where security is important is in the corporate world's handling of its comprehensive information about all of us. And in the modern US, agencies of the government don't give orders to corporations; the corporations give orders to the government. So corporate databases will continue to be as insecure as always, which doesn't really matter because the information is always for sale to the highest bidder, secure or not. Security really means that the information can't be read by anyone who hasn't paid for it, y'know.

    If there are any changes, the most likely are that the NSA will be forced to adopt corporate-style "security" measures such as 4-digit PINs or password rules so complex that you have to write your passwords down and carry them in your wallet. And they'll routinely leave entire databases in laptops inside parked cars. This will be by policy, not accident. It'll result in more funny news stories; we'll mostly laugh and go about our lives.

    I'd add a ;-), but I'm not sure that this actually qualifies as humor ...

    (I'm sure that Jon Stewart and Steven Colbert will explain it much better than I can.)

Do molecular biologists wear designer genes?

Working...