Schneier Says We Don't Need a Cybersecurity Czar
Trailrunner7 writes "Threatpost.com reports that security guru Bruce Schneier says not only should the NSA not run cybersecurity for the federal government, no one should. 'Really what I think is it shouldn't be anybody. We do better without a top-down hierarchy. Our economic and political systems work best when there isn't a dictator in charge, when there isn't one organization in charge. My feeling is there shouldn't be one organization in charge. Not only shouldn't it be the NSA, it shouldn't be anybody,' Schneier said."
Our economic and political systems (Score:5, Interesting)
Our economic and political systems work best when there isn't a dictator in charge
Next in News: Bruce Schneier asked to be member of a Cybersecurity Tribunal.
Why an ANYTHING Czar? (Score:5, Insightful)
The second they use the term "Czar", to describe a person in administrative capacity over a regulatory body, they betray the authoritarian and anti-democratic ideology with which they conspire against representative government and individual rights and liberties.
Czar is the Slavic rendering of Caesar. Why anybody sees this as an expediency worthy of trade-off for democratic involvement and oversight is a question I leave you, the dear reader, to resolve.
Bruce Windu says... (Score:2)
"You don't need a cybersecurity czar... This isn't the issue you're looking for... They can go about their business... Move along."
I dunno, this whole thing smells like bantha poodoo to me.
Re: (Score:2)
Czar is the Slavic rendering of Caesar.
So it's really pronounced C-zar? ;)
Why an ANYTHING Czar? (Score:2)
So they can pretend to do something.
A position with the title of Czar is one that has absolutely no power to do anything.
Makes sense (Score:5, Interesting)
Re: (Score:3, Insightful)
Because we don't want varying standards for security. The cybersecurity czar would more likely than not be mostly responsible for making sure efforts are coordinated and testing. In the past the various departments have done a piss poor job of verifying that systems are in fact hardened.
Re:Makes sense (Score:4, Insightful)
Also known as The President?
Mind you, maybe that's part of the problem ... and the Czar Czar should be the Speaker of the House...
Re:Rule (Score:2)
One Czar to Rule them all and in the Darkness bind them?
Re: (Score:2)
Meeesa ruler?
Re: (Score:2, Insightful)
And given the track record of this administration, will either have cheated on taxes or be so inept at cyber security that every computer he owns is a member of multiple botnets.
Along with a recent investigation into his former employees that indicate they were running the botnets installed on his computers, with clues that he may or may not have been aware of this.
The quality of appointees from this administration has so far been a bit on the disappointing side, to say the least.
Re: (Score:2)
The quality of appointees from this administration has so far been a bit on the disappointing side, to say the least.
and yet they're still somehow better than bush appointees...rumsfeld, gonzales, brown, et al...
Re: (Score:3, Insightful)
While I'm very concerned about the amount of money they are currently spending.
Why in the HELL should/would they be spending our money (that we don't have) on any people that aren't citizens of the United States??
I don't mind helping out when you have excess.....but, right now, we do not, and one thing to do, would be to cut out foreign aid.
Re: (Score:2)
>>The Democrats aren't much better, but at least they're trying to spend money on people in THIS HEMISPHERE, let alone in this country.
Well, then independent of who let this through (below), Bush's Admin. or the Democratic Congress ... maybe they should go kill this (heard about it on the radio):
http://www.cnsnews.com/public/content/article.aspx?RsrcID=47976&print=on [cnsnews.com]
http://mediamatters.org/research/200905130010 [mediamatters.org]
Re: (Score:2)
Actually, we do, especially when you think of it from an ROI perspective. For example, I don't secure my home network to the same standard I've secured my business' network. Two different entities, two different priorities: two different security strategies.
Take it to the next level: A Fortune 500 company's security will be radically different than the one I use for my small business.
Now, if you're talking standards as in encryption, I'd rat
Different realities = divergence (Score:3, Insightful)
It could easily be the same security framework or standard (ISO27000?), applied to different realities gives you a different strategy of course.
Actually no it cannot. If you are "applying a standard to different realities", you have divergence and two real de-facto standards.
Furthermore, the data you are trying to protect varies wildly by domain. CCs are protected differently from SSNs, which are protected differently from medical records, for they all have different data paths.
The variances are great enough we do
Re: (Score:2)
responsible
That's where you went wrong, right there. Responsibility implies accountability. Accountability implies consequences like jail, or fines, or maybe just firing. When was the last time we ever saw any of those things for government officials? Scooter Libby? Poor sap was a scapegoat.
Re: (Score:2)
Why, then it couldn't be controlled, and the feds can't have that. This won't be the first time the feds have tried getting their hands on the inner workings of a system to "improve" it, and it won't be the last. Their idea is that if it's "under their control" and centralized, it will mean things will be improved everywhere for the most part; unfortunately, as is the case with other decentralized systems [the economy], centralization doesn't actually mean things will improve. Often the reverse is true.
Examples of oversight committees working, please (Score:3, Interesting)
All regulatory agencies, oversight committees, etc. are taken over by the regulatees.
This is a law of human social system-level nature as inexorable as the law of gravity.
History is full of layers and layers of oversight, none of which substitute for the self-interest of the operational group doing their job 'right'.
That doesn't happen very often even in large corporations, and is rare in government: precisely what you expect from the relative levels of self-interest of employees in these orgs.
I have worked in
So you're saying, you want a pony (Score:2)
I, for one, would be happy with an oversight committee that does its job.
So would be all, but the very nature of an oversight committee (heck, a committee in general) is to make no-one happy and basically consume funds as it grows.
Thanks for wanting me to pay for that, but no thanks.
Re:No overlord necessary. (Score:4, Interesting)
I, for one, would be happy with an oversight committee that does its job.
Job descriptions don't come more accurate than that...
I love Schneier (Score:5, Insightful)
He won't make any friends with the government research grant people with that attitude, though. Seriously, if you only occasionally read what Schneier has to say, and follow his advice and guidelines, you'll be more "secure" than 99% of everyone else. That's because 99% of the people (and companies) don't follow his advice, which is often simple and just requires a little effort and awareness. It's the "effort and awareness" thing that most people find challenging.
>>"effort and awareness" ...
And next, you're going to expect "reason and logic" to prevail too, right!?!?!
Re: (Score:2)
Not having a central authority doesn't mean that nobody is in charge, it means everybody is in charge. This model is the best fit for things like safety and security which are effected by the decisions of individuals at all levels. It also requires that all individuals have the knowledge to make the correct decisions. Unfortunately, people have not been educ
Cyber Security is OUR problem (Score:4, Insightful)
I couldn't agree more. I wrote this blog post [mobiusdevelopment.com] a few months ago arguing the exact same thing. There will always be crisis situations where government intervention and coordination may be necessary, but the first line of governance and management should be at the personal, community, and company level.
Re:The NSA is more qualified than DHS (Score:5, Informative)
At the Department of the Interior, "Alan Balaran, a court-appointed special master, soon confirmed that a team of hackers could break into the trust accounting system with relative ease and then write checks on the trust funds" [washingtonpost.com]. Those trust funds were held for the benefit of Native American nations, who filed a multi-billion dollar lawsuit over the security problems.
There are sensitive systems all over.
Re: (Score:2)
The government does most things really well and spot on; however, you are completely correct in your assessment of the Dept. of Homeland Security.
It should be abolished and its funds be given to the FBI and FEMA.
It only exists to get around procedures in place to protect our rights.
why NSA shouldn't be used for defense (Score:4, Interesting)
The problem with the NSA is that it IS part of the intelligence structure. If you insert them as a defensive player, more often than not, they will take absolutely NO action in order to protect their spying capabilities.
At present, nobody knows exactly what the reach is of the NSA. Nobody knows what they can and can't hear. If you task them with defending assets, each probe or attack reveals new information about what the NSA has at their disposal, depending on what the response is. I really don't think the NSA is willing to compromise the secrecy of its capabilities in order to thwart hackers.
Seth
Re: (Score:3, Interesting)
^^^^ THIS.
You cannot appoint a military organization whose effectiveness depends on ignorance of its capabilities and vulnerabilities to protect civilian infosec. The only way any newly discovered vulns will ever be disclosed to the public by this sort of watchdog is if it is felt that "The Enemy" already knows about them and has a workaround, and that the disclosure would not compromise the position of any spies/well placed janitors.
After all, we're *all* generally using the same basic computing infrastruc
Maybe someone to keep the feet on the fire? (Score:1)
I could see someone who will do testing and be the point person for the money. We need someone to do penetration testing with a white hat on.
Any volunteers?
Re: (Score:3, Funny)
We need someone to do penetration testing with a white hat on.
Can I use my wizard hat and robe instead?
Czar? (Score:5, Insightful)
Better question is why the USA needs Czars of anything?
Weren't they leaders of imperialist Russia?
Why would that label seem appropriate?
Pedantry (Score:2)
The title of the former rulers of Russia was "Tsar".
Re: (Score:2)
I'm assuming that the proper transliteration for the Russian title is "Tsar". I believe that "czar" is the proper transliteration of a Polish title. I believe that Russian Ц is usually transliterated as "ts".
http://www.bartleby.com/61/87/C0848700.html [bartleby.com]
Re: (Score:2)
Why would that label seem appropriate?
But it's completely different! The American Czars are honorable representatives of the people who are held accountable for their actions!
Right?
Re: (Score:2)
The USA already has many Czars, they just don't call them that. They call them CEOs instead.
Re: (Score:2)
Since when did a Czar ever beg for handouts? :)
Re: (Score:2)
Perhaps you haven't seen the news in the last 8 months?
Re: (Score:2)
No I haven't seen any news in the last 8 months...
Did McCain win the US election, build a time machine, travel to Russia and steal their titles?
'Cause that is what I figured he would do if he won the election. That or raise an army of zombie cadavers to take over the world (aka republican party).
Re: (Score:2)
Woosh.
I am questioning the relevance of the title.
You just did the same, yet say I am a "bozo" for doing so.
I am pretty sure that qualifies you as an idiot.
The business generalization is too crude (Score:5, Interesting)
Top down works -- for managing the efficient, repeated performance of a task with well defined and stable success criteria, and where performance can be improved incrementally by local adjustments. Top down has a place in the world. When consistency is at a premium, top down is the way to go.
Bottom up works too -- for tasks that involve things that are too complex and fluid for a single person or chain of command to comprehend and react to. Where creativity is at a premium, bottom up is the way to go.
No structure works too -- for tasks where there is a body of people who understand every part of that task. Think a Shaker barn raising. When you have a body of people who've mastered every aspect of a task and everyone can see what task needs more hands, then no structure is the way to go.
It seems to me that something like cybersecurity needs a bit of each approach. It's organizationally difficult, if not impossible to approach such a problem perfectly. However, I think the rough appearance of a structure to handle this would be top down with expertise pushed out to the various groups in the organization and discretion allowed.
Exactly why we don't need a CSZAr (Score:2)
Top down works -- for managing the efficient, repeated performance of a task with well defined and stable success criteria, and where performance can be improved incrementally by local adjustments. Top down has a place in the world. When consistency is at a premium, top down is the way to go.
And not one aspect of that sounds anything like systems security, where attacks are fluid and the definitions of success are countless.
We do not need to fund federally a position that is far better met by people closer t
Re: (Score:2)
It seems to me that this issue has different dimensions, some of which are fluid, others of which are not.
You would not expect the so called czar to direct a response to an attack by himself. That's not feasible. However the czar could oversee the aspects of the problem that are repeatable, for example ensuring training programs exist for system administrators; making sure groups working with critical systems have contingency plans; ensuring that vulnerability testing is done; investigating open installat
None of that needs to be federal (Score:2)
You would not expect the so called czar to direct a response to an attack by himself. That's not feasible. However the czar could oversee the aspects of the problem that are repeatable, for example ensuring training programs exist for system administrators; making sure groups working with critical systems have contingency plans; ensuring that vulnerability testing is done; investigating open installations which haven't installed recommended security patches. That sort of thing.
All done today by private indu
Re: (Score:2)
No structure works too -- for tasks where there is a body of people who understand every part of that task. Think a Shaker barn raising.
You mean like every editor on Wikipedia understanding every detail about how to write an encyclopedia?
Re: (Score:2)
Well, what are the requirements of an encyclopedia?
You will find that when it comes to consistent scholarly accountability, Britannica is the way to go. If responsiveness to changing needs is at a premium, Wikipedia is far more useful, albeit not entirely reliable. No responsive medium could be.
Re: (Score:2)
Are you missing my point on purpose?
How about another example: Economic markets.
There's plenty of "no organization" systems that work just fine, without everyone understanding or even anyone understanding everything.
Re: (Score:2)
No, we're talking past each other, making different, although not incompatible points.
My characterizing of task types was not meant to be exclusive; we might well add a fourth category of tasks whose component subtasks have no demonstrably optimal method.
Re: (Score:3, Informative)
No structure works too -- for tasks where there is a body of people who understand every part of that task. Think a Shaker barn raising. When you have a body of people who've mastered every aspect of a task and everyone can see what task needs more hands, then no structure is the way to go.
I am not sure about Shaker barn raising, but I am pretty sure you actually meant Amish barn raising. I know something about Amish barn raising (I have relatives among the Amish).
Amish barn raising is not "no structure". There is no formal structure, but there is a fairly strict informal structure. As a general rule everybody at an Amish barn raising has known everybody else there as long as they can remember and almost all of them are related to one degree or another.
The structure used for Amish barn rais
Re: (Score:2)
Wish I had mod points - this is one of the most-insightful thoughts about the relative values and uses of differing organizational structures I've ever read (and I've worked in organizations sized from less than 50 to over 15k employees)...
Re: (Score:2)
So... kind of like a porn shoot, then?
Just refine the idea a little (Score:2, Interesting)
What they need is a solid system of IT auditing to make sure the standards are followed. To the extent they are done now, IT audits are done within each agency and rarely receive attention at the department secretary leve
Has Bruce gone bat shit loco? (Score:2)
First, it's not a dictator.
Second, Government works best when it's open and has a top down functionality.
Third, do you propose that some account be in charge of handling his own security? That every agency works in a bubble?
Do we need a Cybersecurity position? Maybe not, but we do need a person security guidelines and procedures come from. This way they can be vetted, and you don't have to train your entire staff in computer security.
Re: (Score:3, Insightful)
and you don't have to train your entire staff in computer security.
Actually, you do. That's Bruce's whole point most of the time, and it's what makes my job as a security consultant so difficult (and well-paid).
Security is a mindset. Every person has to have the concept of "secure environment" in their head every day, be they developers, users of IT systems, or even the seemingly-rare non-IT user (i.e. custodians). People need to understand why security is so crucial, and they have to be involved in the process; just designing technical controls around them always fails qu
Re:Has Bruce gone bat **** loco? (Score:2)
And you need a
The "tyranny of the hierarchy" (Score:5, Interesting)
Schneier seems to instinctively grasp what so many people don't: the hierarchical nature of virtually all human organizations - and derived from that vestigial alpha-male instinct - is prone to corruption, subversion, and ultimately ethical failure. Or to quote the old cliche: the Peter Principle applies here, with a twist: it's often the least ethical scum that rises to the top, not the least capable. Even the supposedly democratic United States government is organized in such a fashion, and the successful treasonous behavior of the Bush administration is a useful demonstration of how it can go wrong very quickly.
What Schneier is very reasonably suggesting is that we lessen that hierarchy, not add to it.
Re: (Score:2, Insightful)
...and the successful treasonous behavior of every administration after Kennedy is a useful demonstration of how it can go wrong very quickly.
(And yes, this includes Obama!) I do agree with you in principle. What can be corrupt, will be corrupt, and we need less legislation that has the potential to become corrupt. Due to this, no Czar is a good thing, and I don't think I need to explain the connection with absolute power and corruption.
P.S. "Czar" is the dumbest buzzword that the interwebs has given birth to in a long time, and I for one am sick of hearing it. But I guess it's not really birth... it's more like stealing someone's kid, calling it you
Re: (Score:2)
No counter-arguments here, not even vis-a-vis Obama. He ain't no messiah, and he's not really even a reformer. He's a MEDIATOR, a true politician's politician. He'll dissemble and twist and manipulate just like Bush, though we may not catch him red-handed at it quite so often.
Re: (Score:2)
That said, once someone gets promoted into a jo
Bruce Schneier Facts (Score:4, Funny)
Bruce Schneier's secure handshake is so strong, you won't be able to exchange keys with anyone else for days.
http://geekz.co.uk/schneierfacts/ [geekz.co.uk]
Schneier's blog (Score:3, Interesting)
He mentioned last year about the last security czar [schneier.com] who had no security experience, but didn't do his rant right then. And his rant should be good. `8r)
Re: (Score:2)
And awesome, I have a lower slashdot id than him [slashdot.org] as well. Time to remind him to talk to us!
Good grief. Having a low Slashdot ID is like having been the first one on your block to wear polyester leisure suits. Sure, you were a trendsetter, but wearing a polyester leisure suit before your neighbors is nothing to be proud of.
Re: (Score:2)
Yeah, it seems he has been repeating the same things in his newsletters for a while. I guess they need to be hammered down, but frankly, I think I got his point already, and if I didn't then I probably never will. So I'm tired of reading the same things over and over, and I'm mostly ignoring his newsletters now...
Too bad...
dictator or bureaucracy? (Score:2)
Which is worse? I dunno.
Re: (Score:3, Interesting)
The one that exists in the private sector, and controls government.
Or:
The one that exists as a foreign government that controls us via large amounts of debt and/or business lobbies.
Bruce got this one wrong (Score:3, Interesting)
Why? Because someone at OMB said:
Harden every desktop installation of Windows XP & Vista [nih.gov]. One leader at the NSA, for the entire federal government, could greatly assist in doing the same for every piece of IT we operate. This is a start on the massive IT security problem the federal govt has. After that, a govt wide approach for software security would be nice.
S773 'Cybersecurity' Bill is unconstitutional. (Score:3, Interesting)
Thanks to an old man of the stack I read S773, but I didn't need to, nor do you, to KNOW it's unconstitutional. Take a look at Amendments 9 & 14 of the US Constitution (something something any powers not specifically set aside for the federal gov. are under the exclusive domain of the States or local gov.s something). They can't create a federal authority for cyberspace out of thin air... they'll need to amend the Constitution to do it. Well, they can, but they'll be destroyed in the courts. If they DO amend the Constitution, making such an appointment legal, then we can go over S773 with a fine-toothed 4th Amendment comb... and again find it unconstitutional.
Re: (Score:2)
They can't create a federal authority for cyberspace out of thin air
They'll just say it's authorized by the interstate commerce clause.
Re: (Score:2, Troll)
disclaimer: in my gp post, I said 9th (and that might work too) but I meant 10th.
afa the Commerce Clause... they can't use it nowadays... but maybe they can. Rehnquist's Court put a stop to the broad interpretation of the Clause, arguing broad interpretation justifies a federal police state... and no one wants that now that the Republicans are out of office (and losing members left and right). Then again, Rehnquist has been gone a few years... it could swing back, but I doubt it will happen under a liberal
Re: (Score:2)
Then again, Rehnquist has been gone a few years... it could swing back, but I doubt it will happen under a liberal administration.
You do realize that the liberal justices are more likely to allow the federal government to do whatever it wants under the Commerce Clause right? It's the conservatives who have tried to limit the federal power.
Re: (Score:2)
It's the conservatives who have tried to limit the federal power.
In general, sure. Conservatives want less government, at the expense of liberties. Liberals want liberties, at the expense of government. In the case of the Commerce Clause and a proposed cybersecurity oversight mechanism, it's not so clear-cut which is more government or which is less liberty. It seems to me it would be a conservative idea that cybersecurity needs oversight, because inherently such an organization would limit liberties, not protect them. The 2009 Bill S773 was proposed by a Democratic sen
Re: (Score:2)
yes they can... but the point is that it won't be around for long, if unconstitutional, someone will take them to the mat... uh, SCOTUS
Re: (Score:2)
Not so.
The 10th Amendment:
The powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people.
This 'cybersecurity' falls under powers NOT delegated to the US by the Constitution. The Founders really did think of everything.
Re: (Score:2)
No, I'm not, and that's not my assumption. The assumption is a committee or a czar that oversees cyberspace is beyond the scope of the Constitution, as per Amendments 10 & 14. Should a state challenge the "FTC" (did you mean FCC?), on air wave regulation, they might very well win. If a state decides they want control of the airwaves in their state, meaning IN, not coming in or going out, i.e. not interstate, they'll have a case that the Supremes will have to decide.
Also, "cyberspace" is referring to the
Don't worry ... (Score:3, Insightful)
If the NSA (No Such Agency) is in charge, it'll be the same as having no security oversight at all. They naturally keep everything secret, so if they want to tell you to do something, you won't have the security clearance to read the order or any of its details.
Yes, they can write secret orders, not show them to you, and then prosecute you for not obeying them. But this has been true for around a decade now, so it won't be anything new.
Anyway, the main area where security is important is in the corporate world's handling of its comprehensive information about all of us. And in the modern US, agencies of the government don't give orders to corporations; the corporations give orders to the government. So corporate databases will continue to be as insecure as always, which doesn't really matter because the information is always for sale to the highest bidder, secure or not. Security really means that the information can't be read by anyone who hasn't paid for it, y'know.
If there are any changes, the most likely are that the NSA will be forced to adopt corporate-style "security" measures such as 4-digit PINs or password rules so complex that you have to write your passwords down and carry them in your wallet. And they'll routinely leave entire databases in laptops inside parked cars. This will be by policy, not accident. It'll result in more funny news stories; we'll mostly laugh and go about our lives.
I'd add a ;-), but I'm not sure that this actually qualifies as humor ...
(I'm sure that Jon Stewart and Steven Colbert will explain it much better than I can.)
Re: (Score:2)
Really? You have video?
On second thought, I'll just take your word for it, and you keep the videos.
Re: (Score:2)
> private interests are beholden to foreign countries that do not
> share our interests... and cannot be trusted
I don't know about that, but it's safe to say that the American government itself is beholden to the private interests you so distrust.
> government policy is not something in his league
You got it backwards - the US government's data security is not in Schneier's league.
> Take your "bash government" speech elsewhere.
Where would you suggest nerds go to discuss cyb