North American Network Operators Group

Re: Whitehouse Tackles Cybersecurity

  • From: Sean Donelan
  • Date: Thu Sep 19 20:58:10 2002

On Thu, 19 Sep 2002, batz wrote:
> From a security perspective, the recommendations in this report are
> the same things that have been advocated for the last decade. In fact
> it looks like many of these recommendations could have been culled from the
> various vulnerability assessment report templates I have seen and even
> used over the years.  I don't mean to undermine the importance of the
> strategy, but I think its impact will be through adding weight to us
> Cassandras in the security industry.

People expecting the government to wave a magic wand and make us all safe
will be disappointed.  Security consulting firms probably aren't going to
get a windfall from the publication of the national strategy. But if you
had more modest goals, the strategy did accomplish some things.

Despite the daily drumbeat of vulnerability announcements, there really
aren't any new fundamental causes of security problems.  The National
Academies of Sciences published a report last year recapping 10 years of
computer and network security studies.  http://www.nap.edu/catalog/10274.html
The particular instance may change, but the classes of security problems
are unchanging.

Although the security problems are the same, the solutions can change. In
the 1980's I had a Multics/Dockmaster account.  Multics may have been
secure, but the system sucked.  Perimeter firewalls may not be the
security solution for the next decade.  Would anti-virus software
become obsolete with a better kernel? Are the same password rules
we had for our one mainframe account applicable in today's web with
dozens of "logons"?

I think we need to re-evaluate our best solutions for our security
problems.

That National Cybersecurity Strategy did a nice job of collecting the
problems from all groups into one document, and showing an interdependence
between the groups.  Simply securing one industry, company or home user
isn't enough to solve the problem.  I am especially pleased that at least
part of the US government now seems to recognize that security is more
than just secrecy.

Could the government move faster?

It took over 15 years from the introduction of seat belts on an American
car until they became "standard" items in American cars.  The government
only "mandated" seat belts after most car makers were already offering
them.  There were a lot of studies along the way.  A democratic government
can't get too far out in front of the public.

American Seat Belt History (http://www.lemurzone.com/airbag/belts.htm)

1947 The first time seat belts were offered in an American car was the
     Tucker. The state of the art then was lap belts.
1956 Ford introduces seat belts in American cars
1964 Seatbelts became a "standard" feature in American cars
1966 Rear Seatbelts became Standard
1967 Front Seatbelts became Mandatory
1968 Shoulder Belts became Mandatory

Nevertheless, seat belts won't help unless the driver buckles up.