Comments on TaoSecurity Blog: National Security Strategy is Empty on "Cyberspace"
Blog author: Richard Bejtlich (http://www.blogger.com/profile/13512184196416665417)
Comment feed last updated 2023-10-16T06:06:25-04:00; seven comments, listed here in chronological order.

----------------------------------------------------------------------
H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2010-06-01 07:40 (-04:00)

Richard,

What would you suggest as a strategy?

----------------------------------------------------------------------
dearista (https://www.blogger.com/profile/01972767855960952976), 2010-06-01 09:12 (-04:00)

I thought Schmidt was a MicroSoft lobbyist? Oh, right, ....
I agree it is lame, but what I truly find irresponsible is how long the govt. is languishing in this state of affairs without putting more funding into research. Not cheaper-faster-better technology enhancements, but theoretical understanding of this very complex problem.
Every day it seems those who claim to 'know better' need to take their vocation and work the system, and hopefully effect change. Yes, funding would be nice :)
Dan

"If I'd asked my customers what they wanted, they'd have said a faster horse."
- Henry Ford

----------------------------------------------------------------------
Richard Bejtlich (https://www.blogger.com/profile/13512184196416665417), 2010-06-01 09:46 (-04:00)

Harlan -- my post

http://taosecurity.blogspot.com/2009/05/president-obamas-real-speech-on-cyber.html

where I wrote as if I had the President's cyber security speech, outlines what I propose.

----------------------------------------------------------------------
joe st sauver, 2010-06-01 11:39 (-04:00)

The first step toward a national security strategy for cyberspace is understanding what cyber war, cyber terrorism, and cyber espionage are, and what those terms mean. You can see my take on that point in
http://www.uoregon.edu/~joe/cyberwar/cyberwar.pdf

The second step is to recognize that the government has a cyber security responsibility to the general public; it isn't just responsible for protecting itself online. See http://www.uoregon.edu/~joe/ecrime-summit/ecrime-summit.pdf

The third step is beginning to articulate concrete steps that those in the government, as well as private companies and individuals, can take to actually improve their cyber security. Google, for example, reportedly just decided that it will no longer use Microsoft Windows because of the security risks they perceive to be associated with that operating system. What advice does the government have for American citizens? Surely we have some of the best cyber security minds in the world working in Washington, so why do we never hear any recommendations from them about how to be more secure online, eh?

The fourth step is for the government to begin publicly documenting what it sees. Currently the best-documented public cyber intelligence is probably from Spamhaus. They describe what they're seeing, and they offer actionable intelligence in the form of IP and domain name block lists, and things like the Do Not Route or Peer (DROP) list. Why isn't the government doing the same thing?

And finally, we need an aggressive program tackling cyber crime, particularly "franchised" cyber crime -- affiliate programs and the like -- and the infrastructure that supports it (particularly financial channels and product fulfillment/shipping channels).

In my opinion, if you handle those five steps, you'll be well on your way to substantially improving our nation's cyber security. Will you fix all the issues we confront online? No. But you will substantially change the game, and substantially improve our chances of success.

Regards,

Joe

----------------------------------------------------------------------
Brian (https://www.blogger.com/profile/16640260999072144665), 2010-06-01 13:11 (-04:00)

I agree, this seems sorely lacking. Perhaps there is more going on behind the scenes, however? My guess is that the government is not going to lay out all their plans for their adversaries to see...

----------------------------------------------------------------------
emily (https://www.blogger.com/profile/09020755221727566171), 2010-06-01 13:40 (-04:00)

Most of your good security folks spend too much of their time trying to fight the "checkbox" security model. They are also apt to succumb to the 'shiny keys' distraction, that is... somebody in government infosec has something that's "supposedly working" .. which gets the attention of "leaders" only to then change ship in mid-course of whatever they were doing (say, engineering) to chase down that new "shiny thing".

Unfortunately, as I see in the leadership in DC when it comes to InfoSec, none of them were Ops people... all policy, no substance. This is why Rich and others' noting "threat management and identification" isn't grasped. Letting a former vendor rep sit as your "cybersecurity" chief, when that vendor is probably the WORST example (say, next to Adobe now) of a company who's got a grasp of things. While some of these folks are enthusiastic (Vivek) - I doubt many of them have REALLY cut their teeth doing the work to understand the problem.

Vivek is my age... he's the CIO... dunno what he did previous to that, but I doubt it didn't involve actually say, installing and securing a *NIX environment in a live-fire network. Much of the same goes for those who participated in the simul-attack earlier this year... do any of them understand what they were trying to react to? Had any of them come and listened to Rich's TCP/IP Weapons School? Until we get a hacker (in the traditional sense) up higher in these ranks, I'll still call B.S. on policy and direction.

okay, rant off...

----------------------------------------------------------------------
gih (http://get-infoz.blogspot.com/), 2010-06-05 10:23 (-04:00)

It is somewhat an idea to overcome any circumstances that may interfere.