20090429 embarrassing - plembo/onemoretech GitHub Wiki

title: embarrassing
link: https://onemoretech.wordpress.com/2009/04/29/embarrassing/
author: lembobro
description:
post_id: 330
created: 2009/04/29 13:52:50
created_gmt: 2009/04/29 13:52:50
comment_status: open
post_name: embarrassing
status: publish
post_type: post

embarrassing

From the BBC comes this: US cybersecurity ‘embarrassing’. On the occasion of the annual RSA Conference, this lead:

America’s cybersecurity has been described as “broken” by one industry expert and as “childlike” by another.

The money quote about the current state of things being “embarrassing” comes from Alan Paller of SANS.

Asheem Chandna of Greylock is also quoted as saying he:

believes the smaller innovative companies in Silicon Valley could help the government be more productive if they were not effectively locked out of the process by the big established firms.

While the reporter doesn’t tie together the two threads in his article, for anyone who has been in IT for a while the implications are clear:

The Big Guys who have dominated the security market up until now have failed, and remain in position only because they’ve been able to successfully close the market off to competitors.

An interesting aside in all this is the relative responsibility of IT execs for the current situation. If CIOs control IT budgets, then they’re the ones with the power to procure the best of the best in efforts to secure the networks they preside over. Of course it’s not as simple as that. The hard truth is that CIOs for the most part have very little control over their own budgets. CFOs, CEOs and board members (or in a government context, legislative budget committees) actually control the purse strings. No matter how good a job the technologists at the bottom of the food chain do explaining to their management what needs to be done, in the end the people who lack the technical background even to ask the right questions are the ones who decide.

Marcus Ranum, he of Outsource Your Data Center to Baghdad fame, has a more nuanced take on things in The Anatomy of Security Disasters. Ranum starts off with an explanation of why he wrote the piece:

The inspiration for this paper came from a discussion I had with Alan Paller, the founder of SANS and the CIO Forum. He was quoted in an article as saying that CIOs were regularly lied to regarding security by their technical staff. Bear in mind that this is the viewpoint as expressed from the position of the CIO: corporate executives felt that they had done their job when they told technical staff to “make it secure.” Technical staff had cheated by doing naughty things like leaving unauthorized connections between critical networks, leaving systems unpatched and so forth.

He goes on to discuss the “reality gap” between how secure networks are expected to be and how secure they actually are. That gap, Ranum opines, is “vastly” larger than IT executives think.

Using the example of the disastrous handling of problems in Space Shuttle design and maintenance, Ranum makes his points with brutal honesty. In a section entitled “Breaking the Cycle”, he makes this bold suggestion:

What can we do to break the cycle? The most important thing is to make sure you are direct and honest about expectations at all times. Do not allow management or clients to believe that they can do dumb things in safety, and do not hide behind bogus probability guesses. “Safety” is not the same thing as “relative safety.”

Pre-allocating blame is crucial to keeping the reality gap as small as possible. When management negotiates a control out of the loop, do not simply allow them to assume “it’s OK” - go back and remind them that the parameters of the design have changed. As Alan Paller said, executives feel that they are being lied to by technical staff who are taking shortcuts - reality check them by circling back with an update. E.g.: “By the way, since you asked us to keep the management costs on that system down, we have followed your directive and are now using an Internet-based remote control interface. Since the old system had zero chance of compromise over the Internet, and the new one has something more than zero chance, we can realistically say that it is infinitely more dangerous to proceed in this fashion.”

Again taking his cue from the Challenger disaster, Ranum goes further:

During (Nobel-winning physicist Richard) Feynman’s analysis of the Challenger disaster he describes a number of the memos from rocket engineers attempting to express concerns up the management tree. The general tone of the memos is uncertain and rich with weasel-words and “could be,” “might,” and “should.” To help bridge the reality gap, you must keep your communications as clear and unambiguous as possible.

i.e.: “Mister President, The US Government’s over-reliance on contractors in the area of federal government-related information technology represents a clear danger to the future of our national security.”

And there you have it. Honesty, integrity, and most of all, courage, are the answer to this issue. Just as they are to most other difficult situations we’ve got ourselves into. The only problem is that we have a culture of government and corporate governance that has over the years punished that sort of behavior, while rewarding those who avoided it at all costs. For his part, Ranum ends on a very pessimistic note:

Obviously, from the content and the tone of this presentation, I think it is already too late. There is too much momentum to an inherently dangerous process, and it will go forward until there are severe-enough disasters that something has to change. But, consider when you look at an organization like NASA that can lose not one, but two, multibillion-dollar space shuttles and their pilots to the same kind of reality gap, it will take something extremely severe to wake up a national-level response. What might that be? We already have US Pentagon spokespeople alleging that “Chinese hackers” have stolen “10+ terabytes” of information from the DoD’s unclassified networks - such an information leak could result in a superpower transitioning into a 3rd rate power, but the failure would be too complex for anyone to figure out.

I am afraid I have to agree with him.

Copyright 2004-2019 Phil Lembo