Re: [ISN] The Cybersecurity Myth (2 replies)

From: InfoSec News (alertsinfosecnews.org)
Date: Tue Oct 06 2009 - 03:36:32 CDT


Forwarded from: security curmudgeon <jericho (at) attrition.org>

On Mon, 5 Oct 2009, InfoSec News wrote:

: http://www.cringely.com/2009/10/the-cybersecurity-myth/
:
: Listen to this post in Bob's sexy, sexy voice
: http://www.cringely.com/podcast/20091002.mp3
:
: Robert X. Cringely
: October 2nd, 2009
:
: The Department of Homeland Security (DHS) said this week it will hire
: up to 1,000 cybersecurity experts over the next three years to help
: protect U.S. computer networks. This was part of National
: Cybersecurity Awareness Month and the announcement was made by DHS
: Secretary Janet Napolitano, who also said they probably won't need to
: hire all 1,000 experts, which is good because I am pretty sure THERE
: AREN'T ONE THOUSAND CIVILIAN CYBERSECURITY EXPERTS IN THE ENTIRE
: FRIGGIN' WORLD!!!!

This article is pretty spot-on, and amusing even. Two gripes though:

1. Using the math behind the number of CCIE's is a non-starter. Holding
   a CCIE isn't about 'cyber security' at all.

http://www.cisco.com/web/learning/le3/ccie/index.html

  The Cisco Certified Internetwork Expert (CCIE) certification is
  accepted worldwide as the most prestigious networking certification in
  the industry. Network Engineers holding an active Cisco CCIE
  certification are recognized for their expert network engineering
  skills and mastery of Cisco products and solutions.

2. The big point Cringely seems to miss, is that even if there were 1000
   qualified civilian security experts, then what? Let's say money was
   no object and DHS could manage to hire the top security people in the
   industry. What could they do for DHS exactly?

The key here is that DHS thinks they can "help protect U.S. computer
networks". Admittedly, it has been 3 or 4 years since I've gone stomping
through various .gov networks, but I can't imagine the atmosphere has
changed at all.

The atmosphere I was familiar with between 1999 - 2006 was one where a
given agency was very secluded from the rest of the government. They had
no intention of allowing other .gov agencies in their house unless it
came with a presidential order, warrant and armed federal agents. No,
this wasn't the spook agencies and high profile names you are familiar
with, these were agencies like the National Park Service or Minerals
Management Service.

The horror stories of inter-governmental communication are notorious to
anyone who has played in one of the many .gov sandboxes. Does anyone
really expect that 1000 cyber warriors sitting at DHS will be allowed to
do *anything* for "U.S. computer networks" in reality? I don't.

-=-

Forwarded from: Richard Forno <rforno (at) infowarrior.org>
& cc'd: security curmudgeon <jericho (at) attrition.org>

On Oct 5, 2009, at 04:54 , security curmudgeon wrote:

> This article is pretty spot-on, and amusing even. Two gripes though:

Good to know great minds think alike.

> 1. Using the math behind the number of CCIE's is a non-starter.
> Holding a CCIE isn't about 'cyber security' at all.

Yep.

> 2. The big point Cringely seems to miss, is that even if there were
> 1000 qualified civilian security experts, then what? Let's say
> money was no object and DHS could manage to hire the top security
> people in the industry. What could they do for DHS exactly?

More bodies = able to do more work = able to show more activity = able
to justify more requests for financial and policy authority. That's the
goal of all bureaucracies. Just ask Sir Humphrey.

> The horror stories of inter-governmental communication are notorious
> to anyone who has played in one of the many .gov sandboxes. Does
> anyone really expect that 1000 cyber warriors sitting at DHS will be
> allowed to do *anything* for "U.S. computer networks" in reality? I
> don't.

/dons cynical hat/

But then DHS can say it too has an 31337 cyber-command, just like its
DOD counterpart! And then a new joint fusion center can be created
between DOD and DHS to coordinate their efforts and further reduce
'stovepiping' within the national and homeland security organisations.
That means more Congressional committees will be involved (which makes
Congress happy) and thus we can keep working to secure America's
cyberspace, and more importantly, EVERYBODY GETS MORE MONEY TO CONDUCT
MORE ACTIVITY!!!! [1]

[1] "activity" =! "effective or meaningful activity"
