Saturday, December 04, 2010

Greatest Hits from the Arce/McGraw Article on Cyber FUD

These guys nailed it in Software [In]security: Cyber Warmongering and Influence Peddling and here are my favorite lines:

The (perhaps intentional) conceptual roll up of cyber crime, cyber espionage, and cyber war into the scariest of cyber boogeymen exponentiates the FUD factor, making an already gaping policy vacuum more obvious than ever before.
Amen. I still don't even know what "CyberSecurity" really means. Back in 2003-2004, when I first heard the term, I thought it was a way for "non-security folks" (putting physical security folks in that bucket) to refer to IT/Computer/Network Security. But I don't know anymore. This conflation is confusing.

The problem with these kinds of stories is that they have somehow worked their way to the halls of policymakers who repeat them without critical analysis. For every careful Dan Geer there are ten shrieking cyber security talking heads busy stirring the pot saying things like, "We may call it espionage, but it's really warfare."
The "World's Greatest Hacker" is the least of our concerns because he isn't influencing policy in the beltway.

What makes us particularly skeptical is the intentional blurring of the lines that helped to distinguish the military, the intelligence community, and the cyber security industry — a direct result of the US government pouring billions of dollars into the burgeoning maw of perpetual cyber security initiatives.
Is it any coincidence that the cyber-euphoria coincided with the US economy going to hell, as IT security vendors "cyber-ize themselves"? There are quite a few Austin startups (you know who you are) that have become "Cyber Security Vendors" to get that Federal money.
They point out that those beating the cyber war drums the loudest are at least partially responsible for the sorry state of affairs in computer security. Retired Director of National Intelligence (DNI) Admiral Mike McConnell bears the brunt of this criticism, as do one-time NSA Director and Deputy DNI General Mike Hayden, and one-time cyber czar Richard Clarke. We know all of these men and they are all honorable and careful. Like us, they are all capitalists as well.
Anybody that goes after "Digital Pearl Harbor" Clarke is OK in my book.

Public/private partnerships pander politically but they do no real good. As it turns out, security is not a game of ops centers, information sharing, and reacting when the broken stuff is exploited. Instead, it is about building our systems to be secure, resilient, survivable, and trustworthy.
They go after all my favorite buzzwords. The public-private partnership is when the vendors and contractors (and sometimes critical infrastructure asset owners) write all the policy to their economic advantage.

In conclusion, this article is a strong defense of defense and of building security in. We should let the military and the Intelligence Community do their job and the rest of us (in the Information/Network/Application/Internet Security profession) focus on ours and stop trying to play "soldier hacker." Of course the irony is that some of the biggest "CyberWar Cheerleaders" have no background in the military, the intelligence community, or computer security.
