Welcome to Volume 4, Issue 14 of The Internet Security Conference Newsletter, Insight. Insight provides commentaries and educational columns, authored by some of the best minds in the security community.
TISC is about sharing clue. So is this newsletter. We promise to provide something useful each issue. If we don't, flame me. If you like the issue, let us know!
Enjoy, and be safe,
President Bush wants to protect our cyber-infrastructure, to "ensure that America has a clear roadmap to protect a part of its infrastructure so essential to our way of life." And he wants you to participate in defining our policy.
George W.'s hosting a policy party. Every sector is invited, nay urged, to "develop its own strategy to protect the parts of cyberspace on which it relies". Not a member of a sector? Worry not, Every concerned citizen can attend a town hall meeting: there's still time, eight more are scheduled. Voice your opinion, and help define cyber-security policy. Kewl.
If you're lost at this point, don't fret. I was, too, until Marcus Ranum asked if I'd had a chance to read the draft National Strategy to Secure Cyberspace. Well, I hadn't, so I did. I wished I hadn't.
Marcus not only read the strategy, but reacted non-violently and asked if TISC could provide a forum for an editorial expressing a qualified opinion. I am always delighted when Marcus makes such an offer. So put on your flame retardant outerwear, brace yourself for extreme candor, and enjoy today's guest editorial.
Consider reading the strategy before you read this column; like it says on the web site, click here to download the draft.
A fancy White House panel has been working on a National Strategy to Secure Cyberspace that it plans to present to President Bush in November. Based on "leaked" copies circulating on the Internet, I really don't see why they're going to bother. That Washington is entirely out of touch with Web reality is patently obvious: nearly two decades into the Internet age, and it considers publicly posting a draft on the Web at http://www.whitehouse.gov/pcipb/ a leak?
The White House's page announces that the "draft of [the] road map was developed in close collaboration with key sectors of the economy that rely on cyberspace, State, and local governments, colleges and universities, and concerned organizations." Indeed, the web site solicits opinions from all and sundry to the mail address firstname.lastname@example.org.
What's wrong with this? Let us count the ways...
A number of years ago, while consulting, I sat in a conference room at a major client's site and watched a group of very smart people working to hammer out a firewall access control policy. I was amazed to hear the office politics and negotiations taking place across the table. Folks from various business units would say, "in order to accomplish our mission, we need open FTP to some of our customers." And the security mavens would reply, "can't do that. Allowing FTP inbound is a terrible policy." To which the business unit would reply, "um, how about if we allow it only to selected addresses, then?" Basically, what these well-meaning people were doing was negotiating a firewall security policy. As I listened further, some really bad security decisions were made, in trade for a few good ones.
Finally, I had to point out to everyone in attendance that the crucial party to those negotiations - the hackers - hadn't been invited. And the hackers don't negotiate, anyhow. In other words, it doesn't matter if you achieve consensus or if you think you're doing the right thing; whether it works or not is subject to a different set of rules, ones over which your wishes exercise zero control.
Perhaps now you'll see why I am unimpressed by the government's approach of inviting comment from all "interested parties". The reality is that if the government wants to protect critical infrastructure, they're going to have to lead - not search for cooperation and compliance.
The very idea that "Key sectors that rely on cyberspace, state and local governments, colleges and universities, and concerned organizations" can possibly share a common goal - a necessity for useful consensus - is ridiculous. It's like the mice voting to bell the cat: they can all agree on that. But that's so obvious it's silly. We can all agree that hacking is bad and that hackers should stop - how's that for a national strategy? The reality is that in order to make things happen, you need to lead and say, "This is what will be done."
And this means you're likely to bend a few peoples' noses out of joint.
Personally, I am comfortable with our government bending a few peoples' noses out of joint. They do it to me regularly and I don't think they've done anyone a service by making their security "strategy" beholden to the financial interests of big corporations. That's another reason that "consensus" doesn't work - consensus is always driven by the folks who are willing to shout the loudest or pay the most. Or, participate at all. Remember the hackers? Nobody asked them.
Reading between the lines, and talking off record with key insiders, I learned that the CyberStrategy had intended to recommend that all ISPs offer personal firewall software to subscribers. Now, actually, that is One Fine Idea. Apparently, the recommendation was dropped because the ISP "representation" complained about the onerous burden of responsibility.
I'm sure the hackers would have been part of the consensus to drop that requirement, too.
Leadership is not about building consensus. It's about relentlessly doing the right thing and demanding it of others, no matter how loudly and often they complain. If the feds want a CyberStrategy that really helps secure the critical infrastructure they should mandate and enforce use of personal firewalls and anti-virus capabilities on every Windows, Mac, and UNIX machine in the federal government. Mandate and enforce are the two key words here: these are critical areas where the government has shown no ability to lead in the past. Remember "C2 by '92"?
As Napoleon Bonaparte showed us, it's easier to lead from in front than from behind. With the federal government's pathetic track record in computer security, any consensus effort it "leads" in the manner it's thus far attempted is going to be full of compromise and proportionately weak from the very beginning.
Remember: the hackers don't compromise or negotiate.
The CyberSecurity strategy appears to be re-oriented away from telling people what to do and toward encouraging education, awareness, and private/public sector information sharing and cooperation. This may come as shocking late-breaking news to the federal government, but we've been trying that for as long as I've been in the security industry and it hasn't shown any sign of working in the slightest, yet. Continuing to expect education, sharing and cooperation to work even eventually is silly. The draft of the CyberSecurity strategy reads primarily like a desperate plea for organizations to do something they should have been doing for a very long time.
Let's examine this more closely: if it has been an obviously good idea for a very long time, then the reason the right things aren't being done is different than "doing the obvious".
It probably has something to do with money.
During the Internet bubble we saw that money attracts money, and the lack of money scares people away. I'll bet my farm that the powers that wanted to remove the "firewalls from ISPs" mandate were the competitors of the personal firewall companies and the ISPs who (incorrectly) assumed such a measure would hurt their bottom line. These folks are clearly too stupid to see the enormous opportunity the feds laid at their feet. Tack a security surcharge onto Internet service and blame it on a federal mandate. (Note to ISPs: this strategy worked splendidly for airports post 9/11, and has worked for the cable and telephone companies for decades: universal access, 911, long distance carrier selection - need I go on?)
The federal government - one of the largest spenders of money, ever! - is ignorant of how to wield its buying power. I'm sure that the feds could have commissioned the development of a completely free anti-virus and firewall package for Windows for 1/100th of what producing the CyberSecurity strategy cost. But that would be anticompetitive, wouldn't it? SO WHAT? If CyberSecurity is really that critical - and I think it is! - it's O.K. for the government to intervene and mitigate the problem.
The government deals with issues of public health in precisely this manner: don't argue, just roll up your sleeves and do it.
But the feds cannot even coordinate their own buying efforts. Rather than standardizing on a single enterprise firewall product, anti-virus product, and desktop firewall, federal computing is a mish-mash of incompatible solutions. If the feds wanted to make the single greatest impact possible on CyberSecurity they'd do what any FORTUNE 500 company does: standardize on a few good products and then use their status as an important customer (more precisely, a large source of revenue) to demand the features it wants and needs. Exxon-Mobil is smart enough to do this. Microsoft is smart enough to do this. Bank of America is smart enough to do this. Why do the feds sit there and ignore their own buying power? The greatest weapon in the world - the US Treasury - is completely ignored by the CyberSecurity strategy. Feds: use your buying power and influence.
I believe that when one massively large organization solves its own problems effectively, it will inherently solve the problems of thousands of smaller organizations that have the same problems to a smaller scale. That is the essence of technology leadership. The feds are left in this position where they have to basically beg the industry to listen to them, because they have no moral authority regarding computer security. (You can see how well industry listens by how industry interests gutted the draft document!) The feds beg the private sector to "do the right thing" but federal sites are cheap script- kiddie knock-down targets that don't even represent a challenge. If the feds solve their own security problems effectively and show some leadership and the private sector will watch, listen, and imitate. The reason they don't try to cooperate with the feds is because, in my experience, most commercial entities are far ahead of the feds on the computer security power curve. I've been in security for 15 years now and every year or 2 someone hacks into the Pentagon or some other DOD system and their only response to the press is: "It was no big deal. We fixed it and no classified information was compromised." Excuse me, but in a FORTUNE 500 corporation when that happens, the problem gets fixed, the people who were on watch get fired, and it doesn't happen again and again and again. Besides, "no classified information was compromised" is an insultingly lame excuse because anyone who understands computers knows that the SBU (Sensitive But Unclassified) systems are where the budgets are made, the material shipping is organized, the personnel data is kept, and the critical day-to-day stuff is stored.
So here's a Cyber Security strategy that would work. It's as anti- competitive as you can get and has a snowball's chance in hell of being adopted. It's downright Machiavellian. Or, perhaps, Napoleonic:
So it's anti-competitive and Machiavellian. National defense always is.
Don't sweat consensus. Lead.
You can find a bio for Marcus Ranum at http://www.ranum.com/.