Archive for the 'government' Category

30 vs 150,000

For your consideration, two articles in today’s New York Times. First, “How to Remind a Parent of the Baby in the Car?:”

INFANTS or young children left inside a vehicle can die of hyperthermia in a few hours, even when the temperature outside is not especially hot. It is a tragedy that kills about 30 children a year, according to the National Safety Council.

Janette Fennell is the founder and president of KidsAndCars.org, a safety advocacy group based in Leawood, Kan., that focuses on issues involving children and automobiles. In a telephone interview, Ms. Fennell made her view clear, saying she believed that carmakers must develop reminder devices to warn drivers if a child is left behind.

Second, “The Hard Sell on Salt:”

High blood pressure is rising among adults and children. Government health experts estimate that deep cuts in salt consumption could save 150,000 lives a year.

Bets on which problem is “addressed” first are encouraged in the comments.

“Cyber Economic Incentives” is one of three themes at Federal Cybersecurity R&D Kickoff Event

From the announcement email:

Date: May 19, 2010, 1:30-5:00pm PDT

Location: Claremont Hotel, 41 Tunnel Road, Berkeley, CA 94705

NITRD representatives from NSF, DHS, and other agencies will present Federal cybersecurity R&D themes. This event will take place at the Claremont Hotel in Berkeley, California, and follows immediately after the IEEE Symposium on Security and Privacy. The themes will guide future Federal research activities and are components of the framework for cybersecurity R&D called for in the President’s Cyberspace Policy Review. This event will be the first discussion of these Federal cybersecurity R&D objectives and will provide insights into the priorities that are shaping the direction of Federal research activities.

Registration: http://www.nitrd.gov/CSThemes.aspx. This event is free of charge.

Webcast: http://www.nitrd.gov/CSThemes.aspx

This is a follow-up to the National Cyber Leap Year process that I have previously critiqued.  Of their original five themes, they have down-selected to three (described here), including:

Cyber economic incentives — foundations for cyber security markets, to establish meaningful metrics, and to promote economically sound secure practices.  [emphasis added]

I’m thrilled that this made the cut and I’m also thrilled that it has been recast to focus on incentive systems and metrics.  I will attend this event and be listening for information about how this “theme” will be turned into tangible reality.

I look forward to merging your unique visibility into my own

In “White House Cyber Czar: ‘There Is No Cyberwar’,” Ryan Singel writes:

As for his priorities, Schmidt says education, information sharing and better defense systems rank high.

That includes efforts to train more security professionals and have the government share more information with the private sector — including the NSA’s defensive side.

“One thing we are looking at is how do we make sure that the private sector has the information it needs from the government,” Schmidt said, referring to what he called “some of the unique visibility the government has from the attacks on our systems.”

An excellent idea, if I do say so myself.

National Broadband Plan & Data Sharing

I know that reading the new 376 page US “National Broadband Plan” is high on all your priority lists, but section 14 actually has some interestingly New School bits. In particular:

Recommendation 14.9: The Executive Branch, in collaboration with relevant regulatory authorities, should develop machine-readable repositories of actionable real-time information concerning cybersecurity threats in a process led by the White House Cybersecurity Coordinator.

This is a pretty clear step forward. It will be a much bigger step forward if the data shared includes evidence of the effectiveness of defensive steps. Without such evidence, budget and authority are unlikely to flow; actionability therefore requires it.

Also interesting is section 14.10:

Due to the diffuse nature of cyberattacks, sharing of information is critical when responding to, mounting sufficient defenses against and remediating attacks. However, businesses are often reluctant to share information, either with other private sector entities or the government, due to worries about the potential disclosure of such an attack and related concerns about corporate liability, despite the fact that the resources necessary to successfully respond often exceed those of individual private sector organizations… To ensure that this occurs, protocols and incentives should be developed for the sharing of cybersecurity information, threats and incidents in a non-attributable manner. [Emphasis added]

I think this is a pretty big win in a couple of ways. 14.10 is most interesting because we’ve moved from need to share to discussions of what the blockers are. The use of the term “non-attributable” is a move forward from the typical “anonymous.” I’d prefer to see a strategy that called for protocols and incentives to overcome the problems and concerns, giving us more room for innovation and experimentation.

Is the strategy a silver bullet for information security? No, obviously not. On the other hand, these elements are (as far as I know) new in Federal strategies or plans.

Thanks to Brent Rowe for the pointer.

‘Experts’ misfire in trying to shoot down Charney’s ‘Internet Security Tax’ idea

The information security industry intelligentsia are often poorly qualified to evaluate economic and public policy solutions to systemic InfoSec problems.  They just don’t have the training or depth of knowledge.  That doesn’t stop them from being quoted in industry media as if they are the be-all-end-all ‘experts’.  I just wish the media would seek out people who knew what the hell they were talking about in this arena.   Here’s a case in point.

In a keynote speech at RSA 2010 (full text), Microsoft’s Scott Charney proposed proactive solutions to systemic problems like botnets. Drawing analogies with public health and environmental protection, he said it might make sense for ISPs to quarantine infected consumer PCs. Then he said:

And then there’s a question of who would pay for that. Well, maybe markets will make it work, but if not, there are other models: use taxes for those who use the Internet. We pay a fee to put phone service in rural areas, we pay a tax on our airline ticket for security. You could say it’s a public safety issue and do it with general taxation. [emphasis added]

In other words, some collective action might be beneficial and either markets might pay for it, or taxes might be necessary.  Two days later, a Microsoft spokesperson clarified:

“Scott Charney did not suggest a new Internet tax to fund cybersecurity programs. As part of his keynote at RSA he recommended that the industry and government look at developing the equivalent of the World Health Organization to combat malware on the Internet,” the spokesperson said. “Within this context he mentioned the need to explore how to develop a sustainable funding model for this initiative, not suggesting that any particular funding model is best.”

To be even more clear, he definitely didn’t say that Microsoft should get the proceeds or play any part in how it is spent.   

In the following days, industry analysts, executives, and bloggers weighed in and their judgment was mostly negative. A prime example is the Computerworld article with a headline that called it “a horrible idea”, quoting John Pescatore of Gartner Group. Here are more ‘expert’ reactions quoted in the same article:

  • Pescatore: “ ‘Why not a tax on all retail goods for a standard antishoplifting service all merchants would have to use?’ A business, he said, can now select what it thinks is the best anti-malware solution, but that choice would presumably vanish if funding for battling the bad guys went national.”
  • Pescatore: “A general tax would reduce the services to the lowest common denominator”
  • Wolfgang Kandek, CTO of Qualys: “I have a hard time seeing [a tax] work. The Internet is an international body; you can’t regulate it, and you cannot levy a tax. ISPs might have to up their fees to pay for something like this, I can see that, but a tax that brings government into play — I can’t see that.”
  • Randy Abrams, Director of Technical Education at ESET Security: “A tax may be a bad idea, but people will pay for it one way or another.”
  • Andrew Storms, Director of Security Operations at nCircle Network Security: “I don’t have a problem with charging a fee and giving it to good works for the whole.  The problem is that one, you have to find a big, smart and trustworthy organization to handle this. And most people will agree that’s not the government, and that’s not Microsoft.”
  • Storms: “More likely is that an ISP will take the plunge, charge its users a little extra to keep their machines clean, and prove that it’s possible.  Then I could see a consortium of ISPs getting together to do that.”

Here are some of the negative reactions from bloggers:

“Let’s also not forget that Microsoft has gone out of its way to create a monoculture where one OS dominates, through legal and illegal methods. So the idea that we should now all pay to solve a problem that Microsoft not only wanted to create, but made billions of dollars in the process is frankly … ridiculous.”

“Microsoft’s “Trustworthy Computing” shtick has gone so far over the oxymoronic top that it’s just no longer possible to give the company the benefit of the doubt. … Really, Scott? … Did you really think we’d all look at each other with nods of agreement, impressed by the brilliance of your epiphany? Didn’t you realize that revelation might just backfire on you?

It’s unfathomable that a company with Microsoft’s resources can be so clueless and out of touch. … If Microsoft expects to be taken seriously as an enabler of “trustworthy computing,” it needs to do a lot more than this to demonstrate trustworthiness. Taxing users who find the software they bought is non-secure is like taxing Toyota owners for finding they have faulty gas pedals.”

This is where I step in and call “BOGUS!”

Q: How many of these ‘experts’ know anything about information economics and public policy responses to negative externalities? A: Zero.

Even more basic Q: How many of them bothered to find out what Charney was really proposing, rather than just reacting to the headline version, “Net tax to clean computers”, or the fact that someone from Microsoft said it? A: Of the articles and blog posts I saw, only two bothered to dig into the speech and seek to understand or clarify Charney’s comments: BetaNews and yinhuan.net. Conversely, the comments by Pescatore and Kandek lead me to believe that they didn’t really understand the proposed idea. Others used this opportunity to throw rocks at Microsoft rather than deal with the substance of the ideas.

Regarding the idea itself, I think the comment by Randy Abrams is on the mark: “… people will pay for it one way or another.” Right now, we pay for it through the cost of security breaches and through the cost of inefficient security spending.

The idea of taxes as a way to counteract or pay for mitigation of negative externalities has been thoroughly researched in economics, especially environmental economics.  Here are some links if you want to learn more:

Myself, I’m more in favor of market-based funding methods (e.g. insurance, etc.): Incentive-based Cyber Trust.  But mandated insurance or other mandates can be seen as a form of “tax”, so the main question is what form of incentives and funding is most effective and most efficient.

This is just one small case in the on-going public policy discussions regarding economics of information security, but given the reaction of the ‘experts’, this was a step backward.

Krebs on Cyber vs Physical Crooks

In addition, while traditional bank robbers are limited to the amount of money they can physically carry from the scene of the crime, cyber thieves have a seemingly limitless supply of accomplices to help them haul the loot, by hiring so-called money mules to carry the cash for them.

I can’t help but notice one other important distinction between these two types of bank crimes: The federal government sure publishes a lot more information about physical bank robberies than it makes available about online stick-ups.

Go read “Cyber Crooks Leave Traditional Bank Robbers in the Dust” by Brian Krebs. Then ask why we sweep these crimes under the rug.

Everybody complains about lack of information security research, but nobody does anything about it

For some years, I’ve been following the world of academic and industrial research on information security, especially interdisciplinary research.    There is wide-spread agreement on what needs to be done:

But no one seems to be able to mobilize any significant research into solutions. It’s been very frustrating to see so much talk and so little action.

This reminds me of the quote by Mark Twain, shown at left, which is the inspiration for the title of this post.

The latest iteration of this was a panel at RSA: “The role of research in industry and government”. SC Magazine summarized the discussion this way:

A disconnect between the primary research sectors and a lack of appropriate funding in each is leading to decreased technological progress, exposing a huge gap in security that is happily being exploited by cybercriminals.

(read on for a diagnosis and two proposed solutions…)


‘Don’t Ask, Don’t Tell in Davos’ — Act 3 in the Google-China affair

Taboos are willful ignorance, socially-enforced.  They are so not New School.  We have to deal with them, but we don’t have to be happy about it.

The Great Family Shame of incest between Oedipus and Jocasta

The public display of taboo is one of the more interesting aspects of Operation Aurora, a.k.a. the Google-China affair (summary and analysis is here, more details here). It’s unfolding almost like a Greek tragedy.

Act 1 in the play was Google’s strategic decision to go public and recruit other breached companies to join them (without success).  Google went public anyway, violating the InfoSec disclosure taboo, and also the taboo against corporations speaking out against China.

Act 2 was the public and institutional reaction to Google’s announcement, the political posturing between US and China, and even the tempest of chatter in the InfoSec community about “Advanced Persistent Threats” (or “Advanced Persistent Adversaries”, a term I prefer).

Act 3 is now under way at that great annual public meeting of Big Thinkers, the World Economic Forum in Davos, Switzerland. While they discussed almost every other topic and idea, they avoided Operation Aurora as if it was the Great Family Shame, as highlighted here:

“BusinessWeek reports that the cyber attack on Google was the elephant-in-the-room at the annual meeting of world leaders in Davos. ‘China didn’t want to discuss Google,’ Josef Ackermann, CEO of Deutsche Bank AG and a co-chair of this year’s World Economic Forum, said in an interview. China’s Vice Premier Li Keqiang made that clear, he added. Even Google CEO Eric Schmidt didn’t bring up China, and Bill Gates was mum on the topic in an interview. The reluctance of companies to talk about China illustrates the pressure on them to protect their business in the country, while the U.S. government doesn’t want to upset Chinese investors, said Andy Mok of Red Pagoda Concepts LLC. ‘People have their commercial interests,’ explained Deutsche Bank’s Ackermann.” [emphasis added]

The Business Week article is here.  (Funny: here is a great Saturday Night Live skit that satirizes the power of China over the US in matters like this.)

While the Operation Aurora taboo is rooted in international politics, similar taboos exist within both the public and private sectors and no international politics are involved.   While we must deal productively with these taboos, we also can’t let them block meaningful progress toward the goal of data-driven information security and collective learning.

An Open Letter to the New Cyber-Security Czar

Dear Howard,

Congratulations on the new job! Even as a cynic, I’m surprised at just how fast the knives have come out, declaring that you’ll get nothing done. I suppose that low expectations are easy to exceed. We both know you didn’t take this job because you expected it to be easy or fun, but you know better than most how hard it will be to make a difference without a budget or authority. You know about many of the issues you’ll need to work through, and I’d like to suggest a few less traditional things which you can accomplish that will help transform cyber-security.

There are important things which you can achieve which are aligned with President Obama’s agenda and orientation that aren’t in the current strategy to secure cyberspace. They’re opportunities which have arisen in the last few years to increase transparency and accelerate new research that’s focused on security outcomes, rather than process.

Over the last 5 years, in the wake of California’s 1386 and ChoicePoint’s big breach, we’ve learned about thousands of security breaches. We’ve discovered that most of our fears don’t come to pass. Companies don’t go bust, and customers don’t flee. It’s time to embrace transparency, and admit that we all have security failures. Only by studying what goes wrong can we really expect to improve. So the first step is to de-stigmatize failure. That’s not to say we should accept failure; rather, we should disclose failures, discuss them, and focus on what we can improve. You can set the right tone from your bully pulpit.

Next, as the nation’s cyber-security advisor, you’re in a position to push the heads of the federal agencies to open up about what they’re doing and how it’s working out. The data is already being collected by US-CERT; it’s a matter of transparency. Of course, some subset of the data will need to be appropriately redacted, but let’s embrace a need to share in information security. The President has committed to getting our data online, so let’s make sure security data is included on Data.gov. (I’ve already sent a request for this to data.gov.) As you work to expand public-private partnerships, why not start by sharing the data that the government has? It could reset the tone of the conversation. You can also support the non-profit Open Security Foundation’s work on DatalossDB.org. The value they deliver on a volunteer basis is amazing, and the amount that would be required to take that to the next level by making it their day jobs would be a rounding error for any of the folks you’ll be working with daily.

Finally, I’d urge you to evolve our nation’s security research agenda. There are many smart, dedicated people working in information security. Many have been promoting approaches which have yet to take hold. You must bring new voices and perspectives to research. Emergent fields like “economics and security,” usable privacy and security, and security and human behavior bring important new perspectives of security as a human-centered discipline.

Each of these steps can be taken with your budget and authorities. Together, they’ll transform cyber security into an empirical, effective and outcome-centered discipline, and that would be an amazing legacy for any leader.

What should the new czar do? (Tanji’s Security Survey)

Over at Haft of the Spear, Michael Tanji asks:

You are the nation’s new cyber czar/shogun/guru. You know you can’t _force_ anyone to do jack, therefore you spend your time/energy trying to accomplish what three things via influence, persuasion, shame and force of will?

My three:

  • De-stigmatize failure. Today, we see the same failures we saw yesterday because we don’t talk about what went wrong. We laugh and point fingers. We need to admit that everyone gets hacked, get over it, and start talking about how it happened and what we can do to learn from it. (This isn’t the same as accepting failure; it’s saying that we understand it happens, and starting to distinguish which failures might be in our control, and how to expand that set.)
  • Gather data. This is a mirror to the de-stigmatization of failure. The czar should gather as much data as they can on a need-to-share basis, starting with federal systems. What happened? How did the failure manifest? Were there controls in place? Were they credible? Were they managed and monitored?
  • Shoo the mathematicians. No, not shoot, shoo. Send them off the pedestal for a while. Security is a social value, and as a social value, we need to study the human aspects of it like we did at the workshop on security and human behavior. [Update: What I really want is not to eliminate math, but to move to a diverse set of analytic tools. Of course we need math to analyze data, but I think we've gone too far with mathematical models, proven security, and need more engineering rigor. Engineering rigor is obviously based on math, but not done by mathematicians.]

These three goals are possible from a bully pulpit. They don’t require a lot of budget. (Heck, the datalossdb.org guys do it on a volunteer basis.) They’ll be transformational in the way we approach security.

Bonus fourth task: fine anyone $20 each time they say “best practices.”

What’s your take? What should the czar be trying to accomplish?

[Update: Pete Lindstrom takes up the challenge in "If I were a Czar." Who else wants to take a whack at it?]