Posted on 06/08/2008 1:40:58 PM PDT by Dawnsblood
The U.S. government has quietly gone ahead and formed several special security organizations for policing the internet. Because there is such a (trained, not to mention talented) manpower shortage right now (and in the foreseeable future), this was done on the cheap. An effective force could not be recruited, even if everyone agreed to accept government pay levels, because of the huge expense. One solution that was suggested even before September 11, 2001, and eventually caught on, was to organize and reward the pro bono cybersecurity efforts that have been going on for some time. A lot of talented whitehats just get pissed off and go after bad guys on their own nickel. An example is HoneyNet (the pro bono network of honeypots set up to attract, analyze and document backhat activities and techniques). One suggestion that did not fly was setting up a "CyberCorps" as a separate corporation, with a few really good people to run it, and enough budget to pay market rate for the right people, and still have a close working relationship with government agencies and commercial firms that spend a lot on net security (banks and brokerages, for example.)
Instead, a "Cyber Corps" program was set up to give tuition assistance to college students studying computer security, in order to increase the number of qualified experts in this area. Meanwhile, the Department of Homeland Security established working relationships with existing computer security groups, while the Department of Defense encouraged the services to set up computer security operations. The air force established the Cyber Command, a major operation that, it is hoped, will give the air force the lead (and most of the budget) for defense related Internet security operations.
The U.S. Army sought to make something of the original CyberCorps concept, by recruiting existing army reservists with computer security experience, and organizing them into the Reserve Information Operations Command. So far, nearly 400 reservists have been assigned to man five Information Operations Centers. These reservists have civilian jobs in computer and Internet security, and most make more than the government could afford to pay them. But in the event of an Internet "battle", the Reserve Information Operations Command would quickly provide the army with a collection of expert operators to analyze, and deal with, the threat. The army is still recruiting for this duty, and will probably continue to, in order to expand this force as much as possible.
Certainly the right direction, but the folks who we really need on our side in this aren’t the ones studying Computer Science in college...
“document backhat activities”
backhats! We must document them!
I beg your pardon!
Be careful, some of those college students in Computer Science and related majors might be a whole lot better than you think.
Exactly right.
Many of the talented black hats just see the world differently, and that perspective can’t be taught from books and lecterns.
I was once on a conference call with a security expert high in the Bush administration after 9/11, speaking on the topics of cyber-security. While lots of people were talking about airy-fairy attacks, I pointed out that I could haul a backhoe up to somewhere along I-80 between Elko and Wells, NV, and just dig through huge bundles of fiber and be gone with the backhoe before anyone would have a clue where to look.
The phone call went pretty quiet when I pointed this out.
And then I pointed out that smart guys (e.g., guys with EE degrees) could take down large chunks of our electrical grid with scoped high power rifles, shooting out insulators on transmission lines in remote areas of the US in a particular sequence that would cause huge portions of the US grid to either partition or go down.
Again, very little response.
The single biggest problem we have in security (whether cyber or otherwise) in this country is that we’re fighting engineers (the terrorists love people with engineering degrees) with lawyers. In this sort of battle, the lawyers lose, because lawyers think that words on a piece of paper prevent someone from doing something. Lawyers also suffer from a delusion that words on paper prevent people from committing murder, rape, arson, etc.
That’s true. They *might* be.
Here’s an example from the 80’s, when lots of us in engineering had security clearances and worked in the defense sector:
I was consulting at a Very Large Southern California Aerospace Contractor (formerly run by an eccentric billionaire, back when a billion bucks was a lot of money) and we were trying to secure several computer systems that had security-cleared material on them. The systems were VAX/VMS, and the boys from Digital had tuned up this VAX with all sorts of ACLs, access policies, credentials, yadda, yadda, yadda. They had constructed all manner of studies on how to restrict online access and immediately flag unauthorized access attempts, alert operators and security people automatically, etc. Oh, they were pleased with themselves, because no other minicomputer OS was quite so far along with ACLs and security models at that time.
My partner and I decided that the DEC boys were just a bit too proud of all the security features on VMS and put just a little too much trust in this. So we decided to prove it to management.
We were due into a meeting to review whether the TS-level system was truly secure and sign off on the database contracting we had been doing. My partner and I knew full well that the system still had huge, obvious security holes, but management would not listen to us - we were a small shop up against the opinion of DEC, who was the computer industry darling at that time.
So we walked into the machine room. Spun down the disk pack of a drive that had nothing of importance on it. Pulled the disk pack out of the drive. Walked into the meeting room early. Put the pack on the floor under the table, out of sight. Got some coffees, sat down and waited.
We get into the review process, blah, blah, blah. We raised our objections about various security issues, physical and human, and DEC keeps shouting us down with all their technology. Management looks at us and says “Well, do you have a response to this?”
“Yes, we do. Here....” and we hauled the disk pack up on the table.
We thought the DEC reps were going to soil themselves. Management looked like a rabbit in the headlights of a truck, and with a quavering lip, asked us “Uhhhhh.... wh-.. whi.... which pack is that?”
Since the database and the almost unused pack were both the same type of drive, we played along: “Well, the database is on which drive again?” and “Which drive did we pull this from? The one by the door, or the one at the other end of the room?”
Needless to say, management finally got our point. Code locks went on doors. Drives with removable packs were changed out for fixed head drives, mag tapes were put into secured vaults, etc.
Didn’t have a darn thing to do with computer science.
Neither did the kid who hacked into other VMS systems inside the same contractor and downloaded the CAD datasets for the TOW missile system onto his dad’s home computer through TYMnet. That was another fun job where we showed up the DEC consultants. How do you trace a kid on an X.25 network? Well, you keep him online long enough for the boys at TYMnet to do the trace. The DEC guys kept wanting to enact another ACL widget to toss him off ASAP. He’d just socially engineer his way into getting the credential ID on the main system in the cluster (run by another, different group) and he’d keep coming back.
But talk about video games and girls long enough, and lo! The TYMnet boys can complete the trace and the FBI can make a visit.
What most CS people who learn CS early on aren’t being taught is that security is a human problem, and the technical issues are merely manifestations of the problem.
Bruce Schneier put it this way: When you are at a door do you check out how easy the lock would be to pick? When you walk into a building do you think about how easy it would be to get something past security? Same for the airport?
If your answer is "all the time" for these, you have the proper mentality to be a computer security guy, on the attacking or defending end (same skill set, technically).
hmmm. Maybe I'm in the wrong industry. :)
Ping
Well, at least there's a silver lining to being paranoid.
You're right.
The problem is that the computing field (which includes computer science) has gone beyond its origins in electrical engineering and in mathematics, at least, at the post-secondary educational level.
Notice I said "computing" and not "computer science." The latter is focused on theory, not the real world. Security (just like HCI and user interface design, computer game and simulation development, and software engineering) is a field that is only now breaking free of the grip of traditional computer science.
Should security be a fundamental item to teach, alongside data structures, algorithms, and operating systems? I think so. But even if it's not (yet) that doesn't mean that some of us students aren't already aware of it.