e-Idiocy: The Problems with The National “Strategery” to Secure Cyberspace.
World Tech Tribune.com
| Sept. 30, 2002
| Joseph D. Wagner
Posted on 10/04/2002 7:29:16 AM PDT by Scott McCollum
Rather than recycle the same security information that's existed for over 15 years, the same information found in every computer security book on the shelves, I instead propose a solution, one that only the government can initiate because the solution needs to be mandatory. By mandatory I mean that it should be made into law. Legally compelling organizations to meet security requirements seems to be the only way to get them to take security seriously.
I propose three basic laws that will stiffen cyber-security...
(Excerpt) Read more at worldtechtribune.com ...
TOPICS: Editorial; Government; News/Current Events; Technical; US: California; US: Colorado; US: District of Columbia; US: Maryland; US: Massachusetts; US: New York; US: North Carolina; US: Pennsylvania; US: Texas; US: Utah; US: Virginia; US: Washington; US: Wisconsin
KEYWORDS: bushadministration; cybersecurity; governmentintrusion; internet; newlaws
To: Scott McCollum
[full disclosure]
I'm a "security xspert" - meaning I have achieved one of the highest security certifications in the industry - CISSP. The proposal would benefit me by improving either my chances of employment or the rate I could charge for consulting.
However,
While I agree with the author's conclusions on the draft of the National Plan to Secure Cyberspace, the three recommendations are poorly thought out at best and downright intrusive at worst!
First, the Internet (Cyberspace) is too large to be ruled by one government. Further, intervention by government should be kept to a minimum. There are very few things that governments do well, and regulation of information exchange or technology is not one of them. Lastly, the rule of unintended consequences makes me very concerned about any "simple" solutions. This is a complex problem that needs to be addressed with a light touch.
So, how do we secure cyberspace? Well, the first answer is to develop a strategy - not tactics.
[getting up on the soap box]
In order to secure cyberspace, three fundamental strategies must be adopted. The main idea behind these recommendations is that they be voluntary -but- have additional value if adopted. For example, a company is not required to adopt this standard, but if the company wishes to do business with the Federal government there will be additional value in doing so.
Three fundamental strategies
1) Reduce existing vulnerabilities and exposures (short term tactical)
2) Prevent new vulnerabilities and exposures (long term strategy)
3) Actively pursue criminals and provide background verification for security personnel (reduce the number of crackers)
----
Specific Recommendations.
[These recommendations are being passed to the CISSP (www.isc2.org) adhoc group putting together the "industry experts" response to the draft.]
#1 - Reducing vulnerabilities
a) Work with industry, security experts and colleges to create a "standard" security degree program. This program should have an emphasis in two areas. The business program should focus on policy and procedures - business practice improvement or ISO type material. The computer science program should focus on how to develop applications without vulnerabilities. Initial work could rely on existing certification programs.
b) Create a Federal security testing program that will systematically test Federal IP addresses for known and common vulnerabilities. Think Nessus or ISS on a grand scale. This test needs to be done on a consistent basis and executive metrics provided to appropriate agencies for their information. Once this external abatement program has begun, a similar internal program will further reduce vulnerabilities.
c) Increase the number of security specialists in Federal service. Offer "specialty pay" for a period of time to boost the salaries of Federal employees who are performing security functions. Many in the security field are making over $100,000 per year. This level of pay would require GS-15 or SES level of compensation. A "specialty pay" would make it lucrative for security professionals to join the Federal government.
This will also require the Federal CPO to allow certifications like the CISSP (and others) to qualify individuals for a position. This is a departure from the traditional CPO requirement of a degree. Most of the security experts in the field do NOT have a relevant degree if any at all.
Once colleges start graduating security professionals from the degree programs mentioned in #1a, the specialty pay can be reduced and then eliminated as the pool of qualified professionals increases.
d) Increase the number of FBI agents that are focused on cyber crime. Standardize the means of reporting and investigating cyber crimes across the FBI. Make it easy for businesses to report an incident to the FBI.
e) Increase investments in cataloging and reporting of vulnerabilities.
f) Don't buy vulnerable software! This could be done by changing Federal procurement regulations. Create a stepped security certification process for vendors. The first step would be certification of an ISO-like security aware development process.
The second step would be creating a testing program that would "certify" applications by testing for known vulnerabilities, buffer overflows, etc. Companies would submit their products for testing and if "clean" could be purchased. If vulnerabilities are found, then the program would be returned to the manufacturer to be fixed, and Federal contracting officers would be prohibited from purchasing these products.
Lastly, in a mixed vendor environment the competition would be limited initially to only those vendors who had "certified" applications. If no vendor met that requirement, the competition would then be limited to only those vendors who had passed the ISO requirement. If no vendor had received that certification, then the competition would be open to all vendors.
#2- Prevent new vulnerabilities and exposures
a) Require all publicly traded companies doing business with the Federal government to include a statement of their level of compliance with the above (#1f) in their SEC filings.
b) Provide "insurer of last resort" capability to the Insurance industry. This capability would only be extended to those insurance companies that accept the industry and government approved "best practice" (the ISO standard mentioned in #1f). These insurance companies would then offer insurance to the market place and compete with each other. Coverage should be limited to actual dollars lost or dollars spent on recovering from a cyber attack.
c) Consult with industry and security experts to create a "security best practice standard" for adoption by companies and that will serve as the measure for the ISO standard mentioned in #1f. These best practices should not DEFINE the policy, rather it should provide a checklist of issues that the policy should address.
d) Create a standard of conduct with regards to a corporation's obligation to respond once a software vulnerability has been reported.
For example, 15 days to public disclosure of the receipt of the vulnerability report, 15 additional days until a description of the vulnerability must be made public, and every 15 days thereafter provide an updated status of the vulnerability until a work around is provided. Once a fix for the vulnerability has been created, publish within 5 days. Vulnerability fixes cannot be charged for and must be made publicly available for download along with instructions on how to implement the fix.
Again, this should be included in the ISO standard that Federal contractors will be required to meet in order to do business with the government.
#3 Pursue criminals and verify key personnel
a) Create a NORAD like capability to passively observe all "cracker" activity using intrusion detection software (IDS). This activity would serve as the Federal government's initial observation and notification of hostile activity. This would be a "global" security operations center that would alert the right folks to react to hostile activity.
b) Work with other countries to establish a "cross border" capability to track hostile activity across the internet.
c) Work with other countries and further clarify extradition treaties to enable the prosecution of criminals. This should establish common contact points and the standards of evidence for extradition.
d) Increase funding for the existing security clearance program (DIA, FBI, etc.) to reduce the backlog of existing clearance requirements.
e) Create a "credit agency" equivalent organization that would conduct a background verification of security professionals. The purpose of the "clearance" would be to provide a third party verification of professional experience, bio, degrees, certification.
f) Require contractors and companies doing business with the Federal government to provide copies of the background verification of key job functions (CIO, CSO, CTO, CISO, Sr. Software Architect, etc.).
Note: none of these recommendations are mandatory. They are only required if you wish to do business with the Federal government. Carrot and stick approach.
To: taxcontrol
Interesting. I think #3 should be the first step, though. As devastating as a thrill hack can be, there is generally some other criminal motive at work too; identity theft, fraud, malicious intent, espionage, theft, etc.
To: Cobra Scott
I'm of the opinion that all three need to be implemented at the same time. But, if I had to decide on an order, #3 would be my first choice as well.
Crackers need to be AFRAID that they will get caught, which right now, they aren't. However, if they KNOW that if they attack from the Internet they will be observed, cataloged, and reported - much of the "thrill" will be gone.