[Infowarrior] - The Cybersecurity Myth
Richard Forno
rforno at infowarrior.org
Sun Oct 4 15:00:28 UTC 2009
I don't agree with Cringely very often, but IMHO he's spot-on with
this assessment, and it echoes what I've been hearing since that
"1000" announcement was made the other day. -rick
The Cybersecurity Myth
http://www.cringely.com/2009/10/the-cybersecurity-myth/
The Department of Homeland Security (DHS) said this week it will hire
up to 1,000 cybersecurity experts over the next three years to help
protect U.S. computer networks. This was part of National
Cybersecurity Awareness Month and the announcement was made by DHS
Secretary Janet Napolitano, who also said they probably won’t need to
hire all 1,000 experts, which is good because I am pretty sure THERE
AREN’T ONE THOUSAND CIVILIAN CYBERSECURITY EXPERTS IN THE ENTIRE
FRIGGIN’ WORLD!!!!
So I polled six old friends who ARE cybersecurity experts and they
kinda-sorta agreed with me. More on this below.
But first I have to marvel that I even know six cybersecurity experts
and — even more amazing — I’m pretty sure they don’t know each other.
They seem to be like badgers, solitary creatures who only come out to
mate.
They are cynics, too. One questioned the term “cybersecurity” as
being inappropriate.
“(It) depends on your definition of expert,” said expert number one,
who works deep in the military-industrial complex. “If you mean
someone who can spell ‘cyber’ then sure (there are 1,000). If you mean
those who know that ‘cyber’ is short for ‘cybernetics’ and has little
to do with computers then probably not. I still occasionally use the
title ‘Cybernetic Psychophysicist.’”
Sure enough, there’s a very detailed definition of cybernetics here
and it doesn’t intrinsically have very much to do with computers or
networks, though don’t tell that to the DHS without first taking off
your shoes and placing the definition in a one quart plastic bag.
“Duh!” said expert number two who has spent his career at telcos and
cable companies. “Of course. You got it right. I doubt there are
1000 in the world. There are a lot of wannabees, or folks who think
they are…”
“Define ‘expert,’” said another friend from behind Door Number Three,
who comes from the security software business. “(An expert is) a
person with a high degree of skill in or knowledge of a certain
subject. Great, but the question is all about scope. I may be an
expert cook – but can I run a kitchen? Same thing with security: there
are tons of experts – in specific areas. I was an expert in AV, IDS,
and other areas. But I was not the all knowing security guru. (even
though my knowledge base was very broad). This is where we run into
unintended actuated consequences. An expert will make a choice and
take an action. The end result may not be what they had anticipated
because other factors beyond the realm of their expertise caused an
unanticipated consequence.
“Example: I am forced to use low sulfur gas because the experts say it
produces 20 percent less harmful emissions. Too bad they did not
notice it has a lower power quotient than a normal gas blend. As a
result I use 30 percent more gas that is 30 percent more expensive
(and puts four percent more sulfur into the air).
“So I believe there to be less than 30 real experts in security, but
there may be well over 500 subject matter experts and perhaps another
1000 sous-security people.”
Now I brought in the big gun — expert number four, an independent
security consultant to foreign governments:
“My bet is that they are going to just pull the bodies from the
Department of Defense and Department of Energy,” he said. “DoD has
established a number of credentials required to be classified as a
security specialist like CompTIA Security+, CISSP, etc. None of this
stuff has any practical application because it is hardware/software
neutral.
“Even if a government agency (over 550 of them) allows you to sniff
their network, are they going to let you evaluate the applications for
bugs? I don’t think so. Without scrubbing the software with products
like Ounce Labs (owned by IBM), what is the point of evaluating the
network?
“Another item of great importance is a security clearance to do the
work. This is where you will get only one brand of thinking; DoD or
DoE clearance. This will prohibit the security “black hat” types from
ever being involved in the project without coming from the DoD or
Energy.
“So you will end up with 1,000 Security Managers in the government
with Sec+, and CISSP certifications, talking to cisco, Juniper,
CheckPoint, Tipping Point, Microsoft, Oracle, Ounce Labs, etc.
security professionals at $300 an hour doing the actual work. That’s
1,000 jobs for window dressing, releasing reports that end up on
Drudge Report listing the number of breaches in Federal Government
Agencies.
“When you look at the private sector protection of data standards for
items like credit cards you have real teeth in your regulations. You
don’t have to take credit cards, but if you do then you need to be PCI
compliant. Don’t want to be PCI? No problem we won’t allow you to use
our credit cards. Where will that type of enforcement be with the wall
of 2,000 eyes protecting the USA?”
No there won’t be (this is Bob again) because governments are required
to provide services to their citizens. Even the DHS can’t shut down
the government to cure a security breach, though I am beginning to
believe they haven’t yet figured that part out.
“I’m not sure there are even a handful (of experts) with any sort of
broad experience,” said expert number five, who is usually associated
with security hardware. “There probably are pockets of them, with
specialized narrow experience, e.g. in banking, virus or DOS attacks,
military networks, etc. And even if there were 1,000, what would they
be doing on behalf of Uncle Sam?”
That’s a great question given that we as a nation can’t seem to hire
and keep a national cybersecurity czar. So what are we doing hiring
1,000 experts given there is no boss?
While it is great to have a Cybersecurity Awareness Month, whatever
that is, and it might be great to add a thousand “experts” to protect
our nation, if you look deeper into this story it is for the most part
BS or HS and, I fear, CS to boot.
Look, the number of CCIE’s with security as a certification is 2,300
for the entire world. Subtract the 50 percent who work for cisco, then
50 percent again for those not working in the field any longer, and
you get 500 cisco CCIE Security Experts worldwide. The only way to get
another thousand in three years is by training them. But in the last
four months with 800 available seats to sit for the cisco CCIE
Security exam only one person has passed!
The DHS is extremely unlikely to be able to find and train 1,000
cybersecurity experts in three years. Maybe they’ll come up with 100
(more likely 5-10), but the DHS environment will make it unlikely —
very unlikely — that all of those 100 will stick around.
Secretary Napolitano says she might not need all 1,000, which to me
says she is really looking for 3-5 people. And frankly that ought to
be enough if they are truly experts and are both properly led and
supported (which they probably won’t be).
So this is the wrong approach entirely. It won’t work, the DHS
probably knows it won’t work (if they don’t know that, well God help
us all) but they see it as better than nothing. That doesn’t worry me
so much, though. What really worries me is the point brought up by
cybersecurity expert number six, who himself came in from the cold:
“Sure there are 1,000 (cybersecurity experts),” he said, “but they
are already employed… as hackers.”