[Infowarrior] - The Cybersecurity Myth

[Richard Forno]

I don't agree with Cringley very often, but IMHO he's spot-on with  
this assessment, and it echoes what I've been hearing since that  
"1000" announcement was made the other day.  -rick


The Cybersecurity Myth
http://www.cringely.com/2009/10/the-cybersecurity-myth/

The Department of Homeland Security (DHS) said this week it will hire  
up to 1,000 cybersecurity experts over the next three years to help  
protect U.S. computer networks. This was part of National  
Cybersecurity Awareness Month and the announcement was made by DHS  
Secretary Janet Napolitano, who also said they probably won’t need to  
hire all 1,000 experts, which is good because I am pretty sure THERE  
AREN’T ONE THOUSAND CIVILIAN CYBERSECURITY EXPERTS IN THE ENTIRE  
FRIGGIN’ WORLD!!!!

So I polled six old friends who ARE cybersecurity experts and they  
kinda-sorta agreed with me.  More on this below.

But first I have to marvel that I even know six cybersecurity experts  
and — even more amazing — I’m pretty sure they don’t know each other.  
They seem to be like badgers, solitary creatures who only come out to  
mate.

They are cynics, too.  One questioned the term “cybersecurity” as  
being inappropriate.

“(It) depends on your definition of expert,” said expert number one,  
who works deep in the military-industrial complex. “If you mean  
someone who can spell ‘cyber’ then sure (there are 1,000). If you mean  
those who know that ‘cyber’ is short for ‘cybernetics’ and has little  
to do with computers then probably not. I still occasionally use the  
title ‘Cybernetic Psychophysicist.’”

Sure enough, there’s a very detailed definition of cybernetics here  
and it doesn’t intrinsically have very much to do with computers or  
networks, though don’t tell that to the DHS without first taking off  
your shoes and placing the definition in a one quart plastic bag.

“Duh!” said expert number two who has spent his career at telcos and  
cable companies. “Of course.  You got it right.  I doubt there are  
1000 in the world.  There are a lot of wannabees, or folks who think  
they are…”

“Define ‘expert,’ said another friend from behind Door Number Three,  
who comes from the security software business. “(An expert is) a  
person with a high degree of skill in or knowledge of a certain  
subject.  Great, but the question is all about scope. I may be an  
expert cook – but can I run a kitchen? Same thing with security there  
are tons of experts – in specific areas. I was an expert in AV, IDS,  
and other areas. But I was not the all knowing security guru. (even  
though my knowledge base was very broad). This is where we run into  
unintended actuated consequences. An expert will make a choice and  
take an action.  The end result may not be what they had anticipated  
because of other factors beyond the realm of their expertise caused an  
unanticipated consequence.

“Example: I am forced to use low sulfur gas because the experts say it  
produces 20 percent less harmful emissions. Too bad they did not  
notice it has a lower power quotient then a normal gas blend. As a  
result I use 30 percent more gas that is 30 percent more expensive  
(and puts four percent more sulfur into the air).

“So I believe there to be less then 30 real experts in security, but  
there may be well over 500 subject matter experts and perhaps another  
1000 sous-security people.”

Now I brought in the big gun — expert number four, an independent  
security consultant to foreign governments:

“My bet is that they are going to just pull the bodies from the  
Department of Defense and Department of Energy,” he said.  ”DoD has  
established a number of credentials required to be classified as a  
security specialist like CompTIA Security+, CISSP, etc.  None of this  
stuff has any practical application because it is hardware/software  
neutral.

“Even if a government agency, (over 550 or them) allows you to sniff  
their network, are they going to let you evaluate the applications for  
bugs?  I don’t think so.  Without scrubbing the software with products  
like Ounce Labs (owned by IBM),  what is the point of evaluating the  
network?

“Another item of great importance is a security clearance to do the  
work. This is where you will get only one brand of thinking; DoD or  
DoE clearance. This will prohibit the security “black hat” types from  
ever being involved in the project without coming from the DoD or  
Energy.

“So you will end up with 1,000 Security Managers in the government  
with Sec+, and CISSP certifications, talking to cisco, Juniper,  
CheckPoint, Tipping Point, Microsoft, Oracle, Ounce Labs, etc.  
security professionals at $300 an hour doing the actual work. That’s  
1,000 jobs for window dressing, releasing reports that end up on  
Drudge Report listing the number of breaches in Federal Government  
Agencies.

“When you look at the private sector protection of data standards for  
items like credit cards you have real teeth in your regulations.  You  
don’t have to take credit cards, but if you do then you need to be PCI  
compliant. Don’t want to be PCI?  No problem we won’t allow you to use  
our credit cards. Where will that type of enforcement be with the wall  
of 2,000 eyes protecting the USA?”

No there won’t be (this is Bob again) because governments are required  
to provide services to their citizens. Even the DHS can’t shut down  
the government to cure a security breach, though I am beginning to  
believe they haven’t yet figured that part out.

“I’m not sure there are even a handful (of experts) with any sort of  
broad experience,” said expert number five, who is usually associated  
with security hardware. “There probably are pockets of them, with  
specialized narrow experience, e.g. in banking, virus or DOS attacks,  
military networks, etc.. And even if there were 1,000, what would they  
be doing on behalf of Uncle Sam?”

That’s a great question given that we as a nation can’t seem to hire  
and keep a national cybersecurity czar. So what are we doing hiring  
1,000 experts given there is no boss?

While it is great to have a Cybersecurity Awareness Month, whatever  
that is, and it might be great to add a thousand “experts” to protect  
our nation, if you look deeper into this story it is for the most part  
BS or HS and, I fear, CS to boot.

Look, the number of CCIE’s with security as a certification is 2,300  
for the entire world. Subtract the 50 percent who work for cisco, then  
50 percent again for those not working in the field any longer, and  
you get 500 cisco CCIE Security Experts worldwide. The only way to get  
another thousand in three years is by training them. But in the last  
four months with 800 available seats to sit for the cisco CCIE  
Security exam only one person has passed!

The DHS is extremely unlikely to be able to find and train 1,000   
cybersecurity experts in three years. Maybe they’ll come up with 100  
(more likely 5-10), but the DHS environment will make it unlikely —  
very unlikely — that all of those 100 will stick around.

Secretary Napolitano says she might not need all 1,000, which to me  
says she is really looking for 3-5 people.  And frankly that ought to  
be enough if they are truly experts and are both properly led and  
supported (which they probably won’t be).

So this is the wrong approach entirely. It won’t work, the DHS  
probably knows it won’t work (if they don’t know that, well God help  
us all) but they see it as better than nothing. That doesn’t worry me  
so much, though. What really worries me is the point brought up by  
cybersecurity expert number six, who himself came in from the cold:

“Sure there are 1,000 (cybersecurity experts),” he said, ” but they  
are already employed… as hackers.”