coolmanhiphop, 08-07-2008, 09:50 AM
Memo to Next President: How to Get Cyber Security Right

Obama has a cyber security plan.
It's basically what you would expect: Appoint a national cyber security advisor, invest in math and science education, establish standards for critical infrastructure, spend money on enforcement, establish national standards for securing personal data and data-breach disclosure, and work with industry and academia to develop a bunch of needed technologies.
I could comment on the plan, but with security the devil is always in the details -- and, of course, at this point there are few details. But since he brought up the topic -- McCain supposedly is "working on the issues" as well -- I have three pieces of policy advice for the next president, whoever he is. They're too detailed for campaign speeches or even position papers, but they're essential for improving information security in our society. Actually, they apply to national security in general. And they're things only government can do.
One, use your immense buying power to improve the security of commercial products and services. One property of technological products is that most of the cost is in the development of the product rather than the production. Think software: The first copy costs millions, but the second copy is free.
You have to secure your own government networks, military and civilian. You have to buy computers for all your government employees. Consolidate those contracts, and start putting explicit security requirements into the RFPs. You have the buying power to get your vendors to make serious security improvements in the products and services they sell to the government, and then we all benefit because they'll include those improvements in the same products and services they sell to the rest of us. We're all safer if information technology is more secure, even though the bad guys can use it, too.
Two, legislate results and not methodologies. There are a lot of areas in security where you need to pass laws, where the security externalities are such that the market fails to provide adequate security. For example, software companies who sell insecure products are exploiting an externality just as much as chemical plants that dump waste into the river. But a bad law is worse than no law. A law requiring companies to secure personal data is good; a law specifying what technologies they should use to do so is not. Mandating software liabilities for software failures is <a href="http://www.wired.com/politics/security/commentary/securitymatters/2006/06/71032">good</a>, detailing how is not. Legislate for the results you want and implement the appropriate penalties; let the market figure out how -- that's what markets are good at.
Three, broadly invest in research. Basic research is risky; it doesn't always pay off. That's why companies have stopped funding it. Bell Labs is gone because nobody could afford it after the AT&T breakup, but the root cause was a desire for higher efficiency and short-term profitability -- not unreasonable in an unregulated business. Government research can be used to balance that by funding long-term research.
Spread those research dollars wide. Lately, most research money has been <a href="http://query.nytimes.com/gst/fullpage.html?res=9F04E1DB113FF931A35757C0A9639C8B63">redirected</a> through DARPA to near-term military-related projects; that's not good. Keep the earmark-happy Congress from <a href="http://www.ostp.gov/pdf/1pger_earmark.pdf">dictating</a> (.pdf) how the money is spent. Let the NSF, NIH and other funding agencies decide how to spend the money and don't try to micromanage. Give the national laboratories lots of freedom, too. Yes, some research will sound silly to a layman. But you can't predict what will be useful for what, and if funding is really peer-reviewed, the average results will be much better. Compared to corporate tax breaks and other subsidies, this is chump change.
If our research capability is to remain vibrant, we need more science and math students with decent elementary and high school preparation. The declining interest is partly from the perception that scientists don't get rich like lawyers and dentists and stockbrokers, but also because science isn't valued in a country full of creationists. One way the president can help is by trusting scientific advisers and not overruling them for political reasons.
Oh, and get rid of those post-9/11 restrictions on student visas that are <a href="http://www7.nationalacademies.org/visas/Statement%20on%20Visa%20Problems.pdf">causing</a> (.pdf) so many top students to do their graduate work in Canada, Europe and Asia instead of in the United States. Those restrictions will <a href="http://www.aau.edu/research/Gast.pdf">hurt us</a> (.pdf) immensely in the long run.
Those are the three big ones; the rest is in the details. And it's the details that matter. There are lots of serious issues that you're going to have to tackle: data privacy, data sharing, data mining, government eavesdropping, government databases, use of Social Security numbers as identifiers, and so on. It's not enough to get the broad policy goals right. You can have good intentions and enact a good law, and have the whole thing completely gutted by two sentences sneaked in during rulemaking by some lobbyist.
Security is both subtle and complex, and -- unfortunately -- it doesn't readily lend itself to normal legislative processes. You're used to finding consensus, but security by consensus rarely works. On the internet, security standards are much worse when they're developed by a consensus body, and much better when someone just does them. This doesn't always work -- a lot of crap security has come from companies that have "just done it" -- but nothing but mediocre standards come from consensus bodies. The point is that you won't get good security without pissing someone off: The information broker industry, the voting machine industry, the telcos. The normal legislative process makes it hard to get security right, which is why I don't have much optimism about what you can get done.

And if you're going to appoint a cyber security czar, you have to give him actual budgetary authority -- otherwise he won't be able to get anything done, either.
---
Bruce Schneier is chief security technology officer of BT, and author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World.
