Beware the Cyber-Katrina!
Posted February 19th, 2009 by rybolov
Scenario: American Internet connections are attacked. In the resulting chaos, the Government fails to respond at all, primarily because of infighting over jurisdiction issues between responders. Mass hysteria ensues–40 years of darkness, cats sleeping with dogs kind of stuff.
Sounds similar to New Orleans after Hurricane Katrina? Well, this now has a name: Cyber-Katrina.
At least, this is what Paul Kurtz talked about this week at Black Hat DC. Now I understand what Kurtz is saying: that we need to figure out the national-level response while we have time so that when it happens we won’t be frozen with bureaucratic paralysis. Yes, it works for me, I’ve been saying it ever since I thought I was somebody important last year. =)
But Paul… don’t say you want to create a new Cyber-FEMA for the Internet. That’s where the metaphor you’re using fails–if you carry it too far, what you’re saying is that you want to build a Government organization that will eventually fail when the nation needs it the most. Saying you want a Cyber-FEMA is just an ugly thing to say once you think about it too long.
What Kurtz really meant to say is that we don’t have a national-level CERT that coordinates between the major players–DoD, DoJ, DHS, state and local governments, and the private sector–for large-scale incident response. What Kurtz is really saying, if you read between the lines, is that US-CERT needs to be a national-level CERT and needs the funding, training, people, and connections to do this mission. In order to fulfill what the administration wants, needs, and is almost promising to the public through its management agenda, US-CERT has to get real big, real fast.
But the trick is, how do you explain this concept to somebody who doesn’t have either the security understanding or the national policy experience to understand the issue? You resort back to Cyber-Katrina and maybe bank on a little FUD in the process. Then the press gets all crazy on it–like breaking SSL means Cyber-Katrina Real Soon Now.
Now for those of you who will never be a candidate for Obama’s Cybersecurity Czar job, let me break this down for you big-bird stylie. Right now there are 3 major candidates vying to get the job. Since there is no official recommendation (and there probably won’t be until April, when the 60 days to develop a strategy are over), the 3 candidates are making their move to prove that they’re the right person to pick. Think of it as their mini-platforms; just look out for when they start talking about themselves in the third person.
FEMA Disaster Relief photo by Infrogmation. Could a Cyber-FEMA coordinate incident response for a Cyber-Katrina?
And in other news, I3P (with ties to Dartmouth) has issued its National Cyber Security Research and Development Challenges document which, um… rehashes the same stuff we’ve seen from the National Strategy to Secure Cyberspace, the Systems and Technology Research and Design Plan, the CSIS Recommendations, and the Obama Agenda. Only the I3P report adds all this weird psychologically-oriented mumbo-jumbo that made my eyes glaze over when I read it.
Guys, I’ve said this so many times I feel like a complete cynic: talk is cheap, security isn’t. It seems like everybody has a plan but nobody’s willing to step up and fix the problem. Not only that, but they’re taking each other’s recommendations, throwing them in a blender, and reissuing them as their own. Wake me up when somebody actually does something.
It leads me to believe that, once again, those who talk don’t know, and those who know don’t talk.
Therefore, here’s the BSOFH’s guide to protecting the nation from Cyber-Katrina:
- Designate a Cybersecurity Czar
- Equip the Cybersecurity Czar with an $100B/year budget
- Nationalize Microsoft, Cisco, and one of the major all-in-one security companies (Symantec)
- Integrate all the IT assets you now own and force them to write good software
- Public execution of any developer who uses strcpy() because who knows what other stupid stuff they’ll do
- Require code review and vulnerability assessments for any IT product that is sold on the market
- Regulate all IT installations to follow Government-approved hardening guides
- Use US-CERT to monitor the military-industrial complex
- ?????
- Live in a secure Cyber-World
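The strcpy() item above is the one genuinely technical point in the list, so here is what it is complaining about, as an added example written for this page (not code from the original post): the unbounded copy next to a bounded replacement that refuses oversized input instead of silently truncating it. The NAME_MAX size and the function names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fixed-size field, as found in many network daemons and parsers.
 * The size and function names are assumptions for this example. */
#define NAME_MAX 16

/* The strcpy() anti-pattern: the destination size is never consulted, so a
 * source of NAME_MAX or more bytes writes past the end of buf.  Defined here
 * only to show the shape of the bug; the example never calls it with
 * untrusted input. */
void copy_name_unsafe(char buf[NAME_MAX], const char *src)
{
    strcpy(buf, src);
}

/* Length of src, scanning at most limit bytes (a portable strnlen()). */
static size_t bounded_len(const char *src, size_t limit)
{
    size_t n = 0;
    while (n < limit && src[n] != '\0')
        n++;
    return n;
}

/* Hardened form: never write more than NAME_MAX bytes, always leave buf
 * NUL-terminated, and tell the caller when the input did not fit so it can
 * reject the request instead of using a silently truncated value.
 * Returns true if src was copied in full, false if it was rejected. */
bool copy_name_bounded(char buf[NAME_MAX], const char *src)
{
    size_t len = bounded_len(src, NAME_MAX);
    if (len >= NAME_MAX) {      /* no room for the terminating NUL */
        buf[0] = '\0';
        return false;
    }
    memcpy(buf, src, len + 1);  /* copy includes the NUL */
    return true;
}

int main(void)
{
    /* Constructed inputs: one that fits and one that would smash the stack
     * if it went through copy_name_unsafe(). */
    const char *ok  = "rybolov";
    const char *bad = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; /* 32 bytes */
    char buf[NAME_MAX];

    printf("%-6s -> %s\n", "short", copy_name_bounded(buf, ok) ? buf : "(rejected)");
    printf("%-6s -> %s\n", "long", copy_name_bounded(buf, bad) ? buf : "(rejected)");
    return 0;
}
```

The point of returning a status instead of quietly chopping the string (as strncpy() would) is that a truncated username, path, or hostname is often a security bug in its own right; the caller should know the input was bad and fail closed.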
But hey, that’s not the American way–we’re not socialists, dammit! (well, except for mortgage companies and banks and automakers and um yeah….) So far all the plans have called for cooperation with the private sector, and that’s worked out just smashingly because of an industry-wide conflict of interest–writing junk software means that you can sell upgrades or new products later.
I think the problem is fixable, but I predict these are the conditions for it to happen:
- Massive failure of some infrastructure component due to IT security issues
- Massive ownage of Government IT systems that actually gets publicized
- Deaths caused by massive IT Security fail
- Osama Bin Laden starts writing exploit code
- Citizen outrage to the point where my grandmother writes a letter to the President
Until then, security issues will always be second fiddle to wars, the economy, presidential impeachments, and a bazillion other things. Because of this, security conditions will get much, much worse before they get better.
And then the cynic in me can’t help but think that, deep down inside, what the nation needs is precisely an IT Security Fail along the lines of 9-11/Katrina/Pearl Harbor/Dien Bien Phu/Task Force Smith.
Posted in BSOFH, Public Policy, Rants | 6 Comments »
Tags: dhs • einstein • government • incidentresponse • infosec • itsatrap • management • NIST • obama • pwnage • scalability • security • transition
February 20th, 2009 at 12:19 am
You had me at Cyber…you had me at Cyber…
February 20th, 2009 at 9:04 am
Hi Hoff
I’ve been in DC so long it doesn’t even faze me anymore when somebody starts a word with “Cyber”.
The best I’ve seen was the personnel officer for the USAF Cyber Command who just used “Cyber” without any other word because he was a transportation pilot who had no idea WTF “Cyber” meant. =)
February 20th, 2009 at 2:58 pm
> the Government fails to respond at all, primarily because of infighting over jurisdiction issues between responders
Oh how true it is. I remember some years ago when some idiot was trying to jump off the old Wilson Bridge. I sat in the backup for hours. Afterwards I heard on the radio that most of the time was spent not in trying to talk this guy down but in figuring out who had jurisdiction. Apparently MD and VA jurisdiction only extends so far from shore and the federal government takes the section in the middle. I can just imagine the arguments: “Said jumper is 50 yards from shore so it’s VA’s responsibility. No he’s 51 yards from shore so it’s the Fed’s responsibility. But he entered from the MD side so it’s really MD’s responsibility…”
Can you imagine the arguments that will take place during a full on cyber-attack? Good grief!
February 22nd, 2009 at 3:44 am
Y’all are overthinking this:
n. cyber-czar= guerilla ciso
n+1. process
n+?. Fly fish.
February 23rd, 2009 at 5:05 pm
Regarding your reactions to the I3P report…
I know you tagged this as a “rant”, but I really wish you had made realistic and constructive suggestions. You sound like my 10-yr old son, who imagines that a “benevolent dictator” could solve all the tough problems in society by decree and force.
You complain about “psychologically-oriented mumbo-jumbo”. Damn… if we could only get people out of the loop, security would be so much easier! 🙂
The value of the I3P report, even if it reinforces the analysis and recommendations of previous reports, is that it further solidifies the professional consensus on research & development direction, and therefore funding priorities.
The main obstacles to actually making this R&D happen are organizational and cultural — in government, industry, and academia. There have been some efforts to break the mold, including NITRD in the US Government, and I3P itself. But these have not yet resulted in significant cross-disciplinary projects, programs, or centers on the scale needed.
For example, the I3P report and the others put security metrics as a key research challenge and enabler, especially metrics that link operational/technical “ground truth” to economic decision making — risk management, investment management, etc.
But, to date, there has been almost no funding for substantive research on this topic. DHS had a BAA a year ago, but this was just one of 9 topics, and they only had $17m for all topics. NIST had an SBIR topic recently, but this only provides $100K for a small business.
NSF is facilitating the “Cyber Leap Ahead” process with RFIs, workshops, etc. This might be the best venue for actually working out how to organize and implement public-private R&D initiatives, which could then lead to specific funding opportunities. We shall see how this turns out.
In the meantime, I applaud the I3P report as a valuable tool to educate non-technical policy makers and legislators.
February 23rd, 2009 at 6:24 pm
Hi Russell, thanks for the very good response.
In the back of my brain, I know that what we really need to do is to provide a bridge from the strategic down to the tactical complete with dollar amounts and a realistic, detailed plan of action. Until somebody provides that, I will remain unimpressed by any recommendations.
Yes, we can re-state the same recommendations that we have for the past 6 years. That hasn’t gotten us anywhere so far, and it won’t until the pain of not doing anything serious becomes more than the pain of funding. I seriously doubt if that will happen without serious disasters happening with an IT security cause.
Maybe it’s an INTJ trait: “We’ve already said that, why do you need to hear it again?”
And then deep down inside, the cynical part of me can’t help but view these recommendations documents as “throw more money at us so that we can do more research to tell you where you need more research.” Last I checked, I do work for a consulting firm–I’ve seen this in action. =)