Highlights from the US Senate panel on cybersecurity 23 February 2010.
Mary Ann Davidson, CSO (Oracle). Required reading! Ms. Davidson masters the subject in bright prose. This is an excellent indictment of the rush to deploy smart grid technologies before we’ve had time to harden them against the types of attacks that routinely take computers offline. Thought experiment: what level of unplanned downtime would you be comfortable with for your house’s electrical power? water? energy? Would you trade a 10% saving on your electric bill for a system that you couldn’t be sure would work more than 99.9% of the time? (99.9% availability still allows almost nine hours of outage a year.)
Even better, Ms. Davidson points out a crucial flaw in education. Computer science is applied mathematics, and few departments teach young programmers how to write secure software. If university departments don’t teach secure programming, we will need professional certifications to substitute, as with medical residencies, CFA exams for financial analysts, and professional societies for engineers and architects.
Vice Admiral Mike McConnell (Booz Allen Hamilton). Sound bite: “If there were a cyber war today, the United States would lose.” Some excellent recommendations for training a new class of software engineers, security professionals, and managers. Don’t be distracted by the sensational and unwarranted assertion at the outset. The rest of the testimony is good, and nobody is better informed than the Admiral.
Dr. James A. Lewis (CSIS). A couple of interesting metaphors. He compares cyberspace to a condominium and to a shopping mall, meaning that the space is all privately owned, and that neighbors have a compelling interest in one another’s behavior. Therefore all should be willing to submit to greater regulation. I’m inclined to agree with Borg’s statement (below) that government regulations are unlikely to keep pace with the rate of innovation. Rather than ask the government to certify that buildings are safe, wouldn’t we be better off with private certification of a standard of risk, as we currently do with automobiles, houses, and financial management? Computers and especially software are endlessly complicated, and don’t lend themselves well to the same type of governance as broadcast media and airplane safety.
Lewis also makes a crucial overstatement when he says that there are no rules on the Internet, or that the Internet is a wild west. In fact many national and state authorities have jurisdiction over Internet commerce, fraud, and even transborder crimes. More fundamentally, Lewis’ lawless vision of the Internet is at odds with the governance that exists at every layer of the Internet, from the development of hardware standards and the Internet protocols, to the assignment of names and numbers, to the software that runs servers and home desktops. Re-read Lessig, and see if you can imagine the Internet truly without rules.
Scott Borg (US-CCU). Focuses on three central problems: (1) the conflict is already here; (2) cyber conflict threatens future American prosperity; (3) fixing markets is the key to improving cyber security. I agree with Borg, but then I’m biased.
Rear Admiral James Arden Barnett, Jr., Ret. (FCC). An interesting point of view. I don’t have any problem with DHS assisting the country with situational awareness, but the philosophy of defense in this testimony is extremely centralized. The greatest specific policy errors of homeland security in the last ten years have been efforts to provide one-size-fits-all information and requirements from a central national office: the national threat level scale, vastly increased expenditures on passenger screening at airports, and advice on creating a safe room for chemical gas attacks inside your home. There are too many computers, and too many businesses, to expect that federal marshals can secure their IT infrastructure for them. Effective homeland defense will require businesses and individuals to have cheap, effective, and secure choices for accomplishing the things they already know how to do: run their businesses and their households.