White House net security paper

The White House just put out a release on net security[1] - at first glance
a mission/vision/values paper, the release page[2] also containing a short
video[3].

At first glance, this looks promising - anyone else get a chance to
read/review? Comments?

-jamie

[1] http://www.whitehouse.gov/asset.aspx?AssetId=1732
[2] http://www.whitehouse.gov/CyberReview/ (other links here as well)
[3] http://www.whitehouse.gov/videos/2009/May/20090529_Cyber_Security.mp4

fine piece of work.

"The Nation’s approach to cybersecurity over the past 15 years has failed to
keep pace with the threat."

I think that they may be getting it...

between making something usable and how-high to build the fence. I know how to keep important data secure, but making it accessible and secure always exposes it to some level of risk. The question is where does that risk meter get set.

It's not obvious to me if this is a direct result of the 60-day cyber review (but I presume it is) that Melissa Hathaway completed. I need some more time to read this entire thing. The ISP community has provided input to this and various security efforts that the US Government has done. There is actually an entire (non-trade-association driven, non-lobbist, etc..) community that does get reached out to.

http://www.commscc.org/
http://www.it-scc.org/

I know that membership is FREE for the IT-SCC. This means that *YOU* (yes, You!) can be at the table and provide this feedback. This is in addition to you reading the notices in the Federal Register too

There are good people involved in these activities, but always room for more. Take a look at the charters for the it-scc & commscc and see if one (or both) is a fit for your org. Worst case scenario you get a few more emails. (The volume is way lower than NANOG).

  - Jared

At first glance, this looks promising - anyone else get a chance to
read/review? Comments?

You might hate Marcus Ranum, or love him, but the presentation he did
at the DojoSec in March
is related to this subject, and it is well worth the hour:
http://vimeo.com/3519680

So quoting the original document again: "The Federal government, with the
participation of all departments and agencies, should expand support for key
education programs and research and development to ensure the Nation’s
continued
ability to compete in the information age economy. Existing programs should
be evaluated and possibly expanded, and other activities could serve as
models for additional programs."

are any nanog'ers Educators, the newly educated or Employers of the newly
educated? Is Information technology Education really in as much trouble as
the report suggests? I work with two new graduates of computer science/IT
programs of state universities they demonstrate a high level of competence
in their work, but thats just my neck of the woods.

Its not the quality, its the quantity.

Two new grads are great, but over the next 10 years some estimates (yeah, I know about statistics) say there will be a gap of over 100,000 new IT Security jobs to fill in the US and close to a million unfilled positions world-wide.

How many ISPs have too many network security people?

Two new grads are great, but over the next 10 years some estimates (yeah,
I know about statistics) say there will be a gap of over 100,000 new IT
Security jobs to fill in the US and close to a million unfilled positions
world-wide.

and why do we think that throwing a jillion bodies at the problem is a
useful approach?

randy

No, but it does keep people employed.

Sorry, I think I reached a new low in my "stabby, jaded" level when
a past employer (a network consulting firm) blasted me for being
"too efficient" at solving a problem.

Adrian

Any organization moaning about unfilled slots is welcome to raise its
salary scale, and fill them. All such whining is really an implicit
statement that the job is not vital enough to fill. Funny, you never
hear complaints about being unable to fill CEO slots, or bond traders.

and why do we think that throwing a jillion bodies at the problem is a
useful approach?

No, but it does keep people employed.

As hire As. Bs hire Cs. Lots of Cs.

this problem needs neurons, not battalions.

randy

Randy Bush <randy@psg.com> writes:

As hire As. Bs hire Cs. Lots of Cs.

this problem needs neurons, not battalions.

this problem needs round-tuits, which Good Guys are consistently short of,
but which Bad Guys always have as many of as they can find use for. a few
battalions of B's and C's, if wisely deployed, could bridge that gap. the
key to all this is therefore not really "neurons" but rather "wiselyness".

i promise to, um, mention this, or maybe more, in my nanog-philly keynote.

Sean Donelan <sean@donelan.com> writes:

How many ISPs have too many network security people?

network security is a "loss center". not just a cost center, a *loss* center.
non-bankrupt ISP's whose investors will make good multiples only staff their
*profit* centers. the Good Guys and Bad Guys all know this -- the difference
is that the Good Guys try not to think about this whereas the Bad Guys think
about it all the time.

As hire As. Bs hire Cs. Lots of Cs.
this problem needs neurons, not battalions.

this problem needs round-tuits, which Good Guys are consistently short
of, but which Bad Guys always have as many of as they can find use
for. a few battalions of B's and C's, if wisely deployed, could
bridge that gap.

there is a reason Bs and Cs have spare round-tuits.

fred brooks was no fool. os/360 taught some of us some lessons.
batallions work in the infantry, or so i am told. this is rocket
science.

randy

network security is a "loss center". not just a cost center, a *loss* center.
non-bankrupt ISP's whose investors will make good multiples only staff their
*profit* centers.

this glib statement may have been true at the isps where you worked. it
is not true for the ones where i work(ed).

randy

It is true at every ISP I have ever encountered. I do not consider the statement glib. -Hank

network security is a "loss center". not just a cost center, a
*loss* center. non-bankrupt ISP's whose investors will make good
multiples only staff their *profit* centers.

this glib statement may have been true at the isps where you worked. it
is not true for the ones where i work(ed).

It is true at every ISP I have ever encountered. I do not consider the
statement glib.

well, i guess some of us are pickier than others, and have the luck of
having choices.

randy

If people think that support for R&E programs should be cut instead, I guess that is also a useful data point. It would be noteworthy that any group advocated a cut in their own funding.

   "The Federal government, with the participation of all departments and
   agencies, should expand support for key education programs and research
   and development to ensure the Nation~Rs continued ability to compete in
   the information age economy. Existing programs should be evaluated and
   possibly expanded, and other activities could serve as models for
   additional programs."

Jared's message earlier had the information about how you could participate
if you have suggestions.

There have been numerous recommendations over the years to improve education and training of IT/Security professionals directed at either DHS, EOP and other agencies. I see a critical gap in this space myself. There are not enough people that are truly skilled in this space. Perhaps this need will never be met, but with the consistent threat of compromise facing any network connected organization, there need to be people who are trained to respond.

There just are not enough skilled network & security engineers out there. US-CERT (as an example) is always hiring, and I have heard stories of people going from fast-food to trying to decipher intrusion data because they could get their TS/SCI.

I'm certain that anyone who can combine two skills (computers, computer networks or data forensics) with some criminal justice could help fight the bad guys. There is a severe lack of talent here.

  - Jared

Randy Bush <randy@psg.com> writes:

... a few battalions of B's and C's, if wisely deployed, could bridge
that gap.

there is a reason Bs and Cs have spare round-tuits.

fred brooks was no fool. os/360 taught some of us some lessons.
batallions work in the infantry, or so i am told. this is rocket
science.

to me "wisely" means backfilling 80% of what the Good Guys do that isn't
rocket science. (most A's are not doing only what only A's can do.)