
Pentagon Plans New Arm to Wage Wars in Cyberspace - robg
http://www.nytimes.com/2009/05/29/us/politics/29cyber.html?hp
======
tptacek
People think that military and homeland security networks would be better
secured than almost any private network... at least as well as, say, a bank.
They aren't. They're less secure than many university networks.

If there's an opportunity for the administration to improve "cybersecurity"
(and you'll know they've gotten serious when they stop using that term), it's
in coming up with a coherent plan to manage and secure all the different,
crappy, parochial IP networks run by DHS and DOD.

There's no other government-scale opportunity.

Could the government act as a tie-breaker to aid adoption of sane security
standards across industry and DOD? There are no sane security standards to
choose from. What's on the menu today is the product of decades of vendor
manipulation and pseudo-academic handwaving.

Could the government fund better research into security? The government
already plows hundreds of millions into this objective, and yet virtually all
meaningful security research --- from protocols to cryptosystems to
programming environments --- is cradle-to-grave private industry. The academic
research that matters to security is nuts-and-bolts math and CS. Let's keep
writing those grants. But industry looks at overtly "infosec" government
research and laughs.

Could the government equip the armed services to sabotage the IT
infrastructure of an adversary? Yes. The available evidence suggests that they
already have. But there are, on the outside, low tens of thousands of people
with the expertise and focus to make a difference here. The majority command
compensation far in excess of what DOD will pay. Only a small minority are
willing to participate in work like this, not just for ethical reasons but
because it's a poor career move. My utterly unqualified guess here is that we
have all the "cyber-warfighting" capability we're prepared to utilize, and
that any attempt for the government to amplify that capability with money and
programs is just pushing on a string.

The government needs to fix government IT. Of course, it won't; it'll delegate
make-work projects to Lockheed and SAIC and talk about the problem in terms of
dollars spent and czars minted. Which is fine. Regardless of what Obama says,
this is _not_ one of our major strategic problems today.

~~~
ajju
>They're less secure than many university networks.

If you've worked in/with IT at any university with a decent sized
CS/Engineering program (and maybe even those without one), this is because
students will try most tricks out there to prod and test university systems.
It's like a 24*7 pen test for free. I wonder how that compares to security
audits at govt/military networks.

~~~
req2
"You're a spy! Tribunaled!"

------
csbartus
"Part of that debate hinges on the question of how much control should be
given to American spy agencies, since they are prohibited from acting on
American soil."

Clearly, they have no strategy; it's another attack on the budget. They want to
use intelligence to detect people inside and outside the US who plan and run
attacks.

They are not defending the network but offending citizens. They are not going
to secure their servers but analyzing your digital presence.

This week there was an article on HN about Turkish hackers who entered US Army
sites with a simple SQL injection. Might your simple startup be more secure
than US Army servers?

~~~
tptacek
Obama's address on the subject today allocated an entire graf to saying that
monitoring private networks was _not_ part of their strategy. He said it in a
way that didn't leave a lot of room for interpretation. I think the privacy
concerns about this effort are scaremongering.

~~~
csbartus
> I think the privacy concerns about this effort are scaremongering.

I think implying usual intelligence in defending networks is scaremongering.

With all my respect to Obama he is still a politician who must defend
political decisions. US might have a better political class but here in
Eastern Europe we know to not take politicians seriously.

However, I would be interested in some concrete solutions / strategy the NSA
would offer to secure a network.

------
jzachary
This should be re-written as "Pentagon Plans Another New Arm to Wage Wars in
Cyberspace".

