ICANN/GNSO GNSO Email List Archives

[ga]



[ga] Northcutt Commentary on the US Cyber Command

  • To: ga@xxxxxxxxxxxxxx, a2k@xxxxxxxxxxxxxxxxxxx, imatx26@xxxxxxxxxxxxxx, governance@xxxxxxxxxxxxxx, SenateWebmail@xxxxxxxxxxxxxxxxx, stephen@xxxxxxxx
  • Subject: [ga] Northcutt Commentary on the US Cyber Command
  • From: "Jeffrey A. Williams" <jwkckid1@xxxxxxxxxxxxx>
  • Date: Tue, 13 Apr 2010 16:23:13 -0500 (GMT-05:00)

Stephen and all,

  I believe this is well worth the read although as an IT security
professional for many years as well as an IT development Eng. I
have one small disagreement with Stephen's commentary, that being
that throwing taxpayers' money at the ever growing and becoming
more technically sophisticated cyber miscreants/criminals/hackers
will not win the war, and in fact may embolden same even more.  Rather
using and/or leveraging the IT security community more fully and
being much more focused on providing much better defenses as well
as responding to reported complaints more strongly will go far
further than spending big taxpayers' $$.  Unfortunately too many
politicians or policy wonkers are of the mistaken belief that
more money to solve tough problems is always the better or
only solution.  Nothing could be farther from the truth. Ergo
I for one want to see our cybersecurity budget cut and then
used far more efficiently and especially more effectively
accordingly. It seems very obvious that NIST's recent IT
security standards for tools and privacy protection are far
too weak as the latter has already been broken.  This is what
happens when mediocrity is considered acceptable.  The old
adage "Good enough for Government work" comes to mind here.

  Stephen's otherwise excellent commentary begins here:

US Lawmakers should be taking a close look at the US Cyber Command.
Computers are Cheap; the Internet is easy to access; this is the perfect
playground for the guerrilla fighter. We think we are smarter, higher
tech, better equipped than any adversary. But we have boys coming home
in boxes from Afghanistan where the same things are supposed to be true.
The USA has more to lose than almost any other country. We are more
dependent on computers and networks. I am sitting here typing this note
on Windows 7 with a 5 yr old Linux box on my left and an Apple on my
right; and all three are online. Can you say "huge target?" I love my
country; I want us to be ready with the best and the brightest; but no
sane person should agree that the rules of engagement are a state
secret. Rather the rules should be clearly posted on www.defense.gov for
the world to see, and we should hold the Cyber Command accountable to
follow them. We have already learned what happens when we go off
half-cocked thinking we are so big and bad that we can do whatever we
want to do. We need to continue to strengthen IT defense, (20 critical
controls anyone), build a strong offense, and use said offense sparingly
and in a manner that does not put us all at risk.

The BitTorrent scam story in this issue ties right into my DOD
rules-of-engagement comment. Every month more evidence emerges that
attackers are getting better and better at reaching the everyday
citizen. I think what the BitTorrent folks are doing is wrong, but let
me tell you what is going to happen. The U.S. Cyber Command (aka NSA)
is going to evade accountability and transparency citing national
security.  Then, one day, Cyber Command will issue a press release about
an operation they just concluded probably against Islamics and it will
be just like President George Bush landing on the USS Abraham Lincoln
to give his "mission accomplished" speech for Iraq in 2003. For a few
days, everyone will cheer; Twitter users will retweet. However, then US
English language specific worms will start to spread; attacks we never
thought about will start to happen; people signed up to porn sites, wife
swapping sites, sites you don't even want to know exist will be
infected. And this malware will not be benign; it will destroy data. It
will send grammatically correct notes to your siblings telling them they
suck and that you never want to hear from them again. Will it throw us
back to the stone age? Of course not, but more than a few people will
lose all their family pictures because they are not backed up and wills
and business plans, designs that will one day be patents and more will
all be lost. It is easy to create a scenario where billions of dollars
of effort and productivity is lost. Perimeter security is fading fast.
Now it is all about the end point and the attackers sense that and they
are focusing on the endpoint and end user. Near as I can understand the
DoD's primary purpose is to keep us from being invaded and that means
regular folks like you and me. Whatever the Cyber Command does, it should
first focus on keeping the citizens of the United States of America
safe from invasion from afar.  If 80% of budget is focused on that, I
am very pleased to see my taxes used to support the US Cyber Command.

Regards,

Jeffrey A. Williams
Spokesman for INEGroup LLA. - (Over 294k members/stakeholders and growing, 
strong!)
"Obedience of the law is the greatest freedom" -
   Abraham Lincoln

"Credit should go with the performance of duty and not with what is very
often the accident of glory" - Theodore Roosevelt

"If the probability be called P; the injury, L; and the burden, B; liability
depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing  (159 F.2d 169 [2d Cir. 1947]
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS. div. of
Information Network Eng.  INEG. INC.
ABA member in good standing member ID 01257402 E-Mail jwkckid1@xxxxxxxxxxxxx
Phone: 214-244-4827



