Digital self-defense is the only response to government inertia

Most people I know have held at least one terrible job in their lives. But I think I’ve found the ultimate crap job: being the U.S. government’s computer security honcho. The next person to take the post will be the fourth head of the U.S. Department of Homeland Security’s National Cyber Security Division (NCSD) in three years, now that Amit Yoran has thrown up his hands in frustration. The reasons for quitting had to do with influence, or his lack thereof. That’s a big problem when one considers how funding levels depend on clout.

What it comes down to is that the NCSD is getting lost in the bureaucratic shuffle. If someone expects the government to protect them from network-borne threats, they’re living in what the Germans call “cloud-cuckoo-land.” Richard Clarke, Howard Schmidt, and now Amit Yoran have all learned the hard way that the government’s concern with computer security ends when the photo op is over. Things are going to stay that way until there’s a catastrophic Internet attack that rivets people’s attention the way Sept. 11 did. Even then, I expect that the Feds will wind up chasing the wrong guy for the wrong reasons.

In the meantime, the government’s message to citizens and business alike is clear: Fend for yourselves. That’s what we’ve been doing all along, with varying degrees of success. But because hardware and software vendors tend to disable security features in the name of “ease of use,” self-defense on the digital frontier is a measure of one’s tolerance for discomfort. I confess that I’m only human and I sometimes ignore best practices for the sake of convenience.

Of course, the next best thing to a convenient best practice is to convince oneself that best practice is convenient. That requires education (or propaganda, depending on your perspective), and that’s something at which private enterprise excels. Because the government has its hands full with nation-building in the Middle East, it’s also a vacuum that needs filling. It looks like Dewey the Turtle is going to wind up on the Island of Misfit Mascots, after all.

The worst thing about the impotence of the NCSD is that people are kidding themselves that there’s a plan. Although a strategy exists, NCSD can only point to a handful of policy documents when asked to justify its existence. In the absence of any national plan to secure the Internet, what can the customers do? Well, there’s always the SANS Top 20 for starters. (No, I’m not going to write that column again.) There are the obvious steps such as keeping systems patched and disabling unnecessary services; however, educating end-users may have the best payoff with the least expense.

But there are limits to what education can achieve, as I’ll explain next week.