Recent attacks on the power grid, stolen fighter jet plans, and SCADA system security woes have thrust national cybersecurity into the limelight. The reaction has been as expected: Congress is asking tough questions, and the White House has reviewed federal networks and security processes. One key question remains unanswered: Which government agency should be running the show? Many have called for a newly created White House position to oversee cybersecurity and report directly to the president, while others wonder what role intelligence agencies such as the National Security Agency (NSA) will play in leading the country's cybersecurity efforts. Security experts Bruce Schneier, CTO of BT Global Services, and Marcus Ranum, CTO at Tenable Network Security, debate all sides of the issue in this Face-Off, a recorded version of their popular point-counterpoint columns published regularly in Information Security magazine.
Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies. To suggest a transcript correction, contact firstname.lastname@example.org.
Face-off: Who should be in charge of cybersecurity?
Marcus Ranum: Obviously, whoever should be in charge of cyber security for the Federal Government needs to be competent, needs to have an awareness, and more importantly, needs to have authority. I don't know about you, but I do not think that there is a single Federal Agency that meets those criteria.
Bruce Schneier: When I think of cyber security and who should be in charge on the government level, I think the real answer is nobody. The notion of ‘someone in charge’ is a very militaristic model, and it works well in a top-down system in a company where people have to have to listen to who their bosses are, and you have one person in charge of something, and that is what they do. In a capitalist economy, it almost really does not work that way. Even in the government you have a lot of different organizations with a lot of different responsibilities, and there is not one single chain of command. Think of regular law enforcement. The FBI is in charge of crimes, DOD is in charge of military security, the Secret Service is in charge of counterfeiting and other things, the Coast Guard, you got different areas of security and different people in charge, and this actually makes a lot of sense.
Marcus Ranum: The problem with the model that you just voiced is you are basically saying everybody is going to do the right thing. That is what they have been trying so far, and what we actually see is that nobody has done the right thing.
Bruce Schneier: Yes, but I am not sure that is the top-down model that is going to fix that.
Marcus Ranum: No.
Bruce Schneier: Yes, you assume that everybody is going to do what they think is the right thing. The whole point of a distributed security system is that you have overlapping spheres of responsibility, different ideas of how to do it; you have resilience. The problem with a top-down model is that single points of failure are more common, that you are going to have, someone had the wrong idea, everyone below them do the wrong thing, and you are completely wrong. At least in the distributed model, one side could think A, one side could think B, and you have some overlapping; a failure here does not mean a failure there.
Marcus Ranum: The overlapping and the checks and balances effect is absolutely critical. The thing that really informs my thinking about this is, I remember back when the Clinton Administration first came in, and we were trying to do some cyber security stuff for the White House, and basically, we discovered that the staffers, since they were a classification authority, they just said, ‘We are just not going to classify anything because it is a pain for us to deal with it.’ There was actually no one who could tell them, ‘You really do need to classify these things because they are crucial and they have to be treated that way.’ I think the reason that we are in the situation that we are in right now is, essentially, the agencies say, "Cyber security really is a pain in the neck, so we are going to wait until we get guidance from the National Security Agency, or NIST, or whoever.’ We got this rugby scrum to see who gets to carry the ball, and then another group of agencies that are frantically trying to throw the ball into other people's hands, and actually no one is competent, at this point, to carry the ball.
Bruce Schneier: I am not convinced that's horrible. We are doing OK. The notion that we need someone in charge because things are completely failing, I think, is overstated. Yes, everyone gets a C and a D in cyber security, but the government is basically functioning. We are doing quite well in the scheme of things. It does not surprise me that organizations are saying, "Too much security is affecting how we work." Business do that, I do that, nobody likes security. We all like doing what we are doing and we want as minimal security as possible. That is reasonable, that is not unsurprising.
Marcus Ranum: You cannot sit back and go, "What we are doing is working right now, up until the point where it stops working." You have to actually be thinking about, "What if it stops working really suddenly," and I do not think that there has been a lot of thought being paid to that. One of the things that really concerns me when I look at Federal IT security is that the IT savvy people have all been dragged into the private sector, so essentially, most of the federal IT practitioners that I have run into, all they really know how to do is read Power Points that are played for them by Beltway Bandits and outsourcers, and that really concerns me.
Bruce Schneier: That is certainly true. You are seeing a lot of IT infrastructure being run by contractors, by outsourcers because there is not the expertise in the Federal Government. Again, I am not sure consolidation solves this. These are endemic problems in large organizations, this is what you get. I am concerned a lot about the Federal Government cleaning their own house, I would rather them do a lot better on security, but I do like the fact that there is not one person in charge who can dictate how policy works, what the White House has to classify or what DOD has to do. What I want to see is coordination. Where we fail is that they do not talk to each other. I do not want top-down control, but I really do want coordination and consolidation; we'd do a lot better if we consolidate our buying, for example. If NIST could come out with one standard contract for an encrypted laptop or a firewall, we would do a lot better.
Marcus Ranum: There are 270, I think it is, cross-domain solutions, which is what the government calls a firewall. There are 270 of them, and trying to figure out what the properties of all of those are and why they all have to be different is really difficult. I think if you were an IT specialist working for Exxon, or something like that, and you went to the CTO and said, "We have 250 different kinds of firewalls," you would be out on the street looking for a job in 15 or 20 minutes. That, to me, is really the issue. Every time I hear people say, "The Federal Government is finally getting serious about IT security. They are going to really clean up their act now." When I actually hear about some federal IT manager losing their job because of a security failure, then I am going to be impressed. Otherwise, what we have is an environment where everybody fails, and fails, and fails,\ but they get passed on to the next grade anyway. If you can graduate college with a straight F average, nobody would ever do any work, and that is really what is happening with the federal IT security world, as far as I can see.
Bruce Schneier: That seems to be right. You see that in any bureaucracy, you see it in large companies. Thinking about IT security and federal IT security, I think the correct model is the human body. There is no organ in me that is in charge of security in my body. The endocrine system does something, the lymph nodes do something, the immune system does something else, and they all work. They overlap, there is redundancy, there is maybe extraneous redundancy, and different organs do things in different ways, and the result is security against known attacks and against unknown attacks. I think that is a real good model for government security. I would be worried if the NSA, for example, was in charge of cyber security, if they took charge of cyber security for corporate or critical infrastructure. Having one organization, no matter who they are, is going to put us at greater risk than having lots of overlapping, redundant organizations doing it more inefficiently.
Marcus Ranum: The other thing that is funny is you mentioned the biological model and one of the reasons why it works so well is there is such massive redundancy. There are these vastly complex systems that overlap hugely, so if we actually tried to have a defense in-depth model for a government that was centrally administrated, it would be so top-heavy, just in terms of command and control, I do not think it would actually be possible to build. I think you are right -- this stuff does need to be distributed, but my concern is just getting to square one. My concern is to just see that Federal Agencies are no longer being rewarded for incompetence. Every time I hear someone say, "We just spent $300 million on a system deployment, and we left security out. Give us more money," the answer should be, "We just spent $300 million, and you did not think about security? You screwed up. You do not get a budget increase, you get a demotion. You are now in charge of waxing cucumbers or something like that." Instead, what winds up happening is that the same bureaucrats who caused the problems are rewarded by being given more budget, and more staff, which essentially is pouring gasoline on the fire in an attempt to put it out.
Bruce Schneier: No argument.
Marcus Ranum: No argument.