Bruce Schneier and Marcus Ranum continue their face-off at ISD 2009 by discussing whether a U.S. cybersecurity coordinator is necessary. This segment covers the following topics:
- 0:10 Schneier: The case for a cybersecurity coordinator
- 2:22 Ranum: Bureaucracy shouldn't reward failure
- 3:40 Schneier: Whether it should be a government job
- 4:16 Ranum: Position demands authority to make changes
About the speakers:
Marcus Ranum is Chief Security Officer for Tenable Network Security.
Bruce Schneier is Chief Security Technology Officer for BT.
Check out other topics in this series:
- Part 1: The future of information security
- Part 2: Social networking
- Part 3: Compliance and security
- Part 5: Security metrics
- Part 6: Audience questions
Read the full transcript from this video below:
Schneier-Ranum face-off, part 4: Cybersecurity coordinator
Bruce Schneier: Yes, I actually think it's very important that there is a need for
cybersecurity coordination on a national level. You know this, 'cuz cybersecurity's
really lousy at the national level. A whole bunch of things that a cybersecurity
coordinator can do that will help the government and help us.
One, they can get their own house in order. A lot of government websites,
government networks are really lousy, they get Cs, they get Ds, these are
organizations that should know better. A coordinator can do that and there's
a lot of room for coordination, among different organizations. Two, they
can use their buying power. The neat thing about software is the cost is
all upfront, the first copy of Windows 7 cost $50 million. I'm making that
up. Second copy's free. If the government gets together and says, "We're
gonna have a standard spec for laptop equipment, for antivirals, for IDSes,
for operating systems, database. We're gonna make these demands on security
and those companies that meet them will get a whole big whopping
government contract." You bet that companies will try to meet those
demands. The products they developed, they'll also sell to us. We'll
benefit from that large amount of U.S. government buying power. It's a lot
we can benefit there.
Coordinating some R&D, I'd like to see a cybersecurity coordinator get a
lot more R&D dollars out to universities and national labs. Spread them far
and wide. Even simple things like that are truly huge, and would make a big
difference for government security and for our security. I'd like to see
one. The problem is gonna be, when you get one, the problem they had with
the last three, is they had no budgetary authority, so all they could do is
ask nicely. Which doesn't really work well in government. You need actual
budget authority. I'd like to see a cybersecurity coordinator be a better
politician than a cybersecurity person. You could have expertise under
you, but this is fundamentally a political job, so I like it when I hear
noises about political people being considered for the job.
Marcus Ranum: I actually don't agree with that at all. There's some pieces of it where
I think you're right, but ultimately what we're talking about is a
political problem. Yes, but ultimately what we're talking about is a
bureaucratic problem. And if you've got an organization, which, if you look
at the federal government as a whole, has just failed repeatedly on cybersecurity.
It's the biggest cybersecurity disaster I've ever seen, except
maybe Estonia, or something like that, but it is really pathetic. It is
pathetic that the world's leading super power consistently has government
agencies that come back with Ds and Fs. What's the solution? You take the
management structure that's responsible for that failure, and you don't
reward them by giving them more money or coordinating with them, you fire
them. That's really the problem.
The reason that cybersecurity in the federal sector has been a disaster,
is because every time the government approaches improving cybersecurity,
the approach has been, "We're going to do more of what hasn't worked in the
past with a bigger budget, using the same people." I don't think we need a
cybersecurity czar, I think what we need is a simple law from Congress
that says, "If your government agency fails its FISMA compliance, and/or
is penetrated more than a certain number of times, and/or leaks more than
so many pieces of taxpayer information, the CSO gets to walk the plank."
Bruce Schneier: I don't care if it's White House or, I mean the White House makes sense, that's
where you have the bureaucracy and all the agencies. What matters really is
what the authority is. Where it sits matters less. It's no different than a
large corporate environment. If you have the authority, it doesn't matter
where you are and authority, I agree with Marcus, has to come with
accountability at all levels. If you get those things, then you can have
improvements. Without them, not so much.
Marcus Ranum: Who would want to walk into that position, and who would do it with any
kind of confidence that they were gonna have the ability to effectuate
change? If President Obama wants to have a cybersecurity czar, that's
nice, but they need to give him something more than a pretty hat. They
need to say, "This person has the authority to make changes." I recall one
of my corporate clients back in the early '90s was Exxon. They were
putting in place firewalls, and they had a problem where different branches
of the corporation were putting in firewalls from different vendors. And
one call went to the chief technology officer and all the firewalls except
for one went out and some people's careers were busted. That's how you
coordinate cybersecurity, and that's the way that cybersecurity,
honestly, needs to be coordinated in the federal government.