April 29, 2007

Dr Geer goes to Washington

To round out this weekend's security hubris special, "Dr. Geer goes to Washington." To tell them how much trouble the net is in, seemingly. His points were 5-fold:

  • We need a system of security metrics, and it is a research grade problem.
  • The demand for security expertise outstrips the supply, and it is a training problem and a recruitment problem.
  • What you cannot see is more important than what you can, and so the Congress must never mistake the absence of evidence for the evidence of absence, especially when it comes to information security.
  • Information sharing that matters does not and will not happen without research into technical guarantees of non-traceability.
  • Accountability is the idea whose time has come, but it has a terrible beauty.

Yes to his points 1, 3, 4, 5, and we should read them. Which leaves:

Priority number two: The demand for security expertise outstrips the supply.

Information security is perhaps the hardest technical field on the planet. Nothing is stable, surprise is constant, and all defenders work at a permanent, structural disadvantage compared to the attackers. Because the demands for expertise so outstrip the supply, the fraction of all practitioners who are charlatans is rising. Because the demands of expertise are so difficult, the training deficit is critical. We do not have the time to create, as if from scratch, all the skills required. We must steal them from other fields where parallel challenges exist. The reason cybersecurity is not worse is that a substantial majority of top security practitioners bring other skills into the field; in my own case, I am a biostatistician by training. Civil engineers, public health practitioners, actuaries, aircraft designers, lawyers, and on and on — they all have expertise we can use, and until we have a training regime sufficient to supply the unmet demand for security expertise we should be both grateful for the renaissance quality of the information security field and we should mine those other disciplines for everything we can steal. If you can help bring people into the field, especially from conversion, then please do so. In the meantime, do not believe all that you hear from so-called experts. Santayana had it right when he said that “Skepticism is the chastity of the intellect; it is shameful to give it up too soon, or to the first comer.”

Well! An alternate but not radically diverging opinion.

Thanks to Gunnar

Posted by iang at April 29, 2007 06:17 PM

frequently there needs to be a paradigm shift ... i.e. building on soft limestone or unstable shale ... rather than having a strong foundation.

i was on a security panel several yrs ago with high-level executives from major after-market security add-on companies and made the analogy to the old after-market seatbelt paradigm ... that the only substantial way of addressing the opportunity is building in integrity into the underlying foundation ... and stop treating it as an after-market add-on
(after-market add-on was better than nothing ... but it wouldn't be very effective at providing coverage for substantial portion of the market).

for a little drift ... also the analogy to the naked transaction/payment paradigm raised here several months ago

the current situation might also be compared to medical field where everything is treatment ... and there exist no preventive care & procedures (i.e. having clean water can do wonders for illnesses and death statistics) ... i.e. we are still in the dark ages comparable to bleeding the patient to let out the evil spirits.

At times, I'm even tempted to compare things to a medical treatment scenario where the doctor doesn't even bother to examine the patient ... just chooses a treatment at random.

Posted by: Lynn Wheeler at April 30, 2007 12:12 PM