While we’ve gone close to a decade since 9/11 without airliners smashing into skyscrapers, it is hard to see the Department of Homeland Security as an unvarnished success. Under a variety of directors the department has consistently taken a heavy-handed approach to security that upsets travelers on the left and right alike, relies too much on fear-mongering, and is frequently just plain incompetent. Yet these are the folks who are now about to take over cyber-security, too. I think there is a better way.
According to recent reports there is legislation moving shortly from the White House to Congress intended to put all U.S. non-military cyber-security responsibility with the Department of Homeland Security.
It’s logical, of course, to give policing power to the police. But the policing power we are talking about here is international and domestic, and because of automation would necessarily touch every Internet user, most of them without their knowing they were being touched. Worst of all, there’s a learning curve here, and the people who’ll be climbing that curve are the same ones presently touching our junk down at the airport.
In the 14 years I have been writing this column there have been a number of intrusive security initiatives proposed and abandoned and I have written negatively about all of them. But while I’ve criticized (it is so easy to do, after all) I’ve never proposed an alternative structure… until now.
First let’s admit that there is a huge Internet security problem. Between rogue states, organized crime, industrial espionage, and middle school script kiddies there is plenty of anti-social Internet behavior to go around. Those of us who exist on-line deserve both our privacy and safety from these threats. The problem is that when we invest enforcers with our protection they like to start enforcing before they even know how to protect. Sometimes they enforce and never protect, simply because they don’t know what they are doing.
This DHS cyber-security proposal: we all know it won’t work. How can lawyers and cops expect to build a secure network if they can’t even reboot their PCs? That’s just wasted money.
So let’s take a lateral approach to this problem and instead of trying to turn cops into nerds, let’s get the nerds organized to better enhance data security for us all.
The model I would propose we follow is that of the Internet Engineering Task Force (IETF) — a brilliant structure that has helped the Internet thrive now for a generation.
Why not take this extra money that’s about to be wasted on expanding DHS and instead offer funding for a security task force like the IETF but called the Internet Security Task Force (ISTF)? Industry would get behind it. The IT industry would love it. They’d even help pay for it.
Is your phone ISTF 1.0 compliant? Are your PCs ISTF 2.0 compliant? You won’t get your ISO or PCI certification if they aren’t. IT providers would have the ability to recommend and help move us toward a more secure Internet using an open and iterative structure that would encourage what really works and discourage what doesn’t.
But we can’t allow government to take the lead in this, because they’ll just screw it up.
We need to convene a meeting right away to figure out how to organize the ISTF. Then we need to get DHS to oversee the ISTF from the perspective of an evolving security process funded by research and corporations instead of GS-15s with bloated staffs writing plans that will be funded yet fix nothing.
Who will join me at that first ISTF meeting?
One could do this regardless of what happens with the latest nonsensical DHS plan, right? Where does IETF get its funding?
Count me in.
In addition to securing PCs, end users, and companies, we also need to secure ISPs and domains. Part of securing them is to set policies for them. Once the program is up and running, then the real security can begin. Anyone who is not ISTF compliant can be flagged. They can be removed from “secure” DNS servers. Their email can be blocked. Their traffic can be blocked.
Anyone can get onto and operate on the Internet. However if you don’t follow the rules the world can now ignore and cut you off. In time my email provider’s job will get a lot easier when they start accepting email from only known, trusted mail domains.
John
Two or three years ago Microsoft would have seized control of such a committee and used it as a weapon to promote their products and attack others. Today that probably won’t happen – Microsoft has lost too much influence.
There is still the danger that big manufacturers and ISPs will steer the committee to their own advantage so the wider the variety of parties represented there the better.
If you mean steering the committee toward us having to buy new stuff, well you are probably correct. But I was going to buy new stuff anyway. I don’t see much IETF abuse, why should the ISTF be worse?
You’re definitely onto something here, Bob. Here in the UK we’re just beginning to recover from the Blair/Brown nightmare; 13 years of compulsive and neurotic legislating with a rampant culture of meddling, snooping, red tape and fines which blighted our lives, cost billions, and devalued the currency of justice.
I say keep government out of everything if at all possible.
Oh, and you mentioned security incompetence: I know of a fellow who made a transatlantic flight not so long ago and took his hunting jacket with him for warmth on arrival. He carried it onto the plane and when he put it on in the baggage hall he found three shotgun cartridges in the pocket from when he’d been shooting a month before. Maybe the guy on the scanner thought they were lipsticks.
Or perhaps a model similar to what some of the standards bodies use could be considered. I think T10.org is an example of one such body where any organisation/party is only represented by a single member, to prevent companies with more clout steering things selfishly in a direction they want. The Microsofts/Googles/Ciscos/IBMs/AT&Ts etc are all represented by one person each.
Thus industry consensus rules.
To be successful this would need to be international. As a government initiative that would be highly problematic, as you suggested would be the case for the current plan. However, for an ISTF, as an independent group similar to the IETF, in theory that shouldn’t be a problem. I suspect it could be seen as being a problem by governments, which could cause problems.
It might be worth thinking about how to insulate this from security politics as much as possible from day one, or you could see it killed by the establishment before it even gets off the ground.
Full disclosure – I’m a Brit.
The Internet is global, you are correct, and an effective ISTF will have to be global, too.
I can’t help but think that getting everyone to upgrade to newer and more secure technologies would have some kind of an economically stimulative effect as well. Imagine all of those WinXP computers with IE7 still being run getting upgraded overnight. It would have an added benefit of allowing webmasters to make use of HTTPS SNI too, which could help lessen the IPv4 depletion problem and allow more sites to run HTTPS and help create a more secure internet.
Anyways… time to go back to making sure this web design still displays correctly under IE7.
Sounds good 😉 Maybe we could tackle all those unsecure root SSL certificates to start with.
Honestly though, I could see this working, as it would at least give a ‘brand’ to what we’ve been telling our in-laws for years. Simple things, like don’t open any old email etc.
I’m in.
It’s a better proposal vs the alternatives, that’s for sure.
Let’s keep in mind, however, that cyber security is not real security. It’s still important to keep the planes in the air and away from skyscrapers.
Good idea!! 🙂
Why not go the whole hog and make it GNU?? That way it will self-police to the point that if your don’t tow the line you’re booted out! In my view there’s no one so diligent as a volunteer! 😉
I’m all for better security. But at some level, it should be up to the individual user how much “security” they want to use. I don’t like the idea of having some “enforcer” tell me what I have access to. However, having the *choice* of whether or not my email should come only from certified sources, sure. Although I wonder how long it would take some bright kids or criminal group to overcome the protection used.
That’s not the way it works with the IETF, nor would it work that way with the ISTF.
You can do pretty much anything you like on the Internet. By definition, to propose a new IETF standard, for example, it has to ALREADY be operating on the Net. That’s not the way an enforcer would do it.
This is primarily a matter of developing and publishing thoughtful standards then certifying that manufacturers are in compliance.
You wouldn’t build your own hard drives, would you? So what’s wrong with the company you’d be buying from anyway building drives that are ISTF-compliant and therefore built to security best-practices at the time the drive was assembled?
Not even Ayn Rand built her own Buick.
Bob,
I bow to your superior wisdom. But then again, how about the Cringely…
I’ve always been more of an ENFP, but I can warm up to ISTF given some time. But with a panicky populace and a power hungry government I see our legislative overlords (or should that be “overlards?”) deeming the Internet “Too Important To Not Be Handled By The Government.” TITNBHBTG (pronounced tit’ ten buh hib tigy’). New acronym for the 21st century.
Maybe the real problem is that we have become complacent as voters, and, as a result our elected officials are generally idiots. They have lawyers deliver in wheelbarrows legislation they don’t read and couldn’t if they wanted to, and then they bring it to the floor and argue for it using their party’s talking points. Why should Internet legislation fare any better?
BTW, isn’t legislation supposed to start in the HoR (pronounced whore)?
I believe that only spending bills are required to begin in the House.
Sounds to me like you’re talking about a walled garden to a certain extent. It’s working for Apple. In the future, I can have confidence, not only in my ISP, but also the ISPs of those I communicate with, and do business with. Sounds like a great idea.
No.
I am talking about a process precisely like the IETF but limited to data and Internet security, nothing more.
Is the Internet presently a walled garden? No it isn’t, because that’s not the way the IETF works. Nor would the ISTF.
What you want is a Working Group within the IETF not another IETF. Then you leverage the participation of those experts.
Your comment about the IETF not accepting a standard unless it’s already running is not quite true.
The IETF is a professional body, meaning anyone can join and represent themselves. Standards and proposals are accepted as drafts to a working group based on “consensus and running code”. That doesn’t mean accepted by vendors and running as a product.
Just means you should show a working example. That can be a prototype from your kitchen if you like. Also it’s not a strict rule. Plenty of submissions are accepted based upon simple publication.
Don’t reinvent a community. Leverage the one you have, especially a successful one.
You can make a request for a working group right now based upon the number of people you have responding. Just submit a draft to an existing group, show up in person or virtually and ask. You’ll get consensus from this forum alone.
(been there done that)
Watch yourself, Mr. Cringely. “Arrogant complainers” like yourself will be added to The List, as per this article.
https://www.cnn.com/2011/TRAVEL/04/15/tsa.screeners.complain/
Quis custodiet ipsos custodes?
Quid custodiet ipsos custodes? Melius est securi aliquid facere per se non ita necesse servant. Quae est principium quaeritur hic.
No, I would support this idea you present far more than letting the Homeland Security Theater Company try and enforce their misguided discipline on the net.
However, by complaining about the efforts of the Homeland Sicherheitsapparates, you may end up being on their Naughty List.
My Latin is very rusty, Bob. But even Google translate couldn’t help: “What guard the guards themselves? It is better to do at some sense of security that he did not so that you were to guard them. What is the principle of what we seek here.”
Why not call it the Web Task Force?
I would like to hear more about how the major corporations will be prevented from gaming the committee.
I would also like to know how non-compliant systems fit in here. Would DragonflyBSD, Hurd or Plan 9 be allowed? If my hobby is using systems that aren’t on the check list, will I still be allowed to play?
I guess I would be more comforted on both points if it were announced that Richard Stallman would have a seat on the task force. (So long as he wasn’t allowed to come up with any of the acronyms).
Because in theory the World Wide Web Consortium and the IETF already have that covered. The problem is that their portfoliae (damn that last comment in Latin) are too broad. Security has become important enough that it deserves its own task force. And just as I wrote before that the IETF won’t even consider a standard that isn’t already operating on the net, so can your funky operating systems continue to funk-away. Just don’t try to use one to host Gmail without first proving ISTF compliance.
If Portfolio is indeed a Latin word, it is the plural of portfolium.
Causeur: If Portfolio is indeed a Latin word, it is the plural of portfolium.
Not so fast. Each noun has many possible plural forms, depending on the declension the noun belongs to and the grammatical case. Portfolio derives from the Latin portare (to carry) and folium (sheet). Since folium forms the ending of the word, that’s the one we need to focus on.
Folium (leaf, or sheet) is a second declension noun. Folio is either the dative or ablative singular form, not plural. The nominative plural form is folia. A portfolio is singular, even if it contains many folia.
So the World Wide Web Consortium and the IETF have several portfolia.
Hail Caesar, and write it down a hundred times by sunrise or John Cleese will come round and cut your xxx off 😉
Count me in.
Hmm, I think many governments in the world would not be at all happy with a highly secure internet. It would inhibit their ability to watch, monitor and control.
Then they’ll want a seat at the table, won’t they?
Allow me to point at the elephant in the room.
You cannot have privacy and expect rules to be enforced at the same time. Perfect privacy and anonymity are mutually exclusive with perfect surveillance for enforcement purposes. Freedom of expression and terrorism use the same bits to work because when you get down to it information is just information. It still works the same way no matter what people use it for.
The only way you could have both is if you appointed someone to oversee communications, and that someone would have to be perfectly fair and incorruptible. Short of Asimov’s Machines, I don’t see any viable candidates. Power corrupts and governments have traditionally always abused their power.
This entire “ISTF” proposal is flawed because it starts with the assumption that the government wants security. They don’t, really. What they want is control. The entire decade since 9/11 has been an exercise in curbing civil liberties under the pretext of the greater good. It’s not about terrorism anymore. It’s about who controls your bits.
An initiative which attempts to put more technological power in the hands of the individual and let him control his own data will never be condoned by the government.
The gist of the previous comment is correct: you can’t have very much privacy or security if you expect to have them together. (There’s also a whiff of Black Helicopters about it, but I’m going to ignore that.)
Here’s where I have concern: as much as some people don’t trust the US govt, there have been several recent instances where other countries have acted much worse (i.e. China suddenly routing lots of the internet traffic through their servers, Egypt closing off the net or even Australia censoring content at a national level). Anything that might be doable via a new security model will eventually be done, and if you’re concerned that US lobbyists wanted an internet kill switch, know that other countries who have already used such a thing will want a role on the board. How can you tell China they do not get a voice? How do you get Russia to own a meaningful enforcement role? How do you get America to approve anything without a huge Patriot backdoor?
The only way to reconcile so many problematic issues is to engineer solutions that don’t address the topics. They might push everyone to IPv6, ban anonymous mail server access and add some new SSL standards. But to appease China they may just have to avoid DNS rules. To appease both the US DOJ and the EU there might not be rules around ISP monitoring. To allow freedom of content without imposing unrest on dictators or porn on Australia or pedophilia on anyone else they may only take the barest of steps in establishing rules regarding filtering. The reality of a task force is that they usually avoid conflict rather than addressing it.
Here is a company doing “online collaborative standards development”: https://www.interactivestandards.com
Hi Bob!
I liked your idea but what about The Shadowserver Foundation which “is an all volunteer watchdog group of security professionals that gather, track, and report on malware, botnet activity, and electronic fraud. It is the mission of the Shadowserver Foundation to improve the security of the Internet by raising awareness of the presence of compromised servers, malicious attackers, and the spread of malware.”
https://www.shadowserver.org
Aren’t they and others like them already quietly doing the work of the ISTF?
Is a formal group the answer? Why not just let the good people out there be good without any govts getting involved?
Ciao,
Bob
I don’t really know what Bob is talking about, “internet security” what does that mean? I prefer to speak in terms of Threat & Countermeasure. For example if somebody is threatening me with a knife or with burglary, now that I know the nature of the threat then I can judge the effectiveness of a proposed countermeasure. In this article the actual threat is never mentioned nor is the actual countermeasure. Also, how good is it to “leave it to nerds” when we are already leaving internet security to nerds and they are failing at it?
That is the definition of insanity isn’t it: keep doing the same thing expecting a different result.
But security isn’t just about coming up with new ideas, implementing them, then documenting how they work, (and trying to get buy in to that document from whoever else seems to be interested), which is the core of what IETF does. It’s about analyzing current and possible practices, as well as technology. And verifying that the ones you choose are being done correctly and effectively. It’s about looking at systems, and company wide IT infrastructure and process as a whole, not about the pieces of software.
It’s no big deal to have 4 competing proposals for a protocol that does X, individuals just implement one or the other or all or none, and eventually one or two or none emerge as the most popular and the others fade into obscurity. It IS a big deal to have 4 competing proposals for securing Y. Which do you choose? How do you know which is the best or at least the most popular? Nobody publishes reports about their security activities and if they did who would bother reading all of them?
The thing is that we want – we need – a global data communication network which is simultaneously (a) secure and (b) open (even anonymous, some would say). And, although I do not have a certificate in anything network-related, I can’t see how you can do both within the same physical network.
Catch where I’m going?
The entire “Internet Security” issue could be heavily mitigated by breaking apart Microsoft’s stranglehold on the Desktop/Laptop markets, and severely limiting their ability in the Server market. Microsoft’s products are shoddy when it comes to security; yes, they’ve improved but they still have a long, long ways to go, and in the mean time are causing real harm to all industries using their software.
The rest requires better software development practices. (For instance, see David Wheeler’s book on Secure Programming.) This would resolve the majority of issues – whether SQL injection or buffer overflows.
Of course there also needs to be an authentication side to this as well, but the President’s Internet ID is not sufficient there either and this isn’t really very applicable until you get the other issues under control.
If what you want is an organization that works like the IETF, why not just use the IETF? I would think that security should be among their considerations anyway.
“I’m from the Government and I am here to help you” is the scariest thing that I have ever heard in my life.
Lynn, consider yourself lucky you’ve heard neither:
“We’re from the government, you and your family are coming with us!”
or
“We’re from the government, and we can’t help you.”
I may be wrong, but I believe the basis for this issue (its current iteration anyway) may need some clarification. Sometime last week, I read the Federal News Radio report, which your blog cites and links to; I believe I was taken there (originally) through a link on a major newsblog site under the headline ‘White House Plan Expands Internet Oversight’, or words to that effect. Yet this was not what the FEDNEWS article was about, nor was it even close. Instead the article discusses a White House proposal to concentrate responsibility for securing all U.S. Government Agency civilian networks with DHS, as its military/intelligence networks are the responsibility of DOD (“civilian agency” as in Commerce, Treasury, Interior, Education, etc., not ‘Civilian’ in general as in Public). As discussed and described in the article, this has nothing to do with the “Internet”, or with its possible oversight, or control thereof, etc., as implied by the original ‘headline’ and further discussed in your blog. It is about securing federal government networks, intranets, etc., from outside (and inside) attack. Putting aside issues of DHS competence or lack thereof, which I acknowledge is the central theme of your piece, the securing of all U.S. Government networks, civilian and military, is a perfectly legitimate, not to mention obligatory, objective, and centralizing that responsibility makes sense. But this has nothing whatsoever to do with issues of so-called ‘Internet Oversight.’
Industry would /not/ get behind such a body, nor would they love it. Lots of these groups already exist on the internet — look how many different groups release “security advisories” now. Have we ever seen any part of the IT industry rally around these groups and insist we follow their advice? Hardly! In fact, most industry players do everything they can to keep those groups from releasing any negative statements about their products or, when that strategy fails, they work to discredit the group entirely.
Why? Because there’s no money in security. The last 20 years have proven that — money is made by selling new features, not securing old ones. Software vendors only release security updates when the cost of *not* doing so is higher than the cost of doing so. (In this case, “cost” is measured in dollars, reputation and legal liability.) Users don’t want security. If they did, they would insist on some kind of guarantee. Instead they want higher framerates, faster load times and more disk space.
Bruce Schneier has been beating this drum for a long time now and he’s got a lot of good ideas. The simplest, easiest, fastest way to improve (not solve) software security (and, by extension, most internet security) is to make software vendors legally liable for security problems in their products. When Microsoft stands to lose billions of dollars because their browser is full of holes, you can bet security will actually become “job #1”, overnight.
In his most recent “Security Now” podcast, Steve Gibson chalks the situation up to cost: “…today’s operating systems. These are consumer toys. I mean, it is possible (computers obey strict rules) it is possible to have an absolutely bug-free, bullet-proof system. It’s very expensive. And we don’t have any. And I didn’t mean to imply that BSD and Linux were necessarily different…” https://www.grc.com/sn/sn-296.htm
I’m in! If they do it anyway and the internet becomes a Nazi police state we can just build a new internet with the B.A.T.M.A.N. protocol. That’s a real thing btw; it stands for Better Approach To Mobile Adhoc Networking. It was recently added to the main Linux kernel for third world countries; which is exactly what we’ll become if the government takes back control of the Internet. Maybe they should just provision a freedom-free section of the internet for people that don’t mind their civil liberties being violated. Many people would prefer that over the potential risk of being in the real world. It’s always fear that gets people to give up all their freedoms.