I had the privilege of presenting a session on new federal standards for the protection of information at a recent conference. I was assigned a room for my talk and arrived in time to hear the preceding presentation by a team of law enforcement types.
The speakers represented both federal and state/local agencies, and they had a slick slideshow and videos of both victims and perpetrators of cybercrime. Additionally, they had brochures and even some nifty swag such as pens and mouse pads for the attendees. Their session was packed — standing room only. They did a great job telling war stories of crooks and miscreants and for some reason only spent a tiny portion of their presentation on how cybercrime is perpetrated, and nothing on how it is thwarted or managed.
I suppose that was not their intent, but it reminded me of my early days in what was then known as computer security. Back in those ancient, halcyon days of technology, bulletin board hackers, phone phreakers, and social scammers dominated the discussion of security. Groups like 2600 and the Legion of Doom were the big news. Talking about the Orange Book or secure coding was a snoozer for losers.
Fast forward to today. I was reading a New York Times article by Nicole Perlroth who cited a 15-person task force founded by homeland security secretary Janet Napolitano to make recommendations about how to attract more students to the DHS cyber security mission. Their recommendation? “Make Homeland Security cool again by partnering with the organizers of hacking competitions, whose participants would much prefer to ‘move fast and break things,’” the article says. Additionally, “they hope it will fill one of its top vacancies with a hacker ‘rock star’ not unlike Mr. Moss, whose Las Vegas conferences annually draw the best minds in computer security, or Peiter Zatko, the hacker better known as Mudge…” As an aside, Jeff Moss was the co-chair of Ms. Napolitano’s committee.
So, apparently, these experts feel people who are “cool” and like to “move fast and break things” are needed by DHS to help protect and manage the .gov and .mil domains. I am not sure what the report may have said about managerial skills, compliance and risk management expertise, or an understanding of government technology — it’s all about the cool factor.
Hacking is not necessarily a foundational skill of top-shelf information security practitioners. When a government CIO looks at the next dollar he or she needs to spend, they need to know whether to spend that on their organizational mission or on IT security. They need help making that decision. Exploiting IT vulnerabilities may be cool, but playing defense is a much bigger, and far more difficult job.
John McCumber is a security and risk professional, and author of Assessing and Managing Security Risk in IT Systems: A Structured Methodology, from Auerbach Publications. If you have a comment or question for him, e-mail [email protected].
