The Cyber Problem—A Nation Dependent and Dealing with Risk
I stumbled across some very interesting testimony by Bruce Schneier in front of the Subcommittee on Cybersecurity, Science, and Research and Development (part of the Committee on Homeland Security for the United States House of Representatives), and it bears some resemblance to stuff I have been talking about recently.
He does an excellent job of providing insight to the state of cybersecurity without throwing FUD to drive points home. His recommendations are sound:
- Stop trying to find consensus. Bruce clearly expresses the security community's concerns that documents coming out of the government try to be friendly to the industry in an effort to not offend particular parties. Why? Could it be because many of them don't want to fight with big business... people that contribute to their campaigns?
- Expose computer hardware, software, and networks to liabilities. Let's face it. There is no liability for the actions vendors take to secure their product. It's hard when software development as an engineering field is still in its infancy. Imagine though if the government would not purchase product from Microsoft unless they would assume liability for that code. Interesting concept. It would FORCE Microsoft to take a better stance and be more pro-active in their secure coding efforts. They have come a long way in the past year, but still have a ways to go. But I think it would be fair to say it's not just Microsoft. Hell, I try to secure all my code, but even I fret about weaknesses in the code and have to seek third parties to do code audits. The discipline of secure coding is just not yet mature.
- Secure your own networks. I call this "Eat your own dog food". Bruce brings up a good point. If the government funded projects securing its own infrastructure using commercial products and resources to put their house in order, the requirements for better security would improve the resources that are available to everyone, since everyone needs those same resources that the government does. Instead of making committees and ultra-secret cells of security products/services, help build the commercial ones already in the industry. I think this would be a good argument on how CERT could get some money to strengthen its efforts.
- Use your buying power to drive an increase in security. I like this one. Government procurement policies could DEMAND better security from its vendors. There's a "rising tide" effect that will happen; once companies deliver products to the increasingly demanding specifications of the government, the same products will be made available to private organizations as well. Companies like Microsoft do not wish to lose their government and educational business. It makes up a fair amount of their sales. If the government held them more accountable, Microsoft would respond in kind and increase the security effectiveness faster than it's currently doing. I don't blame Microsoft for this, but all of us as consumers for accepting this for far too long. We should have been demanding more secure product YEARS ago. Maybe then the infrastructure would be cleaner, as we would have a larger window to fix these problems.
- Invest in security research; invest in security education. The weakest link is the human factor when it comes to security. Education is key to the security management life cycle, and is something we need more of. I guest lecture at the local university about secure coding not to listen to myself speak about a subject I am passionate about. I do it to hopefully educate the masses in a way that will increase security-minded thinking, resulting in hopefully more secure code, and in the end a better quality product. Top that off with funding to do more research, and investment in such endeavours helps us all.
- Rationally prosecute cybercriminals. Real cybercrime has to be punished. We aren't talking about cyberpranks here, but people who maliciously wreak havoc on the Internet and the critical infrastructure connected to it. IANAL, so I have no clue where these boundaries really are. But I know the legal system is way too far behind to be useful in this regard.
I applaud Bruce for well-presented testimony in front of his government. If the US government takes heed, maybe some good will come of it. At a minimum, I hope it causes some ripples in the hardware and software industry as they begin to realize that we can't afford to NOT include more security-minded thinking in our product development, management and deployment. I know it has me reflecting on myself and thinking of new ways to better secure my code, as I hold myself liable for what I do every day. When customers start demanding it, I think all software developers will need to think about this more.
Posted by SilverStr at July 22, 2003 10:04 AM