There was an interesting piece in The Wall Street Journal today on cyber security and the need for greater emphasis among non-security people in IT. The title tells it all - All IT Jobs Are Cybersecurity Jobs.
There are a number of oft-repeated myths in this article, which reminded me of the lack of progress being made in protecting networks from state-sponsored attacks like the ones by North Korea, Russia and China.
The first, as the title suggests, is that all jobs in IT are in some way security jobs. If only it were true. I have been hearing most of the other myths that go with this one since 1977, when I got into the business. The IT people are not the ones who started or perpetuate this myth. It was started by security professionals who know they cannot possibly know all the things they have to know to do the job without help. I met a really good Oracle developer once who told me he did not know anything about security, but he was assigned the task of building a really secure system to be used by a number of different government agencies. We spent a day learning terminology, looking at the requirements, and trying out some user stories. In the next few days he understood what was required, and he did the development over several months. He presented his design to senior security professionals, and they were astounded by the thoroughness he showed and by how the system performed. I always felt that the reason he did so well was his admission that he did not know security very well and needed to start with the basics. There are plenty of today's security professionals who need to start at the same spot. The certificates being handed out like candy do not make people security professionals. Some of those being criticized by IT professionals do not know much about anything in IT. They try to impose impossible requirements where they don't fit, and they don't understand the consequences of what they impose on the IT people they work with. They have credentials but no experience. By the way, try getting a job with experience alone.
The second myth is that security has to be baked into every app and OS. We tried that by requiring testing to security standards by independent labs, but found there were too many different apps to keep up with. How does one check that software is secure before it goes on the Internet? It is almost all self-tested by the very companies who sell it to us, because they got tired of a process that is expensive while buyers don't necessarily want to pay the extra cost. Software vendors are not liable for anything the software does once it is sold. What incentive do they have to make sure it is right the first time? These are extremely complex systems in which the interactions produce vulnerabilities, but 99% of those interactions are not tested until they reach the Internet. Then hackers get to show us the way into those systems, which are then patched, and we start the process all over.
Would we like India or China building the security features into the hardware and software we use? India is about to overtake the U.S. in number of developers. The hardware is built in China. The SDKs that many people use are already infused with traps and backdoors planted by the intelligence services of some of our best friends - well, at least our biggest trading partners. There are libraries full of these kinds of things. In the name of globalization and software reuse, we have traded away any chance of baking security in.
International security standards are about as vague as the ones produced by NIST, because that is where most of them came from. They are cookie-cutter lists of things that one can do to be secure. You decide what that is. We don't have a good definition of what it means to be secure.
We have to have systems that are safe in spite of the Internet. People in the encryption business say that can be done, but it has to start with a basic system that is produced under U.S. control. The Federal government is going to have to lead an effort to do that, because the marketplace is not going to buy it. It doesn't really care about security.