October 17, 2002
6:20 AM

The US government recently released a draft of the National Strategy to Secure Cyberspace; essentially it advocates ensuring security through consensus, with vendors, government agencies and consumers taking responsibility for the tools they use. That's not enough for Marcus Ranum, who in the TISC newsletter advocates passing legislation mandating that consumers and ISPs install firewalls and anti-viral software. At what point does an individual's (corporate or consumer) chosen level of computer security become a concern for the federal government?
posted by cedar (7 comments total)
Nobody talks about cyberspace anymore ... :P
posted by carter at 6:40 AM on October 17, 2002

At what point does an individual's (corporate or consumer) chosen level of computer security become a concern for the federal government?

At the same point that Richard Stallman's refusal to secure his own systems at the AI Lab became a concern for MIT: when trusted, but unsecure, systems are used as a platform for attacks on other systems.

MIT solved the problem by threatening to push the AI Lab off the campus network, turning it into an "untrusted" system. Which seems like the right approach here, too. Everyone knows how rapidly government mandates adapt to changing conditions, right?
posted by kewms at 6:47 AM on October 17, 2002

how the hell would you effectively enforce such a mandate?
posted by trioperative at 7:03 AM on October 17, 2002

how the hell would you effectively enforce such a mandate?

I don't think it would be all that difficult. Ranum would like to see it made illegal to sell a computer without anti-viral software and/or a firewall. He also suggests that the government produce such software and provide it for free.

Technically, embedding it into an OS wouldn't be a big deal, and if you've ever tried to uninstall IE from Windows, you're aware that once embedded it would likely stay put.
posted by cedar at 7:14 AM on October 17, 2002

the federal government talks about 'cyberspace' all the time, which IMHO, is part of the problem. a pseudo-nonsense word to describe a non-existent "place". (perfectly aligned with the bush administration's public communication policy!)

the september 23 issue of Federal Computer Week features several articles that reveal the utter cluelessness of the administration to grapple with this very real issue. the policy is a joke, consisting largely of tentative "shoulds" and virtually no "musts" or "shalls".

quoting from a sidebar entitled "what it says":
"Federal information technology experts say the Bush administration's recommendations for how agencies should secure critical information systems from cyberattacks do not give IT managers enough direction and will do little to ensure that the systems are secure."

for my money, any report that refers to the internet as "cyber" anything is the work of morons.
posted by quonsar at 7:15 AM on October 17, 2002

If the feds want to mandate and enforce security policies for federal employees that's fine by me, in fact, I'm all for it. Federal computers should be secure.

On the other hand, when they tell me that I can't purchase a system without a pre-installed (and I would assume configured) firewall I cringe. I see a few problems.

First, who's going to determine which firewall software is suitable and what level of security is suitable? Marcus just happens to write commercial firewall software (which I've been involved with evaluating in the past), so from his point of view we wouldn't need to look any further. Of course, in his world we wouldn't be allowed any inbound connections either, so you couldn't serve via FTP or other protocols. Hey, it's secure, and that's a small price to pay for having to give up serving a MUD and FTP sites for the open source software projects I'm involved with.

Second, what do you do about Linux, BSD and other open source operating systems? Sure, you could twist Red Hat's arm into supplying a firewall with the default install, but what's to prevent you from doing an install from scratch that doesn't have one? There's also an increasing number of devices with some sort of network connection; what about PDAs, game machines and cell phones?

Since Marcus also proposes having consumers foot the bill through a security tax some people will be penalized multiple times. Laptop, desktop, PDA, game machine, digital video recorder... it'll add up pretty quick.
posted by substrate at 7:37 AM on October 17, 2002

Marcus is a talented programmer and all, but he's not the brightest bulb on social issues. Security is, at the end, a social issue-- a fact that most technical professionals in security-related fields tend to forget. Even the most technically complex protections must involve the actions of people, and people are fallible.

That said, there's no denying that better security would benefit everyone. But the best way to achieve this is to make the owner of the system responsible for lapses in his security that lead to losses elsewhere; we already do this, to some extent-- if my system is used to compromise another, I can be sued in civil court for damages.

Most of all, we need to hold vendors responsible when lapses in their security measures make their customers vulnerable. In other words, we need to enforce liability on software vendors.

Taxing and mandatory firewalls won't do diddly.
posted by Cerebus at 9:40 AM on October 17, 2002
