CSIS Cybersecurity Commission Chairman Jim Langevin Answers Your Questions

Last week we solicited questions for US Representative Jim Langevin (D-RI), one of the chairs of the CSIS Cybersecurity Commission. Here are his answers — along with contact information for him if you want to continue the conversation.
1) Red Teams
by Bananatree3

The NSA has had great success with Red Teams and competitions between security experts in helping learn how to better secure sensitive data and to keep up to date with the latest attack techniques.

What are your plans to utilize this powerful technique? If applied elsewhere, Red Team competitions can help better secure other aspects of the internet and to stay up to date.


Rep. Langevin: I couldn't agree more. I've been an advocate of moving away from the paperwork exercises that have become more prevalent in Federal government IT security towards a more operational-focused testing environment like red/blue teams and penetration testing. In fact, I wrote a bill (HR 5983) this year that would have required the heads of appropriate Federal agencies (DHS, NSA, DOD, etc.) to create security control testing protocols to ensure that the Department of Homeland Security's networks are protected against known attacks and exploits. The bill would have essentially given the DHS Inspector General the ability to red/blue team the Department's networks to determine whether or not the Department's security policies and controls were effective.

The DHS Inspector General does not have the same capabilities as the NSA red team. Unfortunately, there are a limited number of individuals who are members of these elite teams; what I'd like to see happen is groups like NSA red/blue engage with more Federal civilian agency security officers who can perform these functions when the NSA teams are not available.

Of course, the great value in red teaming comes from actually mitigating the vulnerabilities discovered by the red team. This takes time and money, which can sometimes be difficult to come by. So while we have to do more red teaming in the Federal government, we also have to be prepared to spend the money to fix the problems.

I find that red team competitions are a great way to refine offensive and defensive skills, and can also be a good recruiting tool for the Federal government. In the spring I congratulated the college participants in the 2008 National Collegiate Cyber Defense Competition that was held at the campus of UT-San Antonio, and encouraged them to look for Federal jobs when they graduate. We as a nation have to recruit and invest in these students because of their talent and potential.

2) Why run this out of the EOP?
by Animats

Why run this out of the Executive Office of the President? Trying to run operational units directly from the White House seldom works well; the environment is political, not operational. The present cybersecurity office, in Homeland Security, is ineffective because the incumbent is a former lobbyist. When Amit Yoran was in charge there, progress was being made. He quit because he wasn't getting backing from higher in Homeland Security. The office needs a high-level champion in the White House, but that's a liaison job.


Rep. Langevin: You are right - cyber operations should not be run by the White House. We have plenty of agencies that have the skill and capability to run various cyber operations throughout the Federal government. But as you've noted, at the end of the day, cybersecurity requires coordination of activities across agencies, and the CSIS Commission concluded that the White House is the best place to locate this function.

The Commission discovered that the central problems in the current Federal organization for cybersecurity are lack of a strategic focus, overlapping missions, poor coordination and collaboration, and diffuse responsibility. The Commission considered many options for how best to organize for cybersecurity. One particularly useful model was the Intelligence Reform and Terrorist Prevention Act (IRTPA). IRTPA imposed a new, more collaborative structure on the Intelligence Community. It mandated a distributed "intelligence enterprise." Congressional mandates, however, are not enough. It took a Director of National Intelligence with the appropriate authorities to build collaboration. This did not mean that the DNI became a centralized manager of the IC - agencies still have their unique operational functions. The DNI role is to provide the strategy and collaborative networks for the intelligence enterprise. This effort, although it is still a work in progress, helped to guide our thinking.

I hope that the Assistant to the President for Cyberspace will be that high-level champion that you described, a person who can provide programmatic oversight for the many cybersecurity programs that involve multiple agencies, but not take operational control over the agency responsibilities.

3) Re:Why run this out of the EOP?
by gclef (96

To build on this, how are you planning on addressing the credibility gap between what the executive wants to achieve, and what the rest of the internet community (at least in the US) believes you really can/should achieve?

For example, I was at BlackHat this year, and the keynote speaker was one of the Feds, speaking about the federal plans for cyber security. The discussions in the hall after his keynote were scathing. Many of the attendees concluded that he had no clue what he was talking about. This, I think, has to be the first hurdle the executive needs to clear before accomplishing anything. Put simply: the private sector just doesn't believe in government's ability to succeed. How are you going to fix that?


Rep. Langevin: The uncertainty of success should not prevent government from playing a role in securing cyberspace, but its questionable effectiveness means we have to find specific areas or roles where the government can add value. This is the challenge we face today.

I think back to some of the fundamental lessons of the government's efforts in Y2K. John Koskinen, the incredibly effective manager of this effort, asked himself what role the government could or should play with the private sector. His list was short: 1) Government could provide expertise to the private sector; 2) Government could provide a trusted meeting place for the private sector; 3) Government could provide a mix of positive and negative incentives for the private sector to implement security fixes. With this blueprint, Koskinen had his marching orders.

Government alone will not solve the cybersecurity problem because government alone does not own the infrastructure or the technical expertise. But government involvement is the key for success because of its ability to positively and negatively incentivize behavior. Today, just like 10 years ago, there are incentives that the government can provide to ensure better security in the private sector, and, like the government response to Y2K, I think this is where the government should focus its effort.

The trust relationship between the government and the private sector has been damaged over the years, so this will be an area for the next President to try to improve. The CSIS Commission recommends rebuilding the public-private partnership on cybersecurity to focus on key infrastructures and coordinated preventative and responsive activities. The Commission recommends the President direct the creation of three new groups for partnership that provide the basis for both trust and action: 1) A Presidential Advisory Committee organized under the Federal Advisory Committee Act (FACA) with senior representatives from the key cyber infrastructures; 2) A "town hall" style national stakeholders' organization that provides a platform for education and discussion; and 3) A new operational organization, the Center for Cybersecurity Operations (CCSO), where public and private sector entities can collaborate and share information on critical cybersecurity in a trusted environment.

There is one specific area that the government can establish some credibility with the private sector: become the gold standard for network security. Some of you have heard me discuss this vision during my DHS oversight hearings. The security of Federal networks has received attention from the highest principals in government, and I believe the increased attention will lead to better strategies, larger commitment of resources, and greater awareness throughout Federal agencies. Making the Federal government the gold standard demonstrates to the private sector that we are committed to security and we can be a trusted partner.

4) Regulation
by Hatta

The free and open nature of the internet is its biggest asset. How do you plan on enforcing "cybersecurity" without damaging its free and open nature? Are you sure that the cure (government regulation) isn't worse than the disease (cybercrime)? Remember there was no cybercrime before the internet. The internet has brought us both crime and prosperity; so far the prosperity has far exceeded the crime. I benefit far more than I suffer from having an unregulated internet. Can you convince me that a regulated internet is even necessary?

What sort of measures can you take to fight cybercrime without affecting my unfettered access to the internet? The phrase "If you have nothing to hide, you have nothing to fear" is not an acceptable response.


Rep. Langevin: I disagree with the premise - neither I nor the CSIS Commission discussed a "regulated Internet". What we did discuss is the need to develop and issue standards and guidance for securing three specific critical cyber infrastructures - telecom, finance, and energy - with the intent of increasing transparency and improving resiliency and reliability in the delivery of services critical to cyberspace.

5) How will this power be controlled?
by Opportunist

I work in IT security and thus I wonder how you plan to deal with two conflicting problems: rapid change of threat scenarios and the ability to supervise and monitor the actions taken by the "cyber police". Threats in IT change rapidly, over the course of days sometimes. So quick reactions to emerging threats are a necessity. You have to react fast when something emerges; you can't let debates go on forever with weeks passing to give various interest groups a say in the matter.

How do you plan to ensure that civil liberties will not suffer from the necessary fast response when trying to make the internet a safer place?

That whatever organization is supposed to make the "net safer" will have certain powers is a given. Whenever, though, someone who has power has to do something fast (i.e. before someone could complain or interfere), the temptation to abuse this power (claiming "danger in delay", when the only danger would have been that someone could find out that power abuse is afoot) is present as well. How do you plan to address this?


Rep. Langevin: It's a significant challenge to respond to threats that can hit in a matter of milliseconds. Specifically, to address abuses of power or compromises of privacy and civil liberties, we have to insist that privacy and civil liberties protections be built in from the ground floor into our cybersecurity programs.

The E-Government Act requires agencies to conduct Privacy Impact Assessments (PIA) before developing or procuring IT systems or projects that collect, maintain or disseminate information in identifiable form from or about members of the public, or initiating a new electronic collection of information in identifiable form for 10 or more persons. In general, PIAs are required to be performed and updated as necessary where a system change creates new privacy risks. I think this is one way that we can ensure that privacy and civil liberties concerns are addressed at the outset, but I am open to any suggestions from the readers.

6) Hiring Practices And Education
by codepunk

I noticed briefly in the document that it mentions the inability of the Govt. to hire the necessary talent to combat these issues. Namely it mentions the drop in CS student enrollments and attempts to relate it to the .com burst. In reality the American IT profession is under assault by both outsourcing and the current H1B visa program. How do you intend to increase CS enrollment when the job market is being eroded by these two factors?


Rep. Langevin: I am concerned about the drop in computer science students, because it could portend a decline in American competitiveness in science and technology. At the same time, I also know that advanced degrees are not a necessity in operations. Some of the best operational experts I know - both in and out of government - only have high school diplomas.

There are a variety of different skill sets that we are looking for in the Federal government. The goal is to both increase the supply of skilled workers (to benefit both government and the private sector) and to create a career path (including training and advancement) for cyber specialists in the Federal government.

I have long advocated for a comprehensive approach to immigration reform that combines border security, enforcement of immigration laws already on the books, and a humane and common-sense approach to dealing with the millions of immigrants who are already in this country illegally. Reforming the system includes looking at all visa programs such as the one you mention.

The model for increasing the supply of skilled cyber workers is the 1958 National Defense Education Act, which improved national security and strengthened the economy. A larger effort poses complex challenges, however, and a focused program that emphasizes cybersecurity will be easier to obtain. The simplest approach may be to expand Scholarship for Service, a National Science Foundation scholarship program that provides tuition and stipends, in addition to requiring accreditation of schools where scholarships are provided for computer security studies.

The U.S. must also develop a career path for cyber specialists in federal service. Creating this career path entails a number of steps, including minimum entry requirements for cyber positions, training in specialized security skills, and a national cyber skills certification program. The Office of Personnel Management, working with key agencies engaged in cyber defense and offense, needs to establish rewarding career paths and advanced training.

This career path should transcend specific departments or agencies. I believe it should be modeled on the Federal Law Enforcement Training Center (FLETC), which provides training to all Federal employees in the Law Enforcement Officer skills. The program should initially focus on national security related missions (including critical infrastructure), but could later be expanded to other mission areas.

7) Why?
by poetmatt

Why must civil liberties be given up under any circumstance under the guise of "cybersecurity"? Why is there no open public review for people to proclaim that under no circumstance do they plan to give up civil liberties for the sake of a bad US government cybersecurity plan? I for one do not plan to give up any form of "rights" just because the government has an inability to secure their own systems. I'm sure we all know the Thomas Jefferson quote for this.

Basically, my question is: why are we focused on balancing rights for security when we could spend more effort securing the existing government computer systems that we use, and it would be more effective? This is like pointing a finger at the Washington Monument and blaming it for the market collapse, and does not directly address the issue I just mentioned.

Rep. Langevin: No American should give up the liberties granted to him by our Constitution under any circumstances. I do disagree with your premise, however, that the Federal government is sacrificing the liberties of its citizens to ensure greater security of its networks.

Readers of Slashdot who share my concern about protecting privacy and civil liberties may be interested in reading the Privacy Impact Assessments (PIA) prepared by the Federal government for various IT systems that I mentioned in a previous response.

8) Over-reaching
by gclef

A) Are you concerned with biting off more than you can chew with the "Manage Identities" portion of the recommendation? (or, put another way, are you sure the government should really be doing any of those in the first place?)

A number of people are already uncomfortable with the idea of a national identity card (witness the problems that RealID is having these days)...your report goes even farther, though, by proposing a government-issued identity card that consumers could use for purchases online. If I'm already suspicious of a national ID, why in the world would I want to use a government-issued online ID?

B) Also, your recommendations have some huge loopholes: point 17 says that you want to allow consumers to use strong government-issued credentials for online activities, but point 18 then says that there should be regulation preventing businesses from *requiring* the use of those credentials. In practice, one of these two lines will be pointless (companies will say that it's optional to do business with them, so it's not "required"). By way of example, it's illegal for a company to *require* an SSN for non-banking business, but just try to get water service in Maryland without giving it to them...you can't do it. Doesn't this sort of loophole make your "consumer protection" recommendations pointless?


Rep. Langevin: Government-issued identity sparks a wide range of emotions, but I have to be clear about one thing: the Commission did not recommend that the government issue strong credentials to individuals.

First, we recommended that strong authentication be mandatory for critical cyber infrastructures - energy, finance, and telecommunications. Second, we said that if people want to use their new strong credential (which does not necessarily have to be provided by the government) for commercial purposes, they should be allowed to do so when the other party in a transaction is willing to accept them. Finally, we said that as we are likely to see two classes of consumers emerge (those with strong digital credentials and those who have chosen not to have such credentials), the FTC should ensure that companies can't refuse low-risk online services to those without credentials. FTC rules can move companies to adopt a risk-based approach to authentication - low-risk transactions can use weak or no authentication, high-risk transactions can require more.

You are essentially already doing this if you use online banking services: you can browse the website without authentication, but you need strong authentication to access your account and engage in transactions. Banks issue the credential (not the government) but it is in a framework of rules and guidance issued by regulatory authorities. The Commission wanted to move the banking model to other critical sectors.

The real issue is how to construct a system that accommodates a minority that is afraid of strong authentication without blocking adoption for critical infrastructure or high value transactions.

9) Single Platform Vulnerability
by codepunk

It is no secret that our nation's national security is threatened by the current single platform strategy. The lack of operating system diversity creates a fatal environment in which a single system flaw can expose all govt facilities and networks. As it stands today a single serious vulnerability could be exploited to blackout most if not all of our govt infrastructure. How do you intend to address this serious problem?


Rep. Langevin: We can do our best to build security in. Currently, most vendors deliver software with a very wide set of features and functions enabled, including some that can result in less secure operations if not properly configured by the purchaser. However, as software systems become increasingly complex, the difficulty of securely configuring these systems and maintaining that secure configuration has become a major technical and operational challenge.

The Federal government, taken as a single organization, is the largest buyer of most information technology products. Federal acquisitions rules provide a large mechanism for the government to shape private sector behavior. The CSIS Commission recommended that the Federal government require that the IT products it buys be securely configured upon delivery. Today, this effort is known as the Federal Desktop Core Configuration (FDCC). The FDCC is an OMB mandate that requires all Federal agencies to standardize the configuration of settings on operating systems and for applications that run on those systems. The FDCC is aimed at strengthening Federal IT security by reducing opportunities for hackers to access and exploit government computer systems.

A carefully crafted acquisitions regime, combined with an expanded FDCC initiative could help drive the market towards more secure configurations. The secure configurations mandated by the Federal government and produced in this collaboration with industry would be available for use by state and local government organizations as well as the private sector. A collaborative effort between government and industry to resolve software vulnerabilities and to deliver secure products could result in lower overall costs over the life of a system, even if secure configurations initially resulted in a higher price.

10) Secure what?
by fuego451

Besides sensitive government computers, which for whatever reason need to be connected to the WWW, exactly what part of the US portion of the Web needs to be secured and why?


Rep. Langevin: I am focused specifically on Federal information networks and critical infrastructure networks, such as infrastructure that is used to operate energy utilities and banking and finance and telecommunications. Ineffective cybersecurity leaves us vulnerable to attacks on our informational infrastructure, and in an increasingly competitive international environment, such attacks undercut America's economy and security and put the nation at risk.

-------------

Thanks to everyone who took the time to participate in this thread. Obviously, we weren't able to cover everything here in one Q&A, but if you would like to contact me with additional thoughts, please send me an email noting your interest in cybersecurity.
  • CSIS? (Score:2, Insightful)

    by Anonymous Coward

    Shit, now we got US congressmen running the Canadian Security Intelligence Service?

  • You say potayto (Score:3, Insightful)

    by imamac ( 1083405 ) on Friday December 19, 2008 @12:52PM (#26174001)

    4) Regulation by Hatta The free and open nature of the internet is its biggest asset. How do you plan on enforcing "cybersecurity" without damaging its free and open nature? Are you sure that the cure (government regulation) isn't worse than the disease (cybercrime)? Remember there was no cybercrime before the internet. The internet has brought us both crime and prosperity, so far the prosperity has far exceeded the crime. I benefit far more than I suffer from having an unregulated internet, can you convince me that a regulated internet is even necessary? What sort of measures can you take to fight cybercrime without affecting my unfettered access to the internet? The phrase "If you have nothing to hide, you have nothing to fear" is not an acceptable response.

    Rep. Langevin: I disagree with the premise - neither I nor the CSIS Commission discussed a "regulated Internet". What we did discuss is the need to develop and issue standards and guidance for securing three specific critical cyber infrastructures - telecom, finance, and energy - with the intent of increasing transparency and improving resiliency and reliability in the delivery of services critical to cyberspace.

    I say potahto...

    • by mcgrew ( 92797 ) * on Friday December 19, 2008 @01:16PM (#26174255) Homepage Journal

      The Commission discovered that the central problems in the current Federal organization for cybersecurity are lack of a strategic focus, overlapping missions, poor coordination and collaboration, and diffuse responsibility.

      We're mismanaged.

      The uncertainty of success should not prevent government from playing a role in securing cyberspace, but its questionable effectiveness means we have to find specific areas or roles where the government can add value.

      We don't matter

      The trust relationship between the government and the private sector has been damaged over the years, so this will be an area for the next President to try to improve.

      The citizens hate us. Maybe the next President won't be an asshat like this one is.

      I disagree with the premise - neither I nor the CSIS Commission discussed a "regulated Internet". What we did discuss is the need to develop and issue standards and guidance for securing three specific critical cyber infrastructures - telecom, finance, and energy - with the intent of increasing transparency and improving resiliency and reliability in the delivery of services critical to cyberspace.

      No it is NOT a spade. It is a pointed shovel, you insensitive clod!

      It's a significant challenge to respond to threats that can hit in a matter of milliseconds.

      We're fucked!

      I have long advocated for a comprehensive approach to immigration reform that combines border security, enforcement of immigration laws already on the books, and a humane and common-sense approach to dealing with the millions of immigrants who are already in this country illegally.

      I'm parroting what I think people want me to say

      No American should give up the liberties granted to him by our Constitution under any circumstances. I do disagree with your premise, however, that the Federal government is sacrificing the liberties of its citizens to ensure greater security of its networks.

      PATRIOT Act? What PATRIOT act?

      First, we recommended that strong authentication be mandatory for critical cyber infrastructures - energy, finance, and telecommunications. Second, we said that if people want to use their new strong credential (which does not necessarily have to be provided by the government) for commercial purposes, they should be allowed to do so when the other party in a transaction is willing to accept them. Finally, we said that as we are likely to see two classes of consumers emerge (those with strong digital credentials and those who have chosen not to have such credentials), the FTC should ensure that companies can't refuse low-risk online services to those without credentials.

      We will have two separate classes of people, pretty much like it is now: the haves and the have nots.

      However, as software systems become increasingly complex the difficulty of securely configuring these systems and maintaining that secure configuration has become a major technical and operational challenge.

      This shit's too complicated

      Ineffective cybersecurity leaves us vulnerable to attacks on our informational infrastructure, and in an increasingly competitive international environment, such attacks undercut America's economy and security and put the nation at risk.

      Like always, we defend the rich and the corporates against the unwashed masses, who all belong in jail anyway.

      • Re: (Score:3, Insightful)

        by poetmatt ( 793785 )

        I think that's a bit sensationalism.
        I do think some of this did indeed sidestep some issues, but let's not make the man sound like an idiot.

        For my question about giving up rights to secure things, he disagreed with my basic premise...not with my supporting evidence. So it is a subtle acknowledgment.

        • ...let's not make the man sound like an idiot.

          Are you recovering from Bush Derangement Syndrome or just an honest person?
          • I hate the shit he danced, but he's not stupid and the wording is if anything, a bit too careful. He is after all, not Bush, and is coming on slashdot of all places.

            As much as it trumps current wisdom I'd really like to see non-political majors and non-lawyers in our political system. It'd be a nice change from the word-dancing we get with situations like this.

      • by AB3A ( 192265 )

        Instead of showing us your excellently tuned cynicism, what would you do differently? Would you prefer that companies shrug their shoulders every time a laptop with your identification data goes missing? Would you not mind if the credit card processing companies didn't feel like paying for real security? Would you mind if some pimple-faced kid with a grudge against the world hacked in to the electric utility grid and shut down the lights in your city?

        In short, the only other answers I've seen here are "d

  • Re: (Score:1, Troll)

    Comment removed based on user account deletion
    • Re: (Score:3, Insightful)

      by Gizzmonic ( 412910 )

      I'm no libertarian, but wouldn't they approve of national defense as one of the few legitimate uses of federal power?

      Also, is it true that cocaine use leads to impotence? I learned that from GTA but then I had a doctor tell me it's not true.

      • Re: (Score:3, Informative)

        by Anonymous Coward

        It may not "cause" impotence, HOWEVER:

        At one point in my life I enjoyed smoking cocaine (aka crack).
        One lonely night I invited a prostitute to spend time with me, in the middle of being serviced, I reached for my favorite vice and........ party over.

        Wind sock on a still day.

      • A real libertarian believes in a well-trained militia, not a standing army. We should all be able to protect ourselves, not have the government take our money to spend in huge quantities on dubious "defense" costs. That's how you end up with multiple wars of conquest.

        (that was written in my fake libertarian voice... should only be taken half seriously).

    • Preamble: "provide for the common def"

    • Not sure how many people are familiar with how slashdot defines troll...
      • Troll -- A Troll is similar to Flamebait, but slightly more refined. This is a prank comment intended to provoke indignant (or just confused) responses. A Troll might mix up vital facts or otherwise distort reality, to make other readers react with helpful "corrections." Trolling is the online equivalent of intentionally dialing wrong numbers just to waste other people's time.
  • Hmm... (Score:5, Informative)

    by Ethanol-fueled ( 1125189 ) * on Friday December 19, 2008 @12:57PM (#26174075) Homepage Journal
    A couple choice quotes:

    A carefully crafted acquisitions regime...
    ...we have to find specific areas or roles where the government can add value...

    Those two alone make this whole thing a joke. But wait, there's more:

    ...and a humane and common-sense approach to dealing with the millions of immigrants who are already in this country illegally...

    Hmm, humane and common-sense. Like this [cnn.com], this [thesop.org], this [nytimes.com], and this [immigrantjustice.org] among others? I'm no apologist for illegal immigration, but the United States can do better than that. And, about privacy. The only reference he gave was to the Privacy Impact Assessments [dhs.gov] page which is only a vague public description of their banal, internal standard operating procedures. It says nothing about their interactions with other agencies. He lauds that the office must be top-level for the sake of interoperability with other agencies, but then behaves as if the DHS is the only one involved here. And nobody has yet answered the question: what does "homeland security" have to do with this [ice.gov]?

    It's nice to see high-ranking officials humor us by pretending that we exist and answering our questions, but they never say anything profound or useful. It's all Fluff and BS.

  • by nasch ( 598556 ) on Friday December 19, 2008 @01:29PM (#26174395)

    You are essentially already doing this if you use online banking services: you can browse the website without authentication, but you need strong authentication to access your account and engage in transactions.

    Seriously? Username and password is strong authentication? That's not a good sign...

    And then his answer about how they're going to address the problem that "our nation's national security is threatened by the current single platform strategy" boils down to "we're not".

  • Not a single question regarding security for the utility sector, specifically the NERC CIP standards. What is congress going to do about the way they are now? Are they going to take them from NERC and the utilities, and force a government standard, or are they going to let the utilities try again?

    What about expanding the control system security requirements through the EPA for water facilities?

    Rep. Langevin's committee is much more than "ZOMG, my right to exchange pirated copies of The Dark Knight is goi

    • Uh...don't believe everything that FERC says, either to you or to Congress...
      • I don't. My point was that this set of questions didn't even touch some really important things Langevin's committee is responsible for.

        ~Sticky
        / Uh... don't (insert scare word) (insert quantity) that (Insert high Markov correlated word to highly used capitalized word in Post) says, either to you or to (insert highly used capitalized word from original article related to Capitalized word in Parent)...
        //Are you a bot? Cause if you are, I'm cool with that
        ///I've always wanted a bot friend...

        • Not a bot...just deal with the CIP standards daily. NERC is walking a tightrope between a calcified industry and FERC power grabs.
          • Me too, I am the Technical Lead for a group that is entirely focused on design and consulting regarding process control security. NERC CIP is a big part of my work.

            Looking for a job? :)

            ~Sticky

            • Looking for a job? :)

              Actually, just got started with one - IT compliance for a fairly large entity. Oddly, the CIP standards are vaguely comforting. They are at least a stationary target.

              I came from six years in the financial sector--GLBA is more like trying to find a black cat at the bottom of a coal mine. Totally subjective, with examiner skill level ALL over the map.

              Anyway, send me an email if you want to commiserate sometime. jbaxter at my website domain name.

  • "At the same time, I also know that advanced degrees are not a necessity in operations. Some of the best operational experts I know - both in and out of government - only have high school diplomas. "

    I have known this all along. Education != smart and/or capable. Some of the most educated people I know are complete idiots. Some of the most undereducated people I know are freaking geniuses.

    I know a 17 year old Kid that knows more about automotive engineering than all of the engineers that work at GM combi

    • Re: (Score:3, Interesting)

      by Overzeetop ( 214511 )

      Most of the undereducated people I know who are freaking geniuses qualify for that title only in their own minds. Most are poorly adjusted to producing anything of value and utterly unreliable. Add that to the horribly shallow knowledge of even those things which they feel they are masters of simply makes them dangerous in any regulated environment. Most of the younger geniuses I've known have been bored and either found ways to apply themselves and advance to really understand their areas of expertise, or

      • by tnk1 ( 899206 )

        Additionally, a genius is only as good as what they contribute to what they work on. If they're unfocused, and unable to work with others, they're useless and possibly even dangerous.

        A group of "muscleheads" who collaborate together through tried and true methods can run any single or small group of "geniuses" to ground. Cooperation and experience trump raw ability at just about every turn.

    • by FatAlb3rt ( 533682 ) on Friday December 19, 2008 @02:47PM (#26175493) Homepage

      Let me guess - you don't have a degree.

      I know a 17 year old Kid that knows more about automotive engineering than all of the engineers that work at GM combined.

      In case you're wondering, that's where you lost your credibility.

      • by Lumpy ( 12016 )

        Nope, hold 2 of them.

        But I'm not stupid enough to think they are magical or hold any value other than I had the money and time to get them.

    • by mattwarden ( 699984 ) on Friday December 19, 2008 @03:04PM (#26175735)

      > Some of the most educated people I know are complete idiots.

      Ok, but most are not.

      > Some of the most undereducated people I know are freaking geniuses.

      Ok, but most are not.

      Education, like anything else, is not a panacea. But at the same time it's wrong to dismiss it, because there is definitely a strong correlation.

    • Some of the most educated people I know are complete idiots. Some of the most undereducated people I know are freaking geniuses.

      I know a 17 year old Kid that knows more about automotive engineering than all of the engineers that work at GM combined.

      You been telling me you're a genius since you were 17.
      In all the time I've known you I still don't know what you mean.
      The weekend at the college didn't turn out like you planned.
      The things that pass for knowledge I can't understand.

    • I know a 17 year old Kid that knows more about automotive engineering than all of the engineers that work at GM combined. etc.

      Yeah, but who is being told to get off the lawn? Ever think about THAT, Einstein?
    • And what level of education have you completed? Usually the ones who say "education != smart" haven't completed either high school or college. Which one is you?

      If you are willing to assert that a 17 year old kid knows more about automotive engineering than all engineers at GM combined, you obviously don't know what it takes to design a car, design a factory that makes a car, design the equipment that builds a car, design the processes needed to do it economically, and design how to ship and store the ca

  • by B5_geek ( 638928 ) on Friday December 19, 2008 @02:07PM (#26174877)

    I was expecting a clever article about the Canadian Secret Intelligence Service.

  • Nobody asked him about his crime-fighting robotic exoskeleton, like the one worn by Stephen Hawking?

  • by gclef ( 96311 ) on Friday December 19, 2008 @04:22PM (#26176675)

    His responses to my questions are not encouraging at all....let's start at the top:

    There is one specific area that the government can establish some credibility with the private sector: become the gold standard for network security.

    I've seen government security from the inside...since there are no actual consequences for failure, there is very little incentive to succeed. You will never manage this.

    Next, and the most discouraging:

    the Commission did not recommend that the government issue strong credentials to individuals.

    Yes, yes you did. Quoting from page 14, point 17 of the pdf at http://www.csis.org/media/csis/pubs/081208_securingcyberspace_44.pdf [csis.org] :

    The United States should allow consumers to use strong government-issued credentials (or commercially issued credentials based on them) for online activities, consistent with protecting privacy and civil liberties.

    If that isn't what you meant, you shouldn't have written it that way.

  • Response to Q.9 doesn't impress and doesn't answer the question.

    P.S. Why does slashdot take half a minute to respond to the first press of the "preview" button when I only typed one line of ASCII? :-)

  • He did not answer either one of my questions, six and nine.

    All I see is bla, bla, bla, bla...

    In fact did he answer any of them?

    • Perhaps this is why he tap danced around my question number nine...I see the VP for Trustworthy computing at Microsoft is involved.

      Langevin and McCaul are Co-Chairmen of the Commission, along with Lt. Gen. Harry Raduege (Ret.), Chairman of the Center for Network Innovation at Deloitte & Touche, and Scott Charney, Vice President for Trustworthy Computing at Microsoft.

  • Bunch of Bullshit (Score:2, Interesting)

    by PingXao ( 153057 )

    This is all a bunch of bullshit. It's intended to prop up more spending for questionable gain. If I was head of cybersecurity for the .gov there would be no problem and it would cost next to nothing to make sure of that. Got sensitive information or control systems? Keep them off the public internet. Next?

  • Well, I had some comments to him, concerning jobs and education - specifically, that the feds, along with an awful lot of companies, put out as requirements a laundry list that no one who hasn't worked in that office before can possibly meet, and that on-the-job training is off the table. I suggested that the government offer incentives, and lead the way by example, to promote this, and maybe get some of us back to work (including me).

    I also pointed out that usajobs.gov is a *dreadful* site, and even after
