April 05, 2004

cybersecurity FUD

The "Security Across the Software Development Lifecycle Task Force" has released a report on cybersecurity [1]. Released on 1 April 2004, this report was dismissed in some circles as an April Fool's joke. By others, it was seen to presage future legislation for this, that or the other favourite hobby horse (liability for vulnerabilities, exculpation from vulnerabilities...) [2][3].

Either way, the report is a scary document. Not for the security it promises, but for the power and assurance of its routine socialist claptrap. There is momentum in Washington-based circles to do something, anything, about security, and this report predicts some of those directions.

These people cannot grasp the nature of security, notwithstanding the "impressive credentials" assembled. The whole thing reads like the usual suspects writing the report to steer criticism away from themselves and to curry favour. For that reason, it's a prediction of a direction, and not reliable in detail. The ultimate prescription to save America's cyberspace from harm will be subject to more political whim and weather before we know how much damage is to be done.

In summary form, what "simply must be done" is: educate, by instructing the universities on what they should teach, instruct software developers on suitable practices to be employed, fix the patches so they work, and align incentives for developers and against "Cyber Criminals."

Space and time do not permit a larger review, but one can make these observations. The prescriptions on education will cause more outsourcing, not less as desired, simply because they talk in terms that will raise the costs of education, to dubious ends: less and less ROI, which means more and more real work done where the barriers aren't so exhaustive.

Also striking was the absence of any mention of actual security, things like E, EROS, etc.: "No processes or practices have currently been shown to consistently produce secure software [B1.iii]." Instead, we see calls to certify this, verify that, and measure those. In short, more window dressing is required (am I the only one who's offended by the ugly nakedness behind the panes?).

[1] http://www.cyberpartnership.org/SDLCFULL.pdf
[2] http://www.fortune.com/fortune/fastforward/0,15704,606544,00.html
[3] http://www.csmonitor.com/2004/0402/dailyUpdate.html?s=entt

