PITAC Cybersecurity Town Hall Meeting

Nils Janson writes "The President's Information Technology Advisory Committee's Cybersecurity Subcommittee will be holding a town hall meeting on cybersecurity at the GovSec conference at the Washington Convention Center in Washington, DC from 8:00AM to 10:00AM on July 29 (this Thursday). The meeting is open to the public and people interested in cybersecurity are encouraged to attend. It should be a pretty interesting time -- the subcommittee members are actually trying to solicit opinions from people who're interested in and passionate about this sort of stuff."

Sounds good, but:

[Giant Ape Skeleton]

Will there be snacks?

Re:Sounds good, but:

[krital]

Yes, there will -- light refreshments will be served beginning at 7:30 :)

PITAC

[bobv-pillars-net]

How many people besides me initially parsed the acronym as "Pain In The Ass Committee" ??

Re:PITAC

[e9th]

I did, and it has the potential to become one. But the PITAC Members" [itrd.gov] actually look fairly impressive.

Re:PITAC

[Alsee]

Ahhh! COMMITTEE! Thanx!
I was wondering what the hell that "C" was doing there.

-

Re:PITAC

[bill_mcgonigle]

Yup. I took it as self-deprecating, since PITA is what Security is so often. Somebody has a good sense of humor.

Since we recently learned [slashdot.org] that Security guys like to listen to The Dead, you can imagine how the conversation went when they were picking a committee name. Lots of pizza was involved, no doubt.

Focuses

[Dachannien]

Hopefully this committee will take up issues of spy/mal/adware and identity theft, and will reach the conclusion that outlawing software that doesn't make its purpose and installation known to even the stupidest user is the only way to go.

On the other hand, it's unfortunate that there's not a similar committee to focus on issues of copyright/fair use.

Re:Focuses

[Alsee]

On the other hand, it's unfortunate that there's not a similar committee to focus on issues of copyright/fair use.

Oh, but they *are* addressing copyright and fair use implicitly.

When they talk about "Trustworthyness" and "cyber security" and "securing the national information infrastructure" they are reffering to Trusted Computing.

Trusted Computing exterminates fair use, and it is an attempt to abandon copyright protection and replace it with DRM enforcement.

At an earlier Washington DC Global Tech Summ [bsa.org]

C'mon, be serious

[nusratt]

I have absolutely no interest in saying anything which anyone appointed by Dubya would be interested in hearing.

Re:C'mon, be serious

[krital]

That's quite possibly the most inane sentiment I've ever heard. If you'd taken two seconds to research this, you would've realized two things:

1. The PITAC was actually created by President Clinton. The council appointed while Clinton was in office stayed there until 2002, which, I might note, is minimally a year after Bush took office.

2. The PITAC is composed of real, interesting, professional people who collectively have a huge breadth of experience in the industry. Having been appointed to the PITAC

Re:C'mon, be serious

[nusratt]

You're (mostly) right,

-- in that I hadn't even "taken two seconds".
But I'm not even sure that I feel apologetic about that. In the atmosphere of the last three years, now I see anything associated with Bush and/or his ilk and then just automatically assume that it's going to be bad news and raise my bp.

The man's a cynical condescending clown, but what's worse is that he and his gang are dangerous -- not just for peace & IR, not just for reason and science and medicine, not just for domestic security

Re:C'mon, be serious

[krital]

I agree with you wholeheartedly. Even with my misuse of "intelligible". The one thing I take issue with is being devoid of hope for _anything_ that will be touched by Bush & Co. -- there are still some good things happening out there, even with the PATRIOT Act, the (now-defunct, IIRC) Total Information Awareness program and other things of that ilk. Not that I feel up to naming the good things right now; it's always much easier to concentrate on (and remember) the bad.

Re:C'mon, be serious

[Alsee]

now-defunct, IIRC) Total Information Awareness program

Defunct in name only. Pretty much all of the projects under the TIA heading were spun off into various government departments.

PITAC is also pushing Trusted Computing, and Trusted Computing is using similar tactics - they are both publicly unpopular and attacked under the main name, so they use guerilla tactics and sneak in under a slew of different names while concealing the fact that they are related to the main objectionable issue. Trusted Computing

re "PITAC?"

[nusratt]

"How many people besides me initially parsed the acronym as "Pain In The Ass Committee" ??"

Actually, at first I thought it had something to do with Near Eastern finger-food.

My .02

[mbstone]

4. What are the biggest obstacles in developing pervasive trustworthiness in the Federal and private sector cyber infrastructure?

Stop placing non-technical people (e.g. political appointees who do not personally use computers or perceive them as having value) as managers overseeing Federal government IT operations and budgets.

5. What are the most essential, the most challenging, and the most promising technical research problems that need to be solved in order to substantially improve the security of the nation's cyber infrastructure?

I would start by establishing a national-level forensic disassembly lab, one that could analyze hard drives from a random statistical sample of servers and workstations and that would provide definitive answers as to how many machines are infected with malware and of what kind.

8. What are the advantages and disadvantages of the open source software model in supporting improved cyber security?

Theoretically OSS would be an advantage. But you have to learn to crawl before you can learn to walk.

9. How well do the operational practices within organizations manage the risk from cyber security threats?

Enumerating risks is easy. It's also a pointless exercise unless there is management buy-in as far as mitigating known risks.

11. Is the pool of knowledgeable researchers, developers, and managers in cyber security adequate to protect the nation's cyber infrastructure? If not, how does the pool need to be strengthened?

No. As just one example, there are thousands of job vacancies in the government cyber security field that require pre-existing security clearances, but very few sponsorship opportunities. One solution would be to allow individuals to apply for their own clearances.

Also, the government should provide its cyber security personnel with the same job security and dignity as its other employees, by hiring us as Federal employees. Hiring us through contractors wastes money and deprives us of important workplace protections.

12. What are the major legal issues that need to be addressed that would promote the development and deployment of cyber security technologies? What can be done to enhance the capabilities of law enforcement to prevent and prosecute cyber space attacks?

As it stands now, it's too much hassle for many government IT shops to report incidents or initiate prosecutions -- the response protocols can involve "freezing" production systems and other procedures that are inherently disruptive to business operations. IT shops need to have backup hard drives/machines for those incidents that truly require "frozen" machines -- and less disruptive protocols for less serious incidents to encourage incident reporting and to allow prosecution of more badguys.

13. Where and how should the Federal government invest its cyber security R&D funds? Is the Federal government investing enough in cyber security R&D? Is the allocation for research vs. development optimal?

In my experience lots of money gets spent on hardware, usually at the end of the fiscal year. But there is none available for training personnel to use the new gizmos.