US Cybersecurity Chief Beckstrom Resigns
nodialtone writes with a Reuters report that Rod Beckstrom, director of the National Cybersecurity Center (NCSC), has tendered his resignation, citing clashes between the NCSC and the NSA with regard to who handles the nation's online security efforts. In his resignation letter (PDF), he made the point that "The intelligence culture is very different than a network operations or security culture," and said he wasn't willing to "subjugate the NCSC underneath the NSA." He also complained of budget roadblocks which kept the NCSC from receiving more than five weeks of funding in the past year. Wired has a related story from late February which discusses comments from Admiral Dennis Blair, director of National Intelligence, who thinks cyber security should be the NSA's job to begin with.
Re: (Score:2)
Because he wants to work *more* than that.
Way to put a spin on it...
The latest as they go by (Score:4, Funny)
Security is like virginity...once compromised it is lost forever.
another decent man leaves government in disgust (Score:5, Insightful)
From Mr Beckstrom's resignation letter: "In addition, the threats to our democratic processes are significant if all top level government network security and monitoring are handled by any one organization (either directly or indirectly)."
Amen, brother.
Re:another decent man leaves government in disgust (Score:5, Insightful)
Yeah, like, what happened to that concept of "Checks and Balances" that the Founding Fathers thought up in a steamy room in Carpenter's Hall in Philadelphia?
So now the agency in charge of breaking security, and spying on people, should now be in charge of guaranteeing security?
I better check the latest release notes, it seems that "Checks and Balances" has now been deprecated.
Re:another decent man leaves government in disgust (Score:5, Insightful)
No, that's Congress's and the Supreme Court's job. They haven't been doing it lately.
The reason for competing departments in the US Executive department is to provide a department willing to disagree, and possibly arrest or even shoot, members of the other department to prevent mutiny against the President's orders.
Re:another decent man leaves government in disgust (Score:5, Informative)
They didn't think up checks and balances, they just implemented Montesquieu's theories in a more thorough and novel way than had been done. And it wasn't Carpenter's Hall, it was Independence Hall, then I think still called the Pennsylvania State House.
Re: (Score:3, Insightful)
Outstanding points all. While I have little faith in any US agencies at present, I do recall that the USAF Intelligence officially went on record, prior to the illegitimate Iraqi invasion by Cheney/Bush, as to their complete disagreement with Cheney's doctored CIA intel on the matter.
Also, a while back when the USAF created its Cyber Security Command (or something like that), Cheney immediately shut it down.
Good recommendations all for the USAF being in charge of cyber security.....
Re: (Score:1, Troll)
This was the same USAF that stated they were standardizing all their computing on Microsoft software. Security? Microsoft? No, it just cannot be done, not here, not anywhere, ever, no how...
Gerry
All security is distributed (Score:2)
You have a security hole.
Re: (Score:3, Insightful)
And rightly so. Cyber security has nothing to do with flying planes, and so it did not belong to the US Air Force any more than to the Agriculture Department.
Yes, I am well aware that military branches have overlapping services (such as Marines having their own planes), but for USAF to have the main anti-hacking command — beyond what's needed to secure their own networks
Re: (Score:2)
OK - I am in agreement with all the posts, NO US government agency can be trusted in this matter.....(I just wanted to make those points about the soulless one, Cheney.....)
Re: (Score:3, Insightful)
'... threats to our democratic processes are significant if all top level government network security and monitoring are handled by any one organization... '
Like the government?
Re: (Score:1)
In a large, fairly open government such as the United States has, there will be many interested parties, each with their own agenda and base of power. It is a mistake to think these agendas will all be the same, or even compatible with one another. A single faction may gain control of a department, or of several key departments, but gaining control of the entire government is much harder.
Thus keeping the task of information control and monitoring dispersed among several agencies is a protection, but not a
Re: (Score:2, Funny)
Clean up your fucking country already
Says the man from the perfect, anonymous country.
Re:another decent man leaves government in disgust (Score:4, Insightful)
Clean up your fucking country already.
Some of us are trying to do just that...
Re: (Score:2, Insightful)
Some of us are trying to do just that...
There's your problem. Why are you only trying? Say "I will do that."
Next thing you know, you are imagining how you will actually be able to do it.
Now you "only" have to pull through, and not lose your original intent on the way.
Of course it's hard work. But it all starts with the right mind set.
If they managed to be born, and drive the world in one direction, and you consider yourself a more intelligent human, then you should in general also be able to do the opposite.
Problem is: It's still far from bad enoug
Re: (Score:1, Redundant)
The people who say "I will do that" are the kind who are already halfway up the clock tower stairs with a high caliber rifle.
Re: (Score:2)
The ratio of oil to WMDs in the States doesn't make a "regime change" very economically lucrative. :P
Re:another decent man leaves government in disgust (Score:4, Insightful)
NSA = leaky pipes (Score:1, Troll)
wrong (Score:4, Informative)
I'm sure the military branches use their own methods, which are even resistant to NSA spying
The entire point of the NSA is to secure government (and thus military) communications. DES, hello? That was developed so that the government could send shit privately, not for you and me.
The NSA takes charge of development of all the various devices used, and probably gives recommended policy and procedure too. For example, secure communications between embassies? That gear was designed by the NSA, as were the protocols for programming them. Same goes for the encrypted comms on military planes and whatnot. The military uses these fancy boxes to "load" encryption keys into radios and such- and assure their security, chain of custody, blah blah. NSA developed.
If you think the NSA has secret access and is running counter-ops or some bullshit like that, you've been watching too many bad movies and reading too many bad (Tom Clancy) novels.
Didn't see that coming.... meh (Score:2)
Who here actually thought that these new posts by the new administration are more than puppets? Reinventing the wheel is stupid enough, and it has relatively few features. Reinventing security? WTF already.
The fact that the NSA has been working on this for some time and the results we've seen only highlight that the previous system was broken, no matter that it did produce some good results. Change is needed, but you can't make it happen by decree, it only looks like you did something when that happens and
Re: (Score:1, Funny)
How is it that a former NSA agent posts as Anonymous Coward? To be on the forefront of the war on terror, we do not need cowards. I say this, of course, as an Anonymous Coward.
Re: (Score:1, Interesting)
Further, the NSA is the most anal organization when it comes to following USSID, the (secret) laws that restrict what they can collect. I trust the NSA more than any other government organization, now that I've worked with them.
Re:wrong (Score:4, Insightful)
Either the so-called "rules" don't mean anything, or the NSA just has others break the law for them. Then Bush and Obama give those others immunity from prosecution.
I don't trust any agency with "security" in its name. Especially when they abuse their networks to commit industrial espionage among other dirty tricks.
Re: (Score:2)
Well, the DGSE has industrial espionage as one of its chartered goals. Supposedly they spend about 25% of their resources on industrial espionage. Hate to break it to you, but if it's not the NSA, it's the DGSE, or MI6, or the FSB, or Mossad or (insert three letter agency here).
So to think the NSA or the United States has some monopoly on using state intelligence services for corporate spying is rather naive.
The reality is there will always be those with power who will use it to their gain no matter
Re: (Score:2)
1) Hiring a boatload of polygraph examiners, and
2) Hiring a bunch of new security guards.....
Re: (Score:2)
Bin Laden is a wise guy not to use any kind of electronic communication. What the guy uses for internal communications are actual donkeys and guys carrying handwritten notes. That is how all those multi billion state of art espionage satellites failed. There is no technology to trace a guy carrying a handwritten note in his pocket on Afghan mountains.
If he asked for polygraph examiners, it could be the reason.
Re: (Score:2)
Bin Laden is a wise guy not to use any kind of electronic communication.
Did everyone here (from the US) not see the NOVA special on PBS some months ago called the 'The Spy Factory'?
Fact: Bin Laden was using a satellite phone to contact his people.
Fact: The NSA was listening in...
Fact: The FBI was suspicious of one of the 9/11 hijackers' activities in California but didn't know the guy was talking with Bin Laden.
Fact: The NSA did know, but wouldn't tell the FBI
Fact: There is a reasonable possibility that 9/11 could have been stopped if the NSA and FBI had been sharing info
Divide implementation from development&regulat (Score:3, Interesting)
The current government cyber security system is broken by design. There is no way that one super organization can make every government network in the country secure. Each department and division in the government will have different needs. The only reasonable method to do this would be to have those departments and divisions implement their own security systems while the government as a whole creates a technology/advisory branch and a regulatory branch. Sort of like the DOE/NRC to nuclear reactor safety. The regulatory branch would audit the security (and potentially fine) the highest risk government agencies while the technology/advisory branch would be a big IT desk at which each department or branch could shop.
NSA Goals (Score:2)
Perpetrate and facilitate are not high on an actual security agenda.
That's crazy talk! (Score:3, Funny)
"...director of National Intelligence, who thinks cyber security should be the NSA's job to begin with."
Geezus, that would be like putting the thieves in charge of the banks! Uhhh, wait...
Even crazier (Score:1, Offtopic)
Giving your money supply completely over to money lenders. Doh!
Security (Score:5, Insightful)
Re:Security (Score:5, Informative)
Having different independent departments with different focus is not a bad idea. One of the concerns about FEMA after the New Orleans incident is that it had been reduced from a cabinet level agency and perhaps had lost some of its focus on natural disasters. In government there is transparency, so that a government agency can avoid duplicating the work of other agencies and as well they can also cooperate. So having a larger number of agencies also can allow for checks and balances to happen as well, so you don't have all of your eggs in one basket. It's important to have several independent agencies that can monitor each other. Different departments may also have different specialisation and may be better able to fulfill certain needs than others.
Re: (Score:3, Insightful)
We'd have all the transparency with much less expense to individuals if we didn't have to PAY for these federal agencies in the first place. Let us give the money to the state rather than this cluster fuck in D.C.. At most the fed should have an agency that acts as a liaison between states for interstate crime/commerce and establish a few frameworks for open commerce and things like patents/copyright/etc. Then focus on global affairs, defense, all that noise. Giving them the authority to police within a sta
Re: (Score:2, Informative)
OP probably meant the NRO [wikipedia.org].
Re: (Score:2)
Because, where would the drama be if we did not have this redundancy?
Putting it in the hands of one agency is bad - giving it to legislators is bad too - this is where I hope we get some transparency, if there are threats we need to know, it is OUR country, all of ours, not just those 'elected' to represent us. Those that for some reason think that makes them ABOVE us.
Re: (Score:2, Informative)
Why not just close/merge a bunch of them. CIA FBI NSA NCSC US SS DoH DIA NRA really I could just start picking random letters (and i'm sure there are more than i've listed)
One of the key reasons that there are so many agencies is that there is a clear dividing line in US law between the military and civilian agencies. These agencies were divided because the goal was to have the military worry about external military threats while civilian agencies handled internal threats and non-military external threats. This division is a positive defense against making the US a police state or giving the military too much power. It costs more money, but it also restricts mission creep.
Historical accident, not design (Score:2)
"One of the key reasons that there are so many agencies is that there is a clear dividing line in US law between the military and civilian agencies. "
It has a lot more to do with historical accident than separation of powers. The agencies each formed from different power bases, with slightly different but overlapping missions, and have grown into institutions.
DHS is a *great* recent example. DoD, NSA, CIA, FBI, NRO, NCSC... what, we didn't have *enough* agencies that were already supposed to be protecting us from threats? But there was a crisis, so the existing power base creates a new organization to solve all the problems, rather than trying to fix t
Re: (Score:2)
And frankly, the whole "military" vs "civilian" thing is fairly specious. If we're worried about abuse of government power, the fact that the NSA is a nominally "civilian" agency doesn't really matter. They can still abuse their power just as well. What difference does it make that their CO is a "Director" rather than a "General"?
Disobeying a corrupt director won't get you hanged. Generals wield far more power and are thus far more dangerous a threat to democracy than civilian chief executives. How common is it for a coup d'état to come from a minister of interior security?
Civilian vs military (Score:2)
"Disobeying a corrupt director won't get you hanged."
In fairness, disobeying a corrupt order will generally not lead to hanging. It likely will lead to a Court Martial, but if the order truly was corrupt, you'll be let off. Note that "I don't agree" does not make an order corrupt.
Still, I think you do make a fair point, so touche. Generals do command large forces with large weapons. The DCI commands a rather smaller force, most of whom don't have weapons, and most of those who do have much smaller weapons.
Of course, the CIA used to operate its own air forc
NIST Computer Security Resource Center (Score:2)
"Wait, NIST? You mean the guys who sit around and define the meter and mile and kilogram? ;)"
The National Institute of Standards and Technology, yes. Check out the NIST Computer Security Resource Center: http://csrc.nist.gov/ [nist.gov] It's actually good stuff, but again, redundant with the eleventeen other US Federal agencies publishing guidance. Confusion over authority helps nothing, least of all security.
Oh, and BTW: It's actually the BIPM that defines the SI units like meter and kilogram. (BIPM = Le Bureau international des poids et mesures, the International Bureau of Weights and Measures, headquar
Re: (Score:1)
CIA - Limited to overseas espionage and intelligence. Does not have the capability to conduct a large scale military operation. Can do NOTHING* against U.S. citizens anywhere in the world, and can do nothing* against legal foreign nationals on U.S. soil.
FBI - Can enforce US Federal Law (which is different than state law, the FBI can do nothing to someone that breaks a state law unless it is also
What we need (Score:5, Interesting)
There should be a focus and funding on implementing BGPSEC and DNSSEC since this is where many of the major vulnerabilities lie, and developing new and improved encryption systems and so on. The goal being to assure the internet is a platform of freedom of expression where some cannot oppress the viewpoints of others.
Re: (Score:3, Insightful)
The goal being to assure the internet is a platform of freedom of expression where some cannot oppress the viewpoints of others.
From a national security point of view, being able to oppress the viewpoints of others is a feature, not a bug.
DNS and BGP are not the big problem (Score:2)
"There should be a focus and funding on implementing BGPSEC and DNSSEC since this is where many of the major vulnerabilities lie,"
Huh?
DNS and BGP are generally run by people who know what they are doing. While there are protocol vulnerabilities, they've historically been pretty resistant to attack. Compromises have been local and stayed local, like they should.
Compare that to the massive data breaches that major financial, health care, and government organizations have reported. Compare that to the hundreds of thousands -- if not millions -- of compromised home computers serving as spam cannons and botnet members.
DNS and BGP are no
Re: (Score:2)
Actually it has gotten easier to hijack BGP and DNS and these vulnerabilities have been recently shown. So the network protecting itself from these attacks has grown more important. For instance, Pakistan and its global youtube reroute.
What's the need for new cryptosystems? (Score:2)
developing new and improved encryption systems
Really? What I hear people say at various security conferences is that you don't go through the crypto, but around it. You scan the guy's disk for things that look like a password, then you try all of them. Or you do a timing attack. Or you...
None of it breaks the mathematical properties of the encryption function. Why do we need new mathematics?
So? (Score:4, Insightful)
Sounds like a good position to eliminate completely. Take the whole DHS with you on the way out the door. And possibly a good chunk of NSA too.
Can't really blame him... (Score:5, Informative)
When blueprints and stuff for Marine 1 show up in Iran because some contractor wanted to download Britney Spears mp3s, yeah. I'd throw my hands up and walk away too. Things are only handled as intelligently as the dumbest person involved, and the leading cause of aneurism these days is having to deal with dumb people.
Silly me to respond to an Anon-type (Score:2)
NSA? (Score:2)
You know, I could have joined the NSA, but they found out my parents were married.
~Philly
Sorry. Cyberspace is way more complicated - (Score:5, Insightful)
than you military oldtimers can ever comprehend. cyberspace also doesn't go well with the military mindset. military mindset requires control over the venues that need securing. cyberspace, internet, is a venue that refuses control. because it is against its nature. even if you try and succeed in getting an iron stranglehold over internet in your country, the rest of the world will keep a free internet. which will mean that your security issues will continue. because, internet IS people. it's not an empty network with consoles attached. it's no different than your own society with its people.
you should leave cybersecurity to people who understand online world and its people. you can't accomplish shit with military mindset. even more, heavy handed or controlling approaches lead to social online backlashes and spontaneous actions. portray yourselves as anti freedom fascists trying to control internet in a 1950s manner for any reason, and you may gain the attention of a varying multitude of people from hacking crowd, each of which could undermine whatever budget you can throw at security. portray yourselves as a friend of the people, and they harass your enemies. (a la pirate bay case).
remember - internet is an infinite chaotic space in which individuals can outdo thousands. best security approach is to be 'friend of the people'. and no military knows shit about that.
so, NSA, leave it to people who know internet.
Re: (Score:3, Insightful)
Wow. What a fool you are..
The military helped originally create the internet in its present form. And their base assumption was that once it was properly built, it would grow by itself. Its reason was to create a network that could never be quieted, even by nuclear attacks.
Now, about the NSA: They're not heavy handed thugs. They've always been sigint, are sigint, and will always be the sigint. They don't want the iron-fisted control of the Internet, because they love listening!
However, do you know why t
Re: (Score:3, Insightful)
it HELPED create the internet in its NOT PRESENT, but initial form. it was designed as a network that would route over damage in case of a nuclear war and keep functioning.
no one had ANY idea what the internet would be like in 15 years.
NSA is a government agency. government agencies reflect the policies of whomever installed on top of them. if nsa is not heavy handed today, it will/may be tomorrow. you can't trust liberty with government agencies.
NSA knows more than you do (no pun intended) (Score:2)
so, NSA, leave it to people who know internet
Um, yah. Do you have any real idea what you're talking about?
The NSA is full of very smart people. They employ more mathematicians and computer scientists than any other organization in the world. Their IA division is very good. They publish lot of very good, public computer security guidance. The computer world would be a more secure place if most organizations tried to adopt some of their recommendations.
Check out http://www.nsa.gov/ia/guidance/security_configuration_guides/ [nsa.gov] some time. Chances are,
Hierarchically defense can be stronger (Score:2)
I'd dispute your claim that hierarchy is at a disadvantage for defense. Loose groups are good for offense because you can't just counter-attack the command and control structures. But for building a foundation for attack, you want something strong and solid.
I say "your claim" because while I haven't read that RAND report in completeness, a cursory examination suggests that they don't particularly favor an unstructured defense.
They do nothing but Cyber Lip (Score:2)
Fox guarding the henhouse? (Score:3, Funny)
The object of cybersecurity is to prevent people from interfering with our computers. The NSA's JOB is to interfere with our computers. They can hardly do both at the same time.
Re: Fox guarding the henhouse? (Score:2)
NSA mission (Score:2)
The object of cybersecurity is to prevent people from interfering with our computers. The NSA's JOB is to interfere with our computers.
Actually, the NSA is charged with the security of the nation's communications, including the private sector. "National Signals Agency" would be a better expansion ("signals" including communications and computers in the GOVSEC world). Sure, they spy on everybody. How much spying they should do is a quagmire of a political debate I'm not about to involve myself in here. But they also work to make sure the nation's signals infrastructure is secure.
As I pointed out in another post, the NSA publishes a lot
NSA has given up on controlling crypto through law (Score:1)
Er, yes, I should have written, "The NSA has given up on controlling crypto through legislation". Sorry for the unclarity.
cyber security should be the NSA's job :) (Score:2)
History didn't start in 2003 (Score:3, Insightful)
I wish journalists would do a little research. NSA has had the lead role in cybersecurity since before the term was invented, back to the National Computer Security Center when Bob Morris the Elder was Chief Scientist. Mid-80's, in other words. Communications security since Truman.
What this guy is complaining about is that he wasn't able to wrest control of cybersecurity away from NSA.
Re: (Score:2)
...
What this guy is complaining about is that he wasn't able to wrest control of cybersecurity away from NSA.
Exactly, my building's security personnel are not in charge of the IT group; they are our customer and we take their needs into account. If you work in IT (this is /. right?) would you like your security guys telling you how to manage the network/PC's?
Great sentence (Score:1)
That's a great example of a bad sentence. Did they receive five weeks of funding, or less than 47 weeks?
Uh-oh, have to read TFA to find out...
Times are changing IT has grown up (Score:2)
I would like to point out that what he was objecting to was the chain of command. You could use the analogy of a large company building. Like where I work.
I am in IT and we take security seriously but I don't answer to the building security personnel or their supervisors. This was the old mindset. I have seen old org charts where security, IT, and janitors are all lumped under facilities.
I administer the servers that control the badging and access cards. I work closely with them on many projects involving