<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Proposed Cyber Security Legislation</title>
	<atom:link href="http://defensetech.org/2009/04/02/proposed-cyber-security-legislation/feed/" rel="self" type="application/rss+xml" />
	<link>http://defensetech.org/2009/04/02/proposed-cyber-security-legislation/</link>
	<description>The Future of the Military, Law Enforcement and National Security</description>
	<lastBuildDate>Sat, 26 May 2012 03:26:46 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
	<item>
		<title>By: Thinker 1</title>
		<link>http://defensetech.org/2009/04/02/proposed-cyber-security-legislation/#comment-98008</link>
		<dc:creator>Thinker 1</dc:creator>
		<pubDate>Fri, 04 Sep 2009 15:34:08 +0000</pubDate>
		<guid isPermaLink="false">http://deftech.usmilblog.com/?p=4425#comment-98008</guid>
		<description>We had better be careful with this one.  Giving control of the internet to our government puts us in the same league as Iran and N. Korea.  Let&#039;s not forget how Iran used that control after their last election.
</description>
		<content:encoded><![CDATA[<p>We had better be careful with this one.  Giving control of the internet to our government puts us in the same league as Iran and N. Korea.  Let’s not forget how Iran used that control after their last election.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Kevin</title>
		<link>http://defensetech.org/2009/04/02/proposed-cyber-security-legislation/#comment-83059</link>
		<dc:creator>Kevin</dc:creator>
		<pubDate>Sun, 05 Apr 2009 22:22:35 +0000</pubDate>
		<guid isPermaLink="false">http://deftech.usmilblog.com/?p=4425#comment-83059</guid>
		<description>Thanks Bradley
</description>
		<content:encoded><![CDATA[<p>Thanks Bradley</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Bradley</title>
		<link>http://defensetech.org/2009/04/02/proposed-cyber-security-legislation/#comment-98007</link>
		<dc:creator>Bradley</dc:creator>
		<pubDate>Sun, 05 Apr 2009 21:00:18 +0000</pubDate>
		<guid isPermaLink="false">http://deftech.usmilblog.com/?p=4425#comment-98007</guid>
		<description>Well Mr. Coleman you really made an ass out of Rob Rosenberger of Vmyths !!!!  You were dead on target and he, of course slammed you on his blog.  You think he would be professional enough to say he was wrong.  OH, wait a minute - he is not a professional!!!  True professionals admit when they are wrong.  I have followed your blog for over a year now and I must say you are RIGHT about cyber warfare/terrorism far more than anyone should be who is not on the inside.  SO you must be connected.    KEEP UP THE GREAT WORK!!!
</description>
		<content:encoded><![CDATA[<p>Well Mr. Coleman you really made an ass out of Rob Rosenberger of Vmyths !!!!  You were dead on target and he, of course slammed you on his blog.  You think he would be professional enough to say he was wrong.  OH, wait a minute — he is not a professional!!!  True professionals admit when they are wrong.  I have followed your blog for over a year now and I must say you are RIGHT about cyber warfare/terrorism far more than anyone should be who is not on the inside.  SO you must be connected.    KEEP UP THE GREAT WORK!!!</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Ptsfp</title>
		<link>http://defensetech.org/2009/04/02/proposed-cyber-security-legislation/#comment-98006</link>
		<dc:creator>Ptsfp</dc:creator>
		<pubDate>Fri, 03 Apr 2009 21:38:40 +0000</pubDate>
		<guid isPermaLink="false">http://deftech.usmilblog.com/?p=4425#comment-98006</guid>
		<description>I agree, the training would need to be continuous because the threat is always evolving. Just look at the anti-virus game.
A virus is written to exploit a hole in the operating system. The operating system is patched, and the anti-virus is updated to look for the threat. The virus is updated to look different, or attack a different hole in the OS. Again, the hole is patched, anti-virus is updated. And on and on...
It is for all intents and purposes an arms race. The bad guys attack with a new &quot;weapon&quot;, the good guys update their defense and close the holes, the bad guys create something new.
Most current computer industry training is very linear. They teach you the basics of the OS or software product. They teach you how to use the wizards, or if you have done steps one, two and three, your network should be protected. Many admins do not even go back and recheck servers after they are up and running. They are too busy fighting fires all day.
The hackers are successful, because they think &quot;out of the box&quot;. They do not follow checklists, or established rules. They have the time to spend to find the hole in your system.
Those involved in cyber security would need to be as active in upgrading their skill sets as the hackers are. We as a nation need to be in the forefront of this arms race. Staying static in this game will find us falling behind and becoming more of a target.
</description>
		<content:encoded><![CDATA[<p>I agree, the training would need to be continuous because the threat is always evolving. Just look at the anti-virus game.<br />
A virus is written to exploit a hole in the operating system. The operating system is patched, and the anti-virus is updated to look for the threat. The virus is updated to look different, or attack a different hole in the OS. Again, the hole is patched, anti-virus is updated. And on and on…<br />
It is for all intents and purposes an arms race. The bad guys attack with a new “weapon”, the good guys update their defense and close the holes, the bad guys create something new.<br />
Most current computer industry training is very linear. They teach you the basics of the OS or software product. They teach you how to use the wizards, or if you have done steps one, two and three, your network should be protected. Many admins do not even go back and recheck servers after they are up and running. They are too busy fighting fires all day.<br />
The hackers are successful, because they think “out of the box”. They do not follow checklists, or established rules. They have the time to spend to find the hole in your system.<br />
Those involved in cyber security would need to be as active in upgrading their skill sets as the hackers are. We as a nation need to be in the forefront of this arms race. Staying static in this game will find us falling behind and becoming more of a target.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: The Cenobyte</title>
		<link>http://defensetech.org/2009/04/02/proposed-cyber-security-legislation/#comment-98005</link>
		<dc:creator>The Cenobyte</dc:creator>
		<pubDate>Fri, 03 Apr 2009 03:44:43 +0000</pubDate>
		<guid isPermaLink="false">http://deftech.usmilblog.com/?p=4425#comment-98005</guid>
		<description>I have to agree with Ohwilleke here. A licensed and certified professional in the IT industry usually means someone with a lot of paper from a school somewhere that basically doesn&#039;t even know a SYN from an ACK. Don&#039;t get me wrong there are lots of guys with lots of paper that know what they are doing, but they either got it cause the business unit wanted to look kewl (That&#039;s me) or got it and then got lots of experience. The paper itself means nothing.
I know guys that just got their MCSE or A+ and I am not sure they are qualified to work on my helpdesk and these are exams written by IT companies, do we think the govt. can do a better idea.
I am not sure I even want the govt. writing rules about what to do and not do. I have found that most times rules just end up just breeding in some new unknown weak point in the system. We use best practices and try to follow them but even they tend to make people think they are rules.
</description>
		<content:encoded><![CDATA[<p>I have to agree with Ohwilleke here. A licensed and certified professional in the IT industry usually means someone with a lot of paper from a school somewhere that basically doesn’t even know a SYN from an ACK. Don’t get me wrong there are lots of guys with lots of paper that know what they are doing, but they either got it cause the business unit wanted to look kewl (That’s me) or got it and then got lots of experience. The paper itself means nothing.<br />
I know guys that just got their MCSE or A+ and I am not sure they are qualified to work on my helpdesk and these are exams written by IT companies, do we think the govt. can do a better idea.<br />
I am not sure I even want the govt. writing rules about what to do and not do. I have found that most times rules just end up just breeding in some new unknown weak point in the system. We use best practices and try to follow them but even they tend to make people think they are rules.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: stephen russell</title>
		<link>http://defensetech.org/2009/04/02/proposed-cyber-security-legislation/#comment-98004</link>
		<dc:creator>stephen russell</dc:creator>
		<pubDate>Fri, 03 Apr 2009 00:47:24 +0000</pubDate>
		<guid isPermaLink="false">http://deftech.usmilblog.com/?p=4425#comment-98004</guid>
		<description>Cut the bureaucracy alone to Fund this
Combine like agencies etc into 1.
Place within estd AF CyberCommand.
Maybe the Cyberspace Panel for the WH.
But merge the rest, save time &amp; money.
&amp; expand to US Emb in China alone or Taiwan.
Prior cyberstrikes came from China.
We don&#039;t need More Govt, we need Less &amp; More Efficient at that esp for DoD.
</description>
		<content:encoded><![CDATA[<p>Cut the bureaucracy alone to Fund this<br />
Combine like agencies etc into 1.<br />
Place within estd AF CyberCommand.<br />
Maybe the Cyberspace Panel for the WH.<br />
But merge the rest, save time &amp; money.<br />
&amp; expand to US Emb in China alone or Taiwan.<br />
Prior cyberstrikes came from China.<br />
We don’t need More Govt, we need Less &amp; More Efficient at that esp for DoD.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: ohwilleke</title>
		<link>http://defensetech.org/2009/04/02/proposed-cyber-security-legislation/#comment-98003</link>
		<dc:creator>ohwilleke</dc:creator>
		<pubDate>Thu, 02 Apr 2009 21:36:18 +0000</pubDate>
		<guid isPermaLink="false">http://deftech.usmilblog.com/?p=4425#comment-98003</guid>
		<description>Kevin, my point is that many very good cyber security professionals have irregular education and training, and sometimes patchy (even criminal) backgrounds.  For example, for at least a decade, the industry pay for computer professionals was so high that many of the best are college dropouts with little or no formal credentialing.  Many have never even taken classroom instruction in computer technology, even though others have specialized PhDs in the subject.  And, it is not obvious that the PhDs are the more qualified workers in the field.
Licensing and certification would exclude many qualified people from the profession, while not necessarily improving standards for those who remain.  Licensing and certification requirements presume that government regulators know what a cyber security professional needs to know -- but they don&#039;t.
Indeed, there isn&#039;t even a strong consensus on who really is a cyber security professional.  Does that include a small business LAN expert who handles the password protections and firewall for the business?  What if the small business is a multi-billion dollar hedge fund?  Are ISP managers who supervise computer experts charged with spam control cyber security professionals?  Are telephone techs cyber security professionals?  What if they do wiretap work for police departments?
Also, to the extent that one is discussing cyber security professionals working for government contractors, there is already backdoor regulation for &quot;inside job&quot; compromise threats through the established security clearance system, although even this minimal regulation has a negative distortion effect giving undue preference to those who already have security clearances from prior employment, even if they aren&#039;t the most qualified, because of the cost and delay involved.
</description>
		<content:encoded><![CDATA[<p>Kevin, my point is that many very good cyber security professionals have irregular education and training, and sometimes patchy (even criminal) backgrounds.  For example, for at least a decade, the industry pay for computer professionals was so high that many of the best are college dropouts with little or no formal credentialing.  Many have never even taken classroom instruction in computer technology, even though others have specialized PhDs in the subject.  And, it is not obvious that the PhDs are the more qualified workers in the field.<br />
Licensing and certification would exclude many qualified people from the profession, while not necessarily improving standards for those who remain.  Licensing and certification requirements presume that government regulators know what a cyber security professional needs to know — but they don’t.<br />
Indeed, there isn’t even a strong consensus on who really is a cyber security professional.  Does that include a small business LAN expert who handles the password protections and firewall for the business?  What if the small business is a multi-billion dollar hedge fund?  Are ISP managers who supervise computer experts charged with spam control cyber security professionals?  Are telephone techs cyber security professionals?  What if they do wiretap work for police departments?<br />
Also, to the extent that one is discussing cyber security professionals working for government contractors, there is already backdoor regulation for “inside job” compromise threats through the established security clearance system, although even this minimal regulation has a negative distortion effect giving undue preference to those who already have security clearances from prior employment, even if they aren’t the most qualified, because of the cost and delay involved.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Kevin</title>
		<link>http://defensetech.org/2009/04/02/proposed-cyber-security-legislation/#comment-83052</link>
		<dc:creator>Kevin</dc:creator>
		<pubDate>Thu, 02 Apr 2009 20:54:55 +0000</pubDate>
		<guid isPermaLink="false">http://deftech.usmilblog.com/?p=4425#comment-83052</guid>
		<description>ohwilleke
GREAT POINT - that supports my recommendation that continuing education is required.  Cyber Security Intelligence is the best defense.  Knowing something is coming or likely to come gives you the ability to reinforce your defenses
</description>
		<content:encoded><![CDATA[<p>ohwilleke<br />
GREAT POINT — that supports my recommendation that continuing education is required.  Cyber Security Intelligence is the best defense.  Knowing something is coming or likely to come gives you the ability to reinforce your defenses</p>
]]></content:encoded>
	</item>
</channel>
</rss>

