* [NNagain] cybersecurity is not a talent problem
From: Dave Taht @ 2023-11-08 19:21 UTC
To: Network Neutrality is back! Let's make the technical aspects heard this time!
Paul Vixie reposted this old piece of his, even more relevant today than in 2015.
https://www.linkedin.com/pulse/lack-talent-problem-cyber-paul-vixie/
--
Oct 30: https://netdevconf.info/0x17/news/the-maestro-and-the-music-bof.html
Dave Täht CSO, LibreQos
* Re: [NNagain] cybersecurity is not a talent problem
From: Dick Roy @ 2023-11-08 20:43 UTC
To: 'Network Neutrality is back! Let's make the technical aspects heard this time!'
This is SO RIGHT ON AND RELEVANT NOW that it's hard to overstate!!!
RR
* Re: [NNagain] cybersecurity is not a talent problem
From: Lee @ 2023-11-08 22:47 UTC
To: Network Neutrality is back! Let's make the technical aspects heard this time!
On Wed, Nov 8, 2023 at 2:22 PM Dave Taht via Nnagain wrote:
>
> Paul Vixie reposted this old piece of his, even more relevant today, than 2015.
>
> https://www.linkedin.com/pulse/lack-talent-problem-cyber-paul-vixie/
I disagree. With a lot, but let's just go with this
> The "cyber" security problems that the US Government, and every other government, and every large and medium enterprise are all coping with today do not stem from lack of "cyber" talent.
Take a look at
https://oversight.house.gov/wp-content/uploads/2016/09/The-OPM-Data-Breach-How-the-Government-Jeopardized-Our-National-Security-for-More-than-a-Generation.pdf
on page 9:
The bottom line. The longstanding failure of OPM's leadership to implement basic cyber hygiene, such as maintaining current authorities to operate and employing strong multi-factor authentication, despite years of warnings from the Inspector General, represents a failure of culture and leadershit, not technology.
There is no substitute for talent.
Regards,
Lee
* Re: [NNagain] cybersecurity is not a talent problem
From: Dick Roy @ 2023-11-09 0:58 UTC
To: 'Network Neutrality is back! Let's make the technical aspects heard this time!'
Yes, today one can argue that there is a shortage of talent; however, Paul's point was that that is not the first problem to solve. In fact, the problem that must be solved first is:
" We're in a hole, here, folks. The first thing we should do is: stop digging.”
... and he is right IMHO!
RR
* Re: [NNagain] cybersecurity is not a talent problem
From: Lee @ 2023-11-09 2:26 UTC
To: dickroy, Network Neutrality is back! Let's make the technical aspects heard this time!
On Wed, Nov 8, 2023 at 7:58 PM Dick Roy via Nnagain wrote:
>
> Yes, today one can argue that there is a shortage of talent, however Paul's point was that that I s not the first problem to solve, in fact the problem that must be solved first is:
>
> " We're in a hole, here, folks. The first thing we should do is: stop digging.”
>
> ... and he is right IMHO!
If Katherine Archuleta had enough talent to heed the warnings from the
IG there's a chance there wouldn't have been a breach. The
organization should have been well past the "stop digging" phase when
the breach occurred.
> > https://www.linkedin.com/pulse/lack-talent-problem-cyber-paul-vixie/
> > Nothing that happened at OPM, or failed to happen at OPM, was the fault of its leadership team.
Wrong. At the very least, management should have been closing the
holes that had been identified.
again, looking at
https://oversight.house.gov/wp-content/uploads/2016/09/The-OPM-Data-Breach-How-the-Government-Jeopardized-Our-National-Security-for-More-than-a-Generation.pdf
on page 6
How the Breach Happened. Despite this high value information
maintained by OPM, the agency failed to prioritize cybersecurity and
adequately secure high value data. The OPM Inspector General (IG)
warned since at least 2005 that the information maintained by OPM was
vulnerable to hackers.
The leadership team ***was warned***. Given that they "failed to ...
adequately secure high value data", how is whatever did or didn't
happen at OPM _NOT_ the fault of the leadership team?
I'll agree that
> > Katherine Archuleta should not have had to ... be an expert on "cyber" security
But she _did_ need to listen to the experts that were warning her
about how bad security was. And she needed enough talent to realize
that she should heed the warnings from her cyber security experts.
> and also because she had a reasonable expectation that somebody, somewhere, knew how completely and ruinously bad all of the IT (Information Technology) in the world was, and would have told her that there was no safety anywhere except on paper, in filing cabinets, guarded by the U.S. Military.
Seriously? There is no absolute security so no matter how much
leadership ignores warnings, or how bad the security is in the
organization they're running, it's not their fault when a security
breach happens?
Do you really buy that? Would you be OK with your bank or any other
organization that has your PII thinking like that?
speaking of which.. How do you feel about Equifax? Oh well.. nothing
that could have been done, they should have been put out of business
or something in between?
Regards,
Lee
* Re: [NNagain] cybersecurity is not a talent problem
From: Dick Roy @ 2023-11-09 6:21 UTC
To: 'Lee', 'Network Neutrality is back! Let's make the technical aspects heard this time!'
Your points are mostly if not all quite valid. And so is Paul's. AFAICT, you are speaking ex post facto, which is perfectly fine given that we all live "ex post facto". IMO, Paul's point is that going forward the thinking must change from "filling security holes when you find them" to "do your best to eliminate the ability to dig holes in the first place." Thus, your arguments have merit "ex post facto", and Paul's have merit "a priori". So ... you are both right!
RR
* Re: [NNagain] cybersecurity is not a talent problem
From: David Lang @ 2023-11-09 9:19 UTC
To: Lee via Nnagain
Most of the places that I've worked, the security team have had no problem
identifying problems that need to be fixed faster than the rest of the company
can fix them.
At a few places, the Security team has been responsible for enough
infrastructure that they struggle to fix things as well, but not many places.
So more manpower is needed, but not necessarily where you expect it.
David Lang
* Re: [NNagain] cybersecurity is not a talent problem
From: David Bray, PhD @ 2023-11-09 16:47 UTC
To: Network Neutrality is back! Let's make the technical aspects heard this time!
I'd submit we also need more cyber talent - staffing Congress (or elected
to Congress).
And we need more cyber talent rotating in and out of NIST - the National
Institutes of Standards and Technology.
The reasons are three-fold:
1.) It's easy for Congress to position themselves as outraged and concerned
if/when something goes wrong (and things will go wrong - in the case of OPM
it was valuable information being targeted by what appears to have been PRC
for potentially intel-related purposes) - however Congress has both the
authorization and appropriations function. Which means they can authorize
(and thus request) agencies to do 100+ things and appropriate funds to do
only 25 of them. Remember that the OPM breach happened around the time that
government had experienced the "do more with less" rubric and so sure there
are plenty of more things they could have done - the question that you
never see an IG nor a Congressional heading ask, was whether the agency had
been given enough money to do all those things by their Congressional
committees?
2.) NIST usually puts out great audience on all the things that need to be
done to secure systems. However they're usually again missing the
realpolitik of 100+ priorities and only funds for 25+ of them. Auditing
firms, who usually do the work of IGs (they contract out to them) love NIST
checklists as they can take anywhere between 8-10 months to do, tying up
the cybersecurity and other IT Team resources of an agency's team to answer
all the questions and reviews. Then the findings are shared - and you can
be sure there's always "more needed here" because the auditing firm wants
to come back next year and the IG exists to find things wrong - and usually
the agency's management team has 2-4 months to mitigate whatever was found
before the process will continue again next year. When we're spending more
time auditing vs. fixing the things the audit found, I don't think that's a
recipe for "winning"?
3.) So how do we fix this?
* Rotate people from operational agencies to NIST to balance the "if you
had perfect time, perfect budgets, and no other priorities" with the
realpolitik of none of those things are true. Also tie this to a mechanism
to link any IG findings of serious issues needing to be fixed to an immediate
presentation by the IG themselves to the Congress on why Congress should
authorize and appropriate funds *now* to fix the issue asap. Yes, ask the
IG to do this - not the poor management team who has to get dinged by the
IG and then go to Congress and ask for funds to fix the issue - only to be
told either not now or sure, however you still have to do these 25+ other
things with the same budget we already gave you.
* Rotate cyber talent between Congress and the Executive Branch too. This
way Congress can learn what it's really like in the Executive Branch + the
Exec Branch can appreciate the priorities of Congress (to include Congress
exists to get re-elected). Also fix the fact that while there's plenty of
"Oversight" committees for bad things, the other part of Congress - namely
Ways and Means - does not have a forum for when things go well. It's almost
like Congress is perfectly designed to focus on all the bad things that go
wrong in the Executive Branch but lack any mechanisms to celebrate and
spotlight goodness in the Executive Branch. And so this creates the
dysfunctions - and bad perceptions - we see today.
* Find ways to do cybersecurity reviews that aren't checklists. The
checklists continue to grow - while NIST tries to do its best - things get
more and more voluminous each year and we're now at 8-10 months for an
audit which leaves precious little time for remediation and fixes. Require
any annual audit done by an IG and third-party firm to not consume more
than 1/3rd of the year to leave 2/3rd of the year for fixes before it's
repeated again. Also deconflict the new executive order on Artificial
Intelligence which (at 110+ pages) adds tons of new responsibilities and
checklists to executive branch agencies - with **no** additional funding
for this and **no** deconfliction of the existing FISMA, FITARA, and other
annual IT audits government agencies have to do.
Hope this helps.
* Re: [NNagain] cybersecurity is not a talent problem
2023-11-09 16:47 ` David Bray, PhD
@ 2023-11-09 17:25 ` David Lang
0 siblings, 0 replies; 9+ messages in thread
From: David Lang @ 2023-11-09 17:25 UTC (permalink / raw)
To: David Bray, PhD
Cc: Network Neutrality is back! Let´s make the technical
aspects heard this time!,
David Lang
Far too many companies devolve into 'what do the auditors require' rather than
'what makes security good, if it's good we'll pass the audits (with some
minimal tweaking to prove what we're doing)'.
I've been fortunate enough to work at some places where a new audit type was
proposed, and the security team jumped on it with glee: 'these are the things
we've been trying to do anyway', but also unfortunate enough to work at places
where the security team did virtually nothing except respond to audits (ours and
our customers') and had no time or resources to actually drive fixes.
David Lang
On Thu, 9 Nov 2023, David Bray, PhD wrote:
> I'd submit we also need more cyber talent - staffing Congress (or elected
> to Congress).
>
> And we need more cyber talent rotating in and out of NIST - the National
> Institutes of Standards and Technology.
>
> The reasons are three-fold:
>
> 1.) It's easy for Congress to position themselves as outraged and concerned
> if/when something goes wrong (and things will go wrong - in the case of OPM
> it was valuable information being targeted by what appears to have been PRC
> for potentially intel-related purposes) - however Congress has both the
> authorization and appropriations function. Which means they can authorize
> (and thus request) agencies to do 100+ things and appropriate funds to do
> only 25 of them. Remember that the OPM breach happened around the time that
> government had experienced the "do more with less" rubric and so sure there
> are plenty more things they could have done - the question that you
> never see an IG nor a Congressional hearing ask was whether the agency had
> been given enough money to do all those things by their Congressional
> committees?
>
> 2.) NIST usually puts out great guidance on all the things that need to be
> done to secure systems. However they're usually again missing the
> realpolitik of 100+ priorities and only funds for 25+ of them. Auditing
> firms, who usually do the work of IGs (they contract out to them) love NIST
> checklists as they can take anywhere between 8-10 months to do, tying up
> the cybersecurity and other IT Team resources of an agency's team to answer
> all the questions and reviews. Then the findings are shared - and you can
> be sure there's always "more needed here" because the auditing firm wants
> to come back next year and the IG exists to find things wrong - and usually
> the agency's management team has 2-4 months to mitigate whatever was found
> before the process will continue again next year. When we're spending more
> time auditing vs. fixing the things the audit found, I don't think that's a
> recipe for "winning"?
>
> 3.) So how do we fix this?
>
> * Rotate people from operational agencies to NIST to balance the "if you
> had perfect time, perfect budgets, and no other priorities" with the
> realpolitik of none of those things are true. Also tie this to a mechanism
> to link any IG findings of serious issues needing to be fixed to an immediate
> presentation by the IG themselves to the Congress on why Congress should
> authorize and appropriate funds *now* to fix the issue asap. Yes, ask the
> IG to do this - not the poor management team who has to get dinged by the
> IG and then go to Congress and ask for funds to fix the issue - only to be
> told either not now or sure, however you still have to do these 25+ other
> things with the same budget we already gave you.
>
> * Rotate cyber talent between Congress and the Executive Branch too. This
> way Congress can learn what it's really like in the Executive Branch + the
> Exec Branch can appreciate the priorities of Congress (to include Congress
> exists to get re-elected). Also fix the fact that while there's plenty of
> "Oversight" committees for bad things, the other part of Congress - namely
> Ways and Means - does not have a forum for when things go well. It's almost
> like Congress is perfectly designed to focus on all the bad things that go
> wrong in the Executive Branch but lacks any mechanisms to celebrate and
> spotlight goodness in the Executive Branch. And so this creates the
> dysfunctions - and bad perceptions - we see today.
>
> * Find ways to do cybersecurity reviews that aren't checklists. The
> checklists continue to grow - while NIST tries to do its best - things get
> more and more voluminous each year and we're now at 8-10 months for an
> audit which leaves precious little time for remediation and fixes. Require
> any annual audit done by an IG and third-party firm to not consume more
> than 1/3rd of the year to leave 2/3rd of the year for fixes before it's
> repeated again. Also deconflict the new executive order on Artificial
> Intelligence which (at 110+ pages) adds tons of new responsibilities and
> checklists to executive branch agencies - with **no** additional funding
> for this and **no** deconfliction of the existing FISMA, FITARA, and other
> annual IT audits government agencies have to do.
>
> Hope this helps.
>
>
>
> On Thu, Nov 9, 2023 at 4:19 AM David Lang via Nnagain <
> nnagain@lists.bufferbloat.net> wrote:
>
>> Most of the places that I've worked, the security team have had no problem
>> identifying problems that need to be fixed faster than the rest of the
>> company
>> can fix them.
>>
>> At a few places, the Security team has been responsible for enough
>> infrastructure that they struggle to fix things as well, but not many
>> places.
>>
>> So more manpower is needed, but not necessarily where you expect it.
>>
>> David Lang
>>
>> On Wed, 8 Nov 2023, Lee via Nnagain wrote:
>>
>>> Date: Wed, 8 Nov 2023 21:26:27 -0500
>>> From: Lee via Nnagain <nnagain@lists.bufferbloat.net>
>>> To: dickroy@alum.mit.edu,
>>> Network Neutrality is back! Let´s make the technical aspects heard
>> this
>>> time! <nnagain@lists.bufferbloat.net>
>>> Cc: Lee <ler762@gmail.com>
>>> Subject: Re: [NNagain] cybersecurity is not a talent problem
>>>
>>> On Wed, Nov 8, 2023 at 7:58 PM Dick Roy via Nnagain wrote:
>>>>
>>>> Yes, today one can argue that there is a shortage of talent, however
>> Paul's point was that that is not the first problem to solve, in fact the
>> problem that must be solved first is:
>>>>
>>>> "We're in a hole, here, folks. The first thing we should do is: stop
>> digging."
>>>>
>>>> ... and he is right IMHO!
>>>
>>> If Katherine Archuleta had enough talent to heed the warnings from the
>>> IG there's a chance there wouldn't have been a breach. The
>>> organization should have been well past the "stop digging" phase when
>>> the breach occurred.
>>>
>>>>> https://www.linkedin.com/pulse/lack-talent-problem-cyber-paul-vixie/
>>>>> Nothing that happened at OPM, or failed to happen at OPM, was the
>> fault of its leadership team.
>>>
>>> Wrong. At the very least, management should have been closing the
>>> holes that had been identified.
>>>
>>> again, looking at
>>>
>> https://oversight.house.gov/wp-content/uploads/2016/09/The-OPM-Data-Breach-How-the-Government-Jeopardized-Our-National-Security-for-More-than-a-Generation.pdf
>>> on page 6
>>>
>>> How the Breach Happened. Despite this high value information
>>> maintained by OPM, the agency failed to prioritize cybersecurity and
>>> adequately secure high value data. The OPM Inspector General (IG)
>>> warned since at least 2005 that the information maintained by OPM was
>>> vulnerable to hackers.
>>>
>>> The leadership team ***was warned***. Given that they "failed to ...
>>> adequately secure high value data", how is whatever did or didn't
>>> happen at OPM _NOT_ the fault of the leadership team?
>>>
>>> I'll agree that
>>>>> Katherine Archuleta should not have had to ... be an expert on
>> "cyber" security
>>>
>>> But she _did_ need to listen to the experts that were warning her
>>> about how bad security was. And she needed enough talent to realize
>>> that she should heed the warnings from her cyber security experts.
>>>
>>>> and also because she had a reasonable expectation that somebody,
>> somewhere, knew how completely and ruinously bad all of the IT (Information
>> Technology) in the world was, and would have told her that there was no
>> safety anywhere except on paper, in filing cabinets, guarded by the U.S.
>> Military.
>>>
>>> Seriously? There is no absolute security so no matter how much
>>> leadership ignores warnings, or how bad the security is in the
>>> organization they're running, it's not their fault when a security
>>> breach happens?
>>> Do you really buy that? Would you be OK with your bank or any other
>>> organization that has your PII thinking like that?
>>>
>>> speaking of which.. How do you feel about Equifax? Oh well.. nothing
>>> that could have been done, they should have been put out of business
>>> or something in between?
>>>
>>> Regards,
>>> Lee
>>>
>>>
>>>
>>>>
>>>> RR
>>>>
>>>> -----Original Message-----
>>>> From: Nnagain [mailto:nnagain-bounces@lists.bufferbloat.net] On Behalf
>> Of Lee via Nnagain
>>>> Sent: Wednesday, November 8, 2023 2:47 PM
>>>> To: Network Neutrality is back! Let´s make the technical aspects heard
>> this time!
>>>> Cc: Lee
>>>> Subject: Re: [NNagain] cybersecurity is not a talent problem
>>>>
>>>> On Wed, Nov 8, 2023 at 2:22 PM Dave Taht via Nnagain wrote:
>>>>>
>>>>> Paul Vixie reposted this old piece of his, even more relevant today,
>> than 2015.
>>>>>
>>>>> https://www.linkedin.com/pulse/lack-talent-problem-cyber-paul-vixie/
>>>>
>>>> I disagree. With a lot, but let's just go with this
>>>>> The "cyber" security problems that the US Government, and every other
>> government, and every large and medium enterprise are all coping with today
>> do not stem from lack of "cyber" talent.
>>>>
>>>> Take a look at
>>>>
>> https://oversight.house.gov/wp-content/uploads/2016/09/The-OPM-Data-Breach-How-the-Government-Jeopardized-Our-National-Security-for-More-than-a-Generation.pdf
>>>>
>>>> on page 9:
>>>> The bottom line. The longstanding failure of OPM's leadership to
>>>> implement basic cyber hygiene, such as maintaining current authorities
>>>> to operate and employing strong multi-factor authentication, despite
>>>> years of warnings from the Inspector General, represents a failure of
>>>> culture and leadershit, not technology.
>>>>
>>>> There is no substitute for talent.
>>>>
>>>> Regards,
>>>> Lee
2023-11-08 19:21 [NNagain] cybersecurity is not a talent problem Dave Taht
2023-11-08 20:43 ` Dick Roy
2023-11-08 22:47 ` Lee
2023-11-09 0:58 ` Dick Roy
2023-11-09 2:26 ` Lee
2023-11-09 6:21 ` Dick Roy
2023-11-09 9:19 ` David Lang
2023-11-09 16:47 ` David Bray, PhD
2023-11-09 17:25 ` David Lang