Security News is Becoming Like Diet News

Posted by Landon Cox on May 28th, 2009 in General, technology

I fear for the state of computer and network security because the industry is becoming a lot like diet and nutrition news. One day, this food is good for you, the next day it’s not. After a steady barrage of security news, the average user can hardly pay attention.

Should Obama appoint a cyber security czar? No, some say. Instead, he should appoint a “federal chief of information security.” That certainly clears up the issue for me. If you’re still feeling fuzzy on the point, I suggest you keep reading.

Cybersecurity is an “operations issue”…all well understood, according to the Gartner group. Cybersecurity is just a lowly operations issue – old hat, we’re told. What we need to focus on instead: “improve security in cyberspace…” Ah, the light is now dawning on Marblehead. It’s all so clear now.

In case you were ready to pack it in on the hard-core security problems of our nation’s infrastructure, you may not ever want to search for anything that includes the word “free” – a free piece of advice proffered by our friends at ZDNet and McAfee in The Web’s most dangerous keywords to search for [sic].

Upon searching for 2,658 unique popular keywords and phrases across 413,368 unique URLs, McAfee’s research concludes that lyrics and anything that includes “free” has the highest risk percentage of exposing users to malware and fraudulent web sites.

Well, that pretty much takes the legs out from under Google since I suspect a fair number of people are looking for free stuff. And here we thought Wolfram Alpha was going to be the Google-killer.

To make matters worse, the CVE databases, instead of being a beacon of clarity, problem isolation, and direction, are evolving into a window into how muddled and complex some security vulnerabilities are, even for the developers themselves. (See OSVDB on Problems with Identifying Vulnerabilities.)

As Richard Bejtlich puts it in the article:

It’s really a problem of incentives. The group with the strongest incentive to fully comprehend the vulnerability is the group that seeks to exploit it. Once they understand the vulnerability they have a strong incentive to not tell anyone else so they can financially or otherwise benefit from their asymmetric knowledge.

So, in some sense, the news you hear about security issues is already pre-digested and potentially not a threat if the real vulnerabilities are those which are least well known and characterized, even by the developers themselves. Brian (jericho) from the article “if you can’t, how can we?”:

Lately, Mozilla advisories are getting worse as they clump a dozen issues with “evidence of memory corruption” into a single advisory, that gets lumped into a single CVE. Doesn’t matter that they can be exploited separately or that some may not be exploitable at all. Reading the bugzilla entries that cover the issues is headache-inducing as their own devs frequently don’t understand the extent of the issues. Oh, if they make the bugzilla entry public. If the Linux Kernel devs and Mozilla browser wonks cannot figure out the extent of the issue, how are VDBs supposed to?…

Is it just my perception, or is any government position with the word “czar” tacked onto the end of it bound to fail? I can’t think of any XYZ-czar we’ve touted that’s ever succeeded. So, just from a PR point of view, let’s not talk in terms of a cybersecurity czar…that’s for sure the kiss of death, even if it’s superstitious.

Some real coordinated corporate, open source, and government leadership is needed – I wish I had the answer – but I’m not sure the latest hype about a cybersecurity czar is anything more than security theater.

About me

I’m an independent consultant who used to do a lot of work for OpenLogic. I greatly appreciate OpenLogic and the mission they are fulfilling as well as their willingness to let me contribute to this blog. Views expressed here are not necessarily those of OpenLogic and any mistakes are 100% attributable to me. You can contact me at: landon at 360vl dot com or visit http://sawdust.see-do.org Twitter @esawdust


Comments

  1. Richard Bejtlich said, on May 30th, 2009 at 6:01 am

    Just a note about “my” Mozilla quote — that’s actually Brian (jericho) from attrition.org.

  2. Landon said, on May 30th, 2009 at 6:13 am

    Thanks for the correction on the attribution, Richard. I appreciate it.

    Landon