The White House just put out a release on net security[1] - at first glance a mission/vision/values paper, the release page[2] also containing a short video[3].
At first glance, this looks promising - anyone else get a chance to read/review? Comments?
-jamie
[1] http://www.whitehouse.gov/asset.aspx?AssetId=1732
[2] http://www.whitehouse.gov/CyberReview/ (other links here as well)
[3] http://www.whitehouse.gov/videos/2009/May/20090529_Cyber_Security.mp4
-- Jamie Rishaw // .com.arpa@j <- reverse it. ish. [Impressive C-level Title Here], arpa / arpa labs
fine piece of work.
On Fri, May 29, 2009 at 11:37:58AM -0500, jamie rishaw wrote:
The White House just put out a release on net security[1] - at first glance a mission/vision/values paper, the release page[2] also containing a short video[3].
At first glance, this looks promising - anyone else get a chance to read/review? Comments?
-jamie
[1] http://www.whitehouse.gov/asset.aspx?AssetId=1732 [2] http://www.whitehouse.gov/CyberReview/ (other links here as well) [3] http://www.whitehouse.gov/videos/2009/May/20090529_Cyber_Security.mp4
-- Jamie Rishaw // .com.arpa@j <- reverse it. ish. [Impressive C-level Title Here], arpa / arpa labs
"The Nation’s approach to cybersecurity over the past 15 years has failed to keep pace with the threat."
I think that they may be getting it...
On Fri, May 29, 2009 at 12:41 PM, <bmanning@vacation.karoshi.com> wrote:
fine piece of work.
On Fri, May 29, 2009 at 11:37:58AM -0500, jamie rishaw wrote:
The White House just put out a release on net security[1] - at first glance a mission/vision/values paper, the release page[2] also containing a short video[3].
At first glance, this looks promising - anyone else get a chance to read/review? Comments?
-jamie
[1] http://www.whitehouse.gov/asset.aspx?AssetId=1732 [2] http://www.whitehouse.gov/CyberReview/ (other links here as well) [3] http://www.whitehouse.gov/videos/2009/May/20090529_Cyber_Security.mp4
-- Jamie Rishaw // .com.arpa@j <- reverse it. ish. [Impressive C-level Title Here], arpa / arpa labs
-- Andrew Euell andyzweb [at] gmail [dot] com
On May 29, 2009, at 1:33 PM, Andrew Euell wrote:
"The Nation’s approach to cybersecurity over the past 15 years has failed to keep pace with the threat."
I think that they may be getting it...
From my experience, people get it, but security is always a balance between making something usable and how high to build the fence. I know how to keep important data secure, but making it accessible and secure always exposes it to some level of risk. The question is where does that risk meter get set.
It's not obvious to me if this is a direct result of the 60-day cyber review (but I presume it is) that Melissa Hathaway completed. I need some more time to read this entire thing.
The ISP community has provided input to this and various security efforts that the US Government has done. There is actually an entire (non-trade-association driven, non-lobbyist, etc..) community that does get reached out to.
http://www.commscc.org/
http://www.it-scc.org/
I know that membership is FREE for the IT-SCC. This means that *YOU* (yes, You!) can be at the table and provide this feedback. This is in addition to you reading the notices in the Federal Register too ;)
There are good people involved in these activities, but always room for more. Take a look at the charters for the it-scc & commscc and see if one (or both) is a fit for your org. Worst case scenario you get a few more emails. (The volume is way lower than NANOG).
- Jared
At first glance, this looks promising - anyone else get a chance to read/review? Comments?
You might hate Marcus Ranum, or love him, but the presentation he did at the DojoSec in March is related to this subject, and it is well worth the hour: http://vimeo.com/3519680 -- Marcin Antkiewicz
So quoting the original document again:
"The Federal government, with the participation of all departments and agencies, should expand support for key education programs and research and development to ensure the Nation’s continued ability to compete in the information age economy. Existing programs should be evaluated and possibly expanded, and other activities could serve as models for additional programs."
are any nanog'ers Educators, the newly educated or Employers of the newly educated? Is Information technology Education really in as much trouble as the report suggests? I work with two new graduates of computer science/IT programs of state universities; they demonstrate a high level of competence in their work, but that's just my neck of the woods.
On Fri, May 29, 2009 at 12:37 PM, jamie rishaw <j@arpa.com> wrote:
The White House just put out a release on net security[1] - at first glance a mission/vision/values paper, the release page[2] also containing a short video[3].
At first glance, this looks promising - anyone else get a chance to read/review? Comments?
-jamie
[1] http://www.whitehouse.gov/asset.aspx?AssetId=1732 [2] http://www.whitehouse.gov/CyberReview/ (other links here as well) [3] http://www.whitehouse.gov/videos/2009/May/20090529_Cyber_Security.mp4
-- Jamie Rishaw // .com.arpa@j <- reverse it. ish. [Impressive C-level Title Here], arpa / arpa labs
-- Andrew Euell andyzweb [at] gmail [dot] com
On Sun, 31 May 2009, Andrew Euell wrote:
are any nanog'ers Educators, the newly educated or Employers of the newly educated? Is Information technology Education really in as much trouble as the report suggests? I work with two new graduates of computer science/IT programs of state universities; they demonstrate a high level of competence in their work, but that's just my neck of the woods.
It's not the quality, it's the quantity. Two new grads are great, but over the next 10 years some estimates (yeah, I know about statistics) say there will be a gap of over 100,000 new IT Security jobs to fill in the US and close to a million unfilled positions world-wide. How many ISPs have too many network security people?
Two new grads are great, but over the next 10 years some estimates (yeah, I know about statistics) say there will be a gap of over 100,000 new IT Security jobs to fill in the US and close to a million unfilled positions world-wide.
and why do we think that throwing a jillion bodies at the problem is a useful approach? randy
On Mon, Jun 01, 2009, Randy Bush wrote:
and why do we think that throwing a jillion bodies at the problem is a useful approach?
No, but it does keep people employed. Sorry, I think I reached a new low in my "stabby, jaded" level when a past employer (a network consulting firm) blasted me for being "too efficient" at solving a problem. Adrian
Randy Bush <randy@psg.com> writes:
As hire As. Bs hire Cs. Lots of Cs.
this problem needs neurons, not battalions.
this problem needs round-tuits, which Good Guys are consistently short of, but which Bad Guys always have as many of as they can find use for. a few battalions of B's and C's, if wisely deployed, could bridge that gap. the key to all this is therefore not really "neurons" but rather "wiselyness". i promise to, um, mention this, or maybe more, in my nanog-philly keynote. -- Paul Vixie KI6YSY
As hire As. Bs hire Cs. Lots of Cs. this problem needs neurons, not battalions. this problem needs round-tuits, which Good Guys are consistently short of, but which Bad Guys always have as many of as they can find use for. a few battalions of B's and C's, if wisely deployed, could bridge that gap.
there is a reason Bs and Cs have spare round-tuits. fred brooks was no fool. os/360 taught some of us some lessons. battalions work in the infantry, or so i am told. this is rocket science. randy
Randy Bush <randy@psg.com> writes:
... a few battalions of B's and C's, if wisely deployed, could bridge that gap.
there is a reason Bs and Cs have spare round-tuits.
fred brooks was no fool. os/360 taught some of us some lessons. battalions work in the infantry, or so i am told. this is rocket science.
to me "wisely" means backfilling 80% of what the Good Guys do that isn't rocket science. (most A's are not doing only what only A's can do.) -- Paul Vixie KI6YSY
If people think that support for R&E programs should be cut instead, I guess that is also a useful data point. It would be noteworthy that any group advocated a cut in their own funding.
"The Federal government, with the participation of all departments and agencies, should expand support for key education programs and research and development to ensure the Nation’s continued ability to compete in the information age economy. Existing programs should be evaluated and possibly expanded, and other activities could serve as models for additional programs."
Jared's message earlier had the information about how you could participate if you have suggestions.
On Jun 1, 2009, at 8:32 AM, Sean Donelan wrote:
If people think that support for R&E programs should be cut instead, I guess that is also a useful data point. It would be noteworthy that any group advocated a cut in their own funding.
"The Federal government, with the participation of all departments and agencies, should expand support for key education programs and research and development to ensure the Nation’s continued ability to compete in the information age economy. Existing programs should be evaluated and possibly expanded, and other activities could serve as models for additional programs."
Jared's message earlier had the information about how you could participate if you have suggestions.
There have been numerous recommendations over the years to improve education and training of IT/Security professionals directed at either DHS, EOP and other agencies. I see a critical gap in this space myself. There are not enough people that are truly skilled in this space. Perhaps this need will never be met, but with the consistent threat of compromise facing any network connected organization, there need to be people who are trained to respond. There just are not enough skilled network & security engineers out there. US-CERT (as an example) is always hiring, and I have heard stories of people going from fast-food to trying to decipher intrusion data because they could get their TS/SCI. I'm certain that anyone who can combine two skills (computers, computer networks or data forensics) with some criminal justice could help fight the bad guys. There is a severe lack of talent here. - Jared
Any organization moaning about unfilled slots is welcome to raise its salary scale, and fill them. All such whining is really an implicit statement that the job is not vital enough to fill. Funny, you never hear complaints about being unable to fill CEO slots, or bond traders.
On Sun, May 31, 2009 at 10:54:40PM -0400, Sean Donelan wrote:
It's not the quality, it's the quantity.
Two new grads are great, but over the next 10 years some estimates (yeah, I know about statistics) say there will be a gap of over 100,000 new IT Security jobs to fill in the US and close to a million unfilled positions world-wide.
How many ISPs have too many network security people?
-- Barney Wolff I never met a computer I didn't like.
Sean Donelan <sean@donelan.com> writes:
How many ISPs have too many network security people?
network security is a "loss center". not just a cost center, a *loss* center. non-bankrupt ISP's whose investors will make good multiples only staff their *profit* centers. the Good Guys and Bad Guys all know this -- the difference is that the Good Guys try not to think about this whereas the Bad Guys think about it all the time. -- Paul Vixie KI6YSY
network security is a "loss center". not just a cost center, a *loss* center. non-bankrupt ISP's whose investors will make good multiples only staff their *profit* centers.
this glib statement may have been true at the isps where you worked. it is not true for the ones where i work(ed). randy
At 04:43 PM 01-06-09 +0900, Randy Bush wrote:
network security is a "loss center". not just a cost center, a *loss* center. non-bankrupt ISP's whose investors will make good multiples only staff their *profit* centers.
this glib statement may have been true at the isps where you worked. it is not true for the ones where i work(ed).
It is true at every ISP I have ever encountered. I do not consider the statement glib. -Hank
network security is a "loss center". not just a cost center, a *loss* center. non-bankrupt ISP's whose investors will make good multiples only staff their *profit* centers. this glib statement may have been true at the isps where you worked. it is not true for the ones where i work(ed). It is true at every ISP I have ever encountered. I do not consider the statement glib.
well, i guess some of us are pickier than others, and have the luck of having choices. randy
participants (11)
- Adrian Chadd
- Andrew Euell
- Barney Wolff
- bmanning@vacation.karoshi.com
- Hank Nussbacher
- jamie rishaw
- Jared Mauch
- marcin
- Paul Vixie
- Randy Bush
- Sean Donelan