Thursday, April 02, 2009

Bruce Schneier gets it wrong (for once)

I'm a big fan of Bruce Schneier. I've been reading his blog for many years, and have even pretty much read all the back issues of his newsletter (to 1998 or so). He's got a lot of good stuff to say about security in general, and is widely respected as one of the top guys in computer security.

That being said, today on his blog he posted an essay that he wrote for the Wall Street Journal asking "Who Should be in Charge of U.S. Cybersecurity?" Schneier argues that it shouldn't be the NSA - claiming that its information security expertise is overshadowed by an unresolvable conflict of interest.

I left a comment at his blog, but I wanted to expand further.

The federal government wants to put someone in charge of cybersecurity of federal computer systems. Who to choose?

DHS - the new federal department whose mission is to protect America from harm.
FBI - the law enforcement agency focused mostly on investigations and prosecutions - not preemptive enough in its mission to be a serious consideration here, and seriously constrained by its domestic focus.
NSA - the federal agency that already provides computer network defense for the most critical and most aggressively attacked computer networks in the world.

You could make a decent argument for DHS, but the NSA is absolutely the most appropriate federal organization to take a lead role in securing both government and other U.S. computer networks. The NSA beats out the DHS in the following Schneier concepts:

Security theater - While the NSA might possibly try to make themselves look good from time to time, they simply don't have the same incentive to do something ineffective just to look like they're doing something. They're secretive enough that they don't really gain from showing off. DHS (the parent organization of the TSA), on the other hand, is practically the reason why the phrase "security theater" is even in common usage today.

Security mindset - Schneier, in one of his more well-known essays from about a year ago:
Security requires a particular mindset. Security professionals -- at least the good ones -- see the world differently. They can't walk into a store without noticing how they might shoplift. They can't use a computer without wondering about the security vulnerabilities. They can't vote without trying to figure out how to vote twice. They just can't help it.
Today he suggests that the NSA's mission of exploiting technologies is a hindrance to its ability to protect technology against exploitation. He was right last year, wrong this year.

Security is a tradeoff - This, to me, is the concept the NSA understands far better than DHS. The NSA can trace its lineage to the people during WWII who would rather sacrifice innocent human life than the secret that the Allies had broken Enigma. If they couldn't get a plausible cover for why they knew the location of a U-boat, they let it live, knowing that it would go on to kill Allied sailors and even civilians.

I mentioned in my comment that I trust the NSA's intentions more than I trust DHS's competence. I understand that the NSA isn't a perfect candidate for the role of lead agency for cybersecurity. But they're the best available. Who would you rather have perform a surgery: a) the experienced surgeon who has been sued for malpractice several times, or b) the second-year medical student with no experience who has not yet chosen a specialty? I'll choose the questionable surgeon, because he at least has a decent chance of getting it right.

In the future, I would most prefer to see reforms addressing Schneier's reservations about the NSA taking on this role, but as to who needs to take charge, at least for the next 5-10 years, the NSA's information security people should be in charge of U.S. cybersecurity.
