Feb 18 2005

An open letter to the new chairman of US-CERT

No Gravatar

Dear Howard (may I call you Howard?),

Long time no talk. Waitaminit, when’s the last time we ever gabbed on a phone? You never call, you never write. But enough chit-chat. Let’s discuss your new chairman position at US-CERT.

An open letter to Howard Schmidt, a former White House cyber­space secu­rity advisor who returned to Wash­ing­ton as chair­man of US-CERT

We’ll begin with the obvious. As a whole, the antivirus industry dismisses CERT/CC as a naïve little sister who gets injured every time she tries to play football with her big brothers. I don’t make this claim lightly. Worse: the antivirus industry views US-CERT as the siamese twin to CERT/CC. I myself hold neither agency in high regard due to their co-dependent relationships with some of the dead wood at DHS.

Richard Pethia’s leadership at CERT/CC certainly annoys me — but I felt a lot better about US-CERT when you got tapped for the chairmanship. I’m an unabashed fan of yours and I ain’t afraid to admit it. Call me crazy but I like you. So if you don’t mind, I’d like to advise you on three big issues you should focus on during your tenure.

First, we need another roundtable meeting to bring government computer security analysts together with the Fortune 1000 CISOs. My sources say you’ve tried to bring the corporate sector to Washington at least since mid-2004 so they can (in your own words) “articulate to the government” where they see the role of government. You’ll head in the right direction with this effort and you need to keep it up. Ignore anyone who thinks otherwise.

You’ll notice I didn’t say “conference” and I didn’t say “computer firms.” You specifically need a roundtable meeting with the Fortune 1000 CISOs. The U.S. corporate sector as a whole needs to tell the government what cybersecurity missions they can do all by themselves; what they can’t do all by themselves; and what they collectively need from the government. Conversely, the feds must reveal what cybersecurity missions they can do all by themselves; what they can’t do all by themselves; and what they need from the corporate sector. This explains why you need to set up a roundtable meeting rather than a conference.

And remember! You bestow true legitimacy on a meeting when you invite a true critic. Notice I didn’t say “me” and I didn’t include Vmyths. Richard Forno (InfoWarrior.org) would make an excellent choice, for example. I can name other critics if he declines.

You & I travel in some of the same circles, so let me point out a major issue for your roundtable meeting. You know many CISOs incorrectly fear the U.S. Freedom of Information Act (FOIA). A roundtable meeting may help to allay those fears. Government analysts are experts at assembling and sanitizing intelligence data. Computer security analysis is a realm best left to the intelligence community. You must make this clear to the corporate sector.

(I just hope those government cyber-analysts will someday realize their pecking order within the intelligence community. “Who needs HUMINT when you can monitor IRC chat rooms?” Bah. You don’t even want to get me started about the SQL/Slammer threat briefing you & Richard Clarke received at the White House. “This mIRC log conclusively proves a hostile nation-state ordered its über-warriors to blow up western civilization right after they finished the evening shift at Taco Bell!” Sheesh. I just hope you didn’t fall for such a shoddy intelligence briefing. Ah, but I digress…)

Second, US-CERT must continue to strive for a standard naming convention for viruses & worms. The industry’s historic lack of concern (and I do mean “lack of concern”) has reached a crucial point — not within the antivirus industry, but within the industry’s customer base. Critics want a single standard name for each virus. Customers want it, too. The U.S. government is a big antivirus customer. You gotta throw enough bucks at MITRE.org so they can get this project off the ground.

Trust me, Howard. Antivirus firms are lazy beasts. If Washington comes up with a virus naming convention, the global antivirus industry will moan & groan, but they will embrace it. And then they’ll usurp credit for it. But hey, that’s life.

Third, you need to reiterate the threat posed by our “blind trust in software firms,” as you yourself so eloquently put it. You’ve pointed out the P-Tech Software/Al Qaeda Terrorism investigation and the JECC Software/Aum Shinrikyo Terrorism investigation. This time, deep within US-CERT, you also need to point out how U.S. antivirus firms armed China for years under our very noses. Members of the antivirus industry now arm Cuba with viruses and they almost certainly arm North Korea, too. (Let’s hope your intelligence analysts already knew this.) We’d never trust some of these virus experts with the combination to a GSA safe, yet we blindly trust them to protect top secret government PCs. There’s something wrong with this picture and you know it.

Okay, now you know the three big issues you should focus on during your US-CERT tenure. Time for me to ramble incoherently for the next few paragraphs.

Amit Yoran struck me as an optimist who felt our top bureaucrats wanted to protect corporate infrastructures from suicide hackers. Neither you nor I (yet) subscribe to this view. We both realize the top bureaucrats need to nitpick over the political apparatus before they can police our corporate infrastructures. The bureaucrats lost sight of their true mission when they started fighting over turfs & budgets.

This explains why Amit Yoran resigned in frustration. He went to D.C. to guide cyber-security initiatives when in fact he should have guided the apparatus. Yoran was the wrong man for the job.

Poland’s Lech Walesa faced the same kind of problems you faced at Microsoft. Each apparatus needed someone to bring it back into focus. Granted, neither you nor Walesa got the credit you deserved for pulling the apparatus together during your tenures. But hey, you both realized what needed to be done and you did it. You were the right men for the job. This puts you above Amit Yoran.

Just remember: you’re starting over again and you’re quite a bit lower on the food chain this time around. Good luck.

So! Let’s end this on an upbeat note, Howard.

Your CERT/CC counterpart, Richard Pethia, missed Melissa‘s ultimate lesson in 1999. The antivirus industry dismisses him as a myopic figurehead — but they don’t dismiss you so far as I know. To be specific, you helmed Microsoft’s security teams at the turbulent beginning of real change. More to the point, I know for a fact your teams recognized Melissa‘s ultimate lesson the day it struck. Just be sure to get your virus expertise from real virus experts. (And I don’t mean myself.)

That’s it for me. Hope you enjoyed the holidays. Your unabashed fan, Rob.