Who Should Be in Charge of Cybersecurity?

IT Security

Who Should Be in Charge of Cybersecurity? - WSJ

U.S. government cybersecurity is an insecure mess, and fixing it is going to take considerable attention and resources. Trying to make sense of this, President Barack Obama ordered a 60-day review of government cybersecurity initiatives. Meanwhile, the U.S. House Subcommittee on Emerging Threats, Cybersecurity, Science and Technology is holding hearings on the same topic.

One of the areas of contention is who should be in charge. The FBI, DHS and DoD -- specifically, the NSA -- all have interests here. Earlier this month, Rod Beckström resigned from his position as director of the DHS's National Cybersecurity Center, warning of a power grab by the NSA.

先日参加したコンファレンスでINFRAGARDという団体の展示を見てから、この手の話題に興味が出てきました。

Not that government cybersecurity failings require any specialized wizardry to fix. GAO reports indicate that government problems include insufficient access controls, a lack of encryption where necessary, poor network management, failure to install patches, inadequate audit procedures, and incomplete or ineffective information security programs. These aren't super-secret NSA-level security issues; these are the same managerial problems that every corporate CIO wrestles with

アクセスコントロールも問題の一つとして上げられているけど、そうなんだ。

Moreover, the NSA's dual mission of providing security and conducting surveillance means it has an inherent conflict of interest in cybersecurity. Inside the NSA, this is called the "equities issue." During the Cold War, it was easy; the NSA used its expertise to protect American military information and communications, and eavesdropped on Soviet information and communications. But what happens when both the good guys the NSA wants to protect, and the bad guys the NSA wants to eavesdrop on, use the same systems? They all use Microsoft Windows, Oracle databases, Internet email, and Skype. When the NSA finds a vulnerability in one of those systems, does it alert the manufacturer and fix it -- making both the good guys and the bad guys more secure? Or does it keep quiet about the vulnerability and not tell anyone -- making it easier to spy on the bad guys but also keeping the good guys insecure? Programs like the NSA's warrantless wiretapping program have created additional vulnerabilities in our domestic telephone networks.

気になる所だけコピペしておこうっと。