White House flunks back
Kevin Poulsen, SecurityFocus 2000-09-13

The President's cyber-security czar gives Congress an 'F', for Failing to Fund.

The wrong solution will fix nothing. 2000-09-13
Although Clarke's finger pointing at Congress sounds sensible at first, read on a little and you'll see the real agenda: the Clinton administration wants to create new agencies to deal with the problem of security, meanwhile blaming the Republican Congress for the government's security problems. Whichever party you support, the truth is that each organization is responsible for its own security, and always will be to some extent. Even with a special task force overseeing the problem, security will be more lax in some agencies than in others. Basically, a dedicated computer security agency would be a waste of time and money.

While I agree it's extremely important to fund security, that money shouldn't be poured into the creation of a new agency that will itself likely be overworked, understaffed, and underbudgeted. Dollar for dollar, we'll see a better improvement in computer security in government by hiring and training better admins, and seeing that they have the staff and equipment necessary to do their jobs. If Clarke could point to Congress and claim they failed on this rather reasonable approach, I might agree with him; but then, it's not up to Congress but to the agencies themselves to dictate how much of the budget goes toward security.

The development community has begun to see things this way, too. It's been suggested that Microsoft, for example, include a security-knowledgeable person on each development team to work alongside the process, because even a dozen people looking over the same code for a pre-release security audit might miss something due to their unfamiliarity with the code. Software companies may soon start adopting this model, applying security as a program develops rather than afterward. The same would obviously apply to the Web, where each server has different functions and purposes, and a sensible security solution on one system might be ludicrous on another; people familiar with a system will understand how best to secure it.

If Congress is supposed to do something about this, then let's have them draft legislation to mandate that a certain amount of money (based on the size and degree of Web activity) in each organization's budget go to security. That way, they can force expenditures that, while necessary, might not otherwise be made. Furthermore, let's get the admins together periodically to talk things over, sharing knowledge so that one agency doesn't make the mistakes of another.

Any plumber will tell you that if you fix something badly the first time, you'll have to come back a second time and do it right. The U.S. government has a bad track record for finding the wrong solutions to urgent problems, and letting the problems get worse before handling them the right way. Bureaucracy is part of the problem, not part of the solution; establishing more of it is just a waste of time and money.

Link to this comment: http://www.securityfocus.com/comments/articles/85/3360#3360
Do you really know what his solution was? 2000-09-14
gwenwyn <gwenwyn (at) geeklife (dot) com>
Copyright 2008, SecurityFocus