A Cybersecurity Sleeping Pill
George Smith, 2002-09-23

From a White House given to dramatic warnings of electronic Pearl Harbors comes an incongruously meek national strategy. Did industry lobbyists slip someone a Mickey?

A Cybersecurity Sleeping Pill 2002-09-23
mcoke61
Is it any wonder? 2002-09-23
Anonymous (1 replies)
Is it any wonder? 2002-09-24
Anonymous (1 replies)
Is it any wonder? 2002-09-26
Anonymous
Hi, I'm a member of the ISSA and have seen Howard's talks from time to time. I can't really say that I'm impressed with him (or most of the other experts blowing their own horns out there) and I doubt he was put in his current position based on experience or merit. I know he was a civilian police investigator for the Air Force, but how computer forensics ties into that is unclear.

Basically you could take a cop from some small town who spent the last 20 years sleeping in his cruiser behind the Little League field, and give him a few computer forensics classes and say "He's got 20 years in law enforcement and computer forensics", and the ISSA would beg him to come and speak. Spend enough time hanging around the ISSA shows (and coincidentally not working in real-world InfoSec while you're doing it) and you could meet enough people to run for one of their officer positions.

You can't really base expertise on whether or not the person talks at ISSA, SANS, or any of the other trade shows. Most of those experts are in those positions because they're very good at self-promotion. There are a few exceptions, such as Bruce Schneier, who actually has a clue about the threats we face, and I think Bruce would have been a much better choice over Clarke or Schmidt.

As for the draft, it's horrible. I would not allow a consulting company to pass off such nonsense to me if I were engaging them to assess the threats to my environment. It's an embarrassment to the Bush administration to have these industry experts waste taxpayer money to produce a document that does little more than state the obvious.

We need someone who's going to establish a strategy where we identify the critical components of our infrastructure (research institutions, telcos, hospitals, etc.) and provide clear direction to them and their bandwidth providers to actually ensure that these systems are not wide open to attack. Sort of a GLB or HIPAA for ISPs. Even if the ISPs just helped their customers by providing stateful inspection to ensure that the connections going to them were valid, it would be a huge start.

It might take a little teamwork to get something like this started, but this is what I'm expecting as a taxpayer, and not a bunch of "change user passwords" statements.


Link to this comment: http://www.securityfocus.com/comments/columns/110/16585#16585
A Cybersecurity Sleeping Pill 2002-09-23
Dexter Eldritch
The correct posture 2002-09-24
Pirou Freek <piroufreek@safe-mail.net>
A Cybersecurity Sleeping Pill 2002-09-24
Anonymous
A Cybersecurity Sleeping Pill 2002-09-24
Anonymous
A Cybersecurity Sleeping Pill 2002-09-24
Anonymous
Copyright 2009, SecurityFocus