

Microsoft security chief Scott Charney is a leading candidate for the cybersecurity czar position, created by President Obama.  (Source: Microsoft)
President Obama will soon pick a candidate to lead our nation's cybersecurity efforts

Cybercrime, particularly attacks from foreign sources, is on the rise.  In the past month, many government systems and systems of government contractors have been penetrated by hackers from China or elsewhere.  Meanwhile, petty cybercrime also remains a problem, with malware, phishing, and botnets a lucrative business for some cyber-criminals.

Past exercises have shown the U.S. to have weak cyber-defenses, largely because of poor coordination between the organizations tasked with our government's security.  President George W. Bush and his successor President Barack Obama have set out to improve on this situation by allocating money to security and creating a new cybersecurity czar position to organize the fight.

Two leading candidates have emerged for this job.  The first is Scott Charney, head of Microsoft's cybersecurity division.  According to a source close to Mr. Charney, he says he won't take the job; however, the source believes that he would change his mind if pressed.  In the past, Mr. Charney led PricewaterhouseCoopers' cybercrime unit, and before that he worked for the Justice Department's computer crime section.

The leading alternative is Paul Kurtz.  Mr. Kurtz served on the National Security Council under both President Clinton and President Bush.  He was a member of President Obama's transition team leading the cybersecurity efforts.

There are also a handful of other candidates that stand a shot.  Rep. Tom Davis, a moderate Virginia Republican; Sun Microsystems executive Susan Landau; Maureen Baginski, a veteran of the National Security Agency and Federal Bureau of Investigation; Frank Kramer, an assistant defense secretary under Clinton; Melissa Hathaway, who led a cybersecurity review for the president; and James Lewis of the Center for Strategic and International Studies think tank, are all under consideration, says a source.

John Thompson, chairman of the board of Symantec Corp., who had previously been considered a front runner, turned the position down.

One thing that adds to the difficulty of the efforts is that the exact role of the job and its authority (and jurisdiction) remain undefined.

Some candidates have already begun to criticize each other.  Mr. Lewis struck out at the corporate candidates, commenting, "Some guy from industry is going to write a national security strategy? No, they aren't. You don't just pick this up.  You need somebody who knows the national security game, who knows government and who knows about the technology."



Comments

Bad choices
By DigitalFreak on 6/12/2009 9:21:08 AM , Rating: 2
quote:
Mr. Lewis struck out at the corporate candidates, commenting, "Some guy from industry is going to write a national security strategy? No, they aren't. You don't just pick this up. You need somebody who knows the national security game, who knows government and who knows about the technology."


Agreed, though I doubt Lewis is any more qualified. They need a person who is at the top of their field in cyber-security, not some corporate executive douche.




RE: Bad choices
By Spivonious on 6/12/2009 9:28:21 AM , Rating: 4
I disagree. Who better to implement security than someone who does it as their job? Better than some bureaucrat in Washington who "knows about the national security game."


RE: Bad choices
By DigitalFreak on 6/12/09, Rating: 0
RE: Bad choices
By noxipoo on 6/12/2009 11:35:15 AM , Rating: 3
They are never going to just pick some professional, they need people that have been in positions of leadership. You think this czar will be actually doing the work? I'd rather have an exec that has done it than some politician talking about a series of tubes.


RE: Bad choices
By callmeroy on 6/12/2009 12:40:16 PM , Rating: 5
Yeah because I'm sure this MS guy used to be a short order cook then one day Bill Gates came into his diner and said "hey, you -- yeah you at the grill....wanna be a top level executive in the largest software company in the world?".


RE: Bad choices
By cnar77 on 6/12/2009 11:25:38 PM , Rating: 3
You obviously don't know anything about Information Systems security. It starts at the top. They don't need to do the work they just need to set the tone that the rest will follow. From there you put good people in place to implement plans and policies, people who can pull everything together but first you need to have a plan. Any person chosen has to be capable enough to work with others and agencies to create a workable, scalable and effective plan focussed on mitigating risk because that's what IS security is.

If you want to know about this topic just check out organizations like (ISC)2 and ISACA. Right now the US government needs IS governance and perhaps their own high standards for which to focus their compliance. Whether it's based on COBIT or ISO/IEC 27001.

I respect your freedom of speech and opinion but like many you're talking about something you "THINK" you understand. From what you've written I can assure you that you don't.

"People demand freedom of speech to make up for the freedom of thought which they avoid."
- Soren Aabye Kierkegaard (1813-1855)


RE: Bad choices
By bhieb on 6/12/2009 1:12:36 PM , Rating: 2
quote:
"knows about the national security game."


Ironically if the people that currently "know the security game" actually did, this would not be an issue.


RE: Bad choices
By JasonMick (blog) on 6/12/2009 9:29:45 AM , Rating: 1
Actually, I would think someone from a successful corporate security firm or branch like Microsoft's security or Symantec (which has been better of late) would be a *good* choice. They know how to run a large organization efficiently, they should have a good view over the overall state of security. Better than a bureaucrat at least.

I do think it would make more sense to have two czars though, one for Windows systems (likely Charney) and one for Linux systems as the DoD and some other government branches extensively use Linux. I think Mr. Charney would be good for the latter job, but not as good as someone with dedicated experience in the Linux security industry (though many threats are on the app level these days anyways).


RE: Bad choices
By Screwballl on 6/12/2009 9:58:39 AM , Rating: 1
agreed....

"oh it runs Linux? That's why that system is insecure, let's replace these 2 million computers with Windows"

They need someone who actually worked extensively in the security field but with at least SOME corporate leadership experience or training.
We need a trained professional, not some stiff in a suit that doesn't know the difference between TCP protocol and packet sniffing.


RE: Bad choices
By borowki2 on 6/12/2009 12:10:05 PM , Rating: 3
or

"Our most dangerous cyber-adversary is the European Union. Neelie Kroes is worse than Osama bin Laden."


RE: Bad choices
By callmeroy on 6/12/2009 12:47:11 PM , Rating: 4
This thread irks me - where do you folks get off that this MS guy is not skilled in cyber security? I read the article, it even stated he headed up a cybercrime unit at Pricewaterhouse and worked for the Justice Department as well in a similar capacity.

I think unless we have his full resume, including education history -- it's very cynical to jump to assumptions this guy knows nothing about computer security. My hunch is at his level NOW --- yes he probably isn't hands on as much being an exec, he delegates to others...but no smart employer will give you the reins of an entire division (much less when it's about security) on a flimsy track record and sub-par resume.

My guess is this guy knows a GREAT deal more about computer security than any of us in this current thread do.....


RE: Bad choices
By mfed3 on 6/12/2009 10:01:19 AM , Rating: 2
I agree with your first comment, but I just wanted to make sure you knew the DoD definitely does NOT use Linux extensively. In fact they barely use it at all.

The DoD uses Windows almost exclusively, even on the server side. Linux is only really used for some embedded systems or for development servers for source control (ex: svn etc).

It was only recently that the DoD was even allowed to use Linux at all, since Windows was previously mandated as the only OS that was allowed to be used.


RE: Bad choices
By JasonMick (blog) on 6/12/2009 11:46:17 AM , Rating: 1
Tanks and fighting vehicles ran on Linux last I checked, and still do, to my knowledge.

Development machines used for hardware, software, and mechanical development of fighting vehicles and aircraft, both within the DoD and its contractors often run on Linux deployments.

I'd call that a major deployment. True most of the computers physically used by soldiers and officers (outside vehicles) are Windows, but the development systems are heavily Linux -- and that's a particularly critical portion of the IT infrastructure to protect.


RE: Bad choices
By Spuke on 6/12/2009 12:02:13 PM , Rating: 2
When I was in the military 12 years ago, all of our critical systems were Linux and Unix. We even had some Linux and Sun desktops.


RE: Bad choices
By theapparition on 6/15/2009 8:13:30 AM , Rating: 2
This issue here is two-fold.

What the OP was referring to was desktop, or standard computer use. And he was absolutely correct that most installations are on Windows.

The sector you are talking about falls into embedded computing. While aircraft systems may certainly run a very customized and stripped down version of *nix, external security threats to them are virtually non-existent since they don't offer the connectivity and interfaces that would necessitate a security threat.

So while technically a large deployment, your argument fails logic because those systems are generally isolated. The biggest security threat to those systems is from foreign entities gaining access to source code. However, once deployed, there is not much that can affect embedded software (if it's designed right).


RE: Bad choices
By stmok on 6/12/2009 3:48:01 PM , Rating: 2
quote:
I just wanted to make sure you knew the DoD definitely does NOT use Linux extensively. In fact they barely use it at all.


In 2005, the DoD bought a super computer for weapons design...It runs Linux.
=> http://www.defenseindustrydaily.com/dod-buys-2048-...


RE: Bad choices
By DigitalFreak on 6/12/2009 10:48:37 AM , Rating: 2
Someone from a successful corporate security firm - yes. From Microsoft or Symantec - hell no.


RE: Bad choices
By cnar77 on 6/12/2009 11:37:14 PM , Rating: 2
At this level the OS used is irrelevant. Government first needs to have unified standards across the board, proper staff training, policies, standards and procedures. A policy doesn't speak to the OS however procedures do as these are carried out by admins. Procedures would be designed in alignment with the standards created which are devised to meet the policy requirements. So no need for 2 persons in this role. But don't kid yourself in the business world this role is usually filled by a committee or board of directors. One man doesn't make the call.


RE: Bad choices
By SiliconAddict on 6/14/2009 3:21:02 PM , Rating: 2
Oh give me a break. Do you really think someone charged with securing our infrastructure would throw out the use of Linux because he previously worked for MS? I'm sorry but CIOs don't work that way. He would look at the role that needs to be filled and pick the best solution. Sometimes that would be Windows or a MS solution. Sometimes it would be Linux.


RE: Bad choices
By cnar77 on 6/12/2009 11:30:56 PM , Rating: 2
Understanding how the agencies work is one thing but understanding Information Systems security is another. An IS auditor such as a CISA credentialed holder would assimilate the environment fairly quickly. After all this is not a 6 month deal and could take a few years but it's easier for an auditor to do the job, put forward recommendations, aid in policy definition, work with security managers and security teams to create standards and procedures in alignment with the policy and have them aim for 100% compliance than to take someone who doesn't know the business and have them do it.