Information Security News mailing list archives

Re: Homeland Security CIO wants 'network of networks'


From: InfoSec News <isn () c4i org>
Date: Mon, 11 Nov 2002 03:50:00 -0600 (CST)

Forwarded from: Ralph Forsythe <rf-list () centerone com>

Oh I just can't resist commenting on this one...  Text inserted below
at various points.

At 03:00 AM 11/8/2002 -0600, you wrote:
"What if we take existing networks at all levels of government and
the private sector as appropriate and integrate them? The challenges
are true standards and interoperability. We can solve those
problems," Cooper said at the Federal CTO Forum 2002 here.

I'm actually having difficulty finding the words on this one.  I
thought the whole point of establishing new security guidelines among
other things was because the existing networks were not cutting it!  
Obviously the challenges are true standards and interoperability - so
instead of working towards a new technology standards-based
methodology, let's just hook it all up together and hope it works?  
<hysterical laughter here> I'm just imagining the finger pointing that
happens when a problem arises inside a single company with lots of
departments and network devices, and trying to put it into perspective
on this scale.

The day after the Republicans captured a mid-term majority in the
House and Congress, Cooper stated that he is confident a Department
of Homeland Security bill will be passed and that a national
enterprise architecture could be a reality in two to three years.

<More hysterical laughter> "A national enterprise architecture could
be a reality in two to three years"...  Ahem, ok sure.  It takes some
corporate projects that long just by themselves, let alone connecting
all aspects of government and corporate networks into one big
conglomerate that's supposed to allow for efficient and accurate
exchange of data...

"The priorities that we have set are focused on the information
sharing and systems arena. ... We need to get the right information
to the right people all the time. This is what we're about in
Homeland Security," he said.

I just bet they are.

He needs to try putting down the Jack Handy self-motivational books
for a few minutes and step back to look at the reality of the
magnitude of this project he has taken on, which is probably
historical in terms of size; if they even come up with a plan for it
in two to three years' time that is complete and accurate, I will be
impressed.  It has taken that long for some government organizations
just to audit their own security, let alone map everything out well
enough to include it in the largest private WAN in the world.

Citing the info sharing and systems integration models among various
federal and local law enforcement bodies, Cooper called for the help
of state and local governments and those companies that comprise the
critical infrastructure, including utilities and transportation
companies.

How many years has it taken just these organizations to adopt these
models?  And how many have still yet to do so?  Please.  And the
utilities and transportation will now be dependent on this network?

<snip!>

"What if the right parties that have a vested interest all sat down
and agreed on some shared objectives? And agreed upon a fair amount
of work and how to divvy it up? Rather than everyone trying to do
similar [functions] with the best of intentions and often
inadvertently."

I agree that this is a good way to go.  However, taking it from this
level, to an actual plan that will interconnect all of these networks
(a number of which are probably running systems that predate IP)
without introducing huge problems, and then building it right will IMO
take a lot more than two to three years' time.

I'm not trying to slam the overall idea (yet), or government in
general, I just think this concept is overly optimistic having seen
firsthand how many corporations and some government bodies handle
change and interoperability.  Not to mention that this network would
at some point connect competing companies together I assume.  Would
you trust your local feds to protect your network from them?  What
about when these networks are connected up - someplace, somewhere,
there will be an Internet link on a LAN that has potential to tie into
this.  If that company is lax in security, they will have exposed the
entire infrastructure to a potential breach.  Perhaps I'm just being
paranoid, but this isn't just giving everyone a shiny new email
address and some message forums, he wants to bridge thousands of
things together.  I just don't trust the government to get it right,
which is unfortunate, but experience and observation have caused this
viewpoint.

More power to them if they think they can pull it off, I will be
eagerly waiting to see how that's going to happen.  However my
skepticism far outweighs my confidence...  If I'm off-base on this
though, someone can email me by all means.

- rf



-
ISN is currently hosted by Attrition.org
