There's nothing like a good government document. I think that from
now on, rather than counting sheep I'll count those blocky,
black-and-white documents that all look like IRS instructions telling
you want the US government is up to. Why can't they just all blog like
everyone else? Bruce Shneier turned me on to some interesting documents
about the government's look at cybersecurity. The first is GAO-10-466, or as
the kids like to call it "Cybersecurity: Key Challenges Need to Be
Addressed to Improve Research and Development." It talks about a lot of
the different government entities that are involved in Cybersecurity.
The list reads a little like the Department of Redundancy Department,
but I suppose that there are a lot of disciplines and appropriate
overlap. Within that document I was pointed to GAO-09-432T, or
"National Cybersecurity Strategy: Key Improvements Are Needed to
Strengthen the Nation's Posture." At first glance, it might seem that
government reports use a pretty dull and repetitive style guide for
titling things... and that impression is largely unchanged after a few
more glances, and even a long hard stare. Yet it is interesting to see
how ideas such as computer security is treated.
Both documents are interesting, but here is the list of the key points
that the work with in the second one:
- Develop a national strategy that clearly articulates strategic
objectives, goals, and priorities.
- Establish White House responsibility and accountability for
leading and overseeing national cybersecurity policy.
- Establish a governance structure for strategy implementation.
- Publicize and raise awareness about the seriousness of the
- Create an accountable, operational cybersecurity organization.
- Focus more actions on prioritizing assets, assessing
vulnerabilities, and reducing vulnerabilities than on developing
- Bolster public/private partnerships through an improved value
proposition and use of incentives.
- Focus greater attention on addressing the global aspects of
- Improve law enforcement efforts to address malicious activities
- Place greater emphasis on cybersecurity research and development,
including consideration of how to better coordinate government and
private sector efforts.
- Increase the cadre of cybersecurity professionals.
- Make the federal government a model for cybersecurity, including
using its acquisition function to enhance cybersecurity aspects of
products and services.
It's good that the government is getting involved, I guess.
Government can help mandate standards and provide a context for
research and development... but I've never seen government accomplish
what a curious group of technology enthusiast can do when they put
their mind to it.
Here's a gentle reminder of technologies that you can be using to
improve your security right now:
- Your operating system: I admit that I always lean toward Linux,
but any operating system that you use today has basic security such as
name and password restrictions. If you're bypassing that login screen
for convenience then you have likely created a number of other holes in
your environment that leave your system more open to attack or snooping.
- Learn a little about encryption. I know that encryption sounds
hard, but there are some fairly straight-forward ways of dealing with
it. Tools like Gnu Privacy Guard
(GPG) provide a pretty straight-forward way of encrypting and signing
just about anything digital. You don't have to buy a key. You can make
your own and register it with a public
key server so that others can find it and interact with you. (There
are also free locations to get certificates for your web sites, such as
SimpleAuthority.com and CACert.org.) There are also free
tools to encrypt your files and even create encrypted sections of your
hard drive. It's all very cool stuff. Some of it can be a little tricky
to set up, but once you develop habits of locking up your information,
they become second nature, like locking your car, or putting on your
- Share your security-mindedness with your friends and family. If
only one person has a key to encrypt things, it doesn't work. Spread
your new discoveries. Help others to see the value in securing their
information and participate by sending your information back and forth
through an encrypted key.
Like I said, I think this is all pretty interesting stuff. If others
are interested we can share more together here. It's actually a good
section for the Real
World Open Source Wiki (which really needs more brains in it than
just mine). If you take a personal interest in cybersecurity you can
help usher in the world of more accessible, more personal technology
with more control for you and less danger to your information. Ask
questions if you want to get started and I'll do what I can to help get
you started right now.