PRAGMATIC SECURITY: "I’m from the Government Cyber Security Agency, and I’m here to help."

National governments around the world are starting to focus heavily on “Cyber Security,” the politician’s buzzword for computer and network security. I’m gravely concerned.

May 29, 2009: “Obama Announces Cyber Security Czar”
http://thehill.com/leading-the-news/obama-announces-cyber-security-czar-2009-05-29.html

July 9, 2009: “France Creates New Cyber Security Agency”
http://www.pcworld.com/article/168135/france_creates_new_national_it_security_agency.html

In big companies, producers (the employees who make the product, as contrasted with the overhead staff) have an antagonistic relationship with the network security policies and their enforcers. In most cases, corporate security policies tend to militate *against* successful work and productivity. Cisco did a study in 2008 that found that a huge number of employees believe they must circumvent security measures to get their work done. Ironically for this week’s news, France had the “worst” record of all. “Of all the countries, France (84 percent) has the most employees who admitted defying policies, whether rarely or routinely.” http://www.cisco.com/web/BE/about/press/press08/10282008.html

The fundamental problem is that security policies often build too big of a hedge around the actual requirements for security. Scott Adams jokes about this with Mordac The Preventer of Information Services; Mordac once decided Dilbert’s password was too easy, so he replaced it with the entire text of the “Da Vinci Code”(*).

At one big corporation based in Portland, Oregon, they have a security policy that prevents any kind of audio recording. Yet this company builds and maintains voicemail platforms! The policy is silly; if they’re worried about corporate spying, they need bug detectors, not silly policies posted on the receptionist’s desk. And so the policy is actively ignored. (I used a publicly visible voice recorder at one meeting there.)

At another firm I work with, they have firewalls and VPNs, but most of the passwords are the same common English word. The truth is that they probably don’t need VPNs to begin with, and VPNs with trivial passwords just provide an illusion of security.

So now, the US and French governments will be getting into the act. They’ll find a way to make rules requiring certain security policies to be enforced. The state of Nevada already requires some companies operating in the state to comply with the Payment Card Industry (PCI) Security Standards, for example.

http://www.boazgelbord.com/2009/06/nevada-mandates-pci-standard.html

The “safe harbor” provision of Nevada’s law means that if you can pass the PCI DSS audit in Nevada, then you’re not liable for doing anything else to ensure security of your customers’ data.

But if big companies make security policies, what’s wrong with the civil government making security policies? Big companies can’t put you in jail for violating their policies. Big companies can’t declare you to be in violation, and therefore give all your assets to somebody else.

The federal government’s involvement is another expansion of power for government. I’m skeptical that it may do much good, since we already have laws against intrusion into somebody else’s computer, or theft of data, and because security compliance standards can be faked, and because security compliance audits don’t catch even the big stuff.

Even in profit-driven companies, security policies tend to be overreaching and prevent good work from getting done. I’m very skeptical that national governments are going to do any better, since productivity is not a concern.

(*) The password didn’t include the parts Mordac didn’t believe.