[Cryptography] Should NSA & Cyber Command Have Separate Leadership?

Tom Mitchell mitch at niftyegg.com
Wed Oct 5 15:04:29 EDT 2016


On Wed, Oct 5, 2016 at 6:31 AM, Jim Windle <jim.windle at gmail.com> wrote:

> This isn't directly related to crypto but separating offensive and
> defensive cyber capabilities and missions might have interesting
> implications.
>

This is an election year... vote and send love notes to the candidates
telling them what changes you would love to see.

This is an interesting question.
In peacetime the director of both will have a branched org chart to manage
both. Thus there are already two, but they are pushed deeper into the org
chart and further from the commander in chief.    The current director's
office might be best placed to advise the oval office and congress in peace
time.

In conflict both must answer to the commander in chief and other offices.
In a conflict it makes sense to look at the view that the commander in
chief has.
Some are seeing evidence that we are in a contest (conflict) now so
this issue seems to have a need to move up the chart and others down.

In the context of the never-say-anything role, it seems the NSA leadership
cannot fully disclose their activities in a staff meeting of both
organizations.

A real problem with "black organizations" is oversight.   The CEO of a
billion dollar company has no clear visibility into his organization.
These organizations are bigger and sworn to secrecy.

Budgets...   The NSA is possibly a $10 billion dollar organization
while the U.S. Cyber Command is only a $6.5 billion dollar organization.
There is more $$:  In FY 2016, the President's Budget proposes $14 billion
in cybersecurity funding for critical initiatives and research.
https://www.whitehouse.gov/sites/default/files/omb/budget/fy2016/assets/fact_sheets/cybersecurity.pdf

But money is often an ill chosen poor choice for management and org charts.
By way of example I once worked at a Unix company and the infrastructure
for Unix was managed by a dozen engineers part time.   The company relented
and allowed WindowZ machines which spawned an IT department to service
Windows.  The IT department employed almost 200 staff and contractors inside
of two years.  Product engineering was less than 200.

That staff of 200 gave that manager a seat at the big table while the dozen
managers of the dozen Unix infrastructure engineers had no such big table
visibility.

I fear that the issue of Cyber security does not have knowledgeable talent
at the big tables of government.

I consider IOT devices to be the equivalent of the fields of Belgium and
the Ardennes forest paths that negated the investment of the Maginot Line.
The current invasion into IOT class home devices is a symptom of flawed
management and comprehension of risks.

So yes reorganize...

Closer to cryptography: small devices operating in concert have sufficient
collective power to attack many current crypto systems on a schedule that is
faster than quantum computers.
Since the IOT class devices are inside our homes and businesses they are
already positioned inside and behind any real or imagined national firewall
resource.  A hacked router is physically positioned to conduct MITM attacks
and spoof or steal credentials.   A hacked storage device can leak anything
as a trickle or flood.   In some cases, once hacked, changing the password
has diminished value in protecting the device.   Most are difficult or
impossible to audit or restore to a correct state with the tools and
knowledge available to homeowners and most small companies.

-- 
  T o m    M i t c h e l l