Forces for Good in the Universe
By User701213-Oracle on Mar 18, 2008
Between prime time television and the newspapers, the average person could be forgiven for thinking that most of life in America is sordid, self-serving and sensationalistic. If you go by news and TV, businessmen are always greedy exploiters of the poor/despoilers of the environment, veterans are always crazed gunmen, and hardly anybody takes marital vows seriously, if at all.
The negative emphasis of some media is all the more reason to enjoy those who practice excelsior living ("excelsior" is Latin for "higher" or "superior") instead of degradation and debasement.
One such event occurred for me last week when I attended the IT Security Entrepreneur's Forum. A friend of mine is the executive kahuna and founding force for good behind this event (though other organizations sponsor it, like the Department of Homeland Security and the Kauffman Foundation). It's an opportunity for entrepreneurs in IT security to understand what security challenges the US government faces, and to learn how to work with the government. The topics covered everything from the VCs that have government involvement, like In-Q-Tel, to how to deal with system integrators and procurement programs. The idea was to get entrepreneurs' Cool New Security Ideas in front of people dealing with Large Scale National Security Challenges, for the betterment of all. (Mahalo nui loa, Robert, for a great event.)
I was reminded several times during the week that there are people who not only want to make the world better, they are committing their lives and fortunes (or at least, investors' fortunes) to doing so. (And, unlike the target of my last entry on Do-Gooderitis, these problems all need solving, badly.)
One of my happy "better world" moments occurred in the discussion of energy security at the Forum. Truthfully, I never thought much about the IT security implications of energy. You can see that protecting information about promising new energy sources, new extraction techniques and technologies would be important. Also (while I do not intend to be polemical or political) it is pretty clear that the extent to which we are dependent on non-US oil supplies does drive our involvement in the Middle East. Ergo, finding alternative sources of energy (and making wise use of the energy we have) has important national security implications.
We live in a country where we mostly take energy for granted: you plug in your whatever, you get power, no problem. (Though it can be expensive. It's been a cold winter in Idaho and my last two Idaho Power bills have been high enough to make me consider listing them as a dependent on my tax return.) We forget that not everyone lives in a place where there's a plug and ready access to a steady power supply. For example, soldiers and marines in war zones have an unbelievable plethora of electronic gadgets and gizmos on their person, many of which require them to carry God knows how many chargers, not to mention lots of batteries. For them, being able to eliminate unnecessary electronic chargers means they could fight more nimbly (carrying less weight in their packs), or that they could carry an extra magazine or Ka-Bar instead of a power cord. Most of us, though not typically getting shot at on business trips, can relate to the annoyance of schlepping a bunch of cords and adapters along wherever we go. I think I carry about four on the average business trip (camera, iPod, computer, cell phone). Probably an extra cord or two to charge things in the car. For weight reasons alone, I'd like to carry fewer chargers (and then I'd have room for more books, instead of the three or four I typically carry on a trip).
Wouldn't it be really great if you could carry one charger that charged all your devices? A charger that would be smart enough to detect when a device is charged and automatically stop sucking power? Also, although I am not always the most ecologically correct person, I hate the idea of throwing more stuff into landfills. It probably comes from having parents who grew up during the Depression: throwing things away that are perfectly good to use again just doesn't sit well with me. One thing, energy efficient, that you can reuse over and over sounds pretty darn good.
There's a company called GreenPlug that would really make - is really making - the world a better place, because what I just described is the GreenPlug vision. Someday soon, I hope all those electronic gadgets we love to have with us can be GreenPlug-enabled, so we only suck the power we need to charge a device - and no more - and we have one thing that charges all our gadgets instead of rebuying charger after charger after charger. Back to security, I think about "GI Joe" or "Marine Bob" (Robert or Roberta) in the field, who could take five pounds of chargers and batteries out of their packs and replace the weight with more MREs or a couple of spare magazines. (Sometimes better security is as simple as having more firepower than the other guy.)
In the near future, I want to buy my very last power hub/charger/cord/thingy - ever. (Mahalo nui loa, Palani, na honua 'apau.) (Thanks, Frank, for all the world.) Special mahalo for helping the warriors in harm's way, who will one day carry more he mau mea kaua (weapons) and fewer power cords.
Another group out in force at the IT Security Entrepreneur's Event was one of my favorite government organizations, the National Institute of Standards and Technology (NIST). I have been a huge NIST fan for a long time. In fact, the title of this blog came from comments I have made about NIST in the past: "NIST: A Force for Good in the Universe." NIST has a long record of developing standards and benchmarks for things in a highly transparent way. That's their charter. So you think, why give them credit for "just doing their job?" Because of the way they do it, the fact they are so good at it, and the individuals who work there I deal with. (I am still wearing a black armband several years after Ed Roback left NIST to go work at Treasury. I miss him.)
The fact is that industry, despite much posturing, does not always do standards well. Too many times it is Big Companies A and B teaming up against More Big Companies C and D to duel over standards. A couple of disparate standards limp along, things don't work together, the companies involved may never want or work towards a truly independent standard. What they want is a lock-in to "their way or the highway" for competitive advantage. That's business.
There is, however, a public good argument for getting plumbing to work together so we can all have nice hot showers. NIST is in the "getting everyone a nice hot shower" business by working to help create the standards that make public good activities in IT security (among other areas) happen. If standards (true open standards, not "dueling standards") do not happen, what consumers end up with is stuff that has to be spliced together with digital duct tape. Try taking a hot shower with duct taped-together pipes sometime to see how well it works.
We need a truly independent group to do standards well. I realize I am going against the nerdy grain here, but really, most consumers do not care two hoots in hell about "elegant technical solutions"; they care about things that just work together without digital duct tape. NIST's only "dog in the hunt" is to solve a problem well and with broad industry feedback. Their entire MO is to help create standards by working with industry. When they are engaged in standards development, the result is typically really good, because they get great minds working on it and listen to people. What's better than that? NIST's purview also covers technical benchmarks (like security configurations) and there, too, there is a dialogue with industry, instead of a few people locking themselves in an ivory tower and creating drawbridge specs without ever actually using a drawbridge or consulting castle defenders.
NIST does a great job at working with all stakeholders to the point where lots of vendors, including me on behalf of Oracle, are happy to traipse up to the US House of Representatives Science and Technology Committee asking for more money for NIST to continue Doing Good Things. For all the times when you wonder where your tax dollars are going (and why), when it comes to NIST, they are doing good things with your money and if given more, will do more good things with it.
Both NIST and NSA folks graciously visited Oracle a couple of days before the Forum (as well as participating in the Forum) to talk about SCAP (Security Content Automation Protocol). Our goal for inviting them was for them to explain what issues the Defense Department is trying to address through SCAP and, on the Oracle side, what technology we have that gets at the problem space (with a view towards "can we play/talk/work with SCAP?"). I have - and probably will continue to have - issues with some of the particulars of SCAP. What I don't have an issue with is the problem space. I also appreciate that we had a productive discussion with the experts from NIST (and NSA). Bilateral. Not, "We dreamed this up and we know everything."
(For those who are nerdy enough to know that there is a linkage between Federal Desktop Core Configuration (FDCC) and SCAP, you are probably wondering why I like SCAP and (per last blog entry) am less than thrilled about (some aspects of) FDCC. The issue is that the actual configuration required by FDCC was mandated instead of first being developed in conjunction with industry. Had pretty much any vendor who is affected by FDCC gotten a chance to comment on the benchmark before it was mandated, lots of issues would have - we think - been clarified. I still do not know what a "desktop" is because there is no definition yet. This is exactly the sort of dialogue NIST does and is good at, which is why the technical standards and benchmarks they work on are adoptable and adopted.)
The reason SCAP matters is that the lack of basic "security plumbing" puts all of us at a distinct disadvantage in protecting our systems. Can anybody answer the question, real time:
Who is on my network?
What is on my network?
What is my "mission readiness?" (my security configuration, patch level and so on)?
What is happening that I should be worried about?
You can think of the network as the battlespace (it surely is) and the answers to the above four questions are necessary to give you what the military calls "situational awareness." Nobody has it, and thus the advantage is all to the attackers. SCAP does not address all the above issues, but it does answer questions related to mission readiness (and also, "what's on my network?"). Being able to get enough standardization so that you can determine whether your network components are locked down correctly, or what components you have that are subject to a particular vulnerability - in some automated way - would be really useful. Nobody adds any value by manually reading security bulletin FOO and then manually trying to figure out what they have on their network that is subject to the FOO problem. No automated tool does this for everything, or does it well, or works with any other tool someone would use. Which is why everyone is using digital duct tape with predictable results: advantage to attackers.
One-off security products that do pieces of this but don't do it comprehensively are not enough. You need to know "what's my security posture?" real time, so if something is happening that you should be worried about you can "take evasive action" real time (e.g., reset a security parameter or turn off a service). Attacks are real time; defenses need to be real-time, too.
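As an added illustration (not from the original post, and not anything Oracle, NIST or NSA shipped): the correlation that "digital duct tape" currently does by hand, written against a constructed inventory and constructed bulletins. The one real piece of plumbing it leans on is the CPE 2.2 URI naming scheme (cpe:/part:vendor:product:version:update:edition:language) that SCAP adopts for naming platforms; once every host reports its components in that form and every bulletin names what it affects in that form, "who is subject to FOO?" and "is this host configured to benchmark?" become a lookup instead of a research project. The hosts, products, bulletin IDs and benchmark rules below are all hypothetical, and the matching is a deliberate simplification of the CPE spec (an empty component in the bulletin's pattern acts as a wildcard).

```python
"""Toy version of the 'security plumbing' SCAP standardizes: match bulletins to an
asset inventory via CPE 2.2 URIs, and check host configuration against a benchmark.
All data here is constructed for illustration; none of it is real SCAP/OVAL/XCCDF content."""

# CPE 2.2 URI component order: cpe:/{part}:{vendor}:{product}:{version}:{update}:{edition}:{language}
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")


def parse_cpe(uri):
    """Split a CPE 2.2 URI into its seven components; missing trailing components are ''."""
    if not uri.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    parts = uri[len("cpe:/"):].split(":")
    if len(parts) > len(CPE_FIELDS):
        raise ValueError(f"too many components in {uri!r}")
    parts += [""] * (len(CPE_FIELDS) - len(parts))
    return dict(zip(CPE_FIELDS, parts))


def cpe_matches(pattern, target):
    """Simplified CPE matching: an empty component in the pattern matches anything,
    everything else must match case-insensitively. (The real spec has more cases.)"""
    p, t = parse_cpe(pattern), parse_cpe(target)
    return all(p[f] == "" or p[f].lower() == t[f].lower() for f in CPE_FIELDS)


# Constructed asset inventory: hostname -> installed software (as CPE 2.2 URIs)
# plus the handful of settings a benchmark might care about. Hypothetical hosts/products.
INVENTORY = {
    "web1": {"software": ["cpe:/o:example:serveros:5.1", "cpe:/a:example:webapp:2.0"],
             "config": {"telnet_enabled": "false", "password_min_length": "6"}},
    "db1": {"software": ["cpe:/o:example:serveros:5.0", "cpe:/a:example:dbms:11.1:sp1"],
            "config": {"telnet_enabled": "true", "password_min_length": "12"}},
    "kiosk7": {"software": ["cpe:/o:example:serveros:4.2", "cpe:/a:example:webapp:1.9"],
               "config": {"telnet_enabled": "false", "password_min_length": "8"}},
}

# Constructed bulletins ("security bulletin FOO"). The second one omits the version,
# so under the wildcard rule above it covers every version/update of example:dbms.
ADVISORIES = [
    {"id": "FOO-2008-001", "affected": ["cpe:/a:example:webapp:2.0", "cpe:/a:example:webapp:2.1"]},
    {"id": "FOO-2008-002", "affected": ["cpe:/a:example:dbms"]},
]

# Constructed configuration benchmark: each rule names a setting and how to judge it.
BENCHMARK = [
    {"id": "no-telnet", "setting": "telnet_enabled", "op": "eq", "value": "false"},
    {"id": "min-pw-len", "setting": "password_min_length", "op": "ge", "value": 8},
]


def affected_hosts(inventory, advisory):
    """Hosts running any component the bulletin lists as affected, sorted by name."""
    return sorted(
        host for host, asset in inventory.items()
        if any(cpe_matches(pat, installed)
               for pat in advisory["affected"] for installed in asset["software"])
    )


def check_rule(config, rule):
    """True if the host's setting satisfies the rule. A setting we cannot read fails closed."""
    actual = config.get(rule["setting"])
    if actual is None:
        return False
    if rule["op"] == "eq":
        return actual == rule["value"]
    if rule["op"] == "ge":
        return int(actual) >= rule["value"]
    raise ValueError(f"unknown operator {rule['op']!r}")


def failed_checks(inventory, benchmark):
    """hostname -> IDs of benchmark rules the host does not meet."""
    return {host: [r["id"] for r in benchmark if not check_rule(asset["config"], r)]
            for host, asset in inventory.items()}


def posture(inventory, advisories, benchmark):
    """Per-host 'mission readiness': open bulletins plus failed configuration checks."""
    report = {host: {"vulnerable_to": [], "failed_checks": []} for host in inventory}
    for adv in advisories:
        for host in affected_hosts(inventory, adv):
            report[host]["vulnerable_to"].append(adv["id"])
    for host, fails in failed_checks(inventory, benchmark).items():
        report[host]["failed_checks"] = fails
    return report


if __name__ == "__main__":
    for host, status in posture(INVENTORY, ADVISORIES, BENCHMARK).items():
        print(f"{host}: vulnerable_to={status['vulnerable_to']} failed_checks={status['failed_checks']}")
```

The point is not the thirty lines of matching logic, which anyone can write; it is that the matching only works because both sides of the lookup (what is installed, what the bulletin affects, what the benchmark requires) speak one agreed vocabulary. Without that, every vendor's inventory tool and every bulletin format needs its own adapter, which is the duct tape the post complains about.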
If there is any worse example of fiddling while Rome burns than people arguing over the elegance of their individual technical solutions instead of trying to make comprehensive, universal situational awareness a reality for everyone's networks, I don't know what it is. (Get over yourselves, people, it's national security.)
So, mahalo nui loa to NIST for - whatever one's individual issues with individual standards - creating not only a dialogue, but a climate for discussion, instead of diktats. And for being a force for good in the universe, especially for DoD. That goodness will trickle down to other communities, I have no doubt of it.
For More Information:
Book of the Week: Lone Survivor by Marcus Luttrell.
It is a source of ineffable sadness and more than a little pique to me that the average American can more readily bring to mind the names of celebutantes or tartlets (sorry, I meant starlets - I think) than the names of the last three recipients of the Congressional Medal of Honor (Paul Smith, Jason Dunham, and Michael Murphy, if you want to know). This book recounts the story of SEAL Team 10's actions in Afghanistan, which led to LT Michael Murphy's death, those of two others in the squad, and 16 people on a helicopter that came to extract Luttrell's SEAL team. Marcus Luttrell was the lone survivor (and recipient of the Navy Cross).
This book should be required reading for anybody who wants to know what real heroism is (hint: it's not the ability to putt, throw or slam dunk). And, in my opinion, there is something wrong when members of the armed forces are more afraid of violating the rules of engagement than they are of the enemy. As Luttrell puts it: "...any government that thinks war is somehow fair and subject to rules like a baseball game probably should not get into one. Because nothing's fair in war, and occasionally the wrong people do get killed."
The citation for Michael Murphy's Medal of Honor:
The citations for Paul Smith's and Jason Dunham's Medal of Honor:
More on the IT Security Entrepreneur's Forum:
More on GreenPlug ("One Plug, One Planet"):
Marines love their Ka-Bars, and who can blame them?
Unbelievably cool that KGMB9 station in Hawai'i is doing a regular news segment in the Hawaiian language. Maika'i nui loa! (Woo hoo!) 'A'ha'i 'olelo ola (messenger of a living language).