Friday, February 26, 2010

The power of the Off Switch: You'll never miss it until it's gone.

If you grew up a Star Trek fan, you've probably seen the episode where the computer runs amok, putting the whole ship into danger. The crew has to figure out some clever, complicated means to stop the computer and save the day: asking it to compute PI to the last digit.

If you were like me, you watched this and at some point asked "Don't they have an Off Switch for the blooming thing?" (At least in the movie 2001, they put a guillotine on the computer's power line.)

These memories came back to me recently when I read a stinging critique of the problems with the Toyota Prius and the fact that if it malfunctions, it doesn't have a proper Off Switch - just a button you have to hold down for three seconds (and hope the software bug doesn't make that malfunction). In the past, I'd seen similar criticisms of other devices, like the iPhone, but this is the most serious context for the criticism.

Bringing this into the context of security, I strongly believe being able to Prevent, Detect and Respond are the three pillars of any good plan. In the worst case, when you really lose control, Respond means being able to disconnect or turn off the device in question.

Well, without an Off Switch, you lose the ability to deal with this worse case scenario. With Prevent, Detect, Respond it is important not to put all your eggs in one basket, or, as not having an Off Switch points out, it's important not to remove all the eggs from a basket as well.

Friday, February 5, 2010

Google and the NSA

The NSA is going to help Google with figuring out what happened with the recent cyberattacks it suffered and how to make itself safer in the future. I've seen discussions about this, both pro and con.

I think it's a good thing, assuming NSA's involvement is limited to consulting as opposed to operating. Of all the government agencies, the NSA seems most advanced in terms of cybersecurity and I suspect they have enough expertise they could be of help, though I suspect Google has a great deal of expertise and the main thing NSA brings to the table in this case is information about the attackers and their techniques.

I think Google is important enough that anything that makes Google safer is good for all of us, in the same way improving the safety of airlines, food supply chains and the electric grid is good for all of us.

I also think it's natural for the Government to have a role in a company responding to cyberattacks. As a colleague pointed out, if a company found a body in their lobby they would have to call the police, no one would think twice about doing otherwise. But there is no such requirement for a company suffering a major cyberattack, and given how much data about and belonging to us companies are increasingly holding, I think having greater transparency in responding to cyberattacks is the right thing.

Though I think our government has a ways to go to really be up to this task in general.

Some good news: Cybersecurity Enhancement Bill passed by house

The house passed what looks like a very well thought out CyberSecurity Enhancement Bill. What I like about it in particular is it has an educational aspect and a social/behavior research aspect to it, both under the auspices of the National Science Foundation (NSF). I think this is a great direction - ultimately having more, better trained cybersecurity professionals and understanding the end-users better is at least as good as any new technology to make us safer. And having NSF do this gives me great confidence that the results will have broad impact rather than being sequestered as "sensitive".