Friday, October 16, 2009

Defcon's Jeff Moss on cybersecurity, government's role

c/o CNET

BTC - Jeff Moss. Defcon man gone HSGAC. PASS ID is still a Real ID. Someone tell Moss...

Q: So, how's it going on the Homeland Security Advisory Council?

Moss: It's going pretty well, it's pretty exciting actually. Recently we did a recommendation, I'm sure you read about it, the homeland security color codes. There are the five color codes. Normally the country is on like yellow or orange. I think we've only been to red once. But we've never been to the two lowest, blue and green. So the system was up for review. It turns out that the color codes work really well for industry and government. They have procedures in place. They do things automatically when the color codes are changed. It is actually successful for them but for the third group that uses them, civilians, it actually doesn't work well at all.

Right. We don't understand it. We're like, what does it mean? Is it real?

Moss: How does it give us any actionable information? How should we change our behavior based on it? That's what came out of the report was that it's very hard for civilians to do anything with it and it causes confusion, and it's the No. 1 source of ridicule. The system needs to stay because it's valuable for the other two groups, but it needs to change was the conclusion of the report. So they had a couple of recommendations and one was to just get rid of the two lowest colors because honestly we've never been at them; make the new normal orange. Three levels is probably more realistic than having five. The U.K. doesn't have five either, I think they have three.

The other big thing was if something is happening in New York, you don't need to raise it for the whole country, so make them more applicable for a geographic location. Localize it more. And then some other recommendations I thought were reasonable were make it a default where the level is automatically lowered if nothing affirmative happens. So the onus is on the officials to constantly justify why it needs to stay at a higher level. They had some other really common-sensical recommendations. You should tell people without revealing any sensitive security information or sources why did it get raised? Why did it get lowered? Is the threat over or is this an ongoing threat that we just now think is less important?

Two (reports) before that we were dealing with the Real ID versus Pass ID debate. (The Bush administration was) trying to create basically a national identity card and when that didn't happen they created this Real ID standard that would cause all the states to have standardized features on their driver's licenses. That's different from an enhanced driver's license which is used in place of your passport when crossing into Canada or Mexico. They want to make it all much more transparent to the public. So if they say we intercepted these people trying to board a plane with these liquids so we're going to go to a higher level around airports...something like that, instead of a blanket generalization that's applied to the whole country without explaining when the threat goes away or is mitigated. I know some members of Congress agreed with the report and it was generally really well received. Now the Advisory Council, we all unanimously agreed with it, and now it's off to the secretary (of Homeland Security). I was expecting a lot more bureaucrat-ese but that report I couldn't find anything to nitpick with because it makes a lot of sense.

You need biometrics (and to) verify the information through two other approved sources. It's an attempt by the feds to make sure information getting into the DMVs is actually valid and there's a paper trail there and the information from one state can be easily shared with another state. It seemed fairly reasonable. But then you started looking at some of the provisions and it turns into another one of these giant unfunded mandates from the feds. A lot of the civil libertarians got up in arms over it and I'm not really pleased either. States started to rebel.

The DHS was saying if you don't have one of these driver's licenses that is approved you're not going to be able to fly. So these governors got together and came up with an alternative plan called Pass ID. It removed it from being a state unfunded mandate, reduced the database requirements, reduced some of the ID requirements, made it much more feasible and reasonable, phased in on not such an immediate time table, didn't seem to have Big Brother issues. DHS is not going to want to go to war with these states. I think there's a realization you have to come to some compromise and Pass ID seems like a good compromise, but now you've got to convince Congress. ::: ENTIRE INTERVIEW HERE:::