Lessons, does anyone ever learn?

John Todd jtodd at loligo.com
Wed Feb 17 22:14:24 UTC 1999


As a footnote referencing the budget request Sean lists below, take a 
look at http://www.ciao.gov/roadmap-c.pdf for specific information 
and http://www.ciao.gov/roadmap-main.pdf  (table 2.3) for a general 
summary.  These references are from the July 1998 Critical 
Infrastructure Assurance Office's summary of "Information and 
Communications Infrastructure."

It's old data for some of you, but still worthwhile as a refresher 
since the gummin't takes a while to throw some money and monkey 
wrenches at these reports...

So: Regardless of how often they regurgitate the same discoveries, we 
know that the government doesn't trust current development and risk 
assessment of "the network" (be that network the current Internet or 
some IP based network of the not-so-distant past.)  For those of us 
in the US that have to contend with the results of any US-based 
legislation, what does it mean?  Will we have to build our IP 
networks according to a certain planbook?  Will we be required to 
allow inspections to confirm compliance?  Will international 
providers of traffic need to comply with US-specific guidelines 
before being allowed to "import" their packets?

I'll throw my opinion of "No" on the table and see if anyone 
disagrees.  I really see no way to implement meaningful risk 
assessment and coordinated security controls across such an already 
huge number and variety of private networks.  These risk assessment 
studies that CIAO is doing are interesting, but what can be the end 
result of so much expense and examination?  Not a lot that will 
directly change the higher-layer protocols (eg: layer 2/3 and up) 
that are currently being used, at least not without a lot of 
burdensome legislation that might stifle the industry.  I think such 
a burden will be enough to scare legislators away from passage of 
such laws.

Should this discussion really go on com-priv?  (or as the case may be 
in this throwback to governmental control of the network: "priv-com" 
;)

JT


At 2:26 PM -0600 2/17/99, Sean Donelan wrote:
>
> Under the heading, the more things change, the more they stay the same...
>
> I found this interesting paragraph in a government sponsored research
> report.  To make it more interesting, I'm not going to tell you the
> date of the report, or the network the authors were talking about.
> Since the US Government paid for the work, copyright isn't a concern,
> now if that ain't a hint, I don't know what is :-)
>
> "Among them they noted that while worst case analysis had been done, the
>  particular scenario had not been studied.  They also suggest operators
>  did not have all the data they needed to make proper decisions.  Particularly
>  notable was that no one could see the big picture across the entire
>  system.  The authors suggest that there is substantial improvement
>  needed to the modeling process.  For example, models used for planning
>  are different than models used for online monitoring and control.  Finally,
>  there are thousands of system components, and as many problems waiting
>  to occur.
>
>  Based on these observations the authors suggest the following:
>    - Online dynamic security assessment tools, and security indices.
>    - Wide area communication network and system monitoring process.
>    - National standards for operations and engineering.
>    - Improved system planning and risk assessment methods.
>    - Standard system planning and operating data models.
>    - Validated data in simulation models.
>    - Wide area measurement and controls."
>
> Since there is currently a $2.8 billion budget request pending before
> Congress to fund critical infrastructure protection, do you sometimes
> get the feeling some researchers just cut & paste their old analysis
> into whatever today's hot topic is?
> --
> Sean Donelan, Data Research Associates, Inc, St. Louis, MO
>   Affiliation given for identification not representation



