Fwd: cnn.com - Homeland Security seeks cyber counterattack system (Einstein 3.0)

Sean Donelan sean at donelan.com
Thu Oct 9 16:13:29 UTC 2008


On Tue, 7 Oct 2008, Valdis.Kletnieks at vt.edu wrote:
> You don't want "the securest implementation".  You want one that's
> "secure enough" while still allowing the job to get done.  You also don't
> want to be *paying* for more security than you actually need.  Note that
> the higher price paid to the vendor isn't the only added cost of too much
> security.

The most recent (September 15 2008) US Government DNI directive about IT 
systems security includes the concept of appropriate risk management.

http://www.dni.gov/electronic_reading_room/ICD_503.pdf
   D. POLICY
   1. Risk Management
   a. The principal goal of an IC element's information technology risk
      management process shall be to protect the element's ability to
      perform its mission, not just its information assets. [...]
   b. [...] For example, a very high level of security may reduce risk to a
      very low level, but can be extremely expensive, and may unacceptably
      impede essential operations.

In practice, it often turns out a "secure" system that is unusable for its 
mission is both insecure and unused because people start using other ways 
that bypass the "secure" system just to get the job done.

So back to my original questions: what advice would you give to the US 
Government about protecting and defending its networks to maintain
its capability to perform? And how can it be sure it's getting what
it paid for?
