DHS Wants To Hire 1,000 Cybersecurity Experts

kdawson posted about 5 years ago | from the even-one-would-be-nice-if-you'd-listen-to-him dept.

Government 222

Cyrus writes "DHS Secretary Janet Napolitano plans to hire 1,000 security experts over the next three years. 'Department officials could not say precisely how many cyberexperts now work at DHS and its various component agencies such as the Secret Service and Immigration and Customs Enforcement. Napolitano said she doubts it will be necessary to fill all 1,000 of the authorized positions, but she is focused on making DHS a "world-class cyberorganization."'" Cringely points out, "There aren't one thousand civilian cybersecurity experts in the entire friggin' world!!!!," except he uses all caps and bold.

Well, I've already had my DHS background check... (4, Funny)

bennomatic (691188) | about 5 years ago | (#29636875)

...may as well throw my hat in the ring.

Re:Well, I've already had my DHS background check. (3, Insightful)

oldspewey (1303305) | about 5 years ago | (#29636933)

If you have a good shot at faking your way through being a cybersecurity "expert", seems to me this would be a pretty sweet gig. Few things are more entertaining than being paid big bucks to be part of a giant clusterfuck as it unfolds.

Re:Well, I've already had my DHS background check. (0)

Anonymous Coward | about 5 years ago | (#29637285)

being paid big bucks

Government paychecks are capped at a maximum that is significantly less than commercial starting pay for cyber-security experts...

Re:Well, I've already had my DHS background check. (5, Informative)

El Torico (732160) | about 5 years ago | (#29637621)

Government paychecks are capped at a maximum that is significantly less than commercial starting pay for cyber-security experts...

No, they aren't. The Information Assurance and other Information Technology positions in the Federal Government are usually grade GS-13. A GS-13 Step 1 in the Metro DC Area makes $70,615, Step 10 makes $91,801. This is competitive with most commercial salaries. Factor in the generous benefits (retirement, commute cost compensation, flextime, etc.) and the Civil Service positions are lucrative.

Re:Well, I've already had my DHS background check. (3, Informative)

thoth (7907) | about 5 years ago | (#29637773)

No, they aren't. The Information Assurance and other Information Technology positions in the Federal Government are usually grade GS-13. A GS-13 Step 1 in the Metro DC Area makes $70,615, Step 10 makes $91,801. This is competitive with most commercial salaries. Factor in the generous benefits (retirement, commute cost compensation, flextime, etc.) and the Civil Service positions are lucrative.

You left off locality pay... a GS 13-1 in Metro DC makes $87K, step 10 makes $113K. So, even better!
http://www.fedjobs.com/pay/washington.html [fedjobs.com]

Re:Well, I've already had my DHS background check. (2, Insightful)

oldspewey (1303305) | about 5 years ago | (#29637797)

The key point here is that in order to be hired as a cyber-security expert in the private sector, you probably need to be an actual cyber-security expert. In order to be hired as a cyber-security expert by DHS, along with 999 other "experts" all being sought within the same timeframe, you probably just need to study up on your buzzwords and you're good to go.

Re:Well, I've already had my DHS background check. (-1, Troll)

Anonymous Coward | about 5 years ago | (#29637883)

...you probably just need to study up on your buzzwords and you're good to go.
You don't even have to do that if you're a "diversity candidate".

Equivalent of the TSA... (5, Insightful)

Jah-Wren Ryel (80510) | about 5 years ago | (#29636897)

Cringely points out, "There aren't one thousand civilian cybersecurity experts in the entire friggin' world!!!!,"

No matter. These guys will be the "cybersecurity" equivalent of the TSA goons at the airport, probably with a management culture even worse than those poor slobs have to live with.

Re:Equivalent of the TSA... (1)

Deltaspectre (796409) | about 5 years ago | (#29636975)

Sir, please take your USB keys out while we scan your network.

Re:Equivalent of the TSA... (5, Funny)

Tablizer (95088) | about 5 years ago | (#29637161)

Sir, please take your USB keys out while we scan your network.

If they use old-school terminology, it could sound really odd to onlookers:

"Sir, please take your dongle out while we sniff your nodes."
     

Re:Equivalent of the TSA... (5, Funny)

MrNaz (730548) | about 5 years ago | (#29637461)

Sir, please take your floppy out while we unzip your tarballs.

Re:Equivalent of the TSA... (4, Funny)

K. S. Kyosuke (729550) | about 5 years ago | (#29637677)

Hey, there is a stripped /usr/bin/man on his hard drive, and it he's not even several years old!

Re:Equivalent of the TSA... (2, Insightful)

sumdumass (711423) | about 5 years ago | (#29636987)

Or they could become overpaid IT techs who can't design an open access website to comply with government accessibility standards. How about 7 million to "install a firewall" from Norton or AVG or something?

The U.S. government is EXTREMELY corrupt. (-1, Troll)

Anonymous Coward | about 5 years ago | (#29637419)

The U.S. government is EXTREMELY corrupt. Those who want corruption make sure that government departments have incompetent leaders.

Re:The U.S. government is EXTREMELY corrupt. (4, Insightful)

hedwards (940851) | about 5 years ago | (#29637585)

That's bullshit, you're going to have to cite that. The US government does have issues with corruption, but it's not any worse than most places. And definitely not "EXTREMELY" corrupt. If you want to know what extreme corruption looks like take a looksy at all those African nations that have ultra riches in minerals but mysteriously can't find the money to pay for food for their own people and somehow manage to do worse than nations without any resources to speak of.

In this case I'd say it's about damn time, that's probably a good starting point considering that so much of the military network is so completely hopeless right now, depending upon who they're looking for it would take a goodly number of entry level employees just to get the simple stuff done. Let alone the more complex tasks.

Re:The U.S. government is EXTREMELY corrupt. (0, Troll)

CarpetShark (865376) | about 5 years ago | (#29638149)

you're going to have to cite that.

No, he's not. What is it with people on the internet thinking that others have to sit and research topics for them? If you're that interested, go prove it right/wrong yourself. Some people are just having a conversation, and *gasp* aren't actually paid to provide your education.

Re:The U.S. government is EXTREMELY corrupt. (1)

onedotzero (926558) | about 5 years ago | (#29637593)

Those who want corruption make sure that government departments have corrupt leaders.

Re:The U.S. government is EXTREMELY corrupt. (1)

K. S. Kyosuke (729550) | about 5 years ago | (#29637687)

Russia called, they want their corruption back.

Re:Equivalent of the TSA... (3, Funny)

NewbieProgrammerMan (558327) | about 5 years ago | (#29637805)

Cringely points out, "There aren't one thousand civilian cybersecurity experts in the entire friggin' world!!!!,"

No matter. These guys will be the "cybersecurity" equivalent of the TSA goons at the airport, probably with a management culture even worse than those poor slobs have to live with.

I'm sure DeVry and U.o.Phoenix will be glad to pump out several thousand associate degrees in Cybersecurity Expertry or something in the next three years for them to sort through. That way DHS can say they interviewed thousands of candidates and only took "the best."

Re:Equivalent of the TSA... (3, Insightful)

vegiVamp (518171) | about 5 years ago | (#29637943)

Exactly. They'll be paying (relative) peanuts, so they'll get the not-quite brand of expert, while the brunt of the real threat they're up against consists of a) the real experts they couldn't pay enough to hire, and b) the smart kids who've nothing better to do all day than figure out how shit works.

Their experts will be very effective, however, against the rather common type of attacker that you can block with the kind of network protection that anyone with half a brain already has. Their effectivity numbers will reflect the number of attacks repelled, and thus they'll be commended for their excellent work.

Nobody's going to work for a government salary.. (2, Insightful)

HerculesMO (693085) | about 5 years ago | (#29636905)

When they can make over 6 figures easily, with private company perks and bonuses working outside the government.

If the DHS wants qualified people, they need to pay a competitive salary. Of course, u

Re:Nobody's going to work for a government salary. (3, Interesting)

AnEducatedNegro (1372687) | about 5 years ago | (#29637097)

GS-15 pays 6 figures. Combined with federal Job For Life(TM) job security, retirement perks that will allow you to continue as a "consultant" making the same salary for 20 more years, and virtually unlimited teleworking... I think that is a pretty good deal. I'll sign up

aEN

Re:Nobody's going to work for a government salary. (0)

Anonymous Coward | about 5 years ago | (#29637355)

Government pay is capped at $149,000. If you know your stuff, you can start at $160k easily in commercial space, or more if you know people. Not to mention commercial benefits typically beat government benefits such as better travel (government travel rates barely get you into a super 8), better Per Diem, the ability to telecommute (you can't telecommute for secure government work), better vacation time (you only start with 2 weeks in government work)... I haven't had less than 4 weeks since I was fresh out of college, better medical, better retirement (matching 401k funds), stock options, better equipment and resources in your work, company parties (the government is very limited on what it can spend on holiday parties/etc)... etc...

The government has always trailed the commercial industry for IT compensation, and in specialist fields like security the government is pathetic.

Re:Nobody's going to work for a government salary. (1)

headhot (137860) | about 5 years ago | (#29637477)

There ain't too many GS-15s. In the corporate world, they would be like SVPs. Most of the technical and engineering people are GS-12 to 13 outside of DC, and 13-14 inside DC.

Re:Nobody's going to work for a government salary. (1)

vegiVamp (518171) | about 5 years ago | (#29637959)

Could you translate that for us non-American types? What would the numbers for those various GS classes add up to?

Cool - how do I become a security expert? (4, Funny)

commodore64_love (1445365) | about 5 years ago | (#29636923)

Is there a major I can take in college?

Simple... (1)

denzacar (181829) | about 5 years ago | (#29637365)

All you have to do is become friends with this guy. [cringely.com]

Apparently, he decides on who gets to be one and determines the global quota of "Cybersecurity Experts". [cringely.com]
You may have to hurry though, as he might just decide that 640 "cybersecurity experts" should be enough for everyone.
And he already knows at least six.

Re:Cool - how do I become a security expert? (4, Funny)

arthurpaliden (939626) | about 5 years ago | (#29637555)

Take your general BA and add an Introduction to Windows course.

Re:Cool - how do I become a security expert? (0, Offtopic)

dontmakemethink (1186169) | about 5 years ago | (#29637775)

Is there a major I can take in college?

--
~0.5% of people who download buy ANY CD's. So as a rough estimate: song downloads = 99.5% lost sales

Fixed your sig for you.

Re:Cool - how do I become a security expert? (1)

CarpetShark (865376) | about 5 years ago | (#29638135)

Is there a major I can take in college?

Yes, but you'll need to find a military college program. When you get there and choose your major, try to make it quick and deadly. Majors are scary when they've just been half-clubbed with a 2x4.

Does this qualify? (1)

Charles Dodgeson (248492) | about 5 years ago | (#29636935)

Would knowing that there aren't a thousand experts out there make me an expert?

Re:Does this qualify? (2, Funny)

dontmakemethink (1186169) | about 5 years ago | (#29637789)

Would knowing that there aren't a thousand experts out there make me an expert?

In my expert opinion, no.

Re:Does this qualify? (1)

vegiVamp (518171) | about 5 years ago | (#29637971)

No, but it does make you way too smart to be a gubment exec.

And also 1000 other Field medal mathematicians (1)

arnhem (1371047) | about 5 years ago | (#29636937)

Yes, when a home land is equipped with 1000 security experts and 1000 other mathematics experts, that's the ultimate security and we can all sleep well.

Re:And also 1000 other Field medal mathematicians (1)

similar_name (1164087) | about 5 years ago | (#29637799)

Yes, when a home land is equipped with 1000 security experts and 1000 other mathematics experts, that's the ultimate security and we can all sleep well.

They can protect the homeland for 1000 years.

The American Way (1)

DynaSoar (714234) | about 5 years ago | (#29636997)

"...she is focused on making DHS a "world-class cyberorganization."'"

Because heaven forbid a US federal government agency should be satisfied with being only US class. After all, we have a world to protect from itself.

Re:The American Way (0)

Anonymous Coward | about 5 years ago | (#29637069)

Since when did the US have class?

Re:The American Way (4, Insightful)

mellon (7048) | about 5 years ago | (#29637759)

That's kind of a bogus observation. If you aren't world-class, then you are at the mercy of those who are. "World-class" doesn't mean "better than anyone else in the world." It just means "good enough to hold your own with the best in the world." Really, everybody needs world-class people. The pity is that not everyone can afford them.

tip the scale a little down (1)

kubitus (927806) | about 5 years ago | (#29637015)

I know of a "freakin" security expert who discovered that one can make SQL exploits on Web-sites.

Of course after the web-site of the organisation was attacked.

And he then joined the ranks of NATO headquarters in Brussels

as a security expert.

level enough?

of course a US citizen

Doesn't matter if they hire 10,000... (2, Insightful)

John Hasler (414242) | about 5 years ago | (#29637031)

...as long as they can't hire Bruce.

Re:Doesn't matter if they hire 10,000... (-1, Flamebait)

Anonymous Coward | about 5 years ago | (#29637511)

Show me how good you think your Bruce Schneier is. I only see him as a noisily famous writer.

Cringely points out... (3, Insightful)

John Hasler (414242) | about 5 years ago | (#29637059)

..."There aren't one thousand civilian cybersecurity experts in the entire friggin' world!!!!,"

And he would certainly know, wouldn't he? World-renowned expert that he is. On everything.

Re:Cringely points out... (1)

Tablizer (95088) | about 5 years ago | (#29637275)

If they cannot find 1,000 US experts, they simply outsource to Pakistan. You can find a lot of techies there [ox.ac.uk] .

Re:Cringely points out... (5, Interesting)

fwr (69372) | about 5 years ago | (#29637361)

I would have to agree. Having obtained my CCIE Security this year (no I wasn't the one that passed the new 3.0 blueprint), and having a CISSP for a few years, I can say from my experience that there are likely well over 1000 experts in the country. Heck, we have quite a few experts in the company I work for now, and no it's not Cisco. In fact, Cisco calls us in to fix problems they can't from time to time. I doubt that any of them would want to work directly for the government though; I certainly would not. Consulting work for the government, sure, but not a government employee. His point seems to be that he doesn't know that many security experts, so they must not be out there. From his article, it appears that he knows a few subject matter experts, but he points out himself that they are not all-around experts. To quote "I was an expert in AV, IDS, and other areas. But I was not the all knowing security guru." That's two listed technologies and one all-encompassing "other" category. And apparently this expert "was," no longer "is." Now, I'm not calling them out, and I'm not going to compare resumes in a public forum. I'm just saying, when his own experts say they were an expert, maybe he's not talking to the right experts...

Re:Cringely points out... (1, Insightful)

Anonymous Coward | about 5 years ago | (#29637691)

Based on your post, you're a Contractor, which is who Government hires when actual work needs to get done.

Re:Cringely points out... (1)

tsm_sf (545316) | about 5 years ago | (#29637383)

And he would certainly know, wouldn't he? World-renowned expert that he is. On everything.

Cringely's more than a bit impressed with himself, and definitely has an opinion on every subject. He also puts some thought into what he says. When he's wrong (frequently) it's always for interesting reasons.

Re:Cringely points out... (1)

vegiVamp (518171) | about 5 years ago | (#29637997)

I can't help but wonder what constitutes an "interesting" reason to be wrong.

Re:Cringely points out... (1)

Xugumad (39311) | about 5 years ago | (#29637767)

Some of the quotes are awesome, if you start reading the article in depth...

"So I polled six old friends who ARE cybersecurity experts and they kinda-sorta agreed with me." - so, they didn't agree, is what you mean?

"I'm pretty sure they don't know each other." - So we're talking a group that is apparently terrible at knowing about each other, to estimate how many there are?

"I was an expert in AV, IDS, and other areas. But I was not the all knowing security guru." - So, the press release says "security expert" and Cringely decides to interpret this as "omniscient about computer security". Governments tend not to announce specific areas where they feel their security is lacking, in press releases. They like vague terms like "security expert", which give the reassurance they're doing something, without exposing too much real information.

Re:Cringely points out... (1)

NewbieProgrammerMan (558327) | about 5 years ago | (#29637969)

This is the same Cringely that's an "expert" on the user interfaces of nuclear power plants [slashdot.org] , isn't it? Does he have some sort of credentials that might actually make him an expert in cyber security? Looking on his site....

When it comes to information technology, Cringely knows what he is talking about. Thirty years in and around the PC business has earned him wisdom, if not wealth. It's not that he is so smart, but his friends are smart. The best and brightest in Silicon Valley talk to him all the time. It's Cringely's job to sift through their thoughts for valuable bits to share with you.

So just like his venture into nuclear power expert-ness, his IT knowledge is at best second-hand.

Thanks to the submitter for the links to an actual story, though. :)

How to be a linux expert (0)

Anonymous Coward | about 5 years ago | (#29637063)

type "sudo yes > /dev/sda"

It will secure /dev/sda by making sure only root can say yes to system operations.

Re:How to be a linux expert (0)

Anonymous Coward | about 5 years ago | (#29637281)

FAIL: The redirect will not have any extra privileges.
sudo sh -c "yes > /dev/sda"

Re:How to be a linux expert (1)

zippthorne (748122) | about 5 years ago | (#29637545)

That's not a pipe, it's a file handle. It'll work just fine.

they should hire george bush. (0, Troll)

h00manist (800926) | about 5 years ago | (#29637081)

he's their kinda guy.

Re:they should hire george bush. (0, Troll)

Tablizer (95088) | about 5 years ago | (#29637249)

Indeed, he speaks in an extra-special secret code language that sounds like meandering drunken gibberish to regular people. Clever cover.

"World-class cyberorganization"? (5, Insightful)

maugle (1369813) | about 5 years ago | (#29637101)

Will you idiots please stop prefixing stuff with "cyber"? I know you're trying to make yourselves sound all cool and tech-savvy, but all you're really doing is sounding like someone from a bad 80s sci-fi movie.

"Cyberorganization"? What the hell does that even mean? You use computers and computer networks? Computers and computer networks are your primary focus? Big goddamn deal! You don't see Microsoft or IBM or Cisco calling themselves "cybercorporations", do you?

Look at me, I spend a lot of my time on the Internet! I'm a cyberperson!

Re:"World-class cyberorganization"? (3, Funny)

BountyX (1227176) | about 5 years ago | (#29637183)

You must be out of the loop. Cyberorganization means it's a cluster fuck. Literally. It's a huge online cyber session at cluster.usa.gov irc channel #fuck. You should cyber with us, it's a grand ole' time!

Re:"World-class cyberorganization"? (2, Interesting)

Tablizer (95088) | about 5 years ago | (#29637213)

Well, if they didn't physically conduct most of their operations together, and instead did almost pure telecommuting, then yes, they'd qualify as "cybercorporations". It may be an imperfect term, but that does not necessarily make it useless (if used with some consistency).
   

Re:"World-class cyberorganization"? (1)

Like2Byte (542992) | about 5 years ago | (#29637329)

Will you idiots please stop prefixing stuff with "cyber"? I know you're trying to make yourselves sound all cool and tech-savvy, but all you're really doing is sounding like someone from a bad 80s sci-fi movie.

It was 1995 [imdb.com]. Oh, come on! You liked it. :P

Aww... come on... (2, Funny)

denzacar (181829) | about 5 years ago | (#29637487)

EVERYTHING [cyber-yogurt.com] is [cyberrug.com] better [armandosports.com.au] with a [cybermelon.com] cyber- [linkedin.com] prefix. [worldwidewords.org]

Re:"World-class cyberorganization"? (1)

Hurricane78 (562437) | about 5 years ago | (#29637689)

Wait until you see a cybercyber! It's something that is steering, but in steering space!

Re:"World-class cyberorganization"? (4, Funny)

dontmakemethink (1186169) | about 5 years ago | (#29637803)

Quit cybercomplaining you cyberbitch.

Re:"World-class cyberorganization"? (1)

Hurricane78 (562437) | about 5 years ago | (#29637829)

So you would not use my new CyberCyber virtu@l e-SocialCloud Turbo iNetExplorer 2000 XFX GTX - Ultimate Web 2.0 Gold Edition?

Re:"World-class cyberorganization"? (0)

Anonymous Coward | about 5 years ago | (#29637875)

Look at me, I spend a lot of my time on the Internet! I'm a cyberperson!

Cyberman!

Re:"World-class cyberorganization"? (1)

turing_m (1030530) | about 5 years ago | (#29637995)

If they are looking to recruit Cybermen for their cyberorganization, they had better talk to John Lumic.

DHS = Gestapo (0, Troll)

mcnazar (1231382) | about 5 years ago | (#29637221)

I repeat:

DHS == Gestapo
to confirm, DHS === Gestapo

Re:DHS = Gestapo (1)

hedwards (940851) | about 5 years ago | (#29637667)

Hmm, I tried that and it gave me some sort of funky error. Perhaps the dozen languages I tried weren't the one you're using.

Am I leet enough to get into super sekrit organization?

Re:DHS = Gestapo (0)

Anonymous Coward | about 5 years ago | (#29637887)

uh no. The Gestapo was actually good at what they did.

DHS == Fail

Re:DHS = Gestapo (1)

vegiVamp (518171) | about 5 years ago | (#29638005)

Does that mean that any post referring to the DHS now also triggers Godwin?

The head guy is from Microsoft (5, Interesting)

Animats (122034) | about 5 years ago | (#29637241)

DHS's cyber security operation is headed by Phil Reitinger [washingtonpost.com] , who's from Microsoft. So DHS won't be allowed to do anything that would seriously impact Microsoft's business models. Which means nothing significant will happen. Here's his list of priorities. [thenewnewinternet.com] You'll see the problem.

The first guy in that job, Amit Yoran, came out and said the big problem was weak security in Microsoft operating systems. He was ignored, then quit in disgust. The next guy was Cisco's lobbyist, who was not only useless, the job was downgraded during his tenure.

I'm not expecting much from that crowd.

Security by Obfuscation (0)

Anonymous Coward | about 5 years ago | (#29637531)

DHS's cyber security operation is headed by Phil Reitinger [washingtonpost.com] , who's from Microsoft. So DHS won't be allowed to do anything that would seriously impact Microsoft's business models. Which means nothing significant will happen.
Here's his list of priorities. [thenewnewinternet.com] You'll see the problem.

+1

      1. Building Capability: "That's primarily about people. I have some awesome people here at DHS; we have a great team, but we just don't have enough of them yet..."
      2. Building Partnerships: "We're defining our partnership models, making sure they're as efficient as possible, that they let the private sector work effectively with us and as one, and we're starting the process of developing a national cyberincident response process..."
      3. Building the "Ecosystem of the Future:" "Making sure that we're building the Internet and the cyberinfrastructure of the future that will have the foundations of a more secure tomorrow..."
      4. Establish Cyber Metrics. "[Metrics] enable the people throughout government and industry to make better decisions about cybersecurity, so they don't do this or that based on religion, but based on data..."
      5. Identity Management. "If we're going to allow people to protect themselves, they're going to need to be able to make effective decisions about, do they want to communicate with this person or not, do they want to open this file, do they want to open this program, do they want to allow a machine to connect to their machine..."

So, that seems to be his single-point agenda.
He starts well by obfuscating the aim itself !! :-)

Re:The head guy is from Microsoft (5, Insightful)

Hurricane78 (562437) | about 5 years ago | (#29637733)

Then you're forgetting the negative things that could happen. Like Linux declared a threat to national security.

Building Partnerships (2, Insightful)

Skapare (16644) | about 5 years ago | (#29637901)

From the referenced link on list of priorities:

Building Partnerships: "We're defining our partnership models, making sure they're as efficient as possible, that they let the private sector work effectively with us and as one, and we're starting the process of developing a national cyberincident response process..."

Translation: If it's a problem with a security exposure in Microsoft Windows, hand it over to Microsoft to deal with. Let them do the coverup.

Re:The head guy is from Microsoft (0)

Anonymous Coward | about 5 years ago | (#29638029)

Wow. That list of priorities is pretty scary. Sounds like rights could be taken away from users, and security issues will be just as bad as they are now.

Re:The head guy is from Microsoft (1)

NewbieProgrammerMan (558327) | about 5 years ago | (#29638075)

Wow, awesome selection of priorities. They're mostly subjective, with no way to measure whether they're achieved or not. Great for hand-waving excuses later about why nothing gets done.

Anyway, do you have a reference for Yoran's statements on weak Windows security? I must have chosen the wrong keywords when I looked for them.

Re:The head guy is from Microsoft (3, Insightful)

mikael (484) | about 5 years ago | (#29638211)

Notice the focus on words like "ecosystem", "religion" and placing the blame on machines and people. No mention of vulnerable drivers, protocols or applications.

Practical things would be

o Develop reliable methods of network protocol design to prevent vulnerabilities in network services.

o Proper application design so that the above aren't compromised by feature bloat of applications. "Hey, let's add macros and automatic E-mail sending/receiving to our application. Never know when it might come in useful".

They'll have choices to make ... (3, Informative)

ScrewMaster (602015) | about 5 years ago | (#29637247)

and here's a good first choice: pick a more secure operating system for their servers and workstations. Last I heard, Microsoft had a fat contract to supply Windows to DHS. If they really want to make themselves look good (from a security perspective) dropping Microsoft would be a good first step.

Yes Cringely, we have 1,000 security experts (5, Interesting)

gqx (1293372) | about 5 years ago | (#29637271)

I have a fairly long track record in the security industry, and I'm really puzzled by Cringely's assertion. It's hard to tell if he is trying to make a point out of a semantic squabble, or if he genuinely believes that the information security community has fewer than 1,000 competent experts.

If the former, yeah, the term "cybersecurity expert" is unfortunate - but it's clear it's just PR speak for "information security professional". Cringely then attempts to define that first, largely meaningless term, and then polls his anonymous friends (who themselves probably do not fall within that definition) to come up with wild guesses.

If the latter, yes, we definitely have more than 1,000 security experts. There is something around 500 eminent, internationally recognized folks publishing books, research, and otherwise contributing to the "cutting edge" of the industry. Then there's another 500-1,000 top-tier, notable security VPs, CEOs, etc, working for Fortune 500 companies (they may not all be technically savvy, but they *are* the industry). Then, there is probably something close to 200,000 security professionals working for companies around the world - we have something like 50,000 registered CISSPs alone (which is a certification largely inaccessible to hobbyists, and pursued by a minority of infosec workers), something around 50,000 subscribers to BUGTRAQ and other security mailing lists, etc.

Does this mean that DHS would be able to hire 1,000 competent experts? Unlikely, as the government historically did a pretty poor job of competing with commercial corporations (in terms of compensation and work culture), and many agencies may lack the hiring rigor and expertise to make the right calls. Given the size of the networked infrastructure in the US, this number is high, but does not sound outlandish by itself, though (many large corporations have 20-100 security people on their payroll).

What is a security expert? (4, Interesting)

MrOion (19950) | about 5 years ago | (#29637273)

What is a security expert? Is it people who believe that they are experts in one single area, and that area is called security?

I work with IT security for a living, and there are many areas within that field. We have people who are good at network and data analysis, some who can reverse engineer malware, others who do a good forensics job, one group focuses on incident response and others work with standards and procedures. And this is just a few areas. Encryption is a part of this. Tempest too.

So again, what is a security expert? One who is an expert in one or all of these areas? What is DHS looking for?

Re:What is a security expert? (0)

Anonymous Coward | about 5 years ago | (#29637755)

I agree here. When someone states they are a "security expert", I have to ask for more info. This can mean a lot of things:

A person who has led a special ops team to take over a building or area and ensure that any hostiles are neutralized.

A CISSP or some other professional with the documentation to show it.

Someone who is a security officer for a classified and up secured area.

Someone who is a leader of a private security firm and offers employees to watch buildings.

Someone who knows bank notes (the other meaning of security/securities.)

This is great. (4, Funny)

arthurpaliden (939626) | about 5 years ago | (#29637299)

Now we can get all those BA's and MBAs with a single computer course on how to use Windows out of the commercial job market and into the government where they belong.

Takes one to know one... (1)

mr_josh (1001605) | about 5 years ago | (#29637307)

I sure hope that DHS knows exactly what a cybersecurity expert is...

I'd apply, but... (1, Flamebait)

Eggplant62 (120514) | about 5 years ago | (#29637341)

I feel like I have no faith in the Homeland Security Agency's stated mission. Other than securing airports and border checkpoints such that it makes things even more difficult to get in or out of the country than it is going to visit inmates at your local correctional facility, I have no faith in that agency whatsoever. It was created in a knee jerk reaction to a terrible event that was likely orchestrated if not pulled off entirely by our very own government. Nah, I liked it better when we had much less security in this country and we could come and go as we pleased. I don't think body cavity searches are needed just to get on a bus, do you?

Yes, it's high time to fight the Spam! (4, Insightful)

Max_W (812974) | about 5 years ago | (#29637371)

Spammers bring much more harm to the world economy than Afghan tribesmen. Billions of people are working as slaves for free for spammers sorting out and deleting their junk day and night. Billions of hours of working time are being stolen as a matter of course.

Maybe the DHS decided at last to tackle this problem? These experts and predators could make the world sigh with relief. Godspeed!

The Missing Link (-1, Offtopic)

Anonymous Coward | about 5 years ago | (#29637431)

What Cringely doesn't realize is that the DHS has been raising an army of Bruce Schneier clones this whole time...

Translation: (2, Insightful)

Anonymous Coward | about 5 years ago | (#29637459)

security expert=security professional

And as everyone knows, professional=employed

So, they are saying that they're going to employ 1000 people with security nametags.

Business as usual, in other words.

Security clearances? (2, Insightful)

TSHTF (953742) | about 5 years ago | (#29637469)

This paragraph from the article is probably the most interesting point:

"Another item of great importance is a security clearance to do the work. This is where you will get only one brand of thinking; DoD or DoE clearance. This will prohibit the security "black hat" types from ever being involved in the project without coming from the DoD or Energy."

This will limit the pool of resources to such an extent to make the project worthless.

Re:Security clearances? (4, Insightful)

dave562 (969951) | about 5 years ago | (#29637769)

I'm going to go out on a limb here and guess that the DHS doesn't need uber-black hat types doing security for them. What they are looking for is a small army of semi-competent employees who can go from agency to agency, department to department and secure them by implementing generally accepted best practices. They need firewalls installed with the rulesets locked down. They need IDS and IPS devices configured. They need anti-virus and anti-malware on the workstations. They need VLANs configured, servers locked down, disaster recovery plans designed and implemented, etc.

This is the government we're talking about. They aren't looking for the best of the best. They're looking for good enough to get the job done. Maybe you guys have heard of the saying, "It's good enough for government work." ?? The DHS doesn't need anything that your average small business or Fortune ## organization doesn't need. They just need clean workstations, secure servers and reliable data. They need to be able to process their reams and reams of paperwork and forms and all the other nonsense that comes with the huge machinery of the Federal government.

Re:Security clearances? (2, Insightful)

hedwards (940851) | about 5 years ago | (#29638173)

Except that none of the major anti-virus companies will hire black hat types and I'd be surprised if other forms of anti-malware were going to hire those sorts. It's just more hassle than it's worth. You're not sure when, if ever, they'll be arrested, if they're still active at their craft, going to try and sneak out proprietary information for sale to others.

It's no accident that reputable companies won't hire them.

The DHS may *WANT* to hire experts (3, Interesting)

erroneus (253617) | about 5 years ago | (#29637519)

But that doesn't mean they will. And quite frankly, my experience with DHS has been that to make something happen, they hire an incompetent contractor to do the screening and hiring for them which, in turn, hires the first 1000 people with resumes who have enough of the right keywords matching on their resumes.

I once worked for the TSA and I was astounded by the criteria, or lack thereof, in their hiring practices. One teenager was hired on in a supervisory role simply because he applied for it and was early enough in the list of applicants to have not yet filled out their supervisor staffing. Why was this teenager qualified? He wasn't. We know this because it was his first job...ever! This kid hadn't even mowed a lawn for pocket change.

The DHS screens at airports but barely anywhere else. The airport screeners are beholden to the air carriers and quite literally have to follow their instructions at times. Meanwhile the border crossings of the U.S. were wide open for years and years before people took any notice.

Putting important organizations like FEMA under the DHS showed the world what a great move that was when the hurricane season came in with great force. The only thing we really got out of that was "FEMA Camps" where the angle of the razor wire seems to be intended to keep people "in" rather than "out" and has U.S. Army equipment parked on it. (Google "FEMA Camps" for more information on the topic... scary... freakin' scary)

The DHS is the agency under the executive that most represents the words "power grab" and "power consolidation."

Re:The DHS may *WANT* to hire experts (0)

Anonymous Coward | about 5 years ago | (#29637847)

Of course airport security is just for show. Anyone who hasn't been brain-washed knows that.

World Class? (1)

pha3r0 (1210530) | about 5 years ago | (#29637529)

Napolitano said she doubts it will be necessary to fill all 1,000 of the authorized positions, but she is focused on making DHS a "world-class cyberorganization."

Umm I thought the TSA was supposed to secure the American transit systems from terrorist and non terrorist threats alike. How does being a world class cyberorganization help achieve that goal? Or more blatantly why does the TSA need to be 'world class' in anything?

I don't mean to rant but come on shouldn't Napolitano be saying that they are hiring these people so they can provide a better service to the American people. It is nice to have world class organizations at our national level but with world class comes world class cost and world class complication. Two things America could do without right now if you know what I mean.

Re:World Class? (2, Insightful)

vegiVamp (518171) | about 5 years ago | (#29638073)

Because *obviously* Al-Qaeda is on the verge of launching an all-out cyberattack on the US, from the crank-driven laptop they have in their cave. Why, the CIA confirmed only yesterday that they forked out on an amazing full megabit of satellite bandwidth for exactly that purpose. That's 1.000.000 bits per second !

Time to become a mole (0, Troll)

Hurricane78 (562437) | about 5 years ago | (#29637533)

Seriously. If I'm even close to how fucked up those are, who direct the DHS & co, becoming a mole and after some time publishing all the data anonymously but provable, would be good for nearly everyone on this planet. Except for some fucked up bastards.
Americans, non-Americans, all alike would profit.

Who's in? ^^

The real reason for this (2, Insightful)

Alain Williams (2972) | about 5 years ago | (#29637583)

is that they can then say that "we are doing everything that we can, look: we have employed lots of experts. By the way can we have some more budget."

Summary: DHS gets to look more important.

If that is all that they do then be thankful. Be fearful that they start to push pointless rules on everyone.

Sigh (0)

Anonymous Coward | about 5 years ago | (#29637697)

This brings back bad memories of the Scholarship for Service program I applied for nearly a decade ago now. Was supposed to get a job with the DoD when I graduated. In practice--it was impossible to get a clearance.

I stayed in a hotel and went to a conference with nearly 2000 other students. With the exception of the ones from the NPS in Monterey, a few from CMU, and some other rare individuals--most of them didn't know their ass from a hole in the wall. Three students from my university who knew way less than me did get into it (Really--two of them couldn't differentiate between a port scanner and a rootkit on their exams, and none of them were familiar with sanitizing input or fuzzing)

I didn't make it--and was specifically criticized multiple times in the application process for independent learning. Wrote a virus myself to see if I could. Used to run warez nearly 15 years ago, and after that got into system cracking. Yes, I said cracking...not hacking. But unlike most of the applicants I understood the tools that were out there, and had developed skills to a point where I could write them myself. After that I kept developing tools, but ran them on my own system--period. It didn't matter to most of the interviewers--one equated it to building bombs in my dorm room.

They'd rather have incompetent people with a scotchguard background, who don't know the difference between TCP and UDP after four years of school, than somebody with independent learning that willingly left the blackhat culture.

If things haven't changed--and I've heard no reason to think they have--this program will be a disastrous waste of money.

DHS (0)

Anonymous Coward | about 5 years ago | (#29637749)

The Department of Homeland Stupidity.

and just another bureaucratic fail belonging to the 16 plus security agencies of the u.s. known as the alphabet soup gang.

Maybe there aren't 1000 security experts (2, Insightful)

Skapare (16644) | about 5 years ago | (#29637813)

... but there are surely tens of thousands of people that currently have, or can get, cyber security certification. This is good enough for government work.

Yes there are over 1000... (1)

haus (129916) | about 5 years ago | (#29637999)

"Secretary Napolitano says she might not need all 1,000, which to me says she is really looking for 3-5 people. And frankly that ought to be enough if they are truly experts and are both properly led and supported" Cringely is insane (or very misinformed) if he thinks that 5 really good people will be able to make a dent in the role that will be required of DHS as they attempt to secure their own network. When the DHS takes on the task of guarding all government networks.

And yes there are over 1000 experts. I know 5 myself, plus another 100+ who make their living doing InfoSec work. This is not to say that the DHS will have an easy time finding real experts that are willing to work in the environment that DHS will provide for the wages that they will be able to offer.

Why Chicago lost the Olympics (2, Insightful)

kurt555gs (309278) | about 5 years ago | (#29638117)

I think you can lay the blame at Chicago's loss of the Olympics squarely at the feet of DHS and Customs enforcement. The USA is NOT a friendly place to visit. I wish President Obama would have put an end to this Bush era foolishness, but it seems he wanted to cuddle up with the right wing Republicans instead. Strike, one. Strike, two.
