Focus Questions for this Section: How might the three themes be refined or enhanced to further improve cyberspace? What are the research, development, implementation and other challenges in achieving the goals under each theme?
I tend to agree with Lewis. Everything in cyber-security other than cryptography is essentially cr@p. We would not be participating in this forum if it weren't so.
The fact that the cyber-security industry has not figured out that the network security problem is identical to the software reliability problem is proof that they really have nothing to offer in the way of solving this problem once and for all. They have no clue. The only way to solve the problem is to switch to a new software model. None of the players out there are suggesting a new software model. Why? Because they don't really understand the problem. That's why.
In the first post in this discussion, I explained what I think the computer industry and the government should do to create a final solution to the software reliability crisis. If NITRD is interested, they should contact me. However, considering that NITRD and every other entity in the federal government are probably infected with the same boomer geek mentality that gave us these crises in the first place, I am not holding my breath.
I think I have said all I needed to say in this forum. Good luck to you all.
Excellent point! I'd suggest one twist: switch to new software and hardware models.
This isn't a new theme. Many will recall an icon of broad technical excellence who contributed much to National Security, Dr. Rod Sorkin. When he left NSA and became a consultant, the Presidential Decision Directive on Critical Infrastructure Protection had just come out. Synopsis of Dr. Sorkin's advice: we need to consider building all critical IT components and security solutions using a non-Von Neumann architecture.
Whether that's the specific right choice or not, the current rate of tech refresh and layered functionality probably makes considering the switch to new models more feasible than 'twas a decade ago. Parallel research tracks in software and hardware, grounded in frequent proof-of-concept pilots and sound analytic models, could transform the cyber world before the end of this decade.
Please find enclosed a consolidated list of collective comments to the R&D Themes. The comments have several authors, and are combined in one document for the sake of simplicity. Please don’t hesitate to contact me if there are any questions. Apologies about the late delivery of these comments.
Microsoft is pleased to provide input to the White House Office of Science and Technology Policy and to the Federal Networking and Information Technology Research and Development (NITRD) Program for the public comment opportunity, “Toward a Federal Cybersecurity Research Agenda: Three Game-Changing Themes”. Cybersecurity is an important part of the foundation of the world economy and a critical element of the defense and security of the United States. It is crucial that quality research on real problems be conducted by outstanding researchers and that the best of this research become the focus of commercialization by US industry.
We’ve included two attachments. The first is our specific Federal Cybersecurity R&D themes input and the second attachment is a supporting Microsoft R&D paper as described in the R&D input paper. This particular paper isn’t publicly available on the Internet so we’ve attached it here.
We look forward to possible future discussions on the Federal Cybersecurity R&D themes.
Very Best Regards,
Patrick W. Arnold
Chief Technology Officer
[Reposted by NCO Staff on behalf of Patrick Arnold]
Your ROI formula is one wacky, strange and, you'll notice, flawed formula. Once you eliminate the redundancy in it you end up with ROI = gain divided by cost. It's typical of MS bloatware, but funny nonetheless.
It's great you tell the government to stick to R&D and leave you to do the implementations.... ROFL.
It's great you forced the government to not make you liable for your crappy software in the event it is used in (terrorist) cyber crime.
It's great you only deal with (your) vendors and suppliers and not real people or groups that can help improve security.
And putting forth a document that actually reiterates what the NITRD have already put together and asked for is like a child explaining to an adult what the word trust means, when clearly we/they know. I can't believe you actually say we need to work on architecture, metrics, code and binary analysis, which as you know this forum is about addressing. We are saying you need to do it... you don't need to say someone else needs to do it..... YOU are the one writing the software..... YOU are the one that needs to include metrics in your software for people. You are the one that needs to put together a new architecture.... YOU not us... YOU.
Damn, I hate the stupid Microsoft people. This Patrick has got to be the stupidest CTO I have ever come across.
I can think of many metrics that would be useful in your OS. I can think of many improvements in your OS, and architecture changes and responsibility changes, that would reduce the majority of problems in the world. What I won't do is put a document together telling someone else to do it.
You telling people that signatures are reactive really drives smart people (like me) crazy. Activation codes and worms etc. aside, I'm sure you can eliminate all application issues by buffering all network access through an abstraction layer. This abstraction layer would be a single point of failure that can be updated, but would be a single focal point for ALL applications on top.
The ISO 7 layer model just needs to be modified because it's great for individual application development but also great for individual application attacks.
Did that take long to think about.... no, but probably less time than it took for you to copy and paste a document you never read.
Yeah. I was not going to post anything else to this forum but I just have to chime in here. Microsoft does not have a leg to stand on. They almost singlehandedly invented insecure computing. They are as clueless as can be on this issue. Windows will never be secure. But then again, neither will any current OS.
There is only one solution. We must reinvent the computer and begin immediately by replacing all critical nodes on the net with truly secure systems based on deterministic timing and a reactive, signal-oriented software model. Anything else is cr@p. Sorry to be so blunt.
I spoke to MS about improvements to their product and you know what they said back.... lol. (Including forming a business to research and prepare a proof-of-concept for them.)
They informed me they only deal with their vendors and suppliers and that I can look at their jobs site to see if anything suits me.
They have NO interest in dealing with cyber-crime and I got that directly in an email from them. (Not unless you have lots of money or they own you.)
They want someone else to do the RFCs that they can implement if you like with their curious ways, but they themselves don't want to do any RFCs about their product.... because they know they can point out billions of flaws people missed.
Unfortunately this forum group from NITRD is now all MOOT and a waste of time, as you can see from the glimpse of their response further up. It's strange they don't spell it out to them; rather they say we are happy to work with them. You can interpret this to read we are happy to sit back and see you do all the work for our software, because legally we don't have to.
Super constructive feedback Matthew --or as my children would say "NOT". And the personal attacks are fun to read as well. I sure hope the government is gaining lots of insight from this forum including all of the negativity you seem bent on injecting into the discussion.
You seem to understand jibber-jabber quite well and as such I'm sure you are well meaning, or not.
I'm sorry if you felt you were singled out at Microsoft... (joking)
While I will never get a straight answer for any question, because you'll evade, feeling you would be quoted out of context or worse, I will say these rhetorical words.
Who understands operating systems better than the premier operating system developers? Therefore, who in your mind should be able to put together new operating system architectures?
While the Government is unlikely to develop software directly, you out-of-hand told them to stick to research, while the Government is looking for more of a partnership. Governments will know more about security and threats (to a country) than any single vendor, hence they can provide a stronger base for partnership.
Why does your company dismiss out of hand ideas, concepts and people willing to go half-way with you and present ideas, methods and new strategies, without you saying they must be a vendor or supplier? Apparently you like innovation yet aren't willing to look at it.
There are lots of smart people in the world with no money to build a business to provide a proof of concept for new ideas... and as you know it is impossible to get any funding for these types of things. Very few ideas get into production at all and that's basically down to persistence and lots of luck.
So why not add a new direction.... remember those Windows 7 adverts.... "I'm a computer and Windows 7 was my idea".... meaning you want people to take part in your future.... well, now's your chance. Allow people to create documents and present their ideas to you in an NDA environment, where you provide the funds for patents and further analysis of the ideas, and the originator gets the recognition and ownership of any patents, while you have exclusive use or resell the use.
Would you not get people thinking Microsoft really is interested in what people have to say?
All that's needed is a fund that gets an idea started to a feasibility stage, whether on paper or a working prototype. You could provide each idea, say, 8 months of funding and at the end of that you could decide its usefulness. Remember, people are trying to go half way with you.
You're probably thinking why should Microsoft do any such thing, seeing as the world works perfectly fine as it is. Well, if that were so, you wouldn't have so many people complaining about the current state of security in their nations and a government pleading with you to look at new ideas....
Dear Honorable, Esteemed, Notable National Coordination Office (NCO) for the Federal Networking and Information Technology Research and Development (NITRD) Program Interagency Working Group Officials,
In relation to the three themes encompassing the Work Group, I must state that they may be better arranged as listed below within this post. This comes in lieu of being established to facilitate both interagency coordination and policy implementation, both foreign and domestic, within The United States White House Office of the Cybersecurity Coordinator, in relation to the following three areas of concentration or concerns.
Information Assurance Engineering Sciences
Mr. Garrett Hord
Computer Security Specialist
Greetings Russell, I think that your ideas are certainly on the right track! Your discussion around the economic incentives is very much in keeping with approaches that are being advanced by the Administration and elsewhere. I would add that some of the challenges ahead include leveraging some of the best practices and approaches being advanced by others who are working to find solutions in this space (e.g. DHS ITSCC, ISA, and others) and defining some solid long-, mid- and short-term objectives that will help the community know when we are making progress. Thoughts?