This makes yet another year I didn’t make it to DEFCON, the longest-running hacker conference now in its 15th year. Which is unfortunate, because I really would have loved to have been at the opening speech at the Black Hat Briefings, held just prior to the main event this weekend, and at which the National Security Agency got up and asked the hacker community for help.
Tony Sager, chief of NSA’s Vulnerability Analysis and Operations Group, addressed the crowd Wednesday, saying that IT security and information assurance is now too big a problem for government to solve on its own.
As part of its information assurance mission, NSA participates in various computer security initiatives such as the Common Vulnerabilities and Exposures security vulnerability index and the Department of Homeland Security’s Security Content Automation Program. NSA also publishes security configuration guides for various operating systems such as Windows Vista and Mac OS X, as well as SELinux, a version of the Linux kernel with improved security.
“We’ve got to figure out how to solve this problem with solutions that scale across the entire community,” Sager said. That means his agency has to bring its information to the table and find common ground with the private and academic sectors. “‘We’re from the government and we’re here to help’ doesn’t work with this crowd.”
Although much of NSA’s work remains secret, Sager’s group is a reflection of the need to develop open and standardized security and research practices.
When he began working at NSA in 1977, “it was a dramatically different security problem,” he said. IT security was a government monopoly. “The government owned the problem” and could control the technology. “Those days are over.”
NSA has struggled with the change in culture. “But you have no choice but to be concerned about the security of commercial products” over which the government has no control, Sager said. “We changed the way we behaved” to gain the trust and cooperation of the security research community. — Government Computer News
I’m always amazed on those rare occasions when government actually admits that it can’t do something. Government can’t really do much of anything very well, though it hates to admit it. Anything government isn’t doing means less taxpayer money lining bureaucrats’ and contractors’ pockets, and what government isn’t doing gets done better.
I just wish I could have been there to see it myself. Unlike last year, I could easily have afforded to go, but I waited too long to get my travel plans in order. Oh well, there’s always next year.
(Hat tip: Fergie’s Tech Blog)