
The Chinese are at it again. Canadian Business Online reports that the Chinese government has now required Chinese banks to stop using foreign information security technology. You’ll find another good review of the regulation here at SiliconValley.com. The program is called Multi-Level Protection System (MLPS). From these early reports, it’s hard to tell whether the Chinese government is genuinely concerned with foreign government spying or if this is just another effort to protect their own technology sector. The articles did mention Cisco a lot, but I assumed that it’s because Huawei (a Chinese competitor) is getting deeply into the firewall business. I expect that we will know more as the full story is reported in the media.
Before anyone gets too worked up about this, let’s remember that this type of thing happens all the time and in every major nation on the planet. I personally remember conversations with several security pros in the U.S. government who described a quiet effort by a U.S. security agency in the 1990s to curtail government use of a firewall technology built overseas. We all know that the French required that encryption technology sold in France include keys so that government agencies could decrypt all traffic. For a long time it was against the law to sell encryption technology in South Korea. It is also very similar to the dispute between RIM and the governments of Saudi Arabia, Dubai, and India, don’t you think?
In this country, we often require that companies providing technology to the government make that technology inside the USA. Our government also requires that U.S. banks use approved U.S. algorithms for encryption and data protection. Finally, we have the International Trafficking in Arms Regulation (ITAR), which restricts technology that can be exported to other nations. That’s been in place since 1976 and China was embargoed for a long time under ITAR.
And if we go back even earlier in the history of information security we could talk about the debate that raged around the crypto key length of the original Data Encryption Standard. At the time it was rumored that the key length had been shortened from 64 bits to 56 bits, simply because the NSA did not have the computing power to effectively decrypt messages with a 64-bit key. This is purely rumor, but I’m sure someone inside the People’s Republic is well acquainted with these restrictions on the use of security technology.
As they say: “What goes around, comes around.” So it’s reasonable to expect that the Chinese would also try some form of prohibition on the importation of security technology. I only hope that their leaders will look back on all of these prior efforts and realize that these kinds of trade barriers hurt competitiveness and technology adoption. I hope they will realize that general prohibitions are generally unproductive. Otherwise they may spend several years and several billion dollars, while their own suppliers make the mistakes and learn the lessons of this industry.
Jim Molini, CISSP, CSSLP
I’m doing part 2 of my review of the CSIS paper on the human capital crisis in IT security. I think anyone who’s ever participated in development of a certification program has dreamed of the kind of certification they describe in this report. Wouldn’t it be great if we could build it and develop a group of world class security gurus? This is the kind of “build it and they will come” scenario that makes me think of cornfields and Kevin Costner.
However, I was surprised that the authors of this report could look at all of the certification work done over the past 20 years in the security profession and declare it “dangerous.” In response, the commission would create a brand new organization that could start from scratch and come up with a technical certification program that would meet the needs of a diverse federal workforce. As someone who was deeply involved in the design of the CSSLP certification, I can assure them that the devil is in the details. Any one of the listed organizations could have built a certification program like the one described, but they didn’t. There’s a reason for that.
Having worked on both the CISSP and the CSSLP I have also yearned for a more technical exam, possibly with code analysis. I didn’t get what I wanted when we developed the CSSLP, but I’m now willing to admit that I could have been wrong in my initial assessment. Although most technical security people will tell you that they’re happy to test their skills against a standard, it’s extraordinarily difficult to put a standard test onto paper (or into bits). Then, how do you build equivalent tests using both Windows and Linux, or C++ and Java? When you pair the subject matter experts up with the psychometricians, the discussions get messy.
IMO, the closest anyone has ever come in the federal government to this kind of program is the ISSEP concentration, started in 2004. The ISSEP is a coordinated security concentration between the (ISC)2 and the US National Security Agency. It is a very tough concentration that tests candidates across a range of security engineering functions. Incidentally, it also requires the CISSP as a base certification before a candidate can request the concentration. It’s a very difficult technical program to complete and I wish the authors of this report had spent some time studying the lessons from the ISSEP.
So, in order to get this out onto the blog, I’m going to stop by asking 3 questions:
- Did the committee perform an evaluation of the legal ramifications of this type of certification in the federal workforce? If so, we should hear more about this in the report.
- Did the committee look at lessons from the existing ISSEP program? There was no mention of this program in the document, so it would help to hear about direct experience with a program that most closely matches the one they describe.
- At least 10,000 highly skilled intrusion analysts have passed through the SOCs of the federal government in the past 15 years. If we have fewer than 1000 today, why did so many of them fall behind the technology curve? If there is a half-life on deep security expertise, we should consider addressing that issue before training another 10,000, shouldn’t we?
That’s my take on the issue – in two installments. I hope that the authors will take some time to take a closer look at the problem. If you think I’ve missed something, please add a comment and we can talk.
Best,
Jim Molini, CISSP, CSSLP