Posts Tagged ‘TIC’

Choose the battlefield

July 13, 2009

By: Tim Cronin

PC World’s Jaikumar Vijayan recently reported on the attacks against US government public information infrastructure.  In the article, Karen Evans, a Bush administration Information Systems executive outlined what she thought should be fast-tracked.  It includes using TICs (Trusted Internet Connections) for all public infrastructures.  This would include making sure that the internet connections for public access are consolidated and then served by only trusted parties.  In my calculations, this has many benefits with only one glaring weakness.

What happened?

A single quote of the story stuck out.  “the most important lesson learned is that many federal agency security people did not know which network service provider connected their Web sites to the Internet,” said Alan Paller, director of research the SANS Institute. “So they could not get the network service provider to filter traffic.” That quote takes my breath away.  If this is accurate, then the preparedness of network security for the government’s infrastructure is simply not up to par.  There is not much else that can be said.  What are we as a community to do?

Choose the battlefield. 

Often used as a text of inspiration to security professionals is Sun Tzu’s “The Art of War”.  There are two quotes that are relevant to this discussion.  “…And therefore those skilled in war bring the enemy to the field of battle and are not brought there by him.”  And “The art of war teaches us to rely not on the likelihood of the enemy’s not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.”  The lessons of Sun Tzu show that we want to essentially choose the battlefield and lay in wait for an attack.  We want to be wise about our battlefield and prepared for the enemy.  Using the TIC approach is similar to how the Spartans chose the battlefield for the battle of Thermopylae.  They chose a small gorge that a small force could successfully defend and then they put up the biggest fight in history.  This is the idea behind the TIC.  Secure the path to the prize.  When you secure the only way to get to the servers, you secure the servers.  At the moment, the servers are too distributed to mount an effective defense.

Weakness?

The only glaring weakness that I can calculate is that this can easily turn into a bureaucratic nightmare resulting in weak TICs.  Weak TICs will result in a much wider path to the prize (what if the gorge at Thermopylae was twice as wide?). 

 TICs will have to comply with some standard.  Not only that, but likely the TIC will have to be the lowest bidder on the project.  So what are the standards?  Will they be robust enough?  Will the lowest bidder do just enough to get the grant?  Will the lowest bidder have qualified personnel?  Will there be a process that the TIC and government will need to follow that essentially slows response time?  All these are questions that should be answered among many more.

Advertisements