RE: [iwar] 21 club

From: John Sforza (jsforza@rochester.rr.com)
Date: 2001-07-24 07:51:26



Thank you Fred, much more elegant than my words.

-----Original Message-----
From: Fred Cohen [mailto:fc@all.net]
Sent: Tuesday, July 24, 2001 09:51
To: iwar@yahoogroups.com
Subject: Re: [iwar] 21 club


Per the message sent by John Sforza:

> > > e.r. says:
> > > "Most of its members are without a clue on IWAR and cyber-terrorism, and
> > > the firm which they ran have all been victums[sic] of cybers attacks
> > > already."

> > Jim Says
> > ..and your justification for this opinion is...? What substantiates the idea
> > "21 CEOs" are worse than what currently exists?

> John Says:
> Among those individuals with enough 'name' to be taken seriously by private
> and government entities, who hasn't had an experience with some form of
> cyber attack. As to 'clue' these individuals need to lead the process - not
> fight in the trenches and that requires vision. Perhaps a new set of
> viewpoints would be productive. On the other hand I am reminded of the poem
> 'The Blind Men and the Elephant' by John Godfrey Saxe (with credit of course
> to its Indian origin), it will be very difficult (Fred, how about a
> probability model of group consensus here) if not impossible to define and
> drive an effective cyber security policy without a dominant leader and I am
> not sure that Condoleezza Rice can provide that among other
> responsibilities. I also have reservations regarding an 'all Federal' group,
> let's let everybody play. Bottom line - 21 individuals in a room is either a
> cocktail party or an unlawful assembly.

Fred Says:

[2^(i pi) / 17^23] /273.44323 = nothing of value.

As far as I recall, the ideal size for a group in order to be effective
is on the order of 4-7 - one of the reasons we choose groups of this
size for most projects (or chunk the projects into this many subgroups
- recursively).  A manager can supposedly manage 20 people effectively -
so Condo should be able to handle that part of it.

Without these agencies represented you are unlikely to have the
consensus you need to get things to work in the government anyway, but
that isn't really the issue at all and never has been.  They were all
consulted (for certain) by Mr.  Clark.  The issue is whether Ms.  Rice
can effectively deal with this issue at this level while also dealing
with the many other issues she has to deal with.  She could presumably
manage 20 people if that was all she was doing - but it's not.  The
question is whether the US needs a single, full-time top-level manager
in charge of this issue.  Bush thinks not.

My experience and the history of the last many years has shown that
companies and organizations that do not have a high quality top level
person in charge of this function tend to have poorly coordinated
programs and tend to be less efficient, less effective, and more
susceptible to high consequence incidents.  For effective organizations
this spreads down the organizational structure recursively so that
something like 5% of the IT effort is oriented toward information
protection.  In other words, if the US government had a CIO, 1 of the
20 people reporting to them should be a top-level full-time information
protection manager.  This should hold for every other level of
management and staff involved in using computers to do their jobs.

So if there were 40 million federal employee hours per week spent using
computers, there should be 2 million employee hours per week spent in
information protection.  This figure includes systems and network
administration tasks as well as 'computer security' tasks - which can
not realistically be separated.

Just my view.

FC
--
Fred Cohen at Sandia National Laboratories at tel:925-294-2087 fax:925-294-1225
  Fred Cohen & Associates: http://all.net - fc@all.net - tel/fax:925-454-0171
      Fred Cohen - Practitioner in Residence - The University of New Haven
   This communication is confidential to the parties it is intended to serve.
	PGP keys: https://all.net/pgpkeys.html - Have a great day!!!


------------------
http://all.net/

Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/







This archive was generated by hypermail 2.1.2 : 2001-09-29 21:08:37 PDT