America enlists Big Tech to help it develop and execute cyber security plans

The United States' Cybersecurity and Infrastructure Security Agency (CISA) has announced the "standup" of a body called the "Joint Cyber Defense Collaborative" (JCDC) that it hopes will spark ideas for new and improved national responses against electronic threats. The aim of the effort is to get the private sector working …

  1. YetAnotherJoeBlow Bronze badge
    FAIL

    Here we go again...

    Great, let's let those companies who have failed us time and time again, sometimes deliberately, design a system to protect us all. Great!

    "CISA plans to expand the group's activities over time and will enlist more private sector partners to help as and when needed."

    Albeit always not needed. Would it not be superior to get the security community involved from the beginning instead of head slapping later?

    What is their absolute aversion to getting help from the security community? I know folks who are every bit as good - and better than the corporate "experts." Until they significantly open this process up to enable "participation," this will just be more theatre with the same tired predictable result - FAIL.

    After all, is that not the expectation?

    1. amanfromMars 1 Silver badge

      Re: Here we go again...

      What is their absolute aversion to getting help from the security community? ..... YetAnotherJoeBlow

      That question can be easily answered, YetAnotherJoeBlow. Too many unpleasant and self-defeating secrets are exposed to untested and unvetted second and third parties regarding established systems attempts to secure the exclusive means required to deliver an inequitable overwhelming advantage controlling power and energy rather than having anything at all to do with the provision of security itself per se, although of course whenever such can be supplied is security also thereby provided.

      The well trodden paths of a RFP/RFI/RFQ/RFT ....[A request for proposal/information/quotation/tender is a document that solicits proposal/information/quotations/tenders, often made through a bidding process, by an agency or company interested in procurement of a commodity, service, or valuable asset, to potential suppliers to submit business proposals/information/quotations/tenders] ..... are a popular tool engaged to wean/extract/discover what is available in the wider market space for copying if at all possible or purchasing if made available and suitable for sale.

      The difficulty though which creates more than just a few irreconcilable differences and many a great problem for some, is whenever the information that will be shared is of such an explosive nature and highly sensitive significance as to be best deemed totally unsuitable for general knowledge because of the catastrophic damage to established systems which can be so easily wrought with it, .... and which can so easily still be wrought with it, even whenever only a very few would know of it.

      Such are ........ well, Greater IntelAIgent Game Changers do them justice.

    2. Lil Endian

      Re: Here we go again...

      YetAnotherJoeBlow: "sometimes deliberately"? Often deliberately.

      I agree with the selection of involved organisations being biased.

      How about they add a few more such as: Amnesty International; Internet Security Research Group; Center for Democracy & Technology; Demand Progress; Fight for the Future... well, there are tonnes.

      [Disclaimer: I don't know if any of my referenced orgs are subverted. I hope there are some that are not. I'm just making the point.]

    3. hoola Silver badge

      Re: Here we go again...

      Yes but it then means the pen-pushers and policy makers can all have a warm-fuzzy-feeling thinking that everything is now completely secure.

      I am not sure that the poacher turned gamekeeper analogy really works with these companies.....

  2. Pascal Monett Silver badge

    "develop and implement better cyber security plans than are currently in operation"

    How about the US military start by upgrading its IT to 2020 standards?

    Don't they still have XP machines on the network, or is that old news now?

    1. Anonymous Coward

      Re: "develop and implement better cyber security plans than are currently in operation"

      Years ago I worked at a big aerospace company. We were going for List X certification and had spent a lot of time, effort and money on the system, policies, testing and training so we thought we were well prepared. When the review team turned up one of the first things they said was that there were too many gates and doors on site and that one of the doors was too close to parked cars. If we thought that people were pissed off with dongles and new password policies then it was nothing when we permanently locked some external doors and people had to walk a hundred yards or more to their cars which previously had been less than 20 yards away.

      The point I'm making is that security isn't just about the tech stuff. You're correct about XP and unsupported kit, of course, and good IT kit, policy, process, etc. will help and certainly limit the impact of any cyber hits, but the primary access point for cyber attacks, theft and espionage will always be people and poor physical security, no matter how good the IT is.

  3. HildyJ Silver badge
    FAIL

    Yet another whitepaper

    CISA and the rest of the group are very experienced at creating whitepapers which is what we will see in a year or so.

    The only actionable item will be an increase in funding for CISA and its contractors.

    What will be missing is any recommended legislation or regulation which will mandate that companies do something and which will hold the Executive Management and the Board of Directors personally liable for failure to do the mandated items.

  4. Unbelievable!

    Security for security's sake - a self fulfilling nightmare

    "...security isn't just about the tech stuff."

    There is also the phenomenon of "security for security's sake." As a Reg article I read (a very long time ago) suggested, security efforts were often complex, expensive and just for 'show'. And it was wise reporting. Sorry I can't find it right now. Anyway, I'll say why the article was correct and summarise.

    When your budget is super tight, manpower overstretched, skillset limited, you have few options.

    But the essence is simple:

    Harden the business critical, but don't harden the difficulty in applying it.

    What is critical? All data. But namely email, finance, CRM and product related databases. Everything else can be reinstalled etc.

    HARDEN FROM IN TO OUT. Protect your CORE. Necessary access only. Grow the hardening OUT and only add authed users as required.

    Too many throw up arbitrary ring fences on remote access and closing a few ports, but this is lazy "keep the punters happy" style. It should come later. The CORE of your business needs to be solid. Especially backing up and TESTING BACKUPS and failover, frequently. DR starts from the same place: the core of the business. It should be the same for protection.

  5. amanfromMars 1 Silver badge

    What Factors/Vectors Distinguish and Define a Confidential Collaboration from a Criminal Conspiracy?

    For some of the latest news on JOINT AIdVentures, please see https://forums.theregister.com/forum/all/2021/08/06/edge_super_duper_security_mode/#c_4310897 for more escaping details.

    1. Cliff Thorburn

      What Factors/Vectors Distinguish and Define a Confidential Collaboration from a Criminal Conspiracy?

      “The best way to predict the future, is to create it” - Abraham Lincoln

      1. amanfromMars 1 Silver badge

        Re: What Factors/Vectors Distinguish and Define a Confidential Collaboration

        “The best way to predict the future, is to create it” - Abraham Lincoln ... Cliff Thorburn

        Quite so, CT, it is no more difficult than that. And what does everyone on Earth presently think IT and AI and Networks InterNetworking JOINT* Applications. … NINJApps for Joint Operations Internetworking Novel/Noble/NEUKlearer HyperRadioProACTivated IT Technologies ..... are primarily for? Fun and Games or something else altogether considerably more engaging and entertaining and exciting and exhausting and exorcising?

        Words Create, Command and Control and Destroy Worlds. Share Strings of Them Wisely is Perfect Advice. ....... https://forums.theregister.com/forum/all/2021/08/06/edge_super_duper_security_mode/#c_4310344 ..... is similar sound counsel re Special Deliveries, and especially so whenever unwrapping and dealing with those unexpected magical parcels courtesy of Special AIdDeliveries of Advanced IntelAIgent design beta trialing and trail blazing Strange Alien Phorms.

        Surely Humanity does not expect the Future to be like the Present with just Ignorant Conflicted Clones of the Past available for Virtually Augmented MetaPhysical Realisation/Practical MetaDataBase Construction and Remote Creation ‽ .Surely they must have picked up some heavenly skills over the millennia ‽ . Or are they naturally retarded and of limited intellectual and metaphysical ability and/or simply plain lazy and totally unaware of the Universal Virtual Forces and Immaculately Resourced Assets available to them which abound and found new life around them?

  6. A random security guy Bronze badge

    Big Tech will not help with security

    You have hundreds of billions of cash flow; this security thing will slow it down. Are you going to give up a billion to protect people?

    Big Tech is responsible for the mess.

    Microsoft: single handedly responsible for helping create the virus infrastructure and supply chain. They changed only after the DoD refused to buy their software. They made sure that there was a huge malware business model that survives in spite of all efforts to squash it. It is simply too big.

    Google: Android and their App Store are the single biggest source of mobile malware. They may have changed their ways a bit but not much.

    Apple: Closed world. Doesn't help the security community find issues. They try to make some noise about it but it is not in their DNA.

    Facebook: Zuckerberg comes and personally demands that security controls be taken off. Security and FB are poles apart.

    Cisco: For years they had backdoors, badly coded software, extremely bad admin authentication.

    Intel: Their security engineers knew about the pitfalls in their speculative instruction execution. The performance guys rule, however.

  7. Anonymous Coward

    Hypocrisy Writ VERY LARGE...................

    Quote: "...prevent and reduce impacts of cyber intrusions...."

    *

    .....what about the proposed "cyber intrusion" into my iPhone....as Apple deploys AI (allegedly!) to look for kiddie p**n!

    *

    If the US government were to get hot and heavy about that "cyber intrusion", then I will be mightily impressed!

    *

    I guess a lifetime is too long to wait!!

    *

    Ref: https://www.theregister.com/2021/08/05/apple_csam_scanning/

  8. Tron Bronze badge

    Creating a military-industrial tech complex.

    What better way to get back doors in everything and Apple-style autoscanning into OSs, webmail and social media.

    You really will have an Orwellian telescreen then.

    Guess what OS Brexit command are using on their Dell boxes and iThings as they negotiate for a US/UK trade deal: An American one, an American one, or an American one?
