Fresh Defense


DHS Hiring Spree

Posted in Current Events, Editorial by xoren on December 14th, 2009

The DHS is indeed committing to hiring 1000 clearable US citizens over the next three years. If you’re interested, you can “attend” their cyber job fair:

http://www.dhs.gov/xabout/careers/cyberjobfair

They are looking to fill these types of roles:

  • Cyber Incident Response
  • Vulnerability Detection and Assessment
  • Networks and Systems Engineering
  • Cyber Risk and Strategic Analysis
  • Intelligence and Investigation

I’m glad that this amount of hiring is happening, but I’m still unconvinced that this will bring DHS (and the American people) 300 high-quality cybersecurity professionals per year. I’m guessing 80 to 90 percent of the hires in any given year will be trainable Computer Science and/or Computer Engineering B.Sc. students — those who can gradually obtain cybersecurity skills over the course of their government careers. And that’s not necessarily a bad thing, except that in three years, the US cybersecurity defense posture and capabilities won’t be measurably improved.

One thousand extra people does not translate directly into an improvement — not at the rate at which network traffic flows, attacks and exploits of software vulnerabilities happen, the complexity of real systems software increases, new technologies come online, etc. Most of the roles that DHS is seeking seem to be more on the strategy end of things rather than the tactics or operational side of the house — and I see that as a good thing, but it’s easy to misuse a sudden influx of manpower on the tactical side, even if they’re initially meant to have a strategic, forward-looking focus.


Information Considered Harmful

Posted in Current Events by xoren on December 9th, 2009

It looks like a manual containing information about TSA screening procedures has been posted to the web (with yet more poor redaction — will they never learn? Actually, software vendors should really improve their redaction function to eliminate all versions of sensitive info from the given file, and prove it to the user).

http://us.cnn.com/2009/TRAVEL/12/08/u.s.tsa.training.manual/index.html

Although most quotes in the above article express alarm and frustration at the release of this “sensitive” information, and the TSA claims that the information about procedures is “outdated” and “unimplemented” (which I see as simply a thin way to re-create some uncertainty in an attacker’s mind), I see this sort of release of information as a good thing: it lets the traveling public understand the actual level of security the TSA achieves rather than some vague, fuzzy notion of safety.

Responsible or ethical disclosure of information (be it vulnerabilities, exploits, proof-of-concepts, proprietary or confidential information, etc.) has long been a favorite sawhorse and controversial subject in the information security community. At least some forms of whistleblowing have some public value, and in general I think more information is a good thing.

The key question, however, is this: if indeed the act of creating uncertainty in an attacker or adversary’s mind has value, why does it have value and how can we measure this value? Although security through obscurity is an oft-derided “technique” (even that word gives it too much credibility as a defensive mechanism), keeping secrets has arguably had at least some value in a variety of contexts (mostly espionage or military operations). The problem, of course, is measuring how much your ability to keep information secret has limited the enemy’s options, and so counterintelligence is needed. Such active techniques, however, seem distasteful as an academic research area, since presumably many of the techniques would require attack techniques, and thus some loss of moral authority (hey, we’re not the “good guys” anymore).

Followup & Updates: (added 9 Dec)

CNN has a followup: some heads rolled (predictably — this is a terribly MAJOR BREACH of national security).

http://us.cnn.com/2009/TRAVEL/12/09/tsa.training.manual/index.html

A good article from Wired:

http://www.wired.com/threatlevel/2009/12/tsa-leak/

The Wired article has a link to an Adobe guide to “proper” redacting techniques.

Finally, those wishing to actually read the manual can download it here:

http://cryptome.org/tsa-smoke/tsa-smoke.htm
