At 10:28 AM 10/8/96, Bob McKisson wrote:
>>I wish they'd publicly release their reports on Sidewinder, too.
>Doubt it will happen during your career Rick. Unless Congress and the DoD
>rewrite the rules, NCSC's refusal to endorse Sidewinder is a good business
>lesson for those who might be thinking about looking to the Department of
>Defense for financial support in commercial product development and then
>look again to the DoD to endorse what it funded.
Just as a clarification, Sidewinder development was *not* paid for with
Government funds, just good old fashioned venture capital. And it *is*
typical of buyers to not release independent evaluations they've paid for.
Bob is probably aware of this, but it wasn't clear from the above
>...the notion of establishing an industry driven, government
>supported organization to get a grip on rules, standards, criteria, etc., for
>approval, and certification of commercially developed information security
>systems, products and services, ... The proposed
>organization, called the ISSB or Information Systems Security Board already
>is in trouble on two primary issues:
>First, coming up with an acceptable business model to fund and manage the
>organization will be a real exercise...as is the case whenever you attempt
>to get a consensus of a number of powerful agendas not the least of which
>is the USG.
No surprise here.
IMHO the commercial world will take care of itself. I find it interesting
to watch just how slowly these highly touted Public Key Certification
Infrastructures are growing -- businesses are cautious perhaps because of
the uncertain liability situation. They are not being foolish by being
>Secondly,(and this will bring some of you out of your chairs), apparently
>the biggest impediment to getting the ISSB off the ground is that some
>influential folks feel that putting up the effort and expense is not
>justified by the size and nature of the threat.
On the military/government side, with NIPRNET and SIPRNET, I'm a little
more surprised, but not too much so. We can theorize about threats all day
long but until people start attacking it's hard to tell how to protect
yourself in a cost effective way. I guess it's like advertising: 50% of the
cost is wasted, but you rarely know which 50%.
There are interesting parallels with the history surrounding Pearl Harbor.
They made an honest effort to protect against their highest priority
threats: they just picked the wrong ones. Speaking from inside a vendor
organization I have to say I'd love for them to spend money in some
defensive direction that includes our products. But given the absence of
real "infowar battles" to study, I can appreciate their reluctance. The
best I hope for is that the DOD will be "embarrassed" into installing
stronger defenses (like what we offer) given the example of the DOJ, CIA,
and Dole campaign.
Secure Computing Corporation