At 10:28 AM 10/8/96, Bob McKisson wrote:
>>I wish they'd publicly release their reports on Sidewinder, too.
>
>Doubt it will happen during your career Rick. Unless Congress and the DoD
>rewrite the rules, NCSC's refusal to endorse Sidewinder is a good business
>lesson for those who might be thinking about looking to the Department of
>Defense for financial support in commercial product development and then
>looks again to the DoD to endorse what it funded.
Just as a clarification, Sidewinder development was *not* paid for with
Government funds, just good old fashioned venture capital. And it *is*
typical of buyers to not release independent evaluations they've paid for.
Bob is probably aware of this, but it wasn't clear from the above
paragraph.
>...the notion of establishing an industry driven, government
>supported organization to get a grip on rules, standards, criteria, etc., for
>approval, and certification of commercially developed information security
>systems, products and services, ... The proposed
>organization, called the ISSB or Information Systems Security Board already
>is in trouble on two primary issues:
>
>First, coming up with an acceptable business model to fund and manage the
>organization will be a real exercise...as is the case whenever you attempt
>to get a consensus of a number of powerful agendas not the least of which
>is the USG.
No surprise here.
IMHO the commercial world will take care of itself. I find it interesting
to watch just how slowly these highly touted Public Key Certification
Infrastructures are growing -- businesses are cautious perhaps because of
the uncertain liability situation. They are not being foolish by being
cautious.
>Secondly, (and this will bring some of you out of your chairs), apparently
>the biggest impediment to getting the ISSB off the ground is that some
>influential folks feel that putting up the effort and expense is not
>justified by the size and nature of the threat.
On the military/government side, with NIPRNET and SIPRNET, I'm a little
more surprised, but not too much so. We can theorize about threats all day
long but until people start attacking it's hard to tell how to protect
yourself in a cost effective way. I guess it's like advertising: 50% of the
cost is wasted, but you rarely know which 50%.
There are interesting parallels with the history surrounding Pearl Harbor.
They made an honest effort to protect against their highest priority
threats: they just picked the wrong ones. Speaking from inside a vendor
organization I have to say I'd love for them to spend money in some
defensive direction that includes our products. But given the absence of
real "infowar battles" to study, I can appreciate their reluctance. The
best I hope for is that the DOD will be "embarrassed" into installing
stronger defenses (like what we offer) given the example of the DOJ, CIA,
and Dole campaign.
Rick.
smith@sctc.com
Secure Computing Corporation