IMO now is a good time to review how we are doing as an industry, fulfilling our destination (that is, securing).

On Jone 2003, Gartner declared that IDS are dead and “recommends that enterprises redirect the money they would have spent on IDS toward defense applications such as those offered by thought-leading firewall vendors that offer both network-level and application-level firewall capabilities in an integrated product.”

6.5  years later, are we there yet?

Then once a pigeon is felled, the trained hounds are released. These specially trained hounds find the pigeon and bring it back into your castle unharmed and intact. Then, the pigeon is take to a special room where it is left to recover the effect of the drug. If the message carries the royal seal, which only your majesty wears, then it is reattached to the pigeon and sent – while a cryptologist reads the rest of the messages and deliver it to your majesty after it has been duly decoded.

After you get to trust our cryptologists, you may order them to perform an action on your behest your majesty, for example, to burn the message so it never reaches its destination, or to send it unharmed, based on its content. Some messages may not be of interest to your majesty, and may be taken to one of your trusted viziers for consultation to await their decision, so your majesty may be free to rule the kingdom. Others may be delivered to your majesty directly, while others may just be copied verbatim and saved for later reference.

My inbox today carried a fresh bit of news from CIO magazine. An opinion column by Eric Lundquist, labelled “We need a national CIO, not a CTO” stipulated that CIO are a better match for US national role than a CTO. To paraphrase Lundquist’s message, CIO’s are firmly planted in the business realities of the day, while CTO focus on technologies “looking for uses”. Reminds me of the old adage of “legs firmly planted” vs. “head in the clouds”.

I firmly disagree.

Now I understand that I read CIO magazine and that is why I received this message. I also assume that by the nature of politics, all kinds of special interest groups raise their heads, so I would expect a similarly opinioned “Shepard’s Weekly” would have discussed a similar topic ”We need a national shepard, not a CTO” and that the international association of circus performers would like to propose “We need a national court jester, not a CTO”.

Joking aside, Mr. Lundquist put forth some good arguments. He stipulated that CIO can better manage a project. That CIOs hold the business first and technology second. To quote “Technologists are great at creating new companies, new products and new markets. They are not great at orchestrating lots of conflicting opinions, managing projects or – especially in the political realm – settling on the best possible choice given budget constraints and political realities.”. Mr. Lundquist is correct, but altogether misses the point.

YAPM (Yet another project manager) is NOT what the US needs. In a former life I frequented Crystal City often. There were many project managers there. 25% of them were very good. 50% were mediocre. 25% were awful. But there were lots of them. They crammed public transportation, caused the beltway to jam, and filled the cafeteria’s at lunch. You could not throw a rock without hitting a project manager for some obscure government entity.

The US needs a future. To be driven, its future needs to be based on a seemingly unachievable target. We had been driven like that many times in the past. The US developed the trasistor and the chip (which 40 years later made our lives mobile). The external combustion engine for the torpedo (which crammed power into tiny spaces). Composite materials for space exploration (and which later improved our golf and tennis games). It was a government sponsored program (DARPA) that created the Internet. Not Google, nor Microsoft, nor Facebook. Nor was it rear view mirror preening dudes on Sand Hill road on their way to their ranches outside Bozeman in a well appointed G5. No. It was the government. And for all the wrong reasons. A lot of it was due to the US government chasing the Soviet’s dream of ruling space. How I miss the Soviet’s for that reason (if only for that reason!).

While both the technology industry and the venture capital industry oppose “leapfrog” technologies (they can ”eat your cheese” and thus risky for business and are difficult to predict and thus risky for VCs, respectively), the US government should indeed drive technology forward. But not on a predictable, linear trajectory, as Sand Hill road does with social networking and other “me too” technologies, but in a hockey stick fashion. Sending a man to mars. Cloning sheep. Really analyzing our climate. Teleportation. Whatever.

For that you need a visionary CTO with a set of brass balls. Not a Cisco kowtowing CIO. And to address Mr. Lundquist’s example of the revolving doors for the national cybersecurity czar: Nor does the standard Symantec or McAfee worshipping CISO make a good cybersecurity czar.

And to conclude, Eric Lundquist is, however correct (even if for the wrong reason) in identifying the fallacy in the current dredge of proposed CEOs. None of the proposed CEO’s is a visionary. Sure, they navigated their ships admirably through the murky tempramental waters of the American economy, but none have really shown a vision for disruptive innovation. They have been keen followers, seeking the market scouts and then bearing down upon their cheese with their mighty heft. Cheese snatching should never be confused with vision and innovation. For that you need the likes of J. Craig Venter or even some “down to earth” science fiction writers. People who’d invest even if the future is still murky and the benefits, for now, unclear.

/al

PS – The opinions expressed are my own. Not my employer’s, Barack Obama’s, nor Cisco’s. As an entrepeneur and business man, I like my customers to stick with me. I dislike churn, except my competitor’s churn. I therefore dislike the term disruptive.

But I also know that healthcare for generations X Y and Z, as well as fuel costs, etc. are liable to eat up a vast chunk of our GDP, and the only way to prevent that is to increase our GDP. To increase GDP we need disruptive technologies, techniques and methodologies. I also know that the linear thinking preferred by the bankers that manage industry in general favors baby steps within established markets and does not foster disruptive technology.

Hence the opinion piece.

But here is a real cool use of DLP to detect plagurizing of dissertations:
http://ondlp.com/?p=9#respond

Notes:
1. Really cool use of the fingerprinting technology
2. I did not know that Dave’s wife was a professor

/al

Now everyone knows (or should know) that the jury is out about the accuracy of lie detectors. Now why is that significant?

There are 4 possible outcomes of a lie detector test:

In the case of lie detection testing, the consequences of the “True results”:(0,0) and (1,1), the outcomes are appropriate. For example, the thief was caught and made to serve time. Or the person was acquitted or allowed to continue the hiring process.

However for the “false results”: (1,0) and (0,1), the outcomes can be devastating. Some of the most damaging spies that the world has ever seen (e.g. Aldrich Ames, Robert Hansen; See the rather opinionated https://antipolygraph.org/cgi-bin/forums/YaBB.pl?num=1123602616) routinely passed lie detector tests. Similarly, try to imagine a husband that just happens to be overly anxious about participating in the Fox’s ”The Moment of Truth” and is mistakenly ousted as having an extramarital affair. Try to imagine explaining that one to a tearful significant other (BTW – one reason to object to programmers’ decisions to broadcast these shows to a public that is ignorant of detection theorem and statistics).

The dilemma for security: Since a person passed a lie detector test can you assume they are trustworthy? Can you take considerably less care in securing their access to resources?

The science of detecting a certain quantity or quality of a signal from an environment of surrounding noise is called Detection Theory. It has been around for ages, was developed initially for the development of the radar (http://en.wikipedia.org/wiki/Detection_theory). It is what I concentrated on for the first ten years of my engineering life in designing and evaluating SONAR and other detection systems.

In Detection Theory, the same outcomes as in the lie detector diagram above are used:

Assuming the results of the detector are positive, then assuming the probability of detection (true positive) is α, the probability of getting a false positive is (1-α). Unless α is pretty high, the probability for a false positive will be significantly high (so that it cannot be ignored).

The same logic works for the False Negative and False Negative pairs. See http://en.wikipedia.org/wiki/Type_1_error#Type_I_and_type_II_errors for more data.

So what affects α? What are the parameters that would affect the quality of the results? What would we need to improve the results of the lie detector?

In RADAR, α is related to a mathematical ratio between the signal and noise (amply called the SNR or Signal-to-Noise-Ratio). Signal would be the property we want to detect while while noise would be any other noise source.

So it is imperative that if a detector is to be used, that it is fully understood in the context of its usage.

For example, I would assume that lie detectors will be fairly reliable in detecting teenagers that are using drugs. I say this because of the following:

1.   Teenagers have probably been using the drugs for a limited amount of time. So the emotional response to the concept of lying about it is still strong.

2.   Making a mistake is reasonably ‘acceptable’:

a.   False positive: blood test will clear that up, or at worst the teenager will go to counseling

b.   False negative: Same result as having not conducted the test

Note: Sure there might be extreme responses to these types of tests, but overall the use is appropriate.

Using the same criteria I would stipulate that testing if a long term FBI agent is an existing spy is a bad use for lie detection:

1.   If the FBI agent is an existing spy, it is more than likely that their false reality has become their reality. Lying is real to them, so they have no emotional response associated with lying (it is the least of their “vices”)

2.   Making a mistake can lead to disastrous results:

a.   False positive: Agent is “caught” and researched. Trust is no longer there and a good person is removed from activity.

b.   False negative: How many American operatives were compromised by Robert Hansen? Need more be said? Trust is, in fact, accentuated and reestablished by the results of the test.

But detection theorem is not limited to the military or to lie detectors. As more and more systems are used to make sense of the world around us, to package and repackage information automatically, we see the results of different detectors around us:

Search engines – What do false positives mean? Well, ask the founders of all the search engines that competed with Google. Relevancy counted. And the results were translated into countless Billions of dollars.

Cell phone – Just how better is digital coding of the transmission? Just compare the modern language of cellular technology “can you hear me now?” vs. the past (fading in and out). Sure you can squeeze more channels in, but analog (like Verizon) is still a better quality medium for our human detectors.

Security – In the past, security was ‘1’ or ‘0’ either a port was open or not. Tapping into a NIC would allow us to step through the traffic. An application was allowed to load or not. Today, we see the first waves of “intelligent systems”. Systems which try to elevate (detect) the “nasty” stuff by prioritizing the display of activities related to un-patched vulnerabilities among the clutter of less disruptive activity. Similarly, DLP solutions have detectors included within the applications (to distinguish between confidential and other data). Cost of a bad choice? Perhaps 17 FTE…

Auto-defibrillators: yes, those yellow boxes at airports and upscale malls. These detect heart activity, and based on heart activity can provide defibrillation pulses. For the sake of the users, I hope that automated detector is designed right.

As a summary, detection (as opposed to a simple decision) is here to stay, and to have detector design compromises that will have certain systems providing better results than others.

]]> http://securitypie.com/what-is-all-this-about-lie-and-other-detectors/feed/ 1