1 Comment
⭠ Return to thread

I tend to dig in, sorry.

If it takes one world war to get security working that seems way too long but it might be okay. If it takes two world wars, I won't matter. There won't be anything left to protect.

Pick one "agency" and do a proof of concept, learn from that. I know nothing about how data is organized and secured in the siprnet - how long would it take to do zero-trust at one agency? At which agency do you start? Does it require hardware - special laptops with no USB ports and keycard readers? If yes, can they go with COTS or does everyone have to have their own acronym? Maybe it would be best to have air gaps between agencies - that would keep that PFC from looking at DOS cables.

About "need to know", "who decides?" If the originator decides, maybe they don't know enough to make a good decision - they include too few people. That is the classic case - if you don't tell anyone, then you get no value from the information. If you tell too many people, the target hears about it and changes stuff so the information half-life drops to nothing and maybe your source ends up in cement overshoes. Seems to me that we pretend to have compartmentalization but the compartments include way too many people - the "information sharing" problem.

How about a central authority? Kim Philby was one step from running the British Secret Intelligence Service and a long term spy for Russia.

IT sysadmins do NOT need to have the credentials to decrypt information stored on their servers.

Expand full comment