Internet/Network Security/Securing Cyberspace
Dear Mr. Crout,
My school project is to find a solution to secure cyberspace. How would YOU approach this project? What solutions could you use to help secure cyberspace? From your expertise bio, I know that you safely develop software. What precautions do you take in developing software so that it can't get hacked?
I'm exploring ways to teach Cyber Health and would like to know more about your project. If time permits, please advise. To answer you:
RTCA/DO-178B, "Software Considerations in Airborne Systems and Equipment Certification," revision B, was used for 18 years as "The" certification guideline used by worldwide airworthiness authorities for certifying all things that are airborne. None has ever fallen from the sky as a result of a software error. (Comments from an editor at SANS suggest otherwise, but after reading the report he referred to, it's clear he didn't read it -- or he didn't understand it.) Dan O'Dowd of Green Hills Software has also said this. I'm biased; I was on the committee that wrote it. In short, precautions include name accountability and traceability to requirements. Neither exists outside of airborne and military software. Most companies don't know how to do this in a cost-efficient way. But the process is analogous to Philip Crosby's Zero Defects approach to Quality Assurance for manufacturing. And a guy named Watts Humphrey wrote about similar concepts in the 1980s and 1990s. (He passed away recently.)
This would address most vulnerabilities. The bad guys in avionics are the elements. Risk due to social engineering exists too, but is more like what defense contractors need to protect against.
Today's software is designed to make incredibly complex technology usable, even for an 8-year-old. It isn't necessary to "read the manual". This has given rise to generations of people who have no idea how to use the tools safely. In contrast, using a lawnmower improperly can make you bleed -- so the outcome of realized risk is obvious. Since vendors don't talk about breaches and most people are too embarrassed to talk about being had by cyber criminals, we don't hear about these events in the media. But they're there, and the FBI's website makes this clear, as do those who do data mining for local law enforcement.
The other side to this is addressing users. They need to be educated/trained enough to compensate for the lack of a user's manual. The Department of Homeland Security (DHS) has struggled with this for years. They've been making headway, largely because they finally asked for assistance from the Anti-Phishing Working Group (APWG) in 2010 or so.
If the government established an agency to handle cyber "illness" in the same way the Centers for Disease Control does, we'd be set. That is, it would be as safe as safe can become. APWG knows this and seems to be apolitical. I wish more people knew about them. We should teach Cyber Health in the same way we teach Public Health.
The DHS website is here:
I hope this was helpful.