[Novalug] importance of SSN

Bryan J Smith b.j.smith@ieee.org
Sun Jul 12 11:17:48 EDT 2015


greg pryzby wrote:
> IF 'enemies' can access the computer systems (they have shown this time and
> time again) why involve people? It slows the process and increases the
> chance of getting caught. Sitting somewhere and attacking over the internet
> leaves the enemy anonymous and 'safer'.
> Regardless, since we have kept secrets, the data has been at risk. We can
> think/pretend the data is safe, but it never was. The difference NOW is we
> "KNOW" it isn't safe. We can't kid ourselves any more.

I don't disagree.

At the same time ... you don't put these materials on general
computing networks like you don't connect a nuclear power plant's
control systems or a bank's financial trading systems to them either.

E.g., "airgap" networks are used in SIPRNet and JWICS for a reason.

It's funny how much costly "due process" and "human capital" we spent
in these investigations, yet we make it so f'ing easy to
download/upload from any computer or portable device.

It's why Ohio FirstEnergy's control systems network, including those
at nuclear power plants, was overloaded by a rampant Windows virus
when the blackout occurred in the northeast back in the early '00s,
unable to trip fast enough.

It's how financial systems get compromised as well.

I've been in those rooms, and had the multi-layer or even airgap
(e.g., "technician will access systems from separate support console")
designed peer-reviewed and, then, utterly destroyed by management.

Licensing Engineers and Engineering Technologists have addressed this
for so many other fields, like Environmental.  That way it becomes a
criminal act for the Engineer to not enforce a peer created statute.

But for some reason, other than the state of Texas, the snobby
engineers refuse to do it for IT and software, much like the bridge
builders said environmental engineering wasn't a "real engineering"
until after the '70s and all those problems.  And the problem
continues.

It's not until you make people _criminally_ liable for this, that
things will change.  Licensing is the best, because you stop things
_before_ they are put in place, instead of after, and then _only_ the
result of a compromise or misuse.

-- bjs

[3a] https://en.wikipedia.org/wiki/SIPRNet
[3b] https://en.wikipedia.org/wiki/JWICS


