I don’t read CF much, but this one caught my attention and it is worth a look. Not because he’s entirely right but because he missed something. My comment is there, and it is also here:
The most appalling part of this is that NSA has been the most important contributor for decades to the conceptual models and implementations of information systems that do not have “superuser” system administrators who are autonomously all-powerful and capable of escaping audit trails.
Such systems are not mythical but they are rare, at least in the universe of organizations whose IT staff speaks openly with outsiders about their work. They are very costly, but that is not because of any really special hardware (although there are performance costs) or expensive licensed software. Rather it is because they require very careful planning and configuration up front before they are handling protected data and when in production demand ongoing support by staff in larger numbers and with higher skill levels than is required for normal systems. It is only a slight exaggeration to say that relative to normal IT environments, a rigorously secure “trusted system” environment demands twice as many sysadmins, a revival of a large “operator” job class that has almost vanished from modern normal IT, and a brand new staff layer for policy governance and audit. Oh, and end users need retraining too, because they can’t use such systems (including the devices that might normally be described as “personal” computers) in the same ways as they would in normal environments.
Trusted systems are a tough sell to IT managers outside of the snoop world.They may come to their security folks begging for seriously secure systems but when they learn that it means hiring more neckbearded oddballs at $80k and WAY up, for systems they won’t see for a couple of years, they reconsider their commitment to security. A sometimes-winning argument has for a long time been that the standards over the years and even some of the tools have come from the serious spooks in the DoD, the public face of he NSA. In short: “military grade security” is a powerful phrase with CIOs.
Manning and Snowden have shown that “military grade security” is no such thing. Sure, some outsiders use NSA tools and rules, but the NSA and DIA clearly do not. Keith Alexander has shown himself to be much like so many IT managers who like security on paper but flinch in practice when faced with the fact that security is the enemy of efficiency, agility, and low-cost staffing. In his insane plan to replace sysadmins with automation, he has provided evidence to group him with the dominant class of plodder CIOs who reflexively resort to cutting headcount (which saves money, right?) whenever they see a problem that would take courage, imagination, and investment to truly solve.