[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
re: CERT funding
>From Mark Hittinger:
> Don't get too worried about CERT and its budget.
It is precisely when someone says "don't get worried about _____" when
I begin to wonder exactly what they have to hide.
> The staff seemed to be all comp-sci grad student types. The main guy was
> your typical visionary professor type. Before I spoke with him he was
> interrupted by a call from someone at DARPA about their funding. I am
> certain that he was having trouble convincing his funders that the problems
> were growing and that CERT's budget should expand. I got the impression
> that continued funding of CERT was not a done deal and that even keeping
> the current level of funding was uncertain.
Every government bureaucrat I have met says exactly the same thing.
The idea is to always give the impression of being "hungry" -- if you
think your budget is adequate, obvious it is too much, and if you
think your sources of funding are "secure", then you are taking them
for granted. Believe me ... I played the game for many years.
> My point - the funding was not substantial and it was not "reliable"
> funding. Their hardware was fairly recent but I did see a lot of
> "old soldier" type computer equipment still in service. There was
> mostly SUN, some DEC R4000 stuff, and maybe a microvaxII. Most definetly
> not NSA funded. It is funded by DARPA/USAF just like most old arpanet
> activity was.
You are very naive! Just because something is funded by an
intelligence agency does NOT mean that it is going to be a brand-new,
state of the art system. The 3-letter agencies have LOTS of old but
serviceable Suns, DECs, Macs, PCs, etc. internally and their
contractors have the same. Yes, if they were doing cryptanalysis
they'd have beefier gear, but that is not what CERT does.
The problem is that when one is funded by DARPA or directly by one of
the armed services, the amount of your award is supposed to be public.
Usually companies announce it via a press release -- it is
prestigious. HOWEVER, it is usually a condition of doing business
with the intelligence community that the existence and amount of your
contract award is kept secret. THat's just the way they work.
Don't be lulled by the "grad-student" types either. the intelligence
agencies have funded a lot of university-affiliated research. Most of
the grad students and first-real-job people aren't privy to the
internal funding and resposbility and deliverables of the group.
Were you asked about your ability to get a security clearance?
According to one article, CERT people now are getting clearances.
Interesting.
> I was also surprised to find out that there were several organizations
> other than CERT executing the same functions for each government agency.
> I learned that there was one for the navy, the dod, the cia, and probably
> even the coast guard! :-) I wondered aloud about how much information
> these groups shared and I got the impression that the other groups might
> not have trusted CERT too much with good information. In other words
> there is probably a group that you guys should be worried about because
> they are deeper in the black and they don't trust the CERT guys either!
> :-) :-)
Yes, other CERT-type teams exist. They are collected in an
organization called FIRST, the Federation of Incident Response Teams.
They do share (some) info. Blackworld teams have different issues and
do not generally participate, since their risk exposure is different
and their issues are usually different as well. But they exist too.
Sign me... "one who knows"