Skip to Content
MIT Technology Review
Sign in
Uncategorized

Yoran and Spaf’s Law

eWeek has a nice tip-of-the-hand to Spaf’s “first principle of security administration: “If you have responsibility for security but have no authority to set rules or punish violators, your own role in the organization is to take the blame when…
October 31, 2004

eWeek has a nice tip-of-the-hand to Spaf’s “first principle of security administration: “If you have responsibility for security but have no authority to set rules or punish violators, your own role in the organization is to take the blame when something big goes wrong.”

The principle was first published in the book that I co-authored with Professor Gene Spafford of Purdue University, Practical UNIX and Internet Security. It’s directly applicable to the case of Amit Yoran, who resigned from the National Cyber Security Division of the Department of Homeland Security. According to author Ben Rothke, “Yoran lacked both an important title and appropriate authority–which are everything in government.”

Personally, I think that the cybersecurity problem is one that needs to be solved by slowly building consensus — not with the computer security establishment, but with the computer users throughout government. We have a very deep problem that comes from deploying a series of computer systems that are very difficult to secure. Fixing the situation is going to be a multi-year project—one where the authority will come from consensus, bridge-building and the persuasiveness of arguments, not from org charts and budget lines.

The whole “cyberspace security czar” approach is fundamentally flawed. I hope that the next administration can start things out with a new approach.

I should note that I co-authored Practical and UNIX Security with Dr. Spafford, but the law is all his.

Keep Reading

Most Popular

DeepMind’s cofounder: Generative AI is just a phase. What’s next is interactive AI.

“This is a profound moment in the history of technology,” says Mustafa Suleyman.

What to know about this autumn’s covid vaccines

New variants will pose a challenge, but early signs suggest the shots will still boost antibody responses.

Human-plus-AI solutions mitigate security threats

With the right human oversight, emerging technologies like artificial intelligence can help keep business and customer data secure

Next slide, please: A brief history of the corporate presentation

From million-dollar slide shows to Steve Jobs’s introduction of the iPhone, a bit of show business never hurt plain old business.

Stay connected

Illustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at customer-service@technologyreview.com with a list of newsletters you’d like to receive.