Yoran and Spaf’s Law

eWeek has a nice tip-of-the-hand to Spaf’s “first principle of security administration: “If you have responsibility for security but have no authority to set rules or punish violators, your own role in the organization is to take the blame when something big goes wrong.”

The principle was first published in the book that I co-authored with Professor Gene Spafford of Purdue University, Practical UNIX and Internet Security. It’s directly applicable to the case of Amit Yoran, who resigned from the National Cyber Security Division of the Department of Homeland Security. According to author Ben Rothke, “Yoran lacked both an important title and appropriate authority–which are everything in government.”

Personally, I think that the cybersecurity problem is one that needs to be solved by slowly building consensus — not with the computer security establishment, but with the computer users throughout government. We have a very deep problem that comes from deploying a series of computer systems that are very difficult to secure. Fixing the situation is going to be a multi-year project—one where the authority will come from consensus, bridge-building and the persuasiveness of arguments, not from org charts and budget lines.

The whole “cyberspace security czar” approach is fundamentally flawed. I hope that the next administration can start things out with a new approach.

I should note that I co-authored Practical and UNIX Security with Dr. Spafford, but the law is all his.