Yoran and Spaf’s Law
eWeek has a nice tip-of-the-hand to Spaf’s “first principle of security administration: “If you have responsibility for security but have no authority to set rules or punish violators, your own role in the organization is to take the blame when something big goes wrong.”
The principle was first published in the book that I co-authored with Professor Gene Spafford of Purdue University, Practical UNIX and Internet Security. It’s directly applicable to the case of Amit Yoran, who resigned from the National Cyber Security Division of the Department of Homeland Security. According to author Ben Rothke, “Yoran lacked both an important title and appropriate authority–which are everything in government.”
Personally, I think that the cybersecurity problem is one that needs to be solved by slowly building consensus — not with the computer security establishment, but with the computer users throughout government. We have a very deep problem that comes from deploying a series of computer systems that are very difficult to secure. Fixing the situation is going to be a multi-year project—one where the authority will come from consensus, bridge-building and the persuasiveness of arguments, not from org charts and budget lines.
The whole “cyberspace security czar” approach is fundamentally flawed. I hope that the next administration can start things out with a new approach.
I should note that I co-authored Practical and UNIX Security with Dr. Spafford, but the law is all his.
Keep Reading
Most Popular
The inside story of how ChatGPT was built from the people who made it
Exclusive conversations that take us behind the scenes of a cultural phenomenon.
How Rust went from a side project to the world’s most-loved programming language
For decades, coders wrote critical systems in C and C++. Now they turn to Rust.
Design thinking was supposed to fix the world. Where did it go wrong?
An approach that promised to democratize design may have done the opposite.
Sam Altman invested $180 million into a company trying to delay death
Can anti-aging breakthroughs add 10 healthy years to the human life span? The CEO of OpenAI is paying to find out.
Stay connected
Get the latest updates from
MIT Technology Review
Discover special offers, top stories, upcoming events, and more.