FCW cartoonist John Klossner, just back from a disconcerting visit to a Boy Scouts camp, wonders about how the Defense Department will proceed to improve the security of its networks.
Recently I accompanied my 7-year-old son to Cub Scout camp. The parents all looked at each other when, during the orientation, the Scouts were told that one of the first rules in this camp in the middle of the Maine woods was "don't run." Later that day my son and his friend were admonished for climbing on a rock. If I were to tell you how each child was leashed to a beach chair and had to be accompanied by three adults in order to enter the six-inch deep swimming area, it would be an exaggeration. But not by much.
My fellow parents and I ended up referring to the place as "Camp Don't." The kids still had fun -- they are 7-10 year-olds, after all -- but those of us who had grown up during the wildly unregulated camping years of our youth felt that something had changed. We even tried to instill some subversiveness in our sons: We would all start running when no one was looking. (I wonder if we're raising a generation that will never know stitches, leaving them open to all kinds of ridicule when their children and grandchildren re-discover the medical need to re-attach your skin after a laceration. I envision a world where these subsequent offspring will also have, in a generational revolt, learned the joy of running in the woods, socializing with friends without it being scheduled, and playing a team sport without several hundred adults/coaches in attendance. But I digress.)
I understand the Boy Scouts' need to protect themselves, liability-wise. They are covered within their fenced-in boundaries, and a Scout camp, with its waterfront, exposed rocks and roots, and BB gun and archery ranges, offers many excellent injury opportunities. But are these regulations really for the children’s sake? Or more for the organization's?
I'm reminded of the Chinese proverb, 'Give a man a fish and you feed him for a day; teach him how to fish, and you feed him for a lifetime.' In this case it would be, 'Tell a child not to run and you keep him safe in your sight; teach him when to run, and you keep him safe out of sight.' Or perhaps, 'Tell a child not to run and you keep him safe in camp; teach him to run and he can go to the store for you.' How about: 'Tell a child not to run and you keep him from falling down; teach him how to put on a band-aid and he can run anywhere he wants.'
This brings to mind the DOD's recent creation of a Cyber Command unit. Cyberspace now joins land, sea and air as a defensible domain. DOD is concerned with threats posed to military networks. The magnitude of those threats is best captured by three numbers bandied about by DOD leaders in the recent past: 15,000 networks and 7 million computers to protect, with 50,000 attacks occurring every day.
This sounds simple in principle -- observe and protect the cyberspace of military networks. But the cyber world, unlike the fenced-in Boy Scout camp in Maine, doesn't have such clearly defined borders. As stated in the above article, "NSA and DOD officials have said that although the new command would assume responsibility for defending the .mil domain, NSA would continue offering its expertise and assistance to defend the .gov and .com domains." This sounds like slippery slope material to me. Where does their jurisdiction end and begin? And, if regulations are passed, are they applicable in all domains? If there's no running allowed in .mil, can you run in .gov and .com?
One concern is that the DOD (and NSA) implement "don't run" regulations -- not designed to keep users and networks safe as much as shield those overlooking security from blame.
Better run.