Quote from Franklin


I recently ran across a quote attributed to Benjamin Franklin that has, I believe, some profound implications toward computer security.

We are doing stuff, getting help from Congress, and having auditors and GAO produce scorecards.  Yet one has to ask - what is the difference in terms of actually being safer from serious attackers?  Good things to do, but is the concern and frustration commensurate with the real benefit?

We recognize that risks cannot be removed, yet speak about securing our systems and having all systems accredited.  The former sure sounds like the risk is removed and the latter implies that this action will somehow result in being safer instead of having just produced more tick marks.

We strive to secure our systems.  But perhaps the real issue is the equivalent of wanting to run with scissors (an inherently unsafe practice :-).  To be safe we must first come to grips with the fact that we are essentially running with scissors and only then can the safety be increased.  Unfortunately, recognition that we are "running with scissors" flies in the face of desires to use IT; for example, the e-gov initiatives.  So we presume that running with scissors is a requirement (instead of a choice) and strive to be secure none-the-less.

Ben Franklin said: "The way to be safe is never to be secure."

Cheers,
Gary

**************************************************************************
* Opinions expressed are not intended to reflect an official position
**************************************************************************
* Gary Stoneburner
* Computer Security Division, National Institute of Standards & Technology
* 100 Bureau Drive, Stop 8930, Gaithersburg, MD 20899-8930         
* Phone: 301-975-5394, FAX: 301-948-0279, Email: Stoneburner@nist.gov
* http://csrc.nist.gov/staff/stoneburner/gshome.html
**************************************************************************


