funsec mailing list archives

Re: Presidential Internet Kill Switch


From: Dan Kaminsky <dan () doxpara com>
Date: Wed, 23 Sep 2009 16:59:45 +0200

> I'm a touch ambivalent about the certification thing.  On the one hand it can be a pain (and one more damn course to
> take), on the other hand I can understand how external non-expert regulatory regimes could desire reasonable
> assurance that the folks doing the work are qualified.

Be that as it may, the data rather clearly suggests certification in
the security realm is (very) badly correlated with qualification.

> As it stands it is a [sic]"the prime contractor needs the cert" thing, so everyone under that person/organization
> would not require it.  It would depend to some extent how onerous getting the cert is to tell how it might shape
> contracting relationships.  In any case, it wouldn't hurt for everyone to get the cert if at all possible.

Ah.  You're seeing the cert as a test that can be objectively passed.
But there's nothing that requires that.  It's more a state that must
be subjectively granted.  If the certification authority doesn't like
you, you don't work -- no matter how qualified, no matter how much
certain people would like to hire you.  Don't think "well, it's only
the prime" that needs to sign protects you -- that just means the
stakes on getting you fired quick are much higher.

Bottom line:  What if the only people allowed to do security work were CISSPs?

(Yes, this applies to government systems and critical infrastructure,
for now.  But you know, that latter part isn't well defined either.
Is Linux critical infrastructure?)

--Dan

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.