Thursday, January 17, 2008

A hundred small conservative decisions, and the impact on science.

Yesterday, I played a bit with some lightweight coding (which is neither my job nor my expertise). I was quite unsuccessful in getting my little project to work, but about halfway through I realized that while I might be able to get the program to work, my code was certainly not going to be secure. I realized that even if I got it working, I wouldn't put it on an LBL server because of the off chance that it might be hacked.

You may think this is a morality tale about the importance of thinking about security, but in fact, it's almost the reverse. The truth is that my insecure code would have posed a very limited risk to the Lab, and if it had been exploited (unlikely) it would have done almost no damage to turn it off and clean it up. Yet, because of the attention to security, the perceptual risk is far greater than the real one.

Every day, a few thousand scientists - those the organization selects for their ability to ask new questions in new ways and to develop new tools to ask those questions - are faced with this same issue. And every day, perhaps a few small decisions are made to be conservative and not attempt to create the tool, try the new thing, or play with something interesting because of these kinds of worries. The losses from this behavior are unknown to us; they may be imperceptible, or they may be substantial. What we know is that the great research institutions in history have valued an atmosphere of open expression and freedom to explore the new, the unproven, and the risky.

Will the next World Wide Web or Cyclotron go unbuilt because a researcher feared what might happen if they didn't implement it securely?

First Quarter Preliminary Report Cards

We are now publishing our quarterly scorecards for the UC/DOE Contract for both IT and Cyber-Security. You can find the first quarter reports under the Assurance section.

Current policy projects include: revisiting non-consensual access, improving our assurance-crosswalk, and updating 9.02.

Current audit-management projects include the Internal Audit of data centers (ongoing), and continued response to both the draft IG Websites audit (see blog post) and related impacts from the previously published IG IT Hardware Audit (which we vehemently disagree with).

Current DOE policy projects include RevCom for the newly released 200.1A.

Current Contract-Management task: negotiation around the incorporation of the DOE Privacy Reporting directive, which we believe is duplicative with State Law (SB1386) and in conflict with other prime contract clauses.

Current Process Improvement Goals: Business Continuity Planning