The crux of the issue is FOIA requests. The government won't make these types of vulnerability reports immune to FOIA requests - thus a foreign terrorist or home-grown "farmbelt fuhrer" could simply order up a list of the most vulnerable sites, and select some to attack. Due to the distributed nature of the internet, and the routing protocols that regulate its traffic flow, there is no single point of failure. However, we have seen how concerted attacks can be made at multiple locations, almost simultaneously. If the government could agree to allow this information to remain confidential, it would greatly expedite the process of hardening appropriate facilities, and identifying weaknesses. - Daniel Golding
Sean Donelan Said...
On Thu, 5 Sep 2002 sgorman1@gmu.edu wrote:
very much like to avoid doing the research in a vacuum. I was hoping a discussion on NANOG would be a good first step. The project is quite hot with the politicos and I very much want to make sure the best recommendations are made. Formal industry cooperation is one side of this, but I think a lot of information can be gained from an informal approach as well. Any and all feedback is greatly appreciated.
http://www.infosecuritymag.com/2002/sep/2002survey/voices/verylarge.shtml
On security reporting... "Since Sept. 11, state, local and federal authorities have tried to get their arms around the potential threats to the nation's infrastructure--including the telecommunications infrastructure. They have asked us questions like, 'What are your 100 most vulnerable places in the network?'"
"As much as we would like to help the government in its attempt to help us, we believe it would be counterproductive to share such information widely because if it were released, it would provide a terrorist with a roadmap to our key locations. Unless the government agrees that it can protect our information, we will continue to respectfully decline such blanket requests."
Bill Smith CTO and President of Interconnection Services, BellSouth