-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Michael.Dillon@btradianz.com wrote:
> Finding 3: Correlation of Multiple Incidents between Public and Private Sectors. Correlation of multiple incidents across multiple infrastructures and between the public and private sectors remains a major challenge...
>
> And a question: Do network operators have something to learn from these DHS activities or do we have best practices that the DHS should be copying?
First impressions: the point here relates specifically to awareness across organizational lines, and I'd say that both public and private industries have issues with sharing information with anyone outside their organization, especially with competitors (ideological, national, or financial). It doesn't really matter whether you're public or private; what matters is how broad your scope is. I'm sure that backbone providers have a broader view than a leaf node, and that the networking unit in a particular government department is equally situated when compared to an individual remote site.

I think that with cryptography we could alleviate some of the concerns with information sharing between enterprises; that allows us to establish a larger, shared view of things. This has a few benefits: we see the problems earlier than the average leaf, and we have more data to analyze trends than the average leaf. However, I think that nobody has made a proper business case for expending the effort, or if someone has, they have not communicated it widely enough. It's not enough for technicians to know; you have to have simple slogans or tragedies large enough that you can point to them and say "that's what this would have avoided".

I would say that large banks have the best combination of bigness and resources that they can employ, and IIRC have some sort of exclusive information-sharing arrangement about security incidents; they are not allowed to share that information, even with the government, except perhaps under subpoena. Well, that was true in the pre-PATRIOT Act days. I know that they are big enough to see malware on occasion before the anti-virus companies see it.

Sadly, governments almost always seem to be preparing for the last war, or avoiding yesterday's problem. I believe that this is a direct consequence of the fact that they attract the most risk-averse employees. In the clearance world, being a risk-taker is considered a disqualifying factor.
There's a lot of competitiveness for the limelight, and a lot of decisions are made based on trying to make others appear foolish, or to cover up your own mistakes, not only because they desire job security, but also because a lot of the attention is negative. It seems like the government's failures are usually public, and their successes unquantifiable. How many intrusions did you stop? Who knows? When it can't be quantified, or it's really technical, it's subject to internal spin or scapegoating or... well, politics.

Also, government agencies have an inherent limitation on efficiency. An unregulated corporation can choose not to enter an unprofitable market. Governments are not allowed this luxury, in general. They also have to balance the desires of different constituents: privacy advocates complaining about any intelligence-gathering, laissez-faire libertarians who think the private sector would do a better job at everything, jingoists and politicians who want to score a point by blaming them for not stopping every bad possibility for every citizen everywhere, all the time, and so on.

Personally, I'm not worried about terrorism. Not that long ago, we were worried about the entire planet being made uninhabitable and humanity quickly extinct by mutually assured destruction. Now we only have to worry about a cause of death with roughly the same probability as being killed by a snake bite. I didn't hear anyone calling for a war on snakes (not even on planes). I consider this excellent progress.

PS: This is an excellent blog on security, technology, and homeland security: http://www.schneier.com/blog/

- --
The whole point of the Internet is that different kinds of computers can interoperate. Every time you see a web site that only supports certain browsers or operating systems, they clearly don't get it.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFCixYPlSPhv5tocwRAisUAJ479RRbCOGTvhxPye3hxYkdTz1jVQCfc7Vq
bGsuq5FuT+srq7usqQaN8Tw=
=h775
-----END PGP SIGNATURE-----