That is the rub. Kind of like targeting treatment for AIDS to those with the most sexual partners - it helps solve the problem, but is it worth rewarding irresponsible behaviour? Although not the best analogy, especially since in this case the worst offenders are fortunately not the best connected. Still think that at some point you need to deal with raising the lowest common denominator. That said, it would be good to see something concrete being done like the RFP inclusions. The incentive though should be greater than what is gained by ignoring security currently. Is the government willing to provide enough incentive to change the market place? If RFPs alone can't do it, what else could be tried?

----- Original Message -----
From: Avi Freedman <freedman@freedman.net>
Date: Tuesday, January 14, 2003 9:06 pm
Subject: Re: Scaled Back Cybersecurity
In article <103014.1607.23062@avi.netaxs.com> you wrote:
: Seems to be a case of prisoner's dilemma. The security of any one network
: is to some extent at the mercy of all other connected networks. The
: overall security of the network is only as strong as its weakest link.
: In a highly competitive market place there is going to be little
: incentive to invest in security if it will just be compromised by your
: cost cutting competitors.
Yes, but:
- Shouldn't we encourage our tax $ go with preference towards good network citizens?
- If only a few of the larger networks started implementing better practices that engineering groups can't get funded today, we're still getting better off.
- Starting at the core, which is who the Feds buy the most IP from, still makes life a lot simpler if and when we get the "big one" in terms of cyber-attack.
I think this is probably better for a BOF (maybe even the security BOF) discussion, though...
Avi
On Tue, 14 Jan 2003 sgorman1@gmu.edu wrote:

:That is the rub. Kind of like targeting treatment for AIDS to those
:with the most sexual partners - it helps solve the problem but is it
:worth rewarding irresponsible behaviour.

I don't think it's fair or sensible to evaluate the outcome of a distribution scheme by the kind of message it allegedly sends, mostly because there is no mechanism within the scheme to satisfy the evaluation criteria. That is, the scheme has no way of deciding what is "responsible" or not, so it shouldn't be evaluated on that basis. It would be nice to raise all boats, as the saying goes, but without the basic state of the network being secure (thanks to vendor default secure configurations), it's not going to work.

:Is the government willing to provide enough incentive to change the
:market place? If RFPs alone can't do it what else could be tried?

Security considerations have to be built into every process. The RFP process is a good start. Another would be the sales engagement processes, design considerations etc. It is an education issue.

--
batz