Shostack + Friends Blog Archive


Bob Blakely on the Cybersecurity Conversation

Bob Blakely has a thought-provoking blog post which starts:

The Cyberspace Policy Review says “The national dialog on cyber-security must begin today.” I agree. Let’s start the dialog with a conversation about what sacrifices we’re willing to make to get to an acceptable worst-case performance. Here are four questions to get the ball rolling:

Question 1: Are we willing to give anything up?
Question 2: Are we willing to do anything different?
Question 3: Are we willing to take any blame?
Question 4: Are we willing to give any guarantees?

I’d trade 3 & 4 (today) for are we willing to broadly share information about outcomes? I understand that the review (which I’ve yet to read) calls for effective information sharing, which is a goal I support. Will the government lead, and share its own information?

Before we can get to blame and guarantees, we have to have something beyond “best practices” to work from. Without knowing which practices work and which don’t, it makes little sense to distribute blame or to offer a guarantee.

3 comments on "Bob Blakely on the Cybersecurity Conversation"

  • Bob Blakley says:

    I think we may be confronting chickens and eggs. California SB 1386’s requirement for breach notification required companies experiencing a data breach to take blame in public. It was this publicity that started to give us reliable breach information.

  • Bob Stratton says:

    The current “information sharing” discussion is directly parallel to the “incident reporting” discussion in which so many of us participated in the late ’80s and early ’90s. At the time, the legal frameworks were mostly non-existent. In the U.S. people were being charged with wire fraud for computer intrusions, and when I went to Japan in 1998, they told me the best they could do was charge intruders with tying up the phone lines. Very few of my commercial clients wanted to report incidents to authorities. Since then, there is a much better (if admittedly imperfect) legal infrastructure and significantly more savvy attorneys and police.
    I think we’re seeing a similar process now. I am witnessing a number of well-intentioned and at least partially functional efforts to bring together vendors, government(s) and sectors to figure out a) what to share, b) what the problems are around sharing it, and c) how to keep the cycle going.
    Are some of them influenced by hidebound bureaucracy? Absolutely. Nonetheless, it’s constructive movement. A process, not an event.
    I am actually looking forward to the point where some of the trickier issues really come to the fore and force a reevaluation of how governments view multinational commercial entities. We’ve all too often heard the refrain that “the private sector owns and operates ~85% of critical infrastructures.” It may just be my biases, but sometimes I think I hear frustration behind that when I hear it from governments.
    I’m hoping (perhaps wistfully) that the process of sharing rather sensitive information on outcomes will engender enough good will that the parties realize that industry isn’t and shouldn’t be government and vice versa.

  • Adam says:

    Bob Blakely–I fully agree there’s chicken and egg. Which is why we need a conversation which includes a strategic level.

Comments are closed.