BSides LV: Change Industry Or Change Professionals?
All through the week of BSides/BlackHat/Defcon, people came up to me to tell me that they enjoyed my BSides Las Vegas talk. (Slides, video). It got some press coverage, including an article by Jon Evans of TechCrunch, “Notes From Crazytown, Day One: The Business Of Fear.” Mr. Evans raises an interesting point: “the computer security industry is not in the business of openness, it is in the business of fear.” I’ve learned to be happy when people surface reasons that what I’m saying won’t work, because it gives us an opportunity to consider and overcome those objections.
At one level, Mr. Evans is correct. Much of the computer security industry is in the business of fear. There are lots of incentives for the industry, many of which take us in wrong directions. (Mr. Evans acknowledges the role of the press in this; I appreciate his forthrightness, and don’t know what to do about that aspect of the problem, beyond pointing out that “company breached” is on its unfortunate way to being the new “dog bites man.”)
But I wasn’t actually asking the industry to change. I was asking professionals to change. And while that may appear to be splitting hairs, there’s an important reason that I ask people to consider issues of efficacy and burnout. That reason is that I think we can incentivize people to act in their own long-term interest. It’s challenging, and that’s why, after talking to behavior change specialists, I chose to use a set of commitment devices to get people to commit to pushing organizations to disclose more.
I want to be super-clear on my request, because based on feedback, not everyone understood my request. I do not expect everyone who tries to succeed. [#include Yoda joke.] All I’m asking people to do is to push their organizations to do better. To share root cause analyses. Because if we do that, we will make things better.
It’s not about the industry, it’s about the participants. It’s about you and me. And we can do better, and in doing so, we can make things better.
Like the slide deck. We should share STIX via TAXII and we should embed MAEC in the STIXes if relevant. Even if not relevant, we should add indicators to each STIX as indicator bundles, denoting OSINT (media) and DIGINT (social media) versus TECHINT, HUMINT, or FININT data. The next step might be to share how we collect each kind of intelligence by revealing our sources, models, and methods.
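One way to act on the commenter's suggestion of tagging shared indicators by collection discipline, as an added example that is not part of the post or the comment: it assumes the STIX 2.1 JSON form (the comment names no version), uses a constructed `x_collection_discipline` custom property (STIX reserves the `x_` prefix for such extensions), and embeds constructed, non-real sample indicators.

```python
"""Build a STIX 2.1 indicator bundle whose objects carry a source-discipline tag."""
import json
import re
import uuid
from datetime import datetime, timezone

# Collection disciplines named in the comment above (constructed vocabulary).
DISCIPLINES = {"OSINT", "DIGINT", "TECHINT", "HUMINT", "FININT"}

# Minimal shape check for a STIX pattern: bracketed comparisons joined by AND/OR.
PATTERN_RE = re.compile(r"^\[[^\]]+\]( (AND|OR) \[[^\]]+\])*$")


def stix_id(obj_type):
    """STIX 2.1 identifiers are '<type>--<UUID>'."""
    return f"{obj_type}--{uuid.uuid4()}"


def make_indicator(pattern, discipline, name, created=None):
    """Return an Indicator SDO as a dict; rejects unknown disciplines and bad patterns."""
    if discipline not in DISCIPLINES:
        raise ValueError(f"unknown discipline: {discipline}")
    if not PATTERN_RE.match(pattern):
        raise ValueError(f"malformed STIX pattern: {pattern}")
    ts = (created or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "type": "indicator", "spec_version": "2.1", "id": stix_id("indicator"),
        "created": ts, "modified": ts, "name": name,
        "pattern": pattern, "pattern_type": "stix", "valid_from": ts,
        "labels": [discipline.lower()],
        "x_collection_discipline": discipline,  # custom (assumed) property
    }


def make_bundle(indicators):
    """Wrap indicators in a STIX Bundle ready to hand to a TAXII client."""
    return {"type": "bundle", "id": stix_id("bundle"), "objects": list(indicators)}


def by_discipline(bundle):
    """Count indicators per discipline so a recipient can weigh the sourcing."""
    counts = {}
    for obj in bundle["objects"]:
        if obj.get("type") == "indicator":
            d = obj.get("x_collection_discipline", "UNKNOWN")
            counts[d] = counts.get(d, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample indicators; the values are placeholders, not real IoCs.
    bundle = make_bundle([
        make_indicator("[domain-name:value = 'example.invalid']", "OSINT", "press-reported domain"),
        make_indicator("[file:hashes.'SHA-256' = '" + "0" * 64 + "']", "TECHINT", "sandbox sample"),
    ])
    print(json.dumps(bundle, indent=2))
```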
What The Onion did was a below-average example by my standards because they did not follow the money, attribute the adversary leadership along with their plans/history, and did not tie it all back to an ST&I or warning analysis.