[Infowarrior] - Info-Sharing, A Simple Recipe
Richard Forno
rforno at infowarrior.org
Fri Sep 19 19:48:38 UTC 2008
(Mike's hit the nail on the head as always with this latest blog
entry. I agree 100% with his sentiment, and it is something I've been
arguing has been necessary for over 10 years now... -rf)
Sharing. Revisited. Again
http://haftofthespear.com/2008/09/sharing-revisited-again/
< - >
There are some things that would facilitate sharing:
1. Make it Easy. When the only way to report data to Uncle Sam is
through yet another closed system with more security credentials and
more overhead, people won’t report or they’ll report trivial items
that don’t take a lot of time. A PGP-wrapped attachment in email is
secure enough (If your network is pwned what difference does it make?
If it isn’t, what good is the data X years from now once the crypto is
cracked?).
2. Make it Fair. Feds take but never give, so eventually industry
stops giving: a familiar refrain. So implement an anonymization system
that allows meaning and insight to be communicated back and forth
without revealing sensitive data. Adapting the “arbitrary unit
designator” concept from intelligence analysis (e.g. If an IP address
is too sensitive to share, give it a random but fixed alpha-numeric ID
for the purposes of sharing) is a start.
3. Make it Legal. Industry-government sharing initiatives tend to
fail because industry has these people called “shareholders” and
“auditors” that get riled up if a company says it’s been breached.
Legal top cover for corporations would go a long way towards improving
cooperation. It’s not about hiding misconduct or culpability but
avoiding the fickle inclinations of the market.
4. Pay for It. DHS has asked for private sector expertise, but
only at the expense of industry. Corporations want to help, but when
they pay someone a salary they like that person to show up to work.
Industry experts will participate in secondments if the government
stops trying to do everything on the cheap and just expands the IPA
program to cover the people they want.
The fixes themselves are easy enough to implement; actually getting to
the point where they can be implemented is hard and costs money.
Again, if we’re serious about cyber security then we should be willing
to deal with the expense and level of effort. You’ll know we’re not
serious if more or less this same discussion is repeated in a year or
two.
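The "arbitrary unit designator" in item 2 is, in practice, a keyed pseudonym: the same address always gets the same label, the label cannot be turned back into the address without a secret, and the organisation that did the sharing keeps the reverse table so it can decode whatever insight comes back in terms of the labels. The example below is added here and is not code from the blog post, from Haft of the Spear or from any government sharing system; it assumes HMAC-SHA256 with a per-organisation secret key, a "NODE-" label prefix, and a constructed report snippet using RFC 5737 documentation addresses. It uses a keyed MAC rather than a plain hash because the IPv4 space is only 2^32 addresses, so an unkeyed hash of an address is reversible by simple enumeration.

```python
import hashlib
import hmac
import ipaddress
import re
from typing import Dict, Optional

# Matches dotted-quad candidates in free text; octets are validated afterwards.
IPV4_CANDIDATE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


class Designator:
    """Assign a random-looking but fixed label to each sensitive IP address.

    The label is HMAC-SHA256(key, packed address) truncated to 8 hex digits.
    A keyed MAC is used instead of a bare hash because the IPv4 space (2^32)
    is small enough that an unkeyed SHA-256 of an address can be reversed by
    enumeration; without the key the label reveals nothing about the address.
    The key and the reverse table stay with the sharing organisation, which is
    the only party that can map feedback about NODE-XXXX back to a real host.
    """

    def __init__(self, key: bytes, prefix: str = "NODE-") -> None:
        self._key = key            # per-organisation secret (assumption)
        self._prefix = prefix      # label prefix (assumption)
        self._reverse: Dict[str, str] = {}  # label -> original address

    def label(self, address: str) -> str:
        """Return the fixed designator for one IPv4 or IPv6 address."""
        ip = ipaddress.ip_address(address)  # raises ValueError on junk
        tag = hmac.new(self._key, ip.packed, hashlib.sha256).hexdigest()[:8]
        designator = f"{self._prefix}{tag.upper()}"
        self._reverse[designator] = str(ip)
        return designator

    def redact(self, text: str) -> str:
        """Replace every valid IPv4 address in free text with its designator."""
        def swap(match):
            try:
                return self.label(match.group(0))
            except ValueError:
                # e.g. 999.1.2.3 matched the regex but is not an address
                return match.group(0)
        return IPV4_CANDIDATE.sub(swap, text)

    def resolve(self, designator: str) -> Optional[str]:
        """Map a designator back to its address; only the key holder can."""
        return self._reverse.get(designator)


# Constructed sample report (not real data); RFC 5737 documentation ranges.
SAMPLE_REPORT = (
    "2008-09-18 02:14 UTC: host 192.0.2.10 beaconed to 198.51.100.7 every 600s\n"
    "2008-09-18 02:24 UTC: host 192.0.2.10 beaconed to 198.51.100.7 again\n"
    "2008-09-18 03:01 UTC: 203.0.113.44 attempted SSH logins against 192.0.2.10\n"
)


def demo(key: bytes = b"per-organisation secret (constructed)") -> str:
    """Redact the sample report; the same host gets the same label throughout."""
    sharer = Designator(key)
    return sharer.redact(SAMPLE_REPORT)


if __name__ == "__main__":
    print(demo())
```

Because the mapping is deterministic per key, a recipient can still see that the three lines concern one beaconing host and one sink, which is the "meaning and insight" the post wants preserved; two organisations that use different keys will produce different labels for the same address, so correlation across sharers requires either a shared key or an explicit agreement, which is the intended property rather than a limitation.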