[Infowarrior] - RSA 'news': here we go again ...
Richard Forno
rforno at infowarrior.org
Thu Mar 4 11:59:46 UTC 2010
Talk about a blast from the past!
This article could be ripped from FCW's archives with only the dates
and names changed .... I mean, didn't we hear industry and gov folks
say the same thing in 1997, 2000, 2003, 2005, 2007 and 2009 about
critical infrastructure protection, Y2K, homeland security, etc?
Heck, the Nation even has a "National Strategy for Information
Sharing" issued by the White House. Lot of good that's done, too.
Yet after 15 years or so we're *still* talking about the same problems
and obstacles to overcome involved with both information-sharing and
infosec in general, in both human and technical terms.
...but that's okay, we can always levy a Charney-charge[1] on everyone
to help subsidize the industry instead. This is the decade of bailing
folks out, isn't it?
Same stuff, different year. And folks wonder why I am so damn cynical
about this industry.
-rf
[1] http://blog.seattlepi.com/microsoft/archives/196494.asp
Nation's cybersecurity suffers from a lack of information sharing
Despite progress, public and private sectors still don't trust each
other, panelists say
• By William Jackson
• Mar 03, 2010
http://fcw.com/articles/2010/03/03/cybersecurity-policy.aspx
SAN FRANCISCO — The lack of trust between the public and private
sectors continues to inhibit the sharing of information needed for the
nation to effectively defend against rapidly evolving cyberthreats, a
panel of industry experts and former government officials said Tuesday.
“We need to have more transparency in the public-private partnership,”
said Melissa Hathaway, former White House advisor who conducted last
year’s comprehensive review of government cybersecurity. “The trust
does not exist between the two parties.”
Hathaway, who now runs her own cybersecurity consulting firm, said
during a panel discussion at the RSA Security Conference that a “safe
space” overseen by a trusted third party is needed to facilitate
sharing.
William Crowell, former National Security Agency deputy director, said
that it should be possible to share information without identifying
the source, to make the parties feel more secure about providing it.
“We need to be able to abstract the information we are going to
share,” he said. “That’s our best approach in the long run.”
The lack of sharing creates a lack of wide visibility into threats,
the panelists agreed. While cybercriminals and other evil-doers are
collaborative and quick to take advantage of vulnerabilities,
cyberdefense is hobbled by a fragmented response that includes too
little cooperation.
“In order to respond to the threats we have to change the pace of the
game on our side,” Crowell said. “The pace of our responses are not
operating in Internet time.”
In most cases, companies that openly share information about attacks
on their systems face the possibility of monetary loss. The private
sector has little motivation to contribute to cybersecurity beyond its
own immediate interests, said Greg Oslan, chief executive officer of
Narus.
“We have to look at it as an end-to-end solution,” he said. He
proposed a model based on that of the airline industry, which has a
global framework of laws and regulations ensuring the safety and
security of the industry, brokered by governments, adopted by industry
and accepted by the public.
Cisco Chief Security Officer John Stewart faulted his own industry for
the poor state of cybersecurity.
“We have succeeded in making the security industry so complex that the
people who need it the most -- the public -- cannot use it,” Stewart
said.
Exploiting vulnerabilities is simple, he said, but simplifying
security is difficult, and industry has not yet succeeded in doing this.
There was general agreement among the panelists that the president’s
emphasis on cybersecurity as a national security issue is a first step
toward improving the situation. “But that’s not enough,” Crowell said.
It has to be followed up with a structure within the White House that
can continually drive execution of policies at the technical, legal
and international relations levels.
Even then the problems never will be completely solved, he said. “Have
we ever solved any criminal problem? No. We’re never going to solve
the cyber problem, either. But we can limit it.”