[Infowarrior] - Feds in Cyberspace - What's the Value Proposition?
Richard Forno
rforno at infowarrior.org
Sun Feb 6 15:30:00 CST 2011
Feds in Cyberspace - What's the Value Proposition?
http://1raindrop.typepad.com/1_raindrop/2011/02/feds-in-cyberspace-whats-the-value-proposition.html
There is a good debate to be had on federal involvement in cyberspace; arguments on both sides are being made around the various privacy tradeoffs. But one thing that I think is important is absent from the conversation: in a tradeoff there should be gains and losses, right? Well, what is the gain that the Feds would provide to cybersecurity? Are we supposed to believe that the secrets of the lost cybersecurity ark, the keys to this knowledge, actually exist, just not in the private sector? That is pretty hard to swallow.
Recall the BP/Macondo oil leak. At the time it happened there was a tremendous engineering effort where all the oil majors cooperated and sent their best engineers with specific expertise to deal with the horrible situation. In the end it was an impressive engineering effort. At the same time there was hue and cry that the US Navy would help address the well, because there are only a few organizations on the planet that can operate at a mile below sea level. Here is the problem though: it's not the same use case. The ability to operate stealthily, listen to things and launch torpedoes does not help plug oil wells!
Let's leave aside, for now, that there is no evidence that major players understand how to secure a website, and instead focus on the practical matters.
The Flash Crash is a good example:
The May 6, 2010 Flash Crash,[1] also known as The Crash of 2:45, the 2010 Flash Crash or just simply, the Flash Crash, was a United States stock market crash on May 6, 2010 in which the Dow Jones Industrial Average plunged about 900 points only to recover those losses within minutes. It was the second largest point swing, 1,010.14 points,[2] and the biggest one-day point decline, 998.5 points, on an intraday basis in Dow Jones Industrial Average history.
Procter & Gamble (as blue a blue chip as there is) went from $60-63/share to under $40 in a matter of minutes. I should point out that PG is a $180B company, so losing 1/3 of its value is in effect a $60B market swing!
Of all people, the voice of reason that day and in fact that minute was none other than Jim Cramer, saying "if PG is trading there, you just go and buy it. That is not a real price." Here is the thing: it was the right call in real time. It was made in the context of the decision-making timeframe and available domain information.
There are reports of hackers in various markets; what should we do to defend against that? I have some ideas, but to the question: who should do the work? Let's look back at the Flash Crash: who is the best person to determine whether PG selling for $39/share is accurate? Answer: someone with domain knowledge.
Abstract security knowledge does not help unless it's integrated into the domain that uses it. No amount of knowledge about security protocols substitutes. Subs don't plug oil wells, oil engineers do. Network security monitors don't clear trades, traders do.
Any tradeoff discussion needs to include an argument about the purported efficacy gains of non-domain-specific knowledge, and accurately reflect the real limitations of that non-domain-specific knowledge.