<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: How Government Can Improve Cyber-Security</title>
	<atom:link href="http://emergentchaos.com/archives/2007/11/how-government-can-improve-cyber-security.html/feed" rel="self" type="application/rss+xml" />
	<link>http://emergentchaos.com/archives/2007/11/how-government-can-improve-cyber-security.html</link>
	<description>The Emergent Chaos Jazz Combo</description>
	<lastBuildDate>Wed, 01 Feb 2012 19:20:40 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
	<item>
		<title>By: Jean Camp</title>
		<link>http://emergentchaos.com/archives/2007/11/how-government-can-improve-cyber-security.html/comment-page-1#comment-4157</link>
		<dc:creator>Jean Camp</dc:creator>
		<pubDate>Thu, 15 Nov 2007 21:06:42 +0000</pubDate>
		<guid isPermaLink="false">http://emergentchaos.com/?p=2555#comment-4157</guid>
		<description>Adam has an excellent point. In health and environmental risks we have standards for acceptable or hazardous risk. There are accepted methods for measuring risk. In finance there are also operational measures of risk.
I think if I hired two consultants and asked them to evaluate a small business network I would get not just two approaches but also two units of measure. It is like I ask someone &quot;How big is it?&quot; and the result came in weight and volume with no understanding of how one might relate these with density. Security sometimes seems more like alchemy than chemistry.
We are in sad need of measures and metrics. Having some basic data would be a good start.
</description>
		<content:encoded><![CDATA[<p>Adam has an excellent point. In health and environmental risks we have standards for acceptable or hazardous risk. There are accepted methods for measuring risk. In finance there are also operational measures of risk.<br />
I think if I hired two consultants and asked them to evaluate a small business network I would get not just two approaches but also two units of measure. It is like I ask someone &#8220;How big is it?&#8221; and the result came in weight and volume with no understanding of how one might relate these with density. Security sometimes seems more like alchemy than chemistry.<br />
We are in sad need of measures and metrics. Having some basic data would be a good start.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: PHB</title>
		<link>http://emergentchaos.com/archives/2007/11/how-government-can-improve-cyber-security.html/comment-page-1#comment-4156</link>
		<dc:creator>PHB</dc:creator>
		<pubDate>Tue, 13 Nov 2007 20:51:12 +0000</pubDate>
		<guid isPermaLink="false">http://emergentchaos.com/?p=2555#comment-4156</guid>
		<description>Adam, I agree that government spending on research is good (my work was funded by five governments over the years), but suggesting this as THE way government needs to help frames the problem as a research problem.
I think we know what needs to be done, the big question is how to do it. How do we get from A to B?
</description>
		<content:encoded><![CDATA[<p>Adam, I agree that government spending on research is good (my work was funded by five governments over the years), but suggesting this as THE way government needs to help frames the problem as a research problem.<br />
I think we know what needs to be done, the big question is how to do it. How do we get from A to B?</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Adam</title>
		<link>http://emergentchaos.com/archives/2007/11/how-government-can-improve-cyber-security.html/comment-page-1#comment-4155</link>
		<dc:creator>Adam</dc:creator>
		<pubDate>Tue, 13 Nov 2007 15:01:59 +0000</pubDate>
		<guid isPermaLink="false">http://emergentchaos.com/?p=2555#comment-4155</guid>
		<description>PHB,
I think there is a component of government action that could be very helpful.  Chris Walsh&#039;s work in getting reports from New York State online has been expensive in his time and money, and has exposed issues with the Attrition and PrivacyRights data sets.  New Hampshire putting their reports online allows people to do less work gathering data, and more work analyzing it.
I think it&#039;s a reasonable function of government to collect and distribute data, and one which could enable a tremendous amount of valuable research.
</description>
		<content:encoded><![CDATA[<p>PHB,<br />
I think there is a component of government action that could be very helpful.  Chris Walsh&#8217;s work in getting reports from New York State online has been expensive in his time and money, and has exposed issues with the Attrition and PrivacyRights data sets.  New Hampshire putting their reports online allows people to do less work gathering data, and more work analyzing it.<br />
I think it&#8217;s a reasonable function of government to collect and distribute data, and one which could enable a tremendous amount of valuable research.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: PHB</title>
		<link>http://emergentchaos.com/archives/2007/11/how-government-can-improve-cyber-security.html/comment-page-1#comment-4154</link>
		<dc:creator>PHB</dc:creator>
		<pubDate>Tue, 13 Nov 2007 13:12:11 +0000</pubDate>
		<guid isPermaLink="false">http://emergentchaos.com/?p=2555#comment-4154</guid>
		<description>Without trying to be contrarian, I think that Adam described how the research community can improve computer security. That is not the same thing as how government can help.
More research is certainly good but I am strongly of the opinion that our Internet security problem is not a lack of tools. Instead the problem is how to put the tools to use. After three decades of PK and fifteen years of the Web we have three cryptographic security infrastructures that are deployed and used at approaching Internet scale (hundreds of millions to billions of users). One of these is SSL, another is Chip and PIN, the other is DVD-CSS. Only two of those systems actually work. WiFi security, WPA and WEP, is currently a runner-up.
One observation to make is that most &#039;Internet&#039; crime isn&#039;t. Phishing is not an Internet crime, it&#039;s bank fraud. Deploy strong authentication in the credit card infrastructure and we take a big bite out of phishing fraud.
The question that only government can address is why Chip and PIN is deployed in Europe but not the US?
The answer the bankers give is that the economics of the credit card industry are very different, lots of issuers, few acquirers. That makes it hard to deploy a security measure where costs fall on the acquirer but the benefit goes to the issuer. Particularly when anti-trust laws make renegotiation of settlement fees impractical.
What government can do and no other party can do is to align responsibility to act with ability to act through regulation.
That said, I do have some questions about the composition of this group. Despite the title it is clearly not a body appointed by the 44th President since we don&#039;t know who she is yet. What is the scope of the body? Is it only US nationals or is it looking to experiences in other countries? This is very important in my view because Internet crime has very different patterns in different countries across the world and many of the differences are due to the impact of regulation.
At the very least governments must become aware of the cyber-security implications of new regulations they make. The license plate story elsewhere on this blog illustrates how government actions can have unforeseen but entirely foreseeable impact.
</description>
		<content:encoded><![CDATA[<p>Without trying to be contrarian, I think that Adam described how the research community can improve computer security. That is not the same thing as how government can help.<br />
More research is certainly good but I am strongly of the opinion that our Internet security problem is not a lack of tools. Instead the problem is how to put the tools to use. After three decades of PK and fifteen years of the Web we have three cryptographic security infrastructures that are deployed and used at approaching Internet scale (hundreds of millions to billions of users). One of these is SSL, another is Chip and PIN, the other is DVD-CSS. Only two of those systems actually work. WiFi security, WPA and WEP, is currently a runner-up.<br />
One observation to make is that most &#8216;Internet&#8217; crime isn&#8217;t. Phishing is not an Internet crime, it&#8217;s bank fraud. Deploy strong authentication in the credit card infrastructure and we take a big bite out of phishing fraud.<br />
The question that only government can address is why Chip and PIN is deployed in Europe but not the US?<br />
The answer the bankers give is that the economics of the credit card industry are very different, lots of issuers, few acquirers. That makes it hard to deploy a security measure where costs fall on the acquirer but the benefit goes to the issuer. Particularly when anti-trust laws make renegotiation of settlement fees impractical.<br />
What government can do and no other party can do is to align responsibility to act with ability to act through regulation.<br />
That said, I do have some questions about the composition of this group. Despite the title it is clearly not a body appointed by the 44th President since we don&#8217;t know who she is yet. What is the scope of the body? Is it only US nationals or is it looking to experiences in other countries? This is very important in my view because Internet crime has very different patterns in different countries across the world and many of the differences are due to the impact of regulation.<br />
At the very least governments must become aware of the cyber-security implications of new regulations they make. The license plate story elsewhere on this blog illustrates how government actions can have unforeseen but entirely foreseeable impact.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Ed Felten</title>
		<link>http://emergentchaos.com/archives/2007/11/how-government-can-improve-cyber-security.html/comment-page-1#comment-4153</link>
		<dc:creator>Ed Felten</dc:creator>
		<pubDate>Mon, 12 Nov 2007 13:45:52 +0000</pubDate>
		<guid isPermaLink="false">http://emergentchaos.com/?p=2555#comment-4153</guid>
		<description>Thanks for a great suggestion, Adam.  I&#039;ll keep it in mind as the commission discusses what to recommend.
</description>
		<content:encoded><![CDATA[<p>Thanks for a great suggestion, Adam.  I&#8217;ll keep it in mind as the commission discusses what to recommend.</p>
]]></content:encoded>
	</item>
</channel>
</rss>

