http://emergentchaos.com/archives/2009/07/bob-blakely-on-the-cybersecurity-conversation.html The Emergent Chaos Jazz Combo Wed, 01 Feb 2012 19:20:40 +0000 hourly 1 http://wordpress.org/?v=3.3.1 http://emergentchaos.com/archives/2009/07/bob-blakely-on-the-cybersecurity-conversation.html/comment-page-1#comment-5925 Adam Wed, 08 Jul 2009 11:48:03 +0000 http://emergentchaos.com/?p=3159#comment-5925 Bob Blakely--I fully agree there's chicken and egg. Which is why we need a conversation which includes a strategic level. Bob Blakely–I fully agree there’s chicken and egg. Which is why we need a conversation which includes a strategic level.

]]> http://emergentchaos.com/archives/2009/07/bob-blakely-on-the-cybersecurity-conversation.html/comment-page-1#comment-5924 Bob Stratton Tue, 07 Jul 2009 13:28:37 +0000 http://emergentchaos.com/?p=3159#comment-5924 The current "information sharing" discussion is directly parallel to the "incident reporting" discussion in which so many of us participated in the late '80s and early '90s. At the time, the legal frameworks were mostly non-existent. In the U.S. people were being charged with wire fraud for computer intrusions, and when I went to Japan in 1998, they told me the best they could do was charge intruders with tying up the phone lines. Very few of my commercial clients wanted to report incidents to authorities. Since then, there is a much better (if admittedly imperfect) legal infrastructure and significantly more savvy attorneys and police. I think we're seeing a similar process now. I am witnessing a number of well-intentioned and at least partially functional efforts to bring together vendors, government(s) and sectors to figure out a) what to share, b) what the problems are around sharing it, and c) how to keep the cycle going. Are some of them influenced by hidebound bureaucracy? Absolutely. Nonetheless, it's constructive movement. A process, not an event. I am actually looking forward to the point where some of the trickier issues really come to the fore and force a reevaluation of how governments view multinational commercial entities. We've all too often heard the refrain that "the private sector owns and operates ~85% of critical infrastructures." It may just be my biases, but sometimes I think I hear frustration behind that when I hear it from governments. I'm hoping (perhaps wistfully) that the process of sharing rather sensitive information on outcomes will engender enough good will that the parties realize that industry isn't and shouldn't be government and vice versa. The current “information sharing” discussion is directly parallel to the “incident reporting” discussion in which so many of us participated in the late ’80s and early ’90s. At the time, the legal frameworks were mostly non-existent. In the U.S. people were being charged with wire fraud for computer intrusions, and when I went to Japan in 1998, they told me the best they could do was charge intruders with tying up the phone lines. Very few of my commercial clients wanted to report incidents to authorities. Since then, there is a much better (if admittedly imperfect) legal infrastructure and significantly more savvy attorneys and police.
I think we’re seeing a similar process now. I am witnessing a number of well-intentioned and at least partially functional efforts to bring together vendors, government(s) and sectors to figure out a) what to share, b) what the problems are around sharing it, and c) how to keep the cycle going.
Are some of them influenced by hidebound bureaucracy? Absolutely. Nonetheless, it’s constructive movement. A process, not an event.
I am actually looking forward to the point where some of the trickier issues really come to the fore and force a reevaluation of how governments view multinational commercial entities. We’ve all too often heard the refrain that “the private sector owns and operates ~85% of critical infrastructures.” It may just be my biases, but sometimes I think I hear frustration behind that when I hear it from governments.
I’m hoping (perhaps wistfully) that the process of sharing rather sensitive information on outcomes will engender enough good will that the parties realize that industry isn’t and shouldn’t be government and vice versa.

]]> http://emergentchaos.com/archives/2009/07/bob-blakely-on-the-cybersecurity-conversation.html/comment-page-1#comment-5923 Bob Blakley Tue, 07 Jul 2009 12:22:58 +0000 http://emergentchaos.com/?p=3159#comment-5923 I think we may be confronting chickens and eggs. California SB 1386's requirement for breach notification required companies experiencing a data breach to take blame in public. It was this publicity that started to give us reliable breach information. I think we may be confronting chickens and eggs. California SB 1386′s requirement for breach notification required companies experiencing a data breach to take blame in public. It was this publicity that started to give us reliable breach information.

]]>