-----BEGIN PGP SIGNED MESSAGE-----
Finding 3: Correlation of Multiple Incidents between Public and Private
Sectors. Correlation of multiple incidents across multiple infrastructures
and between the public and private sectors remains a major challenge...
And a question:
Do network operators have something to learn from these DHS activities
or do we have best practices that the DHS should be copying?
The point here relates specifically to awareness across organizational
lines, and I'd say that both public and private industries have issues
with sharing information with anyone outside their organization,
especially with competitors (ideological, national, or financial).
It doesn't really matter whether you're public or private; what matters
is how broad your scope is. I'm sure that backbone providers have a
broader view than a leaf node, and that the networking unit in a
particular government department is equally situated when compared to
an individual remote site.
I think that with cryptography we could alleviate some of the concerns
with information sharing between enterprises; that allows us to
establish a larger, shared view of things. This has a few benefits;
we see the problems earlier than the average leaf, and we have more
data to analyze trends than the average leaf. However, I think that
nobody has made a proper business case for expending the effort, or
if someone has that they have not communicated it widely enough.
It's not enough for technicians to know, you have to have simple
slogans or tragedies large enough that you can point to them and
say "that's what this would have avoided".
I would say that large banks have the best combination of bigness
and resources that they can employ, and IIRC have some sort of
exclusive information-sharing arrangement about security
incidents; they are not allowed to share that information, even
with the government, except perhaps under subpoena. Well, that
was true in the pre-PATRIOT act days. I know that they are big enough
to see malware on occasion before the anti-virus companies see it.
Sadly, governments almost always seem to be preparing for the last
war, or avoiding yesterday's problem. I believe that this is a
direct consequence of the fact that they attract the most risk-averse
employees. In the clearance world, being a risk-taker is considered a
disqualifying factor. There's a lot of competitiveness for the
limelight, and a lot of decisions are made based on trying to make
others appear foolish, or to cover up your own mistakes, not only
because they desire job security, but also because a lot of the
attention is negative. It seems like the government's failures
are usually public, and their successes unquantifiable. How many
intrusions did you stop? Who knows? When it can't be quantified,
or it's really technical, it's subject to internal spin or
scapegoating or... well, politics.
Also, government agencies have an inherent limitation on efficiency.
An unregulated corporation can choose not to enter an unprofitable
market. Governments are not allowed this luxury, in general.
They also have to balance the desires of different constituents;
privacy advocates complaining about any intelligence-gathering,
lassez-faire libertarians who think the private sector would do
a better job at everything, jingoists and politicians who want to
score a point by blaming them for not stopping every bad possibility
for every citizen everywhere, all the time, and so on.
Personally, I'm not worried about terrorism. Not that long ago,
we were worried about the entire planet being made uninhabitable
and humanity quickly extinct by mutually assured destruction.
Now we only have to worry about a cause of death with roughly
the same probability of being killed by a snake bite. I didn't
hear anyone calling for a war on snakes (not even on planes).
I consider this excellent progress.
PS: This is an excellent blog on security, technology, and
homeland security: http://www.schneier.com/blog/
The whole point of the Internet is that different kinds of computers
can interoperate. Every time you see a web site that only supports
certain browsers or operating systems, they clearly don't get it.