Real problems. Real solutions.
Those of you who read this blog (all five of you) know that I’m an aggressively practical sort of security geek. (You thought I was going to use the OTHER “p” word, didn’t you?) One of the things that was so cool about the Lone Star Information Security Forum was the number of people there who were actually walking the walk. As in, they had holes in the bottoms of their shoes. When you’re under a confidentiality agreement, the amount of hair that gets let down is considerably more than you ever realized was there. There were lots of concrete stories that just blew me away.
Among the things I learned, in a gut-punching sort of way, is the real level of threat facing our critical infrastructure. Real people have died, and will continue to die, as a result of the compromise of automated control systems. Sure, I’ve heard the warnings for years, but all of them sounded like the bloviating of DHS drones trying to justify their tiny little piece of existence. And why? Because of the age-old dilemma of security information sharing. You don’t tend to believe assertions without real anecdotes (and, strictly speaking, you shouldn’t even trust the anecdotes but should go straight to the evidence; let’s not dwell on that right now). And you’re not going to hear any serious security failure anecdotes in public records, such as testimony to Congress. This is why the same people who have made an incredibly strong case in private sound so ... tepid in the Congressional Record.
Luckily, we have some excellent writers such as Dan Geer, who can write both vividly and plainly at the same time. Read this. And if you don’t have time to click on a link, why, he’s provided an easy summary at the end:
• We need a system of security metrics, and it is a research grade problem.
• The demand for security expertise outstrips the supply, and it is a training problem and a recruitment problem.
• What you cannot see is more important than what you can, and so the Congress must never mistake the absence of evidence for the evidence of absence, especially when it comes to information security.
• Information sharing that matters does not and will not happen without research into technical guarantees of non-traceability.
• Accountability is the idea whose time has come, but it has a terrible beauty.
What hit home for me was the realization that my systems are directly linked to these critical infrastructure systems.
Yours are too.
They ALL are, thanks to the Internet. Each of us is the unattended back gate that could let in the attackers next time, if they but find it.
So let’s not lose sight of what really matters in information security. Every instant message or text message or email that you receive (O RLY?) should remind you how close we are, and that with closeness comes shared risk and shared responsibility. We are all each other’s keepers.


Sounds like that meeting you had is exactly the kind of thing I’ve written/pined for in previous months, about sharing information openly as opposed to the ever-guarded and vague statements shared outside of disclosure agreements. Criminals and malicious users have no such stipulations and share information openly, or as much as they can and still preserve their “market share.” I like that second bullet as well, as I truly believe that. We’re not recruiting security properly yet (then again, is it possible when supply is low? The sec geeks of the future need to start somewhere…), but we’re certainly not training properly.
Sounds like you had a very positive experience at this meeting! I’m glad!