One of the problems with trying to secure systems is the lack of knowledge in the community about what has or hasn’t worked. I’m on record as calling for an analog to the National Transportation Safety Board: a government agency that investigates major outages and publishes the results.
In the current, deregulatory political climate, though, that isn’t going to happen. But how about a voluntary system? That’s worked well in aviation—could it work for computer security? Per a new draft paper with Adam Shostack, Andrew Manley, Jonathan Bair, Blake Reid, and Pierre De Vries, we think it can.
While there’s a lot of detail in the paper, there are two points I want to mention here. First, the aviation system is supposed to guarantee anonymity. That’s easier in aviation where, say, many planes are landing at O’Hare on a given day than in the computer realm. For that reason (among others), we’re focusing on “near misses”—it’s less revelatory to say “we found an intruder trying to use the Struts hole” than to say “someone got in via Struts and personal data for 145 million people was taken”.
From a policy perspective, there’s another important aspect. The web page for ASRS is headlined “Confidential. Voluntary. Non-Punitive”—with the emphasis in the original. Corporate general counsels need assurance that they won’t be exposing their organizations to more liability by doing such disclosures. That, in turn, requires buy-in from regulators. (It’s also another reason for focusing on near-misses: you avoid the liability question if the attack was fended off.)
All this is discussed in the full preprint, at LawArxiv or SSRN.
The article was published five years ago. A quick observation is that the investigation of aircraft-related incidents is profoundly more simple, and all the parties have similar strong incentives and relatively the same trust levels to exchange threat information and the remediations. That does not exist in the rather vast, complicated world of networks and information systems overlaying all the jurisdictions of the world. In the aviation world, you also have a relative handful of vendors and carriers who are dealing with relatively stable, very closed systems.
What provides some solace and a move forward since 2012 is the emergence of STIX among so many parties as a common platform for capturing and exchanging threat and remediation information. Getting beyond that will remain a challenge, notwithstanding the threat exchange mandates enacted in the U.S. and Europe among other venues in 2015.