
Voluntary Reporting of Cybersecurity Incidents

One of the problems with trying to secure systems is the lack of knowledge in the community about what has or hasn’t worked. I’m on record as calling for an analog to the National Transportation Safety Board: a government agency that investigates major outages and publishes the results.

In the current, deregulatory political climate, though, that isn’t going to happen. But how about a voluntary system? That’s worked well in aviation—could it work for computer security? Per a new draft paper with Adam Shostack, Andrew Manley, Jonathan Bair, Blake Reid, and Pierre De Vries, we think it can.

While there’s a lot of detail in the paper, there are two points I want to mention here. First, the aviation system is supposed to guarantee anonymity. That’s easier in aviation, where, say, many planes are landing at O’Hare on a given day, than in the computer realm, where a detailed incident description often identifies the victim. For that reason (among others), we’re focusing on “near misses”: it’s less revelatory to say “we found an intruder trying to use the Struts hole” than to say “someone got in via Struts and personal data for 145 million people was taken”.

From a policy perspective, there’s another important aspect. The web page for ASRS is headlined “Confidential. Voluntary. Non-Punitive”—with the emphasis in the original. Corporate general counsels need assurance that they won’t be exposing their organizations to more liability by doing such disclosures. That, in turn, requires buy-in from regulators. (It’s also another reason for focusing on near-misses: you avoid the liability question if the attack was fended off.)

All this is discussed in the full preprint, at LawArxiv or SSRN.

By Steven Bellovin, Professor of Computer Science at Columbia University

Bellovin is the co-author of Firewalls and Internet Security: Repelling the Wily Hacker, and holds several patents on cryptographic and network protocols. He has served on many National Research Council study committees, including those on information systems trustworthiness, the privacy implications of authentication technologies, and cybersecurity research needs.


Comments

interesting, but (Anthony Rutkowski, Dec 5, 2017 5:06 PM)

The article was published five years ago.  A quick observation is that the investigation of aircraft related incidents is profoundly more simple, and all the parties have similar strong incentives and relatively the same trust levels to exchange threat information and the remediations.  That does not exist in the rather vast complicated world of networks and information systems overlaying all the jurisdictions of the world.  In the aviation world, you also have a relative handful of vendors and carriers who are dealing with relatively stable, very closed systems.

What provides some solace and a move forward since 2012 is the emergence of STIX as a common platform among so many parties for capturing and exchanging threat and remediation information.  Getting beyond that will remain a challenge, notwithstanding the threat exchange mandates enacted in the U.S. and Europe among other venues in 2015.
