Call it the tragedy of the commons. Call it a problem with collective action. But whatever you call it, the problem ultimately is a lack of information sharing of vital information security event data within the private and public sectors. Gilman Louie, president and CEO of the CIA's In-Q-Tel venture capital firm, weighed in on this issue while speaking at the Black Hat Briefings in Las Vegas. "'We fundamentally don't have it,'" Louie said. "'We are crippled beyond your wildest imagination. We can't even get a simple thing like e-mail to work across agencies'" because no one trusts anyone else, he lamented." Such lack of trust is echoed by the private sector, where members of Information Sharing and Analysis Centers (ISAC) frequently lament the lack of useful data that is shared among members.
There are no doubt legitimate concerns that boil down to lack of trust, potential for embarrassment, and the competitive nature of the environment. However, the issue ultimately boils down to the underlying incentive: what's in it for me? Many may simply opt to take the free-rider approach of taking without giving. After all there are plenty of non-profit and for-profit security companies that plaster their web sites with all kinds of threat data. However, one only can guess on the size of their samples if no one is sharing information.
The real question, however, is what will it take to share this information. After all, it's taken acts of Congress, most recently the Sarbanes-Oxley Act of 2002, to prod public companies to give their shareholders an accurate view of a company's performance. Will the same thing be necessary for information security, and if so, will it work? SB-1386 served as the starting point when it came to a breach of consumer data. However, it remains to be seen whether much useful information can be gleaned from these breach reports that will help others protect themselves. For the government, the problem is deeper as enforcing its own laws is more a matter of politics than law. Getting agencies to play nice has been a fixation of reformer for decades. Ultimately, it has to come down to self-interest. When an agency's or an individual's performance is measured more by what they share than what they hoard, then maybe we'll see some progress.
Thursday, July 28, 2005
Subscribe to:
Post Comments (Atom)
1 comment:
Information sharing can both bring trouble and awarness. There are two ways on how an information can be of trouble. One, it would fall on the hands of irresponsible people. And two, abusing the power of it.
Post a Comment