funsec mailing list archives
Re: cyber-9/11
From: der Mouse <mouse () rodents-montreal org>
Date: Wed, 8 Apr 2009 19:00:09 -0400 (EDT)
> Robert, let me rephrase my last question. Clearly, you oppose government regulation to force companies to take adequate security measures. What would you suggest that we do to get these companies to take adequate security measures?
I'm not Robert, but, as someone (else) who opposes such government regulation, perhaps I can say a little. I oppose such regulation because I believe it will not have any beneficial effect. This is not because I believe there is no beneficial effect possible, but rather because I believe that is not what would come out of such regulation. For example, the first thing I think needs mandating for SCADA systems is that they not run any operating system with at least, say, a 15% market share - it's just too dangerous to be part of anything even that close to a monoculture. But is that what regulation would produce? Of course not. It would, I feel sure, result in (for example) a mandate to run AV software - to which I reply "xkcd #463": if you're running anything even capable of running AV software, You're Doing It Wrong already. And, indeed, mandating running AV software actually _impairs_ security, because it mandates running something capable of supporting AV software and thus prevents sitting outside monocultures.
> Surely, you would not advocate a position of "let them crash and burn"?
As bad as that is, I consider it better than bad government regulation. Good government regulation might be better, but I don't believe that will happen - indeed, I don't believe it _can_ happen at present; how to secure a network of computers such as we're talking about here is very much an open research problem. (It's easy to do in theory, but only theories that ignore or handwave the human elements, such as by assuming people will always follow defined procedures even when they are inconvenient. That works for cases like spooks, where people _do_ follow inconvenient procedures, because there's real enforcement to weed out those who don't; it won't work for subcontractors of subcontractors who are used to propping open doors while they step out for a smoke, who don't understand how there can be any risk in bringing a personal thumb drive in from home....) I really do not think the state of the art is up to setting up SCADA networks on the sort of scale we're talking about here. If we try, we _will_ crash and burn, with or without regulation; all we will have control over is exactly what sort of crash-and-burn mode we'll see. I would much rather the first half-dozen crashes-and-burns were on small test networks with good failover to tried-and-true backups, not on large-scale live infrastructure. I don't for a moment expect that'll be how it'll play out. And I also don't believe governments are capable of grokking the issues enough to cause it to happen that way. Heck, I wouldn't trust _myself_ to write regulations to make it happen.
> A situation where the Federal government would once again be forced to come in and act in [hindsight] to correct for the excesses (inaction, in this case) of private industry?
If it's something that government can't afford to permit to crash-and-burn, it should not be privately run at all. (Governments made that mistake with financial infrastructure and most of the world is paying for it.) How to get there from here? I don't know. I fear it will probably take a few disasters to make it happen; the world certainly shows no signs of learning that lesson in the financial arena; I don't see any reason to think people will learn any faster here.

/~\ The ASCII                 Mouse
\ / Ribbon Campaign
 X  Against HTML              mouse () rodents-montreal org
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.