Cybersecurity is Realpolitik



Cyber Security And Politics

Hello bloggers, see you again with me, the most handsome host. (But still single, handsome as I am :v)
I will share some information that may be useful for all of us.
It is information that is sometimes forgotten but has a correlation that is essential to life, primarily political matters.
Calm down, brother, don't go just yet. Although what I will convey relates to politics, let's not be hypocritical, because everywhere our lives will always intersect with other people, mainly on political issues. So let's check out this entry.

Cybersecurity as realpolitik

Good morning and thank you for the invitation to speak with you
today. The plaintext of this talk has been made available to the
organizers. While I won't be taking questions today, you are
welcome to contact me later and I'll do what I can to reply. For
simple clarity, let me repeat the abstract for this talk:

Power exists to be used. Some wish for cyber security, which they
will not get. Others hope for cyber order, which they will not
get. Some have the eye to discern cyber policies that are "the
least worst thing;" may they fill the vacuum of wishful thinking.

There are three professions that beat their practitioners into a
state of humility: agriculture, weather forecasting and security.
I practice two of them, and, as such, let me assure you that
the recommendations that follow are presented in all humility. Humility
does not mean timidity. On the contrary, it means that when a strongly
held belief is proven wrong, the humble person changes their mind.
I expect that my proposals will result in considerable push-back,
and changing my mind may well follow. Although I will say it again
later, this speech is me talking for myself.

As if it needed saying, cyber security is now a riveting concern,
a top issue in many venues more important than this one. This is
not to insult Black Hat; rather it is to note that every speaker,
every writer, every practitioner in the field of cyber security
who has wished that its topic, and we with it, were taken seriously
has gotten their wish. Cyber security *is* being taken seriously,
which, as you know, is not the same as being taken usefully,
coherently, or lastingly. Whether we are talking about laws like the
Digital Millennium Copyright Act or the Computer Fraud and Abuse
Act, or the non-lawmaking but perhaps even more significant actions
that the Executive agencies are undertaking, "we" and the cyber
security issue have never been more at the forefront of policy.
And you haven't seen anything yet.

I wish that I could tell you that it is still possible for one
person to hold the big picture firmly in their mind's eye, to track
everything important that is going on in our field, to make few if
any sins of omission. It is not possible; that phase passed sometime
in the last six years. I have certainly tried to keep up, but I
would be less than candid if I were not to say that I know that I
am not keeping up, not even keeping up with what is going on in my
own country, let alone all countries. Not only has cybersecurity
reached the highest levels of attention, it has spread into almost
every corner. If area is the product of height and width, then
the footprint of cybersecurity has surpassed our grasp.

The rate of technological change is definitely part of it. When
younger people ask my advice about what they should do or study to
make a career in security, I can only advise specialization.
Those of us who were in the game early enough and who have managed
to retain an over-arching generalist knowledge cannot be replaced
very easily, because while absorbing most new information most of
the time may have been possible when we began practice, no one
starting from scratch can do that now. Serial specialization is
now all that one can do in any practical way. Just looking at the
Black Hat program will confirm that being really good at any one
of the many topics presented here all but requires shutting out
the demands of being good at any others.

Why does that matter? Speaking for myself, I am not interested in
the advantages or disadvantages of some bit of technology unless I
can understand how it is that the technology works. Whenever I see
marketing material that tells me all the good things that adopting
this or that technology makes possible, I remember what George
Santayana said, that "Scepticism is the chastity of the intellect;
it is shameful to give it up too soon, or to the first comer." I
suspect that most of you have similar skepticism -- "It's
magic!" is not the answer a security person will ever accept. By
and large, I can tell *what* something is good for once I know *how*
it works. Tell me how it works and then, but only then, tell me
why you have chosen to use those particular mechanisms for
the things that you have chosen to use them for.

Part of my feeling stems from a long-held and well-substantiated
belief that all cyber security technology is dual use. Perhaps
dual use is a truism for any and all tools, from the scalpel to the
hammer to the gas can -- they can be used for good or ill -- but I
know that dual use is inherent in cyber security tools. If your
definition of "tool" is wide enough, I suggest that the cyber
security tool-set favors offense these days. Chris Inglis, recently
retired NSA Deputy Director, said that if we were to score cyber
the way we score soccer, the tally would be 462-463 twenty minutes
into the game,[CI] i.e., all offense. I will take his comment as
confirming at the highest level not only the dual use nature of
cybersecurity but also that offense is where the innovation
that only States can afford is going on.

Nevertheless, this essay is an outgrowth from, an extension of,
that increasing importance of cybersecurity. With the humility of
which I spoke, I do not claim that I have the last word. What I
do claim is that when we speak about cybersecurity policy we are
no longer engaging in some sort of parlor game. I claim that policy
matters are now the most important matters, that once a topic area,
such as cybersecurity, becomes interlaced with almost every aspect of
life for almost everyone, the outcome differential between good
policies and bad policies broadens, and the ease of finding answers
falls. As H.L. Mencken so trenchantly put it, "For every complex
problem there is a solution that is clear, simple, and wrong."

The four verities of government are these:
. Most important ideas are unappealing
. Most appealing ideas are unimportant
. Not every problem has a good solution
. Every solution has side effects

This quartet of verities certainly applies to the interplay between
cybersecurity and the affairs of daily living. Over my lifetime
the public expectation of what government can and should do has
spectacularly broadened from guaranteeing that you may engage in the
"pursuit of happiness" to guaranteeing happiness in and of
itself. The central dynamic internal to government is, and always
has been, that the only way for either the Executive or the Legislature
to control the many sub-units of government is by way of how much
money they can hand out. Guaranteeing happiness has the same dynamic
-- that the only tool government really has to achieve the outcome of
everyone happy or everyone healthy or everyone safe at all times
from things that go bump in the night is through the dispensing of
money. This is true in foreign policy; one can reasonably argue
that the United States' 2007 troop "surge" in Iraq did provide
an improvement in safety. One can also argue that the work of
those troops, some of whom gave what Abraham Lincoln called "the last
full measure of devotion," was materially aided by the less publicized
arrival of C-130s full of $100 bills with which to buy off potential
combatants. Why should cybersecurity be any different?

Suppose, however, that surveillance becomes too cheap to meter,
that is to say too cheap to limit through budgetary processes. Does
that lessen the power of the Legislature more, or the power of the
Executive more? I think that ever-cheaper surveillance substantially
changes the balance of power in favor of the Executive and away
from the Legislature. While President Obama was referring to
something else when he said "I've got a pen and I've got a phone,"
he was speaking to exactly this idea -- things that need no
appropriations are outside the system of checks and balances. Is
the ever-wider deployment of sensors in the name of cybersecurity
actually contributing to our safety? Or is it destroying our safety
in order to save it?

To be entirely clear by way of repetition, this essay is written by
someone as his own opinion and not on behalf of anyone else. It is
written without the supposed benefits of insider information; I
hold no Clearance but am instead informed solely by way of open
source intelligence. This path may be poised to grow easier; if
the chief benefit of having a Clearance is to be able to see into
the future a little further than those without one, then it must
follow that as the pace of change accelerates, the difference between
how far you can see with a Clearance and how far you can see
without one will shrink.

There are, in other words, parallels between cybersecurity and the
intelligence functions insofar as predicting the future has a strong
role to play in preparing your defenses for probable attacks. As
Dave Aitel has repeatedly pointed out, the hardest part of crafting
good attack tools is testing them before deployment. Knowing what
your tool will find, and how to cope with that, is surely harder
than finding an exploitable flaw in and of itself. This, too, may
grow in importance if the rigor of testing causes attackers to use
some portion of the Internet at large as their test platform rather
than whatever rig they can afford to set up in their own shop. If
that is the case, then full-scale traffic logs become an indispensable
intelligence tool insofar as when an attack appears to be de novo,
those with full-scale traffic logs may be in a position to answer
the question "How long has this been going on?" The company Net
Witness, now part of EMC, is one player that comes to mind in this
regard, and there are others. This idea of looking backward for
evidence that you did not previously know enough to look for
certainly has intelligence value both for the nation State and for
the enterprise.

And there is a lot of traffic that we don't have a handle on. John
Quarterman of Internet Perils makes a round number guess that 10%
of Internet backbone traffic is unidentifiable as to protocol.[JQ]
Whether he is off by a factor of two in either direction, that is
still a lot of traffic. Arbor Networks estimates that perhaps 2%
of all *identifiable* backbone traffic is, to use their term, "raw
sewage."[AN] There are plenty of other estimates of this sort, of
course. To my way of thinking, all such estimates continue to
remind us that the end-to-end design of the Internet[SRC] was not
some failure of design intellect but a brilliant avoidance of having
to pick between the pitiful toy a completely safe Internet would
have to be versus an Internet that was the ultimate tool of State
control. In nothing else is it more apt to say that our choices
are freedom, security, convenience -- choose two.

Let me now turn to some policy proposals on a suite of pressing
current topics. None of these proposals is fully formed, but as
you know, those who don't play the game don't make the rules. These
proposals are not in priority order, though some are more at odds
with current practice than others and might, therefore, be said to
be more pressing. There are more where these came from, but this
talk has a time limit, and there is a meta-analysis at the end.

1. Mandatory reporting -- YES/Tiered

The United States Centers for Disease Control are respected
the world around. When you really get down to it, three capabilities
describe the CDC and why they are as effective as they are: (1)
mandatory reporting of communicable diseases, (2) stored data and
the data analytic skill to distinguish a statistical anomaly from
an outbreak, and (3) away teams to take charge of, say, the appearance
of Ebola in Miami. Everything else is details. The most fundamental
of these is the mandatory reporting of communicable diseases.

At the same time, we have well-established rules about medical
privacy. Those rules are helpful; when you check into the hospital
there is a licensure-enforced, accountability-based, need-to-know
regime that governs the handling of your data.[PHI] Most days,
that is, but if you check in with Bubonic Plague or Typhus or
Anthrax, you will have zero privacy, as those are the "mandatory
reporting of communicable disease conditions" as variously mandated
not just by the CDC but by public health law in all fifty States.

So let me ask you, would it make sense, in a public health of
the Internet way, to have a mandatory reporting regime for cybersecurity
failures? Do you favor having to report cyber penetrations of your
firm or of your household to some branch of government or some
non-government entity? Should you face criminal charges if you
fail to make such a report? Forty-eight States vigorously penalize
failure to report sexual abuse of children.[SMC] The (US)
Computer Fraud and Abuse Act[CFAA] defines a number of felonies
related to computer penetrations, and the U.S. Code says that it
is a crime to fail to report a felony of which you have knowledge.[USC]
Is cybersecurity event data the kind of data around which you want
to enforce mandatory reporting? Forty-six States require mandatory
reporting of one class of cyber failures in the form of their data
breach laws,[CSB] while the Verizon Data Breach Investigations
Report[VDB] found, and the Index of Cyber Security[IC] confirmed,
that 70-80% of data breaches are discovered by unrelated third
parties, not by the victim, meaning that the victim might never
know if those who do the discovering were to keep quiet. If you
discover a cyber attack, do you have an ethical obligation to report
it? Should the law mandate that you fulfill such an obligation?

My answer to this set of questions is to mirror the CDC, that is,
for the force of law to require reporting of cybersecurity failures
that are above some severity threshold that we have yet to negotiate.
Below that threshold, I endorse the suggestion made in a piece two
weeks ago, "Surviving on a Diet of Poisoned Fruit," by Richard
Glenn Danzig, where he made this policy proposal:[RD]

Fund a data collection consortium that will illuminate
the character and magnitude of cyber attacks against the U.S. private
sector, using the model of voluntary reporting of near-miss
incidents in aviation. Use this enterprise as well to help
develop common terminology and metrics about cybersecurity.

While regulatory requirements for aviation accident reporting are
firmly established through the National Transportation Safety
Board, there are no requirements for reporting the vastly more
numerous and often no less informative near misses. Efforts to
establish such requirements inevitably generate resistance:
airlines would not welcome more regulation and fear the reputational
and perhaps legal consequences of data visibility; moreover,
near accidents are intrinsically more ambiguous than accidents.
An alternative path was forged in 2007 when MITRE, a government
contractor, established an Aviation Safety Information Analysis
and Sharing (ASIAS) system receiving near-miss data and providing
anonymized safety, benchmarking and proposed improvement reports
to a small number of initially participating airlines and
the Federal Aviation Administration (FAA).

Today, 44 airlines participate in that program voluntarily. The
combination of a mandatory CDC model for above-threshold cyber
events and a voluntary ASIAS model for below-threshold events is
what I recommend. This leaves a great deal of thinking still to be
done; diseases are treated by professionals, but malware infections
are treated by amateurs. Diseases spread within jurisdictions
before they become global, but malware is global from the get-go.
Diseases have predictable behaviors, but malware comes from sentient
opponents. Don't think this proposal is an easy one or one without
side effects.

2. Net neutrality -- CHOICE

There is considerable irony in the Federal Communications Commission
classifying the Internet as an information service and not as a
communications service, insofar as while that may have been a gambit
to relieve ISPs of telephone-era regulation, the value of
the Internet is ever more the bits it carries, not the carriage of
those bits. The FCC's decisions are both several and now old: the FCC
classified cable as an information service in 2002, classified DSL
as an information service in 2005, classified wireless broadband
as an information service in 2007, and classified broadband over
power lines as an information service in 2008. A decision by the
D.C. Circuit Court of Appeals on this very point appeared earlier
this year,[VZF] but settled little. The question remains, is the
Internet a telecommunications service or an information service?

I have nothing new to say to you about the facts, the near-facts,
or the lying distortions inherent in the debate over network
neutrality so far or still to come. What I can say is that network
neutrality is no panacea, nor is it a curse; people's tastes vary
and so do corporations'. What I can say is that the varied tastes
need to be reflected in constrained choice rather than the idea
that the FTC or some other agency can assure happiness if and only
if it, rather than corporations or individuals, does the choosing.
Channeling Doctor Seuss, if I ran the zoo I'd call up the ISPs
and say this:

Hello, Uncle Sam here.

You can charge whatever you like based on the contents of what
you are carrying, but you are responsible for that content if it
is hurtful; inspecting brings with it a responsibility for what
you learn.
-or-
You can enjoy common carrier protections at all times, but you
can neither inspect nor act on the contents of what you are
carrying and can only charge for carriage itself. Bits are bits.

Choose wisely. No refunds or exchanges at this window.

In other words, ISPs get the one or the other; they do not get both.
The FCC gets some heartache, but also a natural experiment in whether
those who choose common carrier status turn out differently than
those who choose multi-tiered service grades with liability exposure.
We already have plenty of precedent and law in this space. The
United States Postal Service's term of art, "sealed against inspection,"
is reserved for items on which the highest postage rates are charged;
is that also worth stirring into the mix?

As a side comment, I might add that it was in Seuss' book _If I Ran
the Zoo_ that the word "nerd" first appeared in English. If Black
Hat does not yet have an official book, I would suggest this one.
