It has been a very busy couple of months in the world of network breaches and incident response! The news has reported on a very complex and large attack against U.S. bank JPMorgan. Most recently, retail giant Home Depot has been the victim of a breach that various news sources are saying could be larger than the Target breach. Once under-the-radar events that were only important to network security and IT professionals, network breaches are now seen and felt by tens of millions of consumers.
While cyber-attacks against Federal entities like the Department of Defense and the White House have been occurring for years, recently the target list has expanded to include corporations. This has in turn led to large amounts of intellectual property being compromised. The attackers have even begun targeting research and technological advancements under development at educational institutes. To combat this, the Defense Industrial Base joined together in 2011 and started sharing information to better protect themselves from these threats.
In 2008, we saw cyber-attacks used as a critical part of the war between Russia and Georgia. This was one of the first times the world saw a nation-state opening up a cyber-front in a physical war. Since then, cyber-attacks between feuding nations have become commonplace. While these cyber-attacks do not put the average citizen at risk of physical injury, citizens are nonetheless becoming collateral damage on the front lines.
Before I dive into the meat of this post, let me offer some friendly advice. I'm sitting at the food court adjoining the south conference center here at the Mandalay Bay, and I just saw an attendee plug his device directly into one of those convenient USB sockets provided for charging your gadgets. I guess it's probably safe all things considered, but on principle please don't do this. Not here. Not now.
Where was I? At the food court. Speaking of food, Dan Geer's keynote Wednesday morning was chock-full of food for thought. He put forward nothing less than a set of proposals intended to radically reset the balance between safety and order on the Internet, noting that its very nature prevents us from having much of both. I want you to go watch his speech for yourself, but I will provide a quick list of the ten areas he discussed today. Do watch the speech, as my gross oversimplifications will fail to do justice to Geer's ideas.
1) Enforce CDC-style mandatory reporting rules for cybersecurity failures exceeding a (yet to be negotiated) severity threshold.
2) Net neutrality: Geer contended that if an ISP makes itself privy to the content, source or destination of the traffic flowing over its network, it necessarily makes itself responsible (and liable) for what it learns about this traffic. Or ISPs can be common (i.e., neutral) carriers. But not, he claimed, both.