In Depth

Bill Boni and Ira Winkler on Insider Threats and the Death by 1,000 Cuts

Security veterans Boni and Winkler talk about protecting intellectual property from insiders and snoops.

By Derek Slater

Page 7

Care to hazard a guess as to how many information security people understand that concept?

Boni: Well, a manager-level employee may not be personally equipped to have that dialogue or may not be organizationally well placed [for it]. You can pretty much track the maturity of the security program, typically, by its placement within the company. As we see more CISOs put in place, that's becoming part and parcel of how they interact with upper management.

It seems like a race to see whether a critical mass of companies can reach that level of maturity before regulation becomes a necessity. The Department of Homeland Security has expressed a preference against regulation and is in favor of public-private partnerships. The DHS is counting on the private sector getting its cybersecurity in order out of something like enlightened self-interest.

Boni: I attended a meeting where Tom Ridge and key DHS staff came to speak, and there was some very pointed questioning by attendees and a certain amount of private-sector skepticism. But my sense is that Ridge understands that. And [partnership] is the right way to approach it. They're talking about maybe assigning Secret Service agents to banks and big brokerages to help interpret laws and regulations, so there's nobody who accidentally handles things the wrong way due to a lack of understanding. They'd take the posture that, "We're here from the government to help you, be a copilot, help interpret our mind-numbing array of existing regulations." But also to help disseminate information and analysis and provide reports to the security officers; for example, "Here's a scam we've seen, and here's how it works." Bingo. That's the kind of information I want as a private-sector employee. I'm happier if we can use our understanding of criminal mechanisms to prevent cybercrime, not just penalize wrongdoers after the fact. Let's turn government into a learning organization.

That is the analog to the cyberunderground mechanism that shares information: "Hey, this is how this exploit works, let's add something and go hack someone!" The Rand Corp. [an independent think tank] has a study called "The Advent of Netwar" [available at www.rand.org/publications/MR/MR789] that's an excellent study of that kind of network-model, loose organization. The more traditional model in government is to send all the information to the center point and then sit back and expect them to be the ones who act. Hierarchies like that are at a tremendous disadvantage versus a network-model group of attackers. So let's build a network-enabled group of defenders. Information-sharing from point to point as well as point to center has great potential and is going to be required to have an effective societal response to cybercrime or terrorism. Community policing in cyberspace.
