The Ineffectual Protagonists
(The second of two parts)
There are only two ways to fight the Sophisticated Adversary: Regulate and sue
By Scott Berinato
June 16, 2004 — CSO —
Last time, I wrote about "The Sophisticated Adversary," malfeasants so socially and technically superior to you that their attacks have rendered your defenses impotent. It was a dark and cloudy bit of columning. So much so, in fact, that I felt compelled to promise a silver lining. I pledged that the next column would discuss ways to "fundamentally shift the game away from the bad guys."
In retrospect, this was a foolish promise. It assumed anyone is interested in combating the information security problem for the common good, at a holistic, architectural level; I don't think that they are. It's not hard to find people who say they are interested; most of them are selling products.
Nevertheless, I spoke with the leaders of several such vendors over the past couple of months. Smart ones, like Shlomo Kramer, who invented the firewall and has now moved on to application security; Bill Harris, who took a bad experience with phishing at PayPal and turned it into an anti-phishing startup; Robert Bales, who once founded the National Computer Security Association (which became TruSecure) and is now throwing his energy into an anti-spyware venture; and Scott Charney, CSO of Microsoft.
A couple of points emerged from these conversations. One, the solution hailed by the vendors and by the current administration, namely market forces, has largely failed. And two, a holistic approach to fixing the problem isn't a likely near-term scenario. Heck, just look at the fact that all of these men got into the business of selling fixes to small slices of the problem: spyware, phishing and so forth.
As Scott Charney said, "The problem is, if you even think about the information security problem holistically, it can be overwhelming. We're talking about a multi-disciplinary issue."
Where does that leave us? It seems that, as things stand, there are only two ways to fundamentally shift the balance of power away from sophisticated adversaries: Regulate and sue.
Regulate: I'm not alone in this. The DHS cybersecurity task force recently deigned to suggest that in some cases, regulation would be necessary to protect critical infrastructure.