[Cryptography] Fwd: SANS NewsBites Vol. 19 Num. 020 :Industry to Government: "Share More"

Bill Frantz frantz at pwpconsult.com
Sat Mar 11 01:45:40 EST 2017


The following complaints are entirely compatible with the idea 
that the Three Letter Agencies have decided that there is more 
advantage in maintaining security flaws in commercial systems so 
they can be broken than in having them fixed so US 
organizations are protected.

Cheers - Bill

====== Forwarded Message ======
Date: 3/10/17 1:06 PM
From: newsbites at sans.org (SANS Institute)

Industry Officials to House Committee: Government is Not Sharing 
Enough Cyber Threat Info
(March 9, 2017)
Tech industry officials testified before the U.S. House Homeland 
Security Committee's cybersecurity panel, saying that there is 
an imbalance in threat information sharing between the private 
sector and the government. Legislation passed in 2015 grants 
companies protection from legal liability when they share threat 
information with the government, but the government has been 
less forthcoming with threat information that could help protect 
IT systems in the private sector. Intel Security Vice President 
Scott Montgomery noted that when the government classifies a 
cybersecurity event, it "restrict[s] the number of people who 
can lend assistance and... allow[s] the adversary to operate 
with impunity." Witnesses said that if information about threats 
could be stripped of identifiable information and provided to 
members of private organizations who hold security clearances, 
companies would be better positioned to take action against 
similar threats.

Editor's Note

[John Pescatore]
This has been the standard complaint about all such government 
intelligence "sharing" initiatives for over a decade. Many 
proposals have been put out for how to overcome government 
worries about exposing sources and methods, but no movement on 
the govt. side. On the enterprise side, no reason to think this 
will change any time soon.

[Jake Williams]
Over-classification of cyber threat data is a real problem. I've 
worked incidents where threat data has been shared with federal 
law enforcement, only to see small portions of that same data 
shared with a limited distribution community weeks later in 
"Flash" messages. When we inquired why the most important data 
we shared with the feds wasn't shared with the broader 
community, we were told it was classified.

[Stephen Northcutt]
This is complicated, but also historical. For the last 25 years, 
the US Government's policy has been, "give us your data and we 
might share 1% back." If we are talking about a partnership, 
"that dog don't hunt".
http://en.wikipedia.org/wiki/Cybersecurity_Information_Sharing_Act
http://www.dhs.gov/topic/cybersecurity-information-sharing

Read more in:
http://www.nextgov.com/cybersecurity/2017/03/government-isnt-sharing-cyber-threats-promised-private-sector-says/136035/?oref=ng-channeltopstory

====== End Forwarded Message ======
-----------------------------------------------------------------------
Bill Frantz        | Can't fix stupid, but duct   | Periwinkle
(408)356-8506      | tape can muffle the sound... | 16345 Englewood Ave
www.pwpconsult.com |               - Bill Liebman | Los Gatos, CA 95032