[Cryptography] Fwd: SANS NewsBites Vol. 19 Num. 020 :Industry to Government: "Share More"
Bill Frantz
frantz at pwpconsult.com
Sat Mar 11 01:45:40 EST 2017
The following complaints are entirely compatible with the idea
that the Three Letter Agencies have decided that there is more
advantage in maintaining security flaws in commercial systems so
they can be broken than in having them fixed so US
organizations are protected.
Cheers - Bill
====== Forwarded Message ======
Date: 3/10/17 1:06 PM
From: newsbites at sans.org (SANS Institute)
Industry Officials to House Committee: Government is Not Sharing
Enough Cyber Threat Info
(March 9, 2017)
Tech industry officials testified before the U.S. House Homeland
Security Committee's cybersecurity panel, saying that there is
an imbalance in threat information sharing between the private
sector and the government. Legislation passed in 2015 grants
companies protection from legal liability when they share threat
information with the government, but the government has been
less forthcoming with threat information that could help protect
IT systems in the private sector. Intel Security Vice President
Scott Montgomery noted that when the government classifies a
cybersecurity event, it "restrict[s] the number of people who
can lend assistance and... allow[s] the adversary to operate
with impunity." Witnesses said that if information about threats
could be stripped of identifiable information and provided to
members of private organizations who hold security clearances,
companies would be better positioned to take action against
similar threats.
Editor's Note
[John Pescatore]
This has been the standard complaint about all such government
intelligence "sharing" initiatives for over a decade. Many
proposals have been put out for how to overcome government
worries about exposing sources and methods, but no movement on
the govt. side. On the enterprise side, no reason to think this
will change any time soon.
[Jake Williams]
Over-classification of cyber threat data is a real problem. I've
worked incidents where threat data has been shared with federal
law enforcement, only to see small portions of that same data
shared with a limited distribution community weeks later in
"Flash" messages. When we inquired why the most important data
we shared with the feds wasn't shared with the broader
community, we were told it was classified.
[Stephen Northcutt]
This is complicated, but also historical. For the last 25 years,
the US Government's policy has been, "give us your data and we
might share 1% back." If we are talking about a partnership,
"that dog don't hunt".
http://en.wikipedia.org/wiki/Cybersecurity_Information_Sharing_Act
http://www.dhs.gov/topic/cybersecurity-information-sharing
Read more in:
http://www.nextgov.com/cybersecurity/2017/03/government-isnt-sharing-cyber-threats-promised-private-sector-says/136035/?oref=ng-channeltopstory
====== End Forwarded Message ======
-----------------------------------------------------------------------
Bill Frantz        | Can't fix stupid, but duct    | Periwinkle
(408)356-8506      | tape can muffle the sound...  | 16345 Englewood Ave
www.pwpconsult.com |               - Bill Liebman  | Los Gatos, CA 95032