[funsec] cyber-9/11

der Mouse mouse at Rodents-Montreal.ORG
Wed Apr 8 18:00:09 CDT 2009

> Robert, let me rephrase my last question.  Clearly, you oppose
> government regulation to force companies to take adequate security
> measures.  What would you suggest that we do to get these companies
> to take adequate security measures?

I'm not Robert, but, as someone (else) who opposes such government
regulation, perhaps I can say a little.

I oppose such regulation because I believe it will not have any
beneficial effect.  This is not because I believe there is no
beneficial effect possible, but rather because I believe that is not
what would come out of such regulation.

For example, the first thing I think needs mandating for SCADA systems
is that they not run any operating system with at least, say, a 15%
market share - it's just too dangerous to be part of anything even that
close to a monoculture.  But is that what regulation would produce?  Of
course not.  It would, I feel sure, result in (for example) a mandate
to run AV software - to which I reply "xkcd #463": if you're running
anything even capable of running AV software, You're Doing It Wrong
already.  And, indeed, mandating running AV software actually _impairs_
security, because it mandates running something capable of supporting
AV software and thus prevents sitting outside monocultures.

> Surely, you would not advocate a position of "let them crash and
> burn"?

As bad as that is, I consider it better than bad government regulation.
Good government regulation might be better, but I don't believe that
will happen - indeed, I don't believe it _can_ happen at present; how
to secure a network of computers such as we're talking about here is
very much an open research problem.  (It's easy to do in theory, but
only theories that ignore or handwave the human elements, such as by
assuming people will always follow defined procedures even when they
are inconvenient.  That works for cases like spooks, where people _do_
follow inconvenient procedures, because there's real enforcement to
weed out those who don't; it won't work for subcontractors of
subcontractors who are used to propping open doors while they step out
for a smoke, who don't understand how there can be any risk in bringing
a personal thumb drive in from home....)

I really do not think the state of the art is up to setting up SCADA
networks on the sort of scale we're talking about here.  If we try, we
_will_ crash and burn, with or without regulation; all we will have
control over is exactly what sort of crash-and-burn mode we'll see.  I
would much rather the first half-dozen crashes-and-burns were on small
test networks with good failover to tried-and-true backups, not on
large-scale live infrastructure.

I don't for a moment expect that'll be how it'll play out.  And I also
don't believe governments are capable of grokking the issues enough to
cause it to happen that way.  Heck, I wouldn't trust _myself_ to write
regulations to make it happen.

> A situation where the Federal government would once again be forced
> to come in and act in [hindsight] to correct for the excesses
> (inaction, in this case) of private industry?

If it's something that government can't afford to permit to
crash-and-burn, it should not be privately run at all.  (Governments
made that mistake with financial infrastructure and most of the world
is paying for it.)

How to get there from here?  I don't know.  I fear it will probably
take a few disasters to make it happen; the world certainly shows no
signs of learning that lesson in the financial arena; I don't see any
reason to think people will learn any faster here.

/~\ The ASCII				  Mouse
\ / Ribbon Campaign
 X  Against HTML		mouse at rodents-montreal.org
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B