Friday, April 11, 2014

Heartbleed for Information Sharing

A number of outlets have picked up a story on cyber information sharing and the inability to get agreement on how vulnerability information is being shared. You can get a flavor for these from Brent Kendall's article in the Wall Street Journal. What he says is that the Justice Department and Federal Trade Commission are telling companies they "aren't at risk of antitrust liability when they get together to pool information about security threats and ways to defend against them..."
http://online.wsj.com/news/article_email/SB10001424052702303873604579493980585969834-lMyQjAxMTA0MDEwMTExNDEyWj

For a number of years, starting in 2003, I worked on this same issue on the President's Critical Infrastructure Protection Committee, which only goes to show that it is taking a long time to get to a point where channels within business sectors can share information. In the meantime, our credit card industry is being cut to pieces by transnational gangs of very smart people. We see no evidence that they have problems sharing information on vulnerabilities.

When the Deputy U.S. Attorney James Cole was asked to give examples of companies that cited antitrust issues with information sharing, "he declined to provide examples". No surprise there. I never heard the antitrust issue raised until recently, when it appeared there might finally be agreement on a law to allow companies to share information. We never got the law. Now we are getting "guidance" that information sharing will be OK as long as "companies aren't talking about competitive issues like price, purchasing and product innovations." The Feds seem to be missing the point of the industry argument. Companies don't want to share information about vulnerabilities for two reasons: (1) they are deathly afraid of liability for what may happen as a result of sharing, and (2) they are equally afraid of the product liability that can arise from having competitors point out how insecure some of their products really are.

The real issue is more difficult. When companies share, they put a light on what businesses already know about the vulnerabilities of their products. How long did they know that the software had a hole the size of Pittsburgh that gave access to anyone who asked for it? What did they do when they found out? Who is responsible for developing the software they used? Vendors have been allowed to skirt these issues over and over because they have no liability for the products they produce. They also don't want to know about vulnerabilities that might be hard to deny later. It does not look good for GM that they knew their ignition switch was not working quite right but didn't repair it. There is no such liability for vendors of network software, but there could be if enough light is brought to the subject.

How many commercial vendors were using OpenSSL and have the Heartbleed vulnerability? [For a simple explanation of how this works, see http://krebsonsecurity.com/2014/04/heartbleed-bug-exposes-passwords-web-site-encryption-keys/ ] They didn't write the code for it. They didn't know about the vulnerability, or they say that they didn't. When Google found that bug, they went to the group that writes OpenSSL and told them about it, not to any industry group or newspaper. They wanted it corrected before anyone made an announcement.

This is always a hard issue that everyone faces. How long can we allow a vulnerability to exist before it is corrected? Who has the responsibility for correcting it once it is known? How long do they have to correct it, once they know? Who is liable if something happens before it is corrected? The industry would like the answer to be that nobody is liable and we can wait as long as it takes. What if GM could give that same response?

That is where we are with information sharing. Instead of addressing the real issues, they feign concern about antitrust, a bogus issue they invented. The Feds perpetuate this nonsense in the name of "government-industry cooperation". This calls for regulation, not letters and guidance.
