Public-private security cooperation at RSA
Analyst Jon Oltsik believes such teamwork needs to be taken to another level. Here are a few suggestions where this would help.
In past years, I looked at theas a high-tech flea market staffed by the world's best security carnival barkers. Yes, important security topics were discussed, but the real focus of the show was selling products and doing deals.
This year's event has its share of tacky presentations and booth babes, but I'm hearing a lot of chatter about a far more important topic: the state of information security and its impact on us all. Finally, the combination of unending data breaches, sophisticated malware, and the very real cybersecurity threat has everyone paying attention. There is a broad recognition that we security professionals aren't hawking hardware or writing code, we actually have a responsibility to educate, help, and safeguard users.
This theme is evident throughout the event., a former U.S. Department of Justice attorney, talked about Microsoft's vision for end-to-end trust, describing why this is necessary and how it can be done in simple terms. While security crowds are often skeptical about Microsoft, Charney stated clearly, "It is our responsibility to make technology trustworthy."
Charney was followed later in the day by, who talked about NSA capabilities and its role in security cyberspace. Wednesday's speakers include Melissa Hathaway, acting senior director for cyberspace and the individual tasked with and reporting her results to President Obama. Finally, the day concludes with one of my favorite authors, James Bamford, who has written several books such as "Body of Secrets" and "The Shadow Factory" that are must-reads for anyone interested in cybersecurity, privacy, and the NSA.
I applaud this group of speakers and their messages, but I truly believe that private-public security cooperation needs to go to another level. Here are a few suggestions where this would help:
Security standards. The National Institute of Standards and Technology and the NSA should champion standards across the public sector while cooperating with the security industry on education and promotional programs. I'd like to see this cooperation on standards like the Key Management Interoperability Protocol (KMIP) and the Extensible Access Control Markup Language (XACML). I'd also like to see a standard for data "tagging" so that security requirements travel with the data for distributed security policy enforcement.
Information assurance. The defense and intelligence community is pretty good at data discovery, classification, and security. The private sector on the other hand is struggling. I'd like to see government agencies work more closely with the security industry to define standards, create best practices models, and enhance education.
Secure software development. This is the Achilles' heel of the technology industry, and secure development programs remain underfunded and behind the scenes. The federal government should flex its purchasing muscles by auditing vendor development processes, demanding that vendors adhere to the Common Weakness Enumeration/SANS Institute list of "Top 25 Most Dangerous Programming Errors," and creating some type of "good housekeeping seal of approval" certification for software vendors. This will stimulate new security training, products, and services and force the private sector into similar requirements.
Talk is cheap and cybersecurity gets worse each day. I hope that the government and security industry can build upon this common understanding to make real and immediate progress.