Shostack + Friends Blog Archive


National Broadband Plan & Data Sharing

I know that reading the new 376-page US “National Broadband Plan” [link to no longer works] is high on all your priority lists, but section 14 actually has some interesting New School bits. In particular:

Recommendation 14.9 [link to no longer works]: The Executive Branch, in collaboration with relevant regulatory authorities, should develop machine-readable repositories of actionable real-time information concerning cybersecurity threats in a process led by the White House Cybersecurity Coordinator.

This is a pretty clear step forward. It will be a much bigger step forward if the data shared includes evidence of the effectiveness of defensive steps. Without such evidence, budget and authority are unlikely to flow; actionability therefore requires such evidence.

Also interesting is section 14.10:

Due to the diffuse nature of cyberattacks, sharing of information is critical when responding to, mounting sufficient defenses against and remediating attacks. However, businesses are often reluctant to share information, either with other private sector entities or the government, due to worries about the potential disclosure of such an attack and related concerns about corporate liability, despite the fact that the resources necessary to successfully respond often exceed those of individual private sector organizations… To ensure that this occurs, protocols and incentives should be developed for the sharing of cybersecurity information, threats and incidents in a non-attributable manner. [Emphasis added]

I think this is a pretty big win in a couple of ways. 14.10 is most interesting because we’ve moved from “need to share” to discussions of what the blockers are. The use of the term “non-attributable” is a move forward from the typical “anonymous.” I’d prefer to see a strategy that called for protocols and incentives to overcome the problems and concerns, giving us more room for innovation and experimentation.

Is the strategy a silver bullet for information security? No, obviously not. On the other hand, these elements are (as far as I know) new in Federal strategies or plans.

Thanks to Brent Rowe for the pointer.