Firewall Wizards mailing list archives

Re: Re: Flawed Surveys [was: VPN endpoints]


From: "Stephen P. Berry" <spb () meshuggeneh net>
Date: Fri, 03 Sep 2004 17:44:00 -0700



Paul D. Robertson writes:

Isn't it bad though, that these regulations are coming from outside of our
field?  Shouldn't we be the ones lobbying and drafting and providing
guidance?

I strongly agree, for a few reasons:

        -It makes sense/appeals to my sense of technical aesthetics.  I.e.,
         the people who know most about the subject matter ought to be
         the ones developing standards
        -It's almost certainly a prerequisite for the recognition/practice
         of IT in general (and information security in particular) as
         a profession rather than merely a skilled trade.  I.e., something
         more like a medical doctor or lawyer than a transmission repairman
         (who, incidentally, is guided by more narrowly enunciated standards
         and regulations than IT on the whole is)
        -It is probably inevitable

These, incidentally, are the reasons why I was on the SAGE Certification
Committee when it was first getting started.  I don't have any particular
love for certification or regulation for their own sakes, but I can see
two main possible scenarios:

        -The Mom 'n apple pie scenario, in which motivated folks in
         the industry formulate standards and best practices, and use
         sufficient leverage to see them actually make an impact on the
         overall level of security
        -The Apocalypse Now scenario, where the industry(-ies) continue
         to blunder along the way they currently are, until some catastrophe
         or combination of circumstances results in regulation by some
         outside entity (i.e., the gummint)

Without attempting to characterise the reasons (or rationality) behind this,
it appears as if 9/11 and the collapse of Enron have started the ball
rolling in the apocalyptic direction. 

Part of the problem---perhaps the largest part---is the balkanisation of
the IT/IS population.  There are no natural lines of power leading up to
a small number of high-level entities whose decisions carry meaningful
weight within the industry (compare this to telcos, for example).  There
aren't any `structural' (for want of a better word) features driving
the players to have coincident goals (e.g., an online store will almost
certainly have very different priorities and resources than a university will,
and a biotech will be different from both of them).  And, for that matter,
there are a lot of cliquish factions within the industry---Windows versus
linux, debian versus fedora, on down to emacs versus vi.

As near as I can tell, the only way to overcome this is to discover
some way of providing incentive for cooperation before governments are
given sufficient incentive to regulate.  Things which provide the government
with incentive to regulate are easy enough to come up with:  broadly,
failures of sufficient scope as to have a political impact (via an effect
on national security, an effect on the economy, an effect on public opinion,
or whatever).

The problem is that I can't think of anything (or even the general character
of a thing) that would provide incentive for IT/IS entities to cooperate.
Or at least nothing that doesn't, in the end, look very much like government
regulation.


-spb
