nanog mailing list archives
Re: Routing Insecurity (Re: BGP in the Washington Post)
From: "Roland Dobbins" <rdobbins () arbor net>
Date: Mon, 01 Jun 2015 22:34:46 +0700
On 1 Jun 2015, at 22:21, Mark Tinka wrote:
The difference is that there are standardized (global) guidelines for those infrastructures within their own industry, that lack of compliance can lead to serious fines, jail time or both.
1. Ensuring insurance underwriters understand the amount of unsecured risk they have, and working with them to develop the *verifiable* checklists they should be going through before they write 'cyber-' policies.
2. Working with ISO to develop relevant outcome-based standards (e.g., not what you type into your config, but rather the desired result, such as source address validation, detection/classification/traceback/mitigation capabilities, et al.).
3. Working with regulatory bodies in various regulated verticals to require aforementioned ISOs, same with insurance companies serving those industries (this will have an ink-blot effect reaching down into their supply/service chains).
4. Working with governmental bodies to require aforementioned ISOs in the regulated industries.
5. Working with PCI/DSS to add an availability component, as well as all relevant integrity BCPs.
6. Adding outcome-based requirements surrounding all the relevant BCPs to peering/transit agreements, getting regulators and governments to require same.
I really think the insurance industry is going to be the best/easiest route to take (pardon the pun); this has the advantage of not requiring further governmental regulation, and does offer a market-based solution. I know Bill Woodcock has some experience in this general arena.
----------------------------------- Roland Dobbins <rdobbins () arbor net>