Black Hat: Community calls for government cooperation and transparency

Panel says Feds must do more to share data

LAS VEGAS: Security experts have called for governments to provide businesses with better data and intelligence on breaches and threats to counteract the risks facing today's businesses.

The expert panel, which first convened at the Black Hat conference, debated the role government should take in addressing data security and the extent to which intelligence should be shared with the private sector.

Marcus Ranum, chief security officer with Tenable Security, bristled at the notion that private sector firms should bear the brunt of protecting against sophisticated advanced persistent threats (APTs) and state-sponsored attacks.

"I lose my cool when I hear people from the government saying that the private sector needs to step up," Ranum said.

"I am not qualified to carry out counter-intelligence against China, that is what the government is for."

Ranum's comments come on the heels of a call from former FBI executive assistant director Shawn Henry that private firms take a more proactive role in guarding against data breaches and targeted attacks.

Bruce Schneier, founder of Counterpane Intelligence, suggested that rather than take an active role in legislating security policy and practices, government groups instead leverage their buying power in the market to persuade firms to change their security practices.

"Why can't NSA come up with a security standard that they like and let them go to the OS makers, the database vendors and the cloud providers and say, 'If you want government business, you have to adhere to this standard'?"

Additionally, panelists suggested that the government should re-examine the way it shares and requests data from firms, giving organisations a better picture of where threats are originating and how to protect against them.

"What we're seeing from the government is an insistence on wanting information, but all we get from them is 'we saw this information from your network'," Ranum said.

"The security community is flying in the dark on a 'trust us' model while we hand over all this information."

Other members of the panel believe that the government would be best used addressing areas that the private sector is unable or unwilling to secure.

Icann chief security officer Jeff Moss suggested that the government could step in to offer security solutions in areas of public security vulnerability which commercial organisations do not see as worth pursuing.

"They are spending money in areas companies are not," Moss explained.

"Maybe that is a role for the government in these types of 'tragedy of the commons' situations."