Comments on TaoSecurity Blog: Counterintelligence and the Cyber Threat

Richard Bejtlich, 2007-10-24 19:49 -04:00

One of you directly sent me this comment:

    "Industry talks risk management but they really do risk acceptance, not risk mitigation."

    I'm confused by this statement. Risk Management is about a continuous cycle with the goal of reducing (mitigating) risk. We cannot eliminate risk, we can only reduce it. Part of the process is determining how much risk we are willing to accept, then putting in process and controls to reach that point. I would say 'risk acceptance' is a part of risk management, and there is nothing wrong with that.

Yes, the point of the quote is that a real risk management strategy would -- at some point -- include elements of risk mitigation along with risk acceptance. The thesis proposed by the NCIX is that people do far too much risk acceptance, and hardly any risk mitigation, as part of their risk management strategy.

Anonymous, 2007-10-23 10:38 -04:00

This comment has been removed by a blog administrator.

Anonymous, 2007-10-22 12:58 -04:00

There's plenty of risk transfer going on, too, Rich. This is best done, of course, via the legislative branch.

Lobbyists are well-paid for a reason.

jbmoore, 2007-10-22 12:14 -04:00

Richard,

I gave no attribution, but then you gave no disagreement. Was your silence an endorsement of Dr. Brenner's point of view?

I agree that industry and government practice risk acceptance, but both practice responsibility avoidance more. No one was disciplined for the Robert Hanssen affair within the FBI (http://en.wikipedia.org/wiki/Robert_Hanssen), but one of the men who thought Hanssen was the mole was accused of being the mole himself. Hanssen was also an FBI cybersecurity expert. From actions such as lobbying of Congress to defang transparency laws over data loss or theft, banks' silence over online banking losses, and people's acceptance of poorly written software for personal and business use, the problems we face are fundamental and due mainly to poor software design and manufacture. The incentives are backwards. You don't buy a house built without locks on the doors and an alarm system these days, but we do that with software all the time.

John

Richard Bejtlich, 2007-10-22 09:49 -04:00

jbmoore,

About "counterintelligence is not security," I didn't write that *I* said that. I wrote that Dr. Brenner said that. I will have more to say on the topic in a future post, anyway.

Rob,

I have never dismissed the insider threat. I think it is overplayed. As far back as February 2005 (http://taosecurity.blogspot.com/2005/02/insiders-or-outsiders-bigger-risk.html) I wrote:

    My personal opinion is that rogue insiders have the potential to cause the most damage, but the frequency with which they appear and cause havoc is lower than people think.

Anonymous, 2007-10-22 09:16 -04:00

Richard,

With statements like "With hindsight, the more I hear about spies found inside government agencies, the more I understand that statement", it would seem like you are giving greater recognition to the "insider threat". :)

jbmoore, 2007-10-21 22:39 -04:00

Are you sure about the difference between security and counterintelligence? It's like saying a security person is a mechanic and a (counter)intelligence person is a systems analyst. Both a systems analyst and a "mechanic" are systems administrators. The latter troubleshoots problems and fixes them. The former figures out what causes the most problems and builds a system or architects a solution to prevent the problem from ever occurring again. A security person who doesn't use intelligence to find out why problems keep recurring and develop a solution to mitigate the issue is running the Red Queen's race, running in place to keep up. It's futile and it's stupid. Intelligent people figure out the most efficient way to do something to minimize their efforts.

Except for the Navy having their communications compromised by John Walker, the two most damaging spies in US history worked counterintelligence in the CIA and FBI. That tells you that:

1. there aren't enough paranoid people in counterintelligence,
2. there aren't enough competent people in counterintelligence in the US, and
3. if people wanted the problem fixed, it'd be fixed, but then they wouldn't have any jobs. Incentives should be decoupled from job security to an extent. In other words, it's okay if you figure out a way to eliminate your own job because we'll keep a place for you anyway.

If the security guy is doing his job, the counterintelligence guy wouldn't have any holes to stake out. The latter would have to create his own baited traps and monitoring methods.

Industry is really about risk responsibility avoidance. People accept risks all the time (you have to), but they either don't acknowledge them as risks or they avoid responsibility after the risky event has occurred. Witness bad coding and the lack of responsibility for writing bad code built into software license EULAs. If we built buildings the way we write software code, no building would stand for long. Close to perfect code can be written, or all our fly-by-wire aircraft would never fly for long. Why are security investigators and bad guys basically performing QA testing on software these days? The proper incentives aren't there to design the software properly in the first place.