North American Network Operators Group


Re: Hi, we're from the government and we're here to help

  • From: Kelly J. Cooper
  • Date: Fri Mar 10 17:21:25 2000

On Mar 10,  9:57am, Patrick Greenwell wrote:
> Subject: Re: Hi, we're from the government and we're here to help
>
> On 9 Mar 2000, Sean Donelan wrote:
>
> > The US Government has been amazingly pro-active in this area, or at least
> > some small groups have been.  They've also consistently said the government
> > can't protect the Internet.  The infrastructure is owned by private companies
> > and individuals; and industry has to work together to protect it.
> >
> > The question is does industry think its worthwhile to work together?
>
> Funny you should ask that. There was a lot of discussion on Bugtraq
> recently about the attacks and from those discussions another list was
> started to discuss formation of an "Association of Responsible Internet
> Providers" ([email protected]). Discussion ensued regarding what the
> organization should be doing. There seemed to be general agreement
> on the idea of first creating a NOC<->NOC communication
> protocol/procedures (this is at the people layer, not the technical
> layer.) I suggested that the group develop a charter, form a 501(c)(6),
> elect officers, obtain D&O insurance and then proceed. I also stated that
> any such venture was going to require very real money to accomplish, and
> asked if there was anyone willing to put their money where their mouth is,
> and monetarily contribute to such a venture (I offered to put up a few
> hundred dollars.)
>
> Suddenly, the list got very, very quiet. In fact, since I posted that
> message, there hasn't been a single post to the list. Empirically, this
> suggests to me that while everyone is quick to spend countless
> hours expressing an opinion on mailing lists, there is nobody willing to
> invest in making this happen.


People who coordinate these kinds of consortia do so on a 
practically full-time basis if they want to get anything
done.  Asking someone who already has a full-time job (and
if it has anything to do with security, several full-time
jobs and a bad case of paranoia) to take on that level of
additional involvement could be considered prohibitive.

If a specific ISP sponsors the group, what's to stop the
rest of the world from accusing that ISP of bias?  Same
issue with a vendor.  The problems of anti-trust are very
serious in this arena.

If you have an elected board doing volunteer work and 
meeting on a periodic basis to discuss security, you suffer
from the same problem of resources without someone more
dedicated to shepherding the process along.  Everybody wants
an NDA (Non-Disclosure Agreement), but their NDA has to look 
like THIS while the other ISPs want the NDA to look like 
THAT.

If the government sponsors the group, they can circumvent
the anti-trust issue, but the gov't doesn't ever seem to be
happy about just letting things be.  Everything has a 
tendency to become a political pawn.  There's a very real
possibility that gov't sponsorship of a group trying to set
standards for work and incident response could evolve into 
the basis for regulation.  The "r" word frightens everyone 
in the ISP industry, so no one's taking a proposal to 
D/ARPA (whichever they are this week) to convince them that 
this is a good idea.  

The "r" word frightens a lot of people in gov't as well - 
many don't want the added overhead of another regulated
industry.  

The gov't has created a bunch of crisis centers (like NIPC)
who won't/can't sponsor an ISP Consortium, but want to be
invited to one if it happens.  You have CERT, keeping things
close to the vest unless you establish a long-term relationship
with them.  You have SANS, trying to be an industry leader
but maybe getting lost in all the noise created by BUGTRAQ
and NT BUGTRAQ and the CVE and the Abuse newsgroups and the
Abuse mailing lists and ALL the OS security warnings and ALL
the Firewall security warnings and the MAPS RBL and the ORBS
list and NANOG and the IETF (particularly the GRIP working
group) and the FBI's INFRAGARD and every freakin' person who 
stands up and claims to be a security expert who wants 
things done HIS way or his university's way or his
consortia's way and ON AND ON.

So you have places like CNRI (a non-profit organization 
which sponsors the XIWT, aka the Cross-Industry Working 
group, which spawned IOPS, the Internet Operators 
Consortium) and ICSA (a for-profit organization which
sponsors a bunch of consortia, but most relevant here they
sponsor ISPSEC, the ISP Security Consortium).  

Both charge a certain amount of money for membership & they 
try and get things done, but their efforts are often met 
with jeers from the community (in fora like, OH I DUNNO, 
NANOG?) because their consortia cost money, so they aren't 
open to everyone, so they couldn't possibly provide an
accurate representation of the community.

But they aren't the only groups out there.  There are 
others.  However, there are only so many of us who go to
these things - and we can't spend all of our time going to
meetings or we become useless, not having time to do our
jobs and stay in the loop and able to contribute.

All the groups suffer from the same problems - they slack 
off, lose funding, re-invent themselves, start some new 
subgroup, try to drum up interest, etc.  Because sustained 
volunteer work is HARD.  If you don't think it's hard, then 
you don't have enough to do.

THEN the next big thing comes along, people get scared, the
consortia suddenly get well-attended, NEW groups spring up,
the community starts complaining again and the cycle is
renewed.  That is, until people get bored again, or budgets 
change or the NEXT big thing that comes along has nothing 
to do with security.

This cycle is old.  I know I'm bored with it.

So now what?

How do you propose to cull the wheat from the chaff?  Get all
the right information about what ISPs are trying to do, and
going into the lab to test, and researching into the right 
ears (of other ISPs)?  How are you going to get the right 
people to speak and the wrong people to shut up for a few
minutes?  

Because if it was just as easy as kicking in a few bucks to 
yet another consortium, I'd do it in a heartbeat.

Kelly J.


--
Kelly J. Cooper     -     Internet Security Officer
GTE Internetworking - Powered by BBN - 800-632-7638 
3 Van de Graaff Drive            Fax - 781-262-2819
Burlington, MA 01803             http://www.bbn.com