As many of you know, I've been involved in a project in Washington that is unique in the nation. The pilot PRISEM project is now being incorporated as PISCES: the Public Infrastructure Security Collaboration and Exchange System. Basically, it's a public option for monitoring local government, public utilities, and other down-market quasi-public organizations.
I'm convinced that because of the critical infrastructure and services provided by the (poorly-protected) public sector, the potential impact of disruption, and the lack of affordable solutions for monitoring and response, there is a need that has to be filled. I can say with some authority that private sector managed security providers don't prefer this market (underfunded, biennial budgets, government procurement rules, long sales cycle, etc.), yet the criticality remains and risk grows with time.
In my view, this is something that should be provided as a service - not necessarily by government, but by a consortium of government (because infrastructure protection), academia (because research and work force development), and other stakeholders. There's more to this than I can write up in this blog, but suffice it to say that there is a goodly amount of enthusiasm in a number of states for replicating this model, and there will soon be a white paper released that says as much.
So here's my point. Rather than doing marketing, outreach and "sales" to acquire "customers", why couldn't the whole thing be done through public disclosure? Granted, this tactic wouldn't make any friends (at first), but hear me out. Many in WA know about the public disclosure requests for EVERY PUBLIC RECORD from EVERY JURISDICTION in King County. You may also know that a precedent in Jefferson County established that, yes, firewall logs are subject to public disclosure. You may also know that this is a big open data state, and we actually encourage (for the most part) publicly-available data for transparency, and to avoid the expensive public disclosure dance.
So why not request all firewall logs from all public entities in the state, for the purpose of mining for security events and communicating that information back? I think this would be legal in at least our state, and would be a way to create disruptive change that moves the needle.
Nothing changes by doing the same thing over and over, and right now that's what we are collectively doing. Managing by landmine, rather than taking steps to get in front of the problem. I'd like someone to tell me why this wouldn't work. I think it bears discussion.