Major Variola (ret)[SMTP:mv@cdc.gov] wrote:

Instead of protecting the whole net, those responsible for 'critical' services should be held responsible for their app.

Use an air-gap, your refinery/dam/etc control doesn't need to be online.

If you must use networking for critical stuff (air traffic, medical insurance transactions) then use VPNs. And good policies. Use several independent upstream providers if reliability is important too, as it usually is. Tracert is your friend.

Use caching DNS proxies if you worry about DNS-root attacks.

Hold the managers of the 'critical' domains responsible. Let them hire security folks who'll do gedanken et al. attacks and learn to beef up their stuff.

Its a *lot* easier to focus on specific 'critical' domains and strengthen them than to whine and proclaim from D.C. about the 'infrastructure'

Perhaps fed tax breaks on fees paid to security folks would help. And tax breaks on equiptment security upgrades. Create/enforce tort laws so that when folks screw up security, they pay.

<\rant>

At 07:33 AM 9/20/02 -0700, Declan McCullagh wrote:

...

Previous Politech message:

"Defense hawks bash White House report, want new laws, regulations" http://www.politechbot.com/p-03999.html

James Lewis was one of the two CSISers I quoted in that article as wanting more laws. [...]

OR Make corporations financially liable if they fail to provide a service due to a cyberattack. Their insurance firms will then start to require standards in a much more diverse and flexible way than legislation would. This is similar to how bank vault and safe standards were improved during the last century. Peter Trei