cybersecurity proclamations vs. specific-application security

Trei, Peter ptrei at rsasecurity.com
Fri Sep 20 11:32:14 PDT 2002


> Major Variola (ret)[SMTP:mv at cdc.gov] wrote:
> 
> 
> Instead of protecting the whole net, those responsible for
> 'critical' services should be held responsible for their app.
> 
> Use an air-gap, your refinery/dam/etc control doesn't
> need to be online.
> 
> If you must use networking for critical stuff (air traffic, medical
> insurance
> transactions) then use VPNs.  And good policies.
> Use several independent upstream providers if
> reliability is important too, as it usually is.  Tracert is your friend.
> 
> Use caching DNS proxies if you worry about DNS-root attacks.
> 
> Hold the managers of the 'critical' domains responsible.
> Let them hire security folks who'll do gedanken et al. attacks
> and learn to beef up their stuff.
> 
> It's a *lot* easier to focus on specific 'critical' domains and
> strengthen them than to whine and proclaim from D.C. about
> the 'infrastructure'
> 
> Perhaps fed tax breaks on fees paid to security folks
> would help.  And tax breaks on equipment security upgrades.
> Create/enforce tort laws so that when folks screw up security,
> they pay.
> 
> <\rant>
> 
> At 07:33 AM 9/20/02 -0700, Declan McCullagh wrote:
> >Previous Politech message:
> >
> >"Defense hawks bash White House report, want new laws, regulations"
> >http://www.politechbot.com/p-03999.html
> >
> >James Lewis was one of the two CSISers I quoted in that article as
> >wanting more laws.
[...]

OR

Make corporations financially liable if they fail to provide a
service due to a cyberattack. Their insurance firms will then start
to require standards in a much more diverse and flexible way than 
legislation would.

This is similar to how bank vault and safe standards were improved
during the last century.

Peter Trei
