[Dailydave] CISPA == MAPP

Richard Bejtlich taosecurity at gmail.com
Tue Apr 17 16:26:10 EDT 2012


On Tue, Apr 17, 2012 at 2:16 PM, allison nixon <elsakoo at gmail.com> wrote:

Hi Allison,

I have a different view -- I'll try not to step on too many toes. :)

> Swift coordination between companies to respond to new threats is a
> technical problem and not a legal problem.

The problem is people are approaching this as a technical problem.
It's a trust problem.

> The incentive to share is there,
> and sharing systems are getting better over time without government "help".

The incentive is to not share.  There is no incentive for a company to
tell anyone that they've been breached.

>
> I welcome any information sharing from the government but I don't trust any
> mandate stating the government is entitled to your information if you (or a
> company you use) got compromised.

The bill in question doesn't say the government is entitled to your
information.  They're trying to improve the incentives for companies
to tell the government that they've been compromised so that the
problem is better understood.

I regularly speak to significant intrusion victims, and my company
helps them recover.  If you think I'm biased, I am biased towards
experiencing this problem on a sadly too frequent basis, over the last
14 years.

I don't think any legislation is perfect, or maybe even required,
since "intel sharing" between government and the private sector isn't
going to have as much impact as the legislators think.  However,
having met Chairman Rogers and been in several private and public
meetings with the principal legislators concerned, I think they are
trying to make a difference without harming civil liberties.

Sincerely,

Richard

