[180343] in North American Network Operators' Group
Re: Routing Insecurity (Re: BGP in the Washington Post)
daemon@ATHENA.MIT.EDU (Roland Dobbins)
Mon Jun 1 11:37:21 2015
X-Original-To: nanog@nanog.org
From: "Roland Dobbins" <rdobbins@arbor.net>
To: nanog@nanog.org
Date: Mon, 01 Jun 2015 22:34:46 +0700
In-Reply-To: <556C785C.2040807@seacom.mu>
Errors-To: nanog-bounces@nanog.org
On 1 Jun 2015, at 22:21, Mark Tinka wrote:
> The difference is that there are standardized (global) guidelines for
> those infrastructures within their own industry, that lack of compliance
> can lead to serious fines, jail time or both.
1. Ensuring insurance underwriters understand the amount of unsecured
risk they have, and working with them to develop the *verifiable*
checklists they should be going through before they write 'cyber-'
policies.
2. Working with ISO to develop relevant outcome-based standards (e.g.,
not what you type into your config, but rather the desired result, such
as source address validation,
detection/classification/traceback/mitigation capabilities, et al.).
3. Working with regulatory bodies in various regulated verticals to
require aforementioned ISOs, same with insurance companies serving those
industries (this will have an ink-blot effect reaching down into their
supply/service chains).
4. Working with governmental bodies to require aforementioned ISOs in
the regulated industries.
5. Working with PCI/DSS to add an availability component, as well as all
relevant integrity BCPs.
6. Adding outcome-based requirements surrounding all the relevant BCPs
to peering/transit agreements, getting regulators and governments to
require same.
I really think the insurance industry is going to be the best/easiest
route to take (pardon the pun); this has the advantage of not requiring
further governmental regulation, and does offer a market-based solution.
I know Bill Woodcock has some experience in this general arena.
-----------------------------------
Roland Dobbins <rdobbins@arbor.net>