Routing Insecurity (Re: BGP in the Washington Post)
Roland Dobbins
rdobbins at arbor.net
Mon Jun 1 15:34:46 UTC 2015
On 1 Jun 2015, at 22:21, Mark Tinka wrote:
> The difference is that there are standardized (global) guidelines for
> those infrastructures within their own industry, that lack of compliance
> can lead to serious fines, jail time or both.
1. Ensuring insurance underwriters understand the amount of unsecured
risk they have, and working with them to develop the *verifiable*
checklists they should be going through before they write 'cyber-'
policies.
2. Working with ISO to develop relevant outcome-based standards (e.g.,
not what you type into your config, but rather the desired result, such
as source address validation,
detection/classification/traceback/mitigation capabilities, et al.).
3. Working with regulatory bodies in various regulated verticals to
require aforementioned ISOs, same with insurance companies serving those
industries (this will have an ink-blot effect reaching down into their
supply/service chains).
4. Working with governmental bodies to require aforementioned ISOs in
the regulated industries.
5. Working with PCI/DSS to add an availability component, as well as all
relevant integrity BCPs.
6. Adding outcome-based requirements surrounding all the relevant BCPs
to peering/transit agreements, getting regulators and governments to
require same.
I really think the insurance industry is going to be the best/easiest
route to take (pardon the pun); this has the advantage of not requiring
further governmental regulation, and does offer a market-based solution.
I know Bill Woodcock has some experience in this general arena.
-----------------------------------
Roland Dobbins <rdobbins at arbor.net>