Routing Insecurity (Re: BGP in the Washington Post)
- Subject: Routing Insecurity (Re: BGP in the Washington Post)
- From: rdobbins at arbor.net (Roland Dobbins)
- Date: Mon, 01 Jun 2015 22:34:46 +0700
- In-reply-to: <[email protected]>
- References: <17689457.2434.1433171075960.JavaMail.mhammett@ThunderFuck> <[email protected]>
On 1 Jun 2015, at 22:21, Mark Tinka wrote:
> The difference is that there are standardized (global) guidelines for
> those infrastructures within their own industry, that lack of compliance
> can lead to serious fines, jail time or both.
1. Ensuring insurance underwriters understand the amount of unsecured
risk they have, and working with them to develop the *verifiable*
checklists they should be going through before they write 'cyber-'
policies.
2. Working with ISO to develop relevant outcome-based standards (e.g.,
not what you type into your config, but rather the desired result, such
as source address validation,
detection/classification/traceback/mitigation capabilities, et al.).
3. Working with regulatory bodies in various regulated verticals to
require aforementioned ISOs, same with insurance companies serving those
industries (this will have an ink-blot effect reaching down into their
supply/service chains).
4. Working with governmental bodies to require aforementioned ISOs in
the regulated industries.
5. Working with PCI/DSS to add an availability component, as well as all
relevant integrity BCPs.
6. Adding outcome-based requirements surrounding all the relevant BCPs
to peering/transit agreements, getting regulators and governments to
require same.
I really think the insurance industry is going to be the best/easiest
route to take (pardon the pun); this has the advantage of not requiring
further governmental regulation, and does offer a market-based solution.
I know Bill Woodcock has some experience in this general arena.
-----------------------------------
Roland Dobbins <rdobbins at arbor.net>