Critical infrastructure and cyber-security Consultation - June 3 Deadline (passed) but read anyway

Critical infrastructure and cyber-security
How would you suggest Canada and the US collaborate to project critical infrastructure and ensure cyber security? Enter your submission (10,000 characters or less):
In the question as asked (and both versions above seem to agree) the word (a verb in this context) "project" makes little sense to me and I've been in and around technology in general and the internet and communications specifically for in excess of 40 years. If the word "project" were instead "protect" it would make more sense. That being said, I'll attempt to discuss and answer at least the second part of the question restated as "how would you suggest Canada and the US ensure cyber security?"
Taking into consideration that both the US and Canada are democracies subject to the rule of law, and that each has a constitution that must not only be upheld but must also appear to be upheld, whatever is done to ensure cyber security must be done in full view of the law and the public.
In my opinion, government should be an overseer as much as or more than an implementer in most matters, and in this case security: setting standards of conduct and expected outcomes and then getting out of the way to allow private enterprise to decide how to accomplish the objectives. In addition to setting standards and expected outcomes, government should provide inspection and monitoring of progress towards those standards and outcomes in a fashion that gives a statistically high probability of adherence by private enterprise, without stepping over the bounds into privacy invasion or extra-legal means.
How should this work?
First - encourage open standards and implementations instead of closed and proprietary solutions and facilities. The potential for "many eyes" looking at the code and concepts of any and every technical facility will go far toward minimizing, and possibly eventually eliminating, a major source of potential security problems: it allows those who have the talent and time to dive deeply into any given problem, and it encourages creators of such facilities to employ good systems design and implementation practices from the start. No more "security by obscurity", where the lack of source code for some facility hides major or minor problems until the bad guys discover them.
Second - forgo the concept of the "government backdoor" and/or any installation of privileged access without judicial oversight or responsibility. Any such facility is an open invitation to compromise.
Third - recognize that the largest hole in any well-designed technical system is the human in the loop. There is NO technical system that cannot be circumvented by compromising the humans involved, no matter how much money you throw at it. You might study the evolution of thought that Bruce Schneier (www.schneier.com) underwent between his first security book, Applied Cryptography, and his more recent works, wherein he apologized for some of the concepts in his first book.
In addition, expect that systems will be compromised, so plan for it. Compartmentalize, and try really hard not to have identical systems everywhere; encourage multiple vendors and multiple solutions to similar problems so that one compromise does not repeat across many systems. This is another reason for using open standards/open source, aka FLOSS (Free/Libre Open Source Software), and non-proprietary solutions.
As to collaboration between the two countries - and indeed between any/all countries:
Use open and above-board negotiation methods including access by the public to interim versions of agreements. Listen to the public and encourage them to participate at all levels.
Do not, under any circumstances, cloud the security objectives or process by hanging on other, non-security-related (e.g. trade and commerce) objectives or roadblocks. Securing infrastructure does not relate to securing music or media goods against piracy, and has nothing to do with copyright, East-West or North-South or any other direction of trade, etc.
Securing infrastructure has to do with setting standards that describe what "secure" means in a given context and how and when to enforce it; and how and when to share information about activities that either threaten to or actually do cross the border between our countries.
Richard C. Pitt
richard at pacdat dot net