
Mass Consent, Part 2

Posted by Chris Hoover Employee Sep 10, 2012

My last post was vaguely about collective consciousness. It played off of the phrase “mass consent”, which I took from a William Gibson quote about cyberspace being a “mass consensual hallucination”. Just watching the Internet over the last 15 years or so, there have been points where it is obvious that it enables mass consciousness and demonstrates mass consent. It is even more obvious when you drill down into subsets or communities. Take the IT security community.

Do you remember the era of the firewall in the late 1990s? It was the thing you HAD to have! Partly because you really had to have it… but partly because the vendors making firewalls wanted you to believe it was the thing you needed most. This was what we can, in hindsight, call the “Bastion mentality”. I will make my perimeter impenetrable! The firewall admins of the day felt like studs, and you can be sure they helped perpetuate the idea. There was also a n-e-r-d factor of “Is your firewall stateful? Is your firewall wire-speed?” When the conversation gets framed like this, people get caught up. “I want stateful! I want wire-speed!” In that pursuit, people lose sight of the goal and give their mass consent to things that are not helpful. They are creating something by giving their attention to it. If the attention keeps flowing to one subject, you can bet the vendors will keep making a product to fit that story. However, while we were all building “impenetrable” perimeter walls, how many people during that timeframe were using pcAnywhere and had modems in their office where they could dial in right past the impenetrable firewall?

Do you remember the era of antivirus? It was almost concurrent with the firewall era, slightly after it. It was the thing you HAD to do right. The “I love you” virus, Sasser, Slammer. It was the one thing you really HAD to worry about! You had to be manic about it, even!

What about the era of the IDS? Don’t we need terabytes of text logs that we will NEVER ever look at?

Then the era of the IPS? Weren’t they all so important?!

Do you remember when you first saw a SIEM? Wasn’t it the most amazing silver bullet ever made?

User training! That’s what we need! Remember the era of the zillion-dollar security bootcamp bubble?

Encryption! That will solve my problems!

Multi-factor authentication! If I can just get that… then I will be secure.

Forensics. That’s what I really need… NAC! And so on.

Well, I am not saying there is anything wrong with any of these technologies. They are of course useful. We learned over time that defense-in-depth means something and that we need the full arsenal. Sadly, we have also learned that some of the FISMA efforts we were engaging in were not gaining us much in actual security improvement. We have spent so much time consenting to and participating in these tangents that we have lost things along the way, including national secrets and untold trillions in intellectual property. We in the IA community feel this. This is part of our collective consciousness.

But we are starting to refine our expertise and learn from each other, and it is having positive effects on even the federal bureaucracy. We are co-creating more clever automation schemes in open groups like the SCAP community, and we are finding better ways to use data feeds and automated scanning. We are caring more about the actual state of systems than about the compliance documents. The mass move toward automation and continuous monitoring bodes well. Instead of reacting, we can instead choose our ground. We can give mass consent to proactive strength and vigilance. That is the thought that first excited me about the field of Information Assurance. It is encouraging to me to sense my community moving toward a purpose.

There is a lot we can do individually to move the collective. Be open to new ideas. Find the thought leaders. Join some RSS feeds; there are so many good ones out there. (Here’s one of my favorites: Richard Bejtlich. I’m biased because I’m also former Air Force.) Let’s all get on the same page. Learn from your peers instead of being threatened or competitive. Post comments and give feedback. Reach out. What “era” would you say we’re in now? Where do you see our industry in two years? What would you change? Email me: chris.hoover@rsa.com

Chris Hoover

Black Hat just came to a close. RSA was obviously there, and we had our booth set up in the theme of “Cyberpunk”, which triggered the idea for today’s post.

http://www.facebook.com/RSASecured/photos#!/media/set/?set=a.489197461093629.124628.126911630655549&type=3

Cyberpunk is a genre of science fiction writing that focuses heavily on high technology and hacking. When I saw this was the theme for RSA’s booth, I thought of William Gibson for the first time in years. Arguably the most famous writer of the cyberpunk genre, William Gibson coined the term “cyberspace” and defined it as a “mass consensual hallucination”. When I read this line as a teen, it struck me as not just a pretty piece of prose but as valid and insightful. Gibson was saying that cyberspace is what we, as the users and participants, agree that it is. Similarly, we as the users and participants of the IA community shape it by mass agreement and consent. Why mention it in my federal security and compliance blog?

Well, it is a strange, exciting, and nerve-wracking time in federal IA! If you are a federal IA professional or a support contractor working in the federal space, how do you do strategic planning in the current IA climate? The Cybersecurity Act inches closer to law while caught in the middle of a political battle. When will it get signed into law? What sort of “bonus” regulations might get tacked on before it gets signed? Once signed into law, it will drive updates to FISMA. This will have impacts that are impossible to quantify right now. Large-dollar bid requests (RFIs and RFPs) are starting to roll out for Continuous Monitoring and FedRAMP solutions. These will change the faces of IA, C&A/A&A, and FISMA reporting as we know them. The clock keeps ticking toward the death of DIACAP, but with no real move-in-earnest toward DIARMF in sight.

In two years’ time, the federal IA landscape may be something we would not recognize today. There is a tangible feeling that we are moving into a new chapter in this industry. It is a time in which companies and careers may boom or bust. This is why I raised the point of mass agreement and consent. Acts of Congress are certainly prescriptive, but the emerging IA initiatives that spawn from FISMA and the Cybersecurity Act could be interpreted many ways and solved many ways. Different people have different ideas about what Continuous Monitoring is, or should be, for example. The SCAP community keeps cranking out new specifications and new versions, some with use cases that have yet to be fully defined. NIST SP 800-53 Rev 4 comes out (hopefully) this fall. Every time a new revision comes out, the IA community waxes philosophical about the intent of each new control or change. There’s lots of activity, but it’s not all fully defined. There is a final connotation or meaning that comes only with maturity, after people agree on it organically. This agreement is intangible in most ways, but it is what makes a practice into a “best practice”, for example. Mass consent.

As we develop our new Archer federal solution, I am forced to guess where the federal IA community will be in the future. Fortunately, RSA Archer is flexible and configurable enough to adjust to changes in the areas listed above. The other part of this equation, however, is the “mass consent” piece. I have some small measure of control over the face of future IA if I help create the best IA Management tool and it becomes the de facto standard. You have control over my tool and every other security and IA tool on the market by suggesting which features you want to see or which use case you’re seeing go unsatisfied, and by voting with your procurement dollars. You can even influence the face of the regulations themselves. At any given moment, how many NIST documents are open for comment? I just recently found out that even Dr. Ron Ross lives on the plane of mere mortals: you can email him with problems and he will reply by phone (!). The point is that we can have as much of an effect as we choose to have. The doors are open to us. We are a community, and we decide the direction of this industry together. In this spirit, please post your concerns or email product suggestions and problems to chris.hoover@rsa.com.