(Regular print are supported ITAPS recommendations in response to questions, flagged are expanded recommendations to more explicitly address questions, not directly addressed by ITAPS; participated in and collaborated with ITAPS OMB-OPM-NSC Task Force) How can agencies and industry implement and sustain threat data sharing and create a robust, timely and systemic sharing environment (more than just incidents) that can... more »
A multifaceted approach of building trust, having “skin in the game” (“AntiFragile” - Taleb), incentives and penalties for both industry and government. It has to be made in the best interest of both “parties” to share threat intelligence. This coupled with a multifaceted approach of incentives, disincentives, non attribution, etc. Then you increase the probability that sharing will occur. The incentives for government... more »
With the preponderance of IT devices and chipsets being manufactured in China, there is a distinct possibility that the PLA is hard-coding spyware and back-doors in the hardware built there. Acquisition laws need to specifically require that all components & sub-components used in sensitive IT / data communications systems be built / fabricated and assembled by U.S. companies in the US. Further, safeguards (inspections... more »
No real accountability exists today for executives in regards to IT Security failures. Accountability should exist in cases where known security issues existed before the breach and executives failed to address them. Risk acceptance should not be used as an excuse for addressable security gaps.