Security Trust Networks – Developers Welcome
July 7, 2014
Source: SourceClear
An associate with the Belfer Center for Science and International Affairs at Harvard’s John F. Kennedy School of Government, Alexander Klimburg has advised the Austrian Institute for International Affairs, the EU, the Organization for Security and Co-operation in Europe, and NATO on issues of international cyber security. In his 2011 “Mobilising Cyber Power,” Klimburg points out that cyber criminals, cyber terrorists, and cyber warriors “share the same social networks and have comparable goals.”
The tools and tactics all three employ are, in effect, open source and accessible via the social networks they commonly use. Most government, military, and law enforcement authorities, in contrast, seek to combat threats to cybersecurity through bureaus, agencies, military units, and other officially constituted bureaucracies. While these may be useful and even necessary, Klimburg argues, they are not sufficient.
Understanding and defeating threats to cybersecurity calls for defenders who use social networks to create collaborative and collective security. Just as the threats are created in an open source environment, so those responsible for countering the threats must build and use an open source security. Relying on secretive government agencies and private consultants who sell proprietary security solutions can never be entirely adequate to oppose threats created collaboratively.
Klimburg encourages governments as well as private sector interests to foster what he calls “Security Trust Networks” (STNs). STNs study and advise on aspects of cybersecurity. While they may be encouraged, funded, and consulted by state or corporate entities, STNs operate independently of any government or private sector agency. The effectiveness of an STN is founded on its independence and its insistence on being defined by trust and ethics rather than by allegiance to national policy or corporate profit.
Operating within the law, Klimburg writes, the STN’s “members share a common moral code … based on ‘doing the right thing.’ The shared moral mission of the STN is its official raison d’être.”
STN examples include The Information Warfare Monitor, which discovered and exposed GhostNet, a Chinese cyber-spy network focused on the Tibetan government in exile, and the Cyber Security Forum, which investigated the Stuxnet attacks.
“Unencumbered by the structures and concerns of governmental security services,” STNs are bands of experts who are driven to collaborate—in an open source, social environment—out of a sense of professionalism, concern for the community, a desire to serve, and a desire to be recognized by peers they respect and admire.
As STNs have learned to harness the power of open source intelligence and social collaboration within a community of experts—the very assets cyber malefactors likewise exploit—so those of us in the developer community can learn to leverage the same kinds of open source tools and social networks that enable us to create innovative software to build better security into that software.
Collaborative revision-control websites such as GitHub demonstrate daily the power of open source and social approaches to building better software. I would suggest that we developers begin forming collaborative networks—call them “security trust networks,” if you will—within our companies, across our industries, and across areas of interest.
The Financial Services Information Sharing and Analysis Center (FS-ISAC) is an example of an industry-wide STN-like network that facilitates collaboration on security threats against the global financial services sector. FS-ISAC distributes to members notification of, and authoritative information on, cyber threats that target the sector.
Developers in any industry could readily emulate the FS-ISAC model, focusing it specifically on supplying information on vulnerabilities in software and software components, with an emphasis on open source.
The model would work just as effectively across areas of interest. STNs could make the world of open source developers—think Android and Ruby on Rails—a far more secure environment.
Across industries and areas of interest, STNs could be sanctioned and funded by membership associations already active—FS-ISAC itself is an example. These organizations might also sponsor the development of STN-based security certification programs.
Within individual companies, management could take the initiative in authorizing STNs—although such groups must be given and must maintain very broad autonomy from formal organizational hierarchies.
In truth, however, no “official” sanctions are absolutely required. Arguably, those STNs that rise from the grassroots—the social networking of open source developers themselves—will become the most influential, best informed, hardest working, and most useful. The STN model is there for the copying. No authorization necessary.