Of Mutton Chops & Ranum: If you read nothing else this week, read Geer & Ranum
Earlier this week I was joking w/ a friend that we need a "Jimmy the
InfoSec Bartender" for the industry. Or maybe a duo like Chris Knight
and Lazlo Hollyfeld (Real Genius, 1985). People you can turn to for a
beer or a dram and settle your nerves and turbulent thoughts with some
succinct sage advice. Enter Daniel Geer & Marcus Ranum. Dr. Geer &
Peter Kuper released an article from an upcoming issue of IEEE
Security and Privacy about the InfoSec/NetSec investment market, or
lack thereof, metrics, and the geopolitics
(http://geer.tinho.net/ieee/ieee.sp.geer.1109.pdf). Ranum continued
his "Cyberwar: a Whole New Quagmire" series at Fabius Maximus with
"Part 4: About Stuxnet, the next generation of warfare?"
(http://fabiusmaximus.wordpress.com/2011/09/29/29291/).
and flying UN*X hosts then you need to read Ranum. He presents a much
larger picture of where we are, where we might be, and how to ~think~
about solving the problems. He isn't mucking it up with turf wars or
questionable disclosures. He is just trying to get "US" back on track.
I think he does so wonderfully.

Now, I'd like to concentrate on Dr. Geer & Kuper's paper for a bit..
what they say stands well but I'd like to season it a bit.

- The Real Cost of Facebook -- Everything they say SCREAMS that
winning the ~privacy~ debate w/ Facebook, Google, Sony, Apple, Amazon,
etc. etc. is CRITICAL to National Security. Why? Because _those_
players define the relative value of ALL data in the marketplace. I'm
going to extrapolate a long way and say that TS/SCI will become
meaningless in the coming decades if we can't get people to value
their own privacy and personal data.

- This is not blanket xenophobia, this is market economics and
geopolitics. You might be tempted to frame it as Economic Nationalism
gone awry but it's not that either. It's DATA. You have to make a
geopolitical decision w/ that data. Are we OK with a decreasing value
to our data and thus overall economy or are we willing to make a
change? And can we play nice w/ the markets to do so? "This is no
longer a game" indeed..

- The pain threshold for major data loss is too low. Wayyy too low.
And we can't mandate or over-regulate it because, as the authors say,
that becomes the ceiling instead of the floor (think PCI). As Security
Professionals how do we make our customers, family, and friends see
things differently? Ah yes, that recurring theme from prior posts.
Still a big question but where Geer & Kuper start is by figuring out
how to make the market see things differently. I say (back to bullet
one), make the Facebook and Google+ populace see it differently first.

We all knew this, right? Well.. yeah.. I think we did. However, on any
given week I'd posit that a majority of us forget to think about these
things. We're consumed with the fires burning our souls right that
moment. I get that but getting back to basics and real meaningful
metrics is always a good way to go into the next week, no?

-Ali