Normative Cyber Security

On the government side, Brenner has come up with specific recommendations in seven areas. These are worth repeating, as follows:

1. Trade regulation and contracting

  • Use the government’s enormous purchasing power to require higher security standards of its vendors
  • Forbid federal agencies from doing business with any Internet service provider that is a hospitable host for botnets. And publicize the list of such companies
  • Direct the Department of Justice and the Federal Trade Commission to definitively remove the antitrust concern when U.S.-based firms collaborate on researching, developing, or implementing security functions

2. Roles of service providers

  • Require Internet service providers to notify customers whose machines have been infected by a botnet

3. Energy standards

  • Direct the Federal Energy Regulatory Commission and the North American Electric Reliability Commission to establish standards that limit the ability of utilities to connect their industrial control systems directly or indirectly to a public network

4. Tax code

  • Use the Internal Revenue Code to drive corporate behavior, e.g., to encourage investment in cybersecurity

5. Research areas

  • Attribution techniques and identity standards
  • Verifiable software and firmware, and the benefits of moving more security into hardware
  • Feasibility of an alternative Internet architecture

6. Securities regulation

  • Electric utilities that issue bonds should be required to disclose … whether the command-and-control features of their SCADA networks are connected to the Internet or publicly accessible networks
  • Public audit standards for cybersecurity should be toughened

7. International relations

  • The United States should engage like-minded democratic governments in a multilateral effort to make Internet communications open and secure

Brenner then suggests the following steps that entities in the private sector should take to enhance cyber security:

  1. Clean up their act
  2. Control what is on their systems
  3. Control who is on their systems
  4. Protect what is valuable
  5. Patch rigorously
  6. Train everybody
  7. Audit for operational effect
  8. Manage overseas travel behavior

Brenner’s suggestions are all good, although they are not new. And there’s the rub. If someone of Brenner’s stature is advocating cyber risk mitigation strategies, many of which have been recommended many times before, without any specific guidance as to how to effect them, then the issues will continue to be unresolved. It is commendable that Brenner tries to educate us on the dangers of cyberspace, but unless we get specific actionable recommendations with names, roles, responsibilities, work plans and deadlines, along with painful consequences for those “owners” who do not perform, little or nothing will get done. And even if we get these plans in place, success remains questionable. Those in the know will continue to rail against the current state of cybersecurity and lament the lack of response to their remonstrations. But will it do any good?


  1. Heather J. @ TLC Boo Oct 25, 2011 at 7:25 pm

    I agree that there is a need to do more than simply raise awareness – some sort of implementable plan is important in a book like this.

    Thank you for such a thorough review and for being a part of the book tour.

  2. Brian Krebs Nov 1, 2011 at 11:56 pm

    Nice review. I’m interested in reading the book. Thank you.

    I’ve said for a long time that nobody will sufficiently dedicate the attention that cybersecurity deserves on the critical infrastructure level unless and until people start to die because of cyber-insecurity. And, of course, when that happens, there’s a very high risk that bad policies/laws will follow. I talked a bit about this in an interview a while back on Team Cymru’s Who and Why show.
