Mandiant Discovers the Tragedy of the Commons

Mandiant has deservedly achieved a high level of credibility as one of the top cyberattack forensics companies, as described in the February 11 – February 18, 2013 issue of Bloomberg BusinessWeek in the article “Hacked? Who Ya Gonna Call? They are the go-to company when it comes to determining the sources of APT (advanced persistent threat) attacks and helping deflect them.

It is also apparently considered to be the go-to company for issues of what’s wrong with the world of cyber. This is supported by a quote by Richard Bejtlich, Mandiant’s chief security officer, in the February 2, 2013 issue of The Economist in the article “Cybersecurity: War on terabytes.” Here Bejtlich states that “No one in the United States is expected to provide for their own air defense. We have an army to repel a land invasion, so who is out there protecting the cyber lanes of control?  Nobody. It is a free for all.”

This is the well-known “tragedy of the commons” issue, where no one is willing to take responsibility for commonly used resources with the result that they are not protected and preserved, only to deteriorate to the extent that they can no longer support their original function. I have written about the topic, as it refers to cyber security, in previous BlogInfoSec columns.

I also wrote on the topic in the feature article “Cybersecurity and the Critical Infrastructure: Looking Beyond the Perimeter,” in the ISACA Information Systems Control Journal (May 2006), available at

Unfortunately, it does little good for even someone as high profile as Richard Bejtlich to point out the problem if there is no will to fix it. We’ve discussed this issue for a decade or more, yet are no closer to a resolution. This is where government can actually help. There needs to be accountability and liability insofar as the common resources of the Internet are concerned, particularly in regard to the securing of those resources. Organizations in the private sector are generally only interested in shielding themselves and their particular parts of the system. The U.S. government, while recognizing that some 70-80 percent of the country’s critical infrastructure is in private hands, is tentative at best in making the necessary moves to secure the commons, preferring to assign its responsibility to some nebulous public-private collaborative effort. Well, it hasn’t happened up to now and is unlikely to happen in the near future until some definitive actions have been taken. The past decade has been wasted with pretentions that something is being done. Successive “cyber czars” have tried and failed.

And some of the fuzzy recommendations currently being offered are not likely to be effective either. For example, in his article “Confronting Cyber Barbary Pirates” on the Opinion page of the February 11, 2013 issue of The Wall Street Journal, L. Gordon Crovitz writes: “It will take decisive action by Washington to deter rogue governments from breaching digital networks to read email, steal corporate information or identify news sources.” Because of the difficulty of identifying the definite source of an attack and because many sources are not nation states, it is hard to see how deterrence will work. And what kind of action needs to be taken? No, putting one’s hopes on deterrence will only disappoint. We need to resort to avoidance, e.g., not making critical sensitive data available from remote locations, and prevention, i.e., not allowing access to sensitive applications and data by questionable individuals. Yet even these approaches won’t work unless liability and responsibility are appropriately assigned and accepted.

Post a Comment

Your email is never published nor shared. Required fields are marked *