Would you ever be comfortable with the government taking a direct action to address vulnerabilities in your networks?



Board Member, Advisor, Executive Coach in Software, Self-employed
Under certain circumstances taking some level of action seems appropriate, but blocking the entity from being on the Internet would be a more appropriate action than actively hacking the system, adding and removing code. Back in my Intel days, I got a call from somebody at the Pentagon. I didn't believe who it was, so I called around until I could validate the caller. They said Intel systems were attacking them because we’d had a couple of systems taken over by a bot that was part of something going against the Pentagon, so they needed me to act. We were able to deal with it, and I probably would have been irritated had they just shut me off.

Another scenario occurred that did take Intel offline, and it was done by a private company. Going into earnings release one quarter, we're offline to upload certain things to the NASDAQ system. NASDAQ had basically blacklisted the Intel domain it was coming from. They took action to prevent us from doing what we needed to do. Once we sorted it out I was pretty irritated with NASDAQ, but I understood their reasons because they’d received a trigger of potential maliciousness and needed to protect the NASDAQ system. In essence, they disabled my ability to execute a business process to protect Intel.
Managing Partner & CISO in Software, 11 - 50 employees
It changes the dynamics of cybersecurity to have someone say, under color of law, "We're going to access your system without your approval, or even without your knowledge." If the FBI had just blocked the domains they targeted from connecting to the internet, it would have forced the system owners to take action. They’d be like, “Our system is down. We need to respond or fix this issue.” Domains have been seized by the FBI before; it happens to sites doing some form of human trafficking or other illegal activity, like Silk Road. The government uses the established laws to take them down.

If my fridge at home is compromised through hacking, can the Feds walk in and take it from my house? They shouldn't be able to. That seems like it would be a violation regardless of some broad subpoena. I try to translate what this would look like physically and it doesn't make sense to me.
Board Member, Advisor, Executive Coach in Software, Self-employed

If you believe the context that they attempted some reach out, then there was some potential attempt at a lockdown. I think the question becomes if somebody responded, but didn't respond timely or said no thanks.

Member Board of Directors in Finance (non-banking), 201 - 500 employees

In the case of the Colonial Pipeline incident, I wouldn't mind the government taking action on the pipeline owner because of the tremendous impact on the broader population. When thinking about this FBI action, we can't use examples where the impact is benign. I think it's reasonable to expect the government to say, “We expect this level of security and investment. We're holding the board of this pipeline responsible.”

Managing Partner & CISO in Software, 11 - 50 employees

These are privatized services and companies. If this were a nationally-owned pipeline it would be dramatically different, but Colonial Pipeline isn’t even publicly traded. If the government doesn't want to be so dependent the option is to nationalize these things. And we don't want nationalized critical services.

CIO in Software, 5,001 - 10,000 employees
It becomes a question of my liberties as a person or as a company. To what extent can the government tell me what to do? And can they take that action on my behalf? What rights do I have? How far is their reach, and under what circumstances does it take effect? Am I able to opt out or opt in?
Managing Partner & CISO in Software, 11 - 50 employees

Being able to opt in would have been great, but companies didn't even have a way to opt out. If somebody finds malicious intellectual property, or some errant, illegal files on any of those servers, then it's easy to say, "Well, I'm not the only one who had access to this. The government could have had access to it." I think it should have been an opt-in, because you can't even opt out.

Board Member, Advisor, Executive Coach in Software, Self-employed

If an opt-in is the right way to do it, does it make sense that if you are causing harm, or have a high potential to cause harm for others, you either opt in to the government taking you offline, or you're liable for the harm that you might create? And if you do create harm, you're billed for it. You could argue that there could be an opt-in just to be on the Internet.
