← @kwm Twitter archive
Keith
@kwm
Regarding NTIA Collaboration on Vulnerability Research Disclosure http://www.ntia.doc.gov/blog/2015/enhancing-digital-economy-through-collaboration-vulnerability-research-disclosure . . . unsure what problem this aims to solve.
7/13/2015, 1:41:04 PM
Favs: 0
Retweets: 0
linkKeith
@kwm
I don't believe that there's any relevant issue with respect to vuln disclosure. Vulns that are discovered are hoarded, sold or disclosed.
7/13/2015, 1:41:52 PM
Favs: 0
Retweets: 0
linkKeith
@kwm
A "consensus-based multistakeholder process" isn't going to change if/when vulnerability disclosure occurs.
7/13/2015, 1:42:06 PM
Favs: 0
Retweets: 0
linkKeith
@kwm
Assuming that the intent is to steer/mandate action following disclosure, I'm not optimistic about impact.
7/13/2015, 1:42:23 PM
Favs: 0
Retweets: 0
linkKeith
@kwm
Vulnerability management is an inherently agency-specific function, and requires deep understanding of exposure, cost, etc.
7/13/2015, 1:42:44 PM
Favs: 0
Retweets: 0
linkKeith
@kwm
Thus, *good* vuln management implies that near-field leadership have an understanding of risk. Then need vision+ability to steer response.
7/13/2015, 1:42:56 PM
Favs: 0
Retweets: 0
linkKeith
@kwm
DoD/IC may have leadership capable of leading these efforts. Maybe have them dictate process to OGA? Problem is that OGAs aren't equipped.
7/13/2015, 1:43:08 PM
Favs: 0
Retweets: 0
linkKeith
@kwm
Solution? Any agency w/ local IT/sec policy must have strong, capable security leadership able to interpret policy relative to own risk.
7/13/2015, 1:43:19 PM
Favs: 0
Retweets: 0
linkKeith
@kwm
Outcome of NTIA efforts will need be decisive and have broad executive, congressional backing in order to drive meaningful change.
7/13/2015, 1:48:24 PM
Favs: 0
Retweets: 0
link