The theme of this year’s FIRST conference is “Strength Together”. Since I first attended the conference in 1999, we’ve always said the basis for working together was “trust”. However, that’s a notoriously slippery word – lawyers, computer scientists and psychologists each mean something different by it, and none of them mean quite what everyday language does – and I wonder whether security and incident response would benefit from a different framing.
When I joined the global incident response community I tried to observe behaviour, so I could fit in without causing offence. My conclusion was that relationships were actually established by “I will spend some time on you: if that makes my life better then I will spend more time on you”. Trust may develop as part of that collaboration, but the actual basis for it is mutual benefit. The hour I take out of my primary job of protecting my customers will be more than justified if your actions save me two hours in future.
This may seem like semantics, but I think it’s more important than that. As Wendy Nather’s keynote explored, my next security catastrophe may well originate in an entity I’ve never heard of: whether an obscure software library, an organisation deep in my (security!) supply chain, or a data processor engaged by an apparently peripheral organisational function. In a world where global service providers can be disabled by insecure webcams, “strength together” needs to extend far beyond those we have established trust relations with. In an emergency, “are we trusted?” may be too high a bar; “are we recognised?” (by others and by the claimed constituency) may be where we need to start.
And, in tough economic times, invoking “trust” and “social responsibility” may underplay the importance of working together. It’s often said that trust is hard to gain, easy to lose. When working together is business-critical, we simply can’t afford to lose the basis for it. A panel session suggested “socially responsible” as a motivation for information sharing, but if that’s the best we can do then we shouldn’t be surprised when its budget gets cut. Again, we need to frame working together as essential, not optional.
As the European Commission’s draft NIS2 Directive recognised, effective cyber-security collaboration is now critical for individuals, organisations, the economy and society. The converse of “strength together” is “weakness apart”: unless we recognise the necessity of working with others to improve the whole digital environment then it may not be long before that environment becomes intolerable for all of us.