The Cyber Neighborhood Watch

I think everyone is caught up now on the latest. Identification of compromises and potential breaches involving various supply chains stemming from the investigations and response regarding the SolarWinds Orion Platform. Breaches of cybersecurity controls has been scoped on a global scale and it just keeps on growing. 

During all of the subsequent reading and discussion that has been engaged the one quoted here from Schneier on Security caught my eye. For me it seems deserving of a bit more discussion. It's often related that information is free and we put up fences and commission gatekeepers to manage access. The niggling phrase for me in that quote is "we, the public, will never know." To me the framing of information is what is important and not the specifics. In that regard many wrestle with the balancing of transparency versus disclosure.

Transparency for my purposes is not the same as disclosure. If I tell you I keep a key under the mat (which is not something I do) to get into my house, that's a disclosure. It may be a detail that everyone should not receive. On the other hand, saying I have a contingency for getting into my house under all circumstances, that's a valuable bit of insight that can be reused a number of ways. Also, it's much better than telling all of my business. In form and function, that is pertinent to specific situations, that transparency can provide the basis for both increased awareness and security. This transparency is the type of information handling for which I'm a strong proponent. It is a sharing philosophy I referred to in January of 2000 as the "Cyber Neighborhood Watch."

When we think of the neighborhood watch in real life it doesn't rely on a practice of relating every discreet observation about your neighborhood to the authorities. Telling the authorities about Bob's skinny dipping frequency isn't neighborly. You don't have to and probably shouldn't do that. That level of disclosure would cause the trust relationship established with your neighbors to crumble in short order. What is a good practice would be for Bob is to let others know (sort of like FireEye did) that he's single and keeps his gate locked so when there was an intrusion suspected it became pretty short order to recognize it. So, how does this relate back to that quote?

The issue with the statement that I highlighted is not regarding any specific DFIR techniques, tools and procedures. Nor is it about classifying information, and whether or why the investigative findings for breaches reveal sources and/or methods about protecting information or access to it. It's about being neighborly. It should be relatively well-known by most practitioners in cybersecurity and infosec that there is an overabundance of classified information. Information may become classified by merely being adjacent to a source and method which is deemed close held, i.e., classified. In fact there are quite a few higher level security paradigms that fall into the good ole classified bucket for no good reason.

What I propose, in pursuit of the neighborhood watch paradigm, is that we take a close look at how transparency without potentially damaging disclosure can be normalized. In light of the events being discovered pursuant to SUPER/SOLOR/SUN* (yes that wildcard is most fitting in this case it seems) there is a good case to be made that transparency should be the rule of the day.