Better voluntary coordinated collaboration will be achieved if “smart people can coordinate their actions”.
Speaking at BSides San Francisco, Allan Friedman said that, as individuals cannot make decisions and expect a free hand to fix it, and the role of Government is to understand market failures, particularly in this space, there are a lot of questions as to where the market and Government are. “There are decisions people fail to make,” he said.
He said that there is a problem to solve around “collective action problems”, which deals with challenges of how large groups of people address questions and subsidies that make one sector better off.
“For large groups it is hard to justify problems without an incentive and a solution will be in understanding a shared benefit if we move,” he said. “I look at coordination problems in the infosec space, solutions exist and we can all jump in the pool at the same time, but no one wants to jump first if others will not.”
Friedman, who was talking independently of his role in Government, said that there is a belief in multi-stakeholder governance. The concept has dynamics, and often you have to participate voluntarily, as no one will ask you to engage and no one will force you, so you have to make sure it is multi-stakeholder and has the backing of the entire community to get engagement.
“We are interested in the digital ecosystem, and use it with trepidation and it is helpful for understanding how components fit together,” he said. “We have competition and collaboration in different points. Our focus is on voluntary coordinated action and different sectors and components, and they are small but different problems, and small niche issues and if we fix them would make a real difference.”
Friedman said that the outcome of the process is not to evolve a product, but to look for best practices and principles. “If we adopt together we can solve hurdles that exist,” he said.
In particular, Friedman highlighted three areas of development that needed voluntary coordinated action:
Network and infrastructure security – how ISPs should work together with software vendors for an efficient takedown process without disrupting other work, and open source assurance and how to adopt a solution;
Web security and consumer trust space – how to promote TLS properly and prioritise it, how to promote known web app security without introducing new vulnerabilities, and distinguishing spyware vs malware for an anti-virus vendor;
Business processes and enabling markets – creating better future markets, and vulnerability disclosure.
He concluded with a request for comments – http://go.usa.gov/3gaXm, saying that further progress can be made if we come together, or know what other projects are being worked on. “A multi-stakeholder project is only as good as those who join and stakeholders determine the outcome,” he said.