Network Computing is part of the Informa Tech Division of Informa PLC

Active Defense

A couple of days ago I attended one day of the Department of Defense Cyber Crime Conference 2005. I was only there one day because that was the only day they had sessions that weren't classified. That I was there at all, though, was a novelty, since this was the first time (in the four years of the conference) that they've invited anyone from the press. There were some interesting presentations (including one you'll hear more about by the general who's now in charge of all DoD computing), but like any conference, some of the most interesting information came when we were away from the conference sessions.

While eating lunch, I got into an interesting conversation with someone who works at a government computer forensics lab. I asked him how the forensics tools available to business compared, in features and function, to the tools he had at his disposal. He said that three years ago there was a huge gulf between the two, but that civilian forensics programs were catching up fast--and he gave the credit to Sarbanes-Oxley, Gramm-Leach-Bliley, HIPAA, and the other regulations that make IT executives crazy. The engineer said that the need to discover, with certainty, not just that corporate information had been taken, but who did the taking, and where they sent the information, was pushing business forensics to develop quickly, and in good directions.

When I talk about unintended consequences, most of the time I've seen something truly bad, but if SOX, GLB, HIPAA, and the rest can drive better tools into the hands of corporate information security professionals, maybe they weren't such bad ideas after all.