By Phil Reitinger
The Global Cyber Alliance uses a community approach to solve tough problems – systemic risks where there appears to be a solution but insufficient deployment. For our projects, we try to catalyze deployment of a solution by bringing companies, governments, expertise, resources, and project management to the table. As many of you are aware, our first two projects involve driving global deployment of DMARC to make email more trustworthy, and partnering with Packet Clearing House to build a global recursive AnyCast DNS Infrastructure employing DNS filtering. Each project is intended to move a “solution” (DMARC and DNS filtering, respectively) along the path to universal deployment, and so help to substantially eradicate a systemic cyber risk.
One question I am occasionally asked is whether GCA will disrupt markets and harm commercial companies. It is not intended to do so, and we are working to ensure that GCA “makes” markets rather than disrupts them.
DMARC is an example. There are commercial companies that support DMARC as a significant business line. GCA doesn’t intend to replace them; instead, we intend to make DMARC easier to deploy and use for everyone, so that more companies will deploy DMARC, and it will become not just a best practice but a best common practice. This benefits everyone, both the public and the commercial companies that provide DMARC services, by both increasing deployment of a technology protecting consumers and building a market for DMARC services. As a nonprofit, GCA has focused on low-cost, scalable efforts like raising awareness and providing a tool for small and medium-sized businesses to deploy DMARC: efforts that would be of little or no profit for commercial companies but build the overall market.
Similarly, in DNS filtering, GCA and PCH have built an infrastructure that anyone can use, protecting people or companies from malicious domains by blocking access to them through DNS. And again, our approach is designed to supplement, not disrupt, the market. Our service is free, but to make it deployable anywhere and to engender trust, we don’t collect personal information of the entities associated with look-ups of bad domains. That helps make our service broadly usable, but it also means we can’t offer value-added services that depend on knowing the IP address of devices using the service. For example, GCA/PCH can’t provide notice or customized reports to a company about what we blocked for them, because we don’t keep the un-hashed IP address. If you want that, then you need to enter into an arrangement with a commercial provider. So again, GCA is trying to make a market by increasing the availability of a free service so that anyone can use it, while also helping to build a market for those who want more than free.
Some of our folks cringe when I say this, but sometimes I call GCA the gateway drug of cyber security. In a GOOD way, of course. We offer free services to protect the many, and we hope some companies will like the results so much that they will ask for more from the ecosystem.