Network Webcurity Wishlist?

breillysf asks: "I am a California-based network security attorney who has been asked by a senior US Senator to compile a list of the most important legal concerns facing network security administrators. He has a good feel for the government security issues (and lack there of), but he is concerned about what is going on in the front lines in the private sector. I thought the Slashdot crowd would have the best feel on the pulse of the current situation. Specifically, if you could ask Congress for help in the area of network and information security, what would you ask for? Or would you tell them to get out of the way?"

"For example, I tried to push for tax incentives for upgrades in network security measures, but the Senator replied that is dead in the water because we are now spending into a deficit. He would rather see insurance companies reward firms with lower premiums for enhanced security. But there are International legal issues, compliance issues, privacy complications, potential negligence liability exposure, lack of federal incident response, FOIA and anti-trust issues with info sharing, conflicting state and federal cybercrime and privacy laws, USA Patriot Act concerns, etc."

Don't ban tools!

[pete-classic]

To borrow a phrase; if you outlaw nmap, only outlaws will have nmap.

-Peter

What I Really Want

[twoflower]

The number-one item on my wishlist would be for the government to keep completely out of network security issues -- the government should ensure security on its own networks, of course, but they shouldn't be concerned about anything else.

There's already enough laws to deal with DOS attacks and such -- more laws just means more expense for those who have to deal with them.

Twoflower

The obvious

[heyeq]

Well, for starters, don't let Microsoft's Chief Security Advisor work as a security advisor for the White House.

Most important and significant problem

[Cesaro]

The most important and significant problem is not putting the proper resources into getting that security. Upper level management are not technically minded folk, and they don't view computers and true tools. They don't understand the costs when you try to explain it to them. "I'd like to get around $200k so that I can physically seperate out infastructure and give us added security."
Management: "I'll give you 2 un-trained contractors, a spool of thread, and a tin can."

They just don't understand, or appreciate what computers provide, but yet they get irate when something happens. Therefor the largest hurdle to overcome is getting the senior people up to snuff, or willing to to dish out the resources for what needs to be done above and beyond a simply reactionary level. To them, pro-active computer security is like flushing money down the toilet.

Responsibility

[Alien54]

I do not know how you would do this, or what the right way to do it is, but I would like to see some responsibility for writing or creating secure systems.

I am thinking specifically of Microsoft, and the Microsoft Outlook Email Viruses, but this could certainly apply to plenty of other companies.

If companies are merely licensing the use of the software to us (and we do not own it), and charging the big bucks, shouldn't they be responsible and/or liable for the consequences - damages from using it? or is this a matter of they get all of the benefits, and we get all of the problems?

Don't criminalize security research

[mikej]

There's an ongoing trend to criminalize the tools and speech used to conduct security research; This is the single most frustrating aspect of the government's involvement in network security. Lists like bugtraq and tools like nessus and nmap are absolutely vital to the health of a network-connected system. Some suggested legislation would make all security discussions criminal, some would allow such work to only be conducted by approved organizations; Both would shatter the ability of the individual administrator to effectively secure his systems. If I could make one and only one request it would be to specifically disallow legislation that attempts to let companies involved with the internet take the security ball to their private court and bounce it around, leaving individual system administrators with no tools and no forums in which to discuss their own defences. In short: keep public, individual security research legal.

Thanks, and good luck.

Re:Holding Companies Liable

[jspey]

More specifically, if you pay for some software and it has security holes that a reasonable and prudent check should have found before it went on sale, and those security holes cause you problems (like lost time, lost money, lost business, whatever), then you can at least try to get the purchase price of the software back from the publisher. Seriously. Lots of software has holes in it. But if I buy win2k and install it, and the default install turns on IIS, and IIS has enormous holes in it that should never have made it past quality control, then I should be able to get the cost fo the software back from microsoft when I suffer problems from their poorly designed software.

If you make the penalties for unsafe software too large, no one will write software. But there needs to be some sort of incentive for companies with so large a market share that they don't care how crappy their software is to make their software safe.

Mr. Spey

Enforce the laws we have...

[moonboy]

• No New Laws - The government has a habit of throwing more laws at a problem (yes and money too). We don't necessarily need more laws, just proper enforcement of the existing ones. (or maybe I should say, no laws just for the sake of creating them....no hollow laws to appease the general pulic and press...if new laws are made, they must be effective!)
  
• Crypto - No more restrictions on crypto.
  
• Tools and Methods - The government shouldn't ban tools and methods used to work in network security. These are very necessary to increase the level of security. Like another poster said, if you ban them (ie, make their use, possession, etc.) illegal only the "bad guys" will have them.
  

He was lucky to work for your company

[sting3r]

One of my co-workers was scamming people on eBay from home, and one of the disgruntled customers called our local police department to whine about it. The police came down to our place of employment and started talking with the managers, and the managers literally turned white and started handing over records. This was without a warrant or court order, mind you. Last I heard, they had turned over the employee's entire HR file, his entire mail spool, and his desktop computer. Needless to say they did not want him to work there anymore after that day.

This brings up an interesting point, though: should Congress make it illegal for companies to give up your personal information to law enforcement without your consent (or a court order)?

-sting3r

Get out of the way.

[SecurityGuy]

The *LAST* thing I want is a legislative "solution" to a problem the so called experts can't even agree on. Full disclosure or not, is scanning illegal, should it be, etc. Legislative solutions are far too often nothing more than new problems. Copyright violation is a problem. The DMCA is supposedly the solution. Terrorism is a problem. The solution, apparently, is to pass laws undercutting privacy and liberty in the states. Crime via computers is a problem, their solution was key escrow (thankfully not implemented), and now the FBI is writing computer viruses (Magic Lantern).

Thanks, but no thanks. I'd much rather stick to securing my boxes with the understanding that it's a hostile net out there than have my government tell me the One True Way to do so. Passing laws which only apply to less than 5% of the world's population will not make the net secure, and feel good legislation is something I can do without.

Make it illegal for states to sell personal data

[zoward]

It is current practice of some US states to sell driver's license pictures and other personal data from their database to private firms, for various reasons. This practice should be illegal, or at the very least carefully monitored at the federal level.

Suggestions for the Government

[shanek]

1: Get out of our way WRT encryption and other secure technologies. We're not terrorists, we just want to keep our personal information secure. Installing "back doors" and other methods may, on the surface, seem like a good idea for national security, but in reality hackers can enter through those as easily as the government.

2: Hold vendors responsible for security holes in their products. Currently, the EULAs prevent someone harmed by a security flaw from seeking liability, even if that security flaw was deliberately programmed into the software as a "feature."

3: Recognize the role of antivirus firms such as McAfee and Symantec in protecting users. They should be unrestricted in their efforts to make and sell software that can protect computer users from harmful files, regardless of the source.

4: Realize that the best way to catch criminals and terrorists is through the use of human intelligence, which history has proven to be much more effective than randomly reading private EMails. Also, human intelligence doesn't involve threatening the liberty of normal, law-abiding Americans like many of the other proposed methods do.

5: This is probably the most important one: Remember the words of Ben Franklin when he said, "They that would give up Essential Liberty in order to obtain Temporary Safety deserve neither liberty nor safety." I would also add that, in these cases, you usually don't get the safety you're seeking in the first place.

US legislation != Internet legislation

[jet_silver]

Encourage the Senator to remain aware that legislation about the Internet doesn't have crisp borders. Bits don't change color when they cross national boundaries.

When you do that, you might get him to understand that such laws are not easy to enforce and will certainly involve a lot of jurisdictional disputes.
And you might encourage him to realize that it is the lowest common denominator of behavior on the Internet that represents the cutting edge of security needs.

In other words, passing legislation against US Internet users is tantamount to taking their guns away, when they can at any minute be involved in a virtual gun-fight with, for example, Chinese or Indian crackers who have no such laws hampering them.

My Wishlist

[medcalf]

In no particular order:

1) The Federal government should encourage, not discourage, the use of encryption, without key escrow or back doors, by not regulating encryption in any way. (The government should also invest heavily in the appropriate technology to break encryption when it needs to do so.) Without the fear of government intervention, application designers will be encouraged to add encryption to email and other software as a business advantage to themselves, thus allowing my business to communicate more securely with ease.

2) The Federal government should encourage open source and open standards by requiring the use of open source software and open standards on all government systems (except possibly military/intelligence systems). This will get more eyes on the code, thus reducing vulnerabilities and fixing them faster, and will ensure that people are unable to take advantage of unpublic holes in uncheckable software.

3) The Federal government should generally *not* regulate the internet, as this can introduce holes that cannot be fixed because of regulatory requirements. In particular, the government should not use either legislation or funding to control the use of the internet by libraries, schools and other non-Federal government institutions, or by private individuals and organizations. There are a few exceptions I would be OK with:
a) requiring "edge filtering" so that networks would not support denial of service attacks;
b) allowing wire fraud charges against people/organizations who deliberately send email without proper and valid headers (or with forged headers), so as to obscure their identity while sending unsolicited commercial email and/or perpetuating scams (note that this should be allowed for the purpose of anonymously propagating a political opinion, for example, just not for commercial use);
c) requiring organizations who control internet naming or numbering to have public accountability, as these organizations were largely granted a monopoly by the US government; opening up these processes to a standards-based system where everyone can participate; or allowing anti-trust legislation against such bodies if they attempt to coercively control internet access.

4) The Federal government should designate ISPs and online communities as common carriers.

5) The Federal government should require cable and telephone companies, as part of their FCC licensing requirements, to offer the option of access to the network for paying subscribers wihtout mandatory membership in an ISP, and in particular an ISP should not be allowed to gain monopoly status by association with a government-granted monopoly such as a cable system. This would have reduced the @Home debacle, for example, to a trivial matter. The potential for AOL/Warner is even worse down the road if something is not done to guarantee choice in broadband access.

OK, I guess I got a little away from security with those last some of that.

-jeff

Re:Holding Companies Liable

[jspey]

That works if you're a private company. What happens when a soccer mom gets her cable modem turned off because someone exploited some hole in IIS that she installed on her computer without knowing it? Never mind that to fix the hole she'll have to d/l the patch from the microsoft website, which is kind of tough when you don't have web access anymore.

Sure, after the patches are out then it's your own responsibility to fix it. But some of the holes and/or default configurations have no business being in a piece of published commercial software.

Mr. Spey

Some suggestions

[jd]

• Security should fall under some form of "trades description act" - eg: what you're offered is what you get. A firewall that isn't, secure transactions that aren't, or privacy that's sold, should be actionable. That isn't about the limits of technical skill, it's about fraud that merely happens to involve computer technology.
  
• It should be illegal for an ISP to prohibit customers from implementing security on their machines (except where that security is, itself, a hazard to other machines)
  
• Where the technology exists to prevent criminal abuse, and an ISP neglects to use it for reasons OTHER than financial or technical, then that ISP is an accessory to the crime, and should be held accountable as such.
  
• Insurance companies should have the right to carry out periodic audits of computers belonging to customers they insure, and modify premiums according to the flaws encountered.
  
• Customers of companies should have a similar right to scan the companies they deal with (and vice versa), so that neither side can claim ignorance of the status of the other, prior to transactions taking place.
  
• As things stand, "important" web transactions are secure, and all others aren't. This is the same as placing a large, neon sign over the hidden wall-safe. It is no longer hidden, or safe. I would like to propose that unsecure, or only partially-secure websites be subject to penalties, where such a policy results in a breach of security.
  
• Finally, where concious and deliberate inaction results in an expense to any emergency service, security agencies, etc, the organization responsible should be expected to reimburse those costs, in full. (Note that this is for inaction alone. You can't sensibly penalize those who make a genuine effort, even when that effort fails.)
  

Implementing even a few of these should deal with the national deficit, quite nicely. Some of the biggest costs in both public and priate spending are to fix serious problems, after the fact. The burdon should be shifted, as much as can realistically be done, to those responsible. A stitch in time saves nine. But, damn it, the tax payers shouldn't have to pay for someone else's failure to stitch.

Something you can actually do

[Syberghost]

Mr. Senator, there is something you can actually do for us.

It even involves you getting to pass a law, which I know is something you Senators greatly enjoy.

It is:

REPEAL THE DMCA SO WE CAN GET SOME DAMN WORK DONE.

Thanks for taking my valuable time (because I pay for your time, too) to listen.

Stop Gov't Interference w. Security Research

[rlp]

My biggest concern is the woeful state of computer security research in the U.S. Due to crypto restrictions in the U.S., foreign firms offering commercial cryptographic products have gained a major competitive advantage. This has translated into more R&D money for these firms. The crypto regulations were repealed. But now history is repeating itself, due to congressional meddling with Intellectual Property laws (DMCA, and it's ilk). It's had a chilling effect on security research in this country. Similarly, the Sklyarov arrest resulted in foreign security experts being very wary of even attending conferences in the U.S.

At a time when the U.S. needs to strengthen our computer security infrastructure, congress has managed to handicap the very people needed to accomplish this goal.

So, bottom line, change the laws (starting with the DMCA), before all computer security research moves offshore.

Re:tell them

[remande]

I'll make a stronger statement on that. Any attempt to require back doors on encryption (e.g. the Clipper Chip) will significantly increase our risk exposure. Let me illustrate.

A back door is really a master key. Government back door schemes require the encryption to have a back door key, and for the government to have that key.

If you're paranoid about the government like I am, you can see where giving it the master key can ruin your day. But even assuming that the government is all white hat, you're still in deep trouble.

That master key is worth hundreds of millions of dollars in the right hands. Organized crime could use that key to commit credit card fraud on millions of credit cards. This is also a great way for terrorists to get funding. Depending on the crypto scheme, it could be used to forge communications, rerouting shipments. If I had the Master Key and needed a couple of hundred pounds of plastic explosive, that would be my first idea.

And that key can't be kept very secure if it's being used. Thousands of people, whether law enforcement officials or court officials, will have access to that key. Out of a thousand people, somebody's going to be bribable for a mere one or two million dollars. Or be required to hand over the key to get their loved ones back. Or write down their password and have their office computer broken into. It won't be too hard for a determined criminal to get that master key.

I am a big fan of crypto, but I would honestly prefer no crypto to back door crypto. At least if you have no crypto you know you're not being spied on.

You do your part and I'll do mine

[The+Man]

I can take care of script kiddies, virus outbreaks, and idiots who install IIS. It is Congress's responsibility to do only two things: (1) require that the computers and networks belonging to the federal government are as secure as humanly possible, especially those which may contain citizens' records, and (2) protect law-abiding or possibly law-abiding citizens from the three letter agencies by forcefully restricting their activities to legitimate investigations using constitutionally "white" - not "grey" or "marginal" or "illegal as hell" methods. That applies to computer crimes as well as all others, and for practical purposes it should restrict the TLAs to prosecution of known crimes involving federal computers, and pursuit and analysis of foreign intelligence.

Don't protect private companies and individuals from anyone but the government. We can take care of ourselves.

Don't protect the government from law-abiding citizens. We're at sufficient disadvantage already.

Don't protect the privacy of convicted criminals.

Don't create laws that favour any one kind of entity over any other, except law-abiding citizens and corporations over convicted criminals.

Don't legislate exclusions of liability for security breaches. Let the civil courts decide who, if anyone, is responsible for damages due to security breaches.

Don't restrict or attempt to restrict cryptography, and strictly prohibit the three letter agencies from planting or distributing intentionally weakened or defective cryptographic tools.

Don't allow the three letter agencies to wiretap data connections without meeting constitutional requirements - it does nothing to improve security and most likely decreases it by creating additional copies of sensitive information.

Most importantly of all - *DO* build trust in the security community by passing and strictly enforcing JUST, FAIR LAWS in all matters concerning digital security, copyright law, privacy, and civil liberties. In other words, do your job as statesmen and earn the respect and trust of all the citizens you supposedly represent. Your job is MUCH easier to do when we can trust you, and sadly, your record makes that outright impossible.

That goes for information, too

[Hizonner]

There's an attitude out there that says people should have to justify their access to information about security... not just network security. You hear a lot of bleating in the press about how "just anybody" can get access to information about how to do dangerous things, and how we (whoever "we" are) need to clamp down on that in various ways.

The problem with that attitude is that, to get real security, you have to do things in a secure way everywhere. That means that everybody has to be thinking in terms of security... and not only that, but thinking in terms of things that will actually help, rather than just giving a false sense of security. That takes a certain mindset, and the only way to develop that mindset is to think about ways to break security, to see examples of how security is broken, and to see how existing security measures work, both so you can improve them and so you can avoid screwing them up.

If you restrict access to information, you end up with only two sets of people who have a clue:

1. A small group of overworked security specialists. These people can't do it all, and, if the rest of the world is poorly informed, they won't be listened to. In addition, in an environment where information is tightly restricted, it's very difficult to recruit and educate new security specialists.

2. The bad guys. Being more motivated than the general population, the bad guys will get most or all of the "restricted" information through their own networks.

Security is everybody's problem, and that means everybody has to understand it. When you release information widely, you educate 100 good guys for every bad guy. When you try to keep everything secret, you hold the good guys back more than the bad guys.

I'm not saying that there's never a reason to keep anything secret, but there should be a presumption in favor of openness. You should try to keep something secret only when:

1. It describes the details of an actual vulnerability that hasn't been fixed, and provides information useful in exploiting that vulnerability, AND

2. Having information about the vulnerability would not, in itself, permit people to protect themselves, AND

3. You're reasonably sure that large numbers of bad guys don't already know about it. In network security, large number of bad guys will definitely find out about it within a few months, if they haven't already found it independently. That means that keeping anything secret for a long time will never work.

In government, the sorts of things we need to watch out for are:

1. Excessive classification. It would be nice to see more legislative sunsets on classification, and more requirements for review of the decision to classify something. Patent secrecy orders are especially suspect.

2. Programs where government information is shared only with "trusted private sector partners". Not only is this intrinsically bad, but it encourages cronyism and corruption, and can create economic problems by raising barriers to entry in security-related industries.

3. Misguided weakening of "sunshine laws" like the FOIA. Because information is power even more in the Federal bureaucracy than in most places, there's an incentive for agencies to hoard it for political reasons. When all else fails, these laws often serve, not so much to free the underlying information, as to expose the illegitimate reasons it's being held secret.

4. The occasional calls for outright banning the release of scientific or engineering information, in the style of the idiotic Feinstein "bomb making information" law.